A cyber-security breach is potentially catastrophic but advice practices can take some simple steps to bolster their defences says Midwinter’s Chief Technology Officer Fraser Hamilton.
Cyber-attacks are on the rise as the world becomes increasingly digital. And advice practices – particularly small businesses that deal with large sums of client money – are at risk of being targeted.
No-one is immune. One major dealer group was recently ordered to pay $750,000 by the Federal Court over cyber-security breaches that allowed criminals to gain access to confidential and sensitive client information over several years.
The landmark ASIC case serves as a warning to other advice practices to strengthen their cyber-security defences no matter how busy they are helping clients or running their business.
“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level,” Justice Rofe said in the judgment.
Fortunately, there are simple steps that advice practices can take to ensure they’re protecting their business and client assets from most cyber threats.
Use a password manager
Passwords are a common point of weakness. Simple passwords are easy for hackers to guess (“123456” remains the most-used password in the world).
Another common point of weakness is re-using the same password across multiple sites. If one site has a data breach which exposes passwords, it leaves users vulnerable across many sites where they have used the same email address and password combination.
The solution is to use a password manager, such as Dashlane, 1Password, and LastPass. They require remembering just one strong master password – every other password can be generated randomly and stored within the password manager.
Use two-factor authentication
Two-factor authentication (or 2FA) provides a second line of defence beyond passwords. It requires confirmation on top of a password via a second channel, such as text message or email.
While it can be slightly inconvenient compared to using a password alone, it provides a significant security upgrade. Many people are now accustomed to 2FA given banking apps commonly require a second confirmation via text message when transferring money.
If your software supports 2FA, switch it on.
Use client portals for sensitive information rather than email
Email is a popular fallback to send sensitive data but it remains inherently insecure.
It leaves both advice practices and clients exposed to phishing attacks, where cyber criminals send fraudulent communications that appear to come from a reputable source. They can harvest personal data, make false requests, or change bank account details contained in emails.
Even if cyber criminals aren’t at play, it’s all too easy to send sensitive information to the wrong email address, which can undermine client trust.
The 2022 Future Ready IX advice report, sponsored by Midwinter, showed that 22% of advisers say they don’t have adequate security and file encryption for transmitting sensitive data.
Good advice software should include a secure client portal to communicate or send information. Clients can set their own password (or the password can be delivered over a different communication channel, such as in person or by text message) to use the portal, which is significantly more secure than sharing client information via email.
Use cloud-based storage and software rather than local storage
A secure cloud-based workflow is more efficient and secure than storing information locally or on paper. It is easier to provide an audit trail, search for information, and ensure ongoing business continuity. It is cost-effective and flexible, with major cloud-based vendors investing huge amounts of money to secure their systems.
Software applications that run in the cloud are seamlessly updated with new features and security patches while desktop software often requires manual checks.
When using a cloud-based service, it is pertinent to check where the data will be stored. Storing data in Australian-based data centres not only ensures it falls under Australian legislative protections but also that these protections can be enforced in case of a breach.
While most practices are using the cloud in some form, practices should also review their backup strategy. The Future Ready report found that while 93% of advisers now back up their critical data daily or in real time, one-in-three (32%) said they haven’t tested or restored from their backups in at least six months.
Review cyber-security of suppliers and software providers
The cyber-security of any advice practice is only as secure as its weakest link. A breach at a small supplier could give cyber-criminals a way into your sensitive client data or advice practice.
Ensure that suppliers have strong cyber-security controls in place and be wary of free software – if you are not paying for the product, you are the product.
Most large companies invest heavily in security and technology. Companies such as Midwinter have the resources to adopt international standards such as the ISO/IEC 27001 on information security management. Compliance with these standards is independently assessed and provides a heightened level of confidence.