- Nearly half of Australian financial advisers had a cyber security incident in 2017.
- A poorly managed incident could mean the end of your business.
- If you’re not taking cyber security seriously, you’re not prepared for business in the digital world.
Cyber security is the hot-button issue for the financial sector. It’s not just your clients’ personal information and financial security at risk. A poorly managed security issue compromises your credibility and breaks trust with clients who depend on you to manage their money.
Founder of cyber security services firm Kamino, Julian Plummer, recently discussed cyber security in financial services in a Netwealth webinar, Cyber security: Peace of mind in a digital world.
What’s it costing the industry?
Based on a Kamino survey, around 45 percent of Australian financial advisors had a cyber security incident in 2017. Each incident cost an average of $275,000 to remediate, repair, take action against or prevent from happening again.
Plummer says these are alarming statistics in a sector reliant on reputation.
“We trade on trust,” he said. “If advisors have a database of client holdings, tax file numbers, addresses and account numbers, that information must be secure.”
Of the companies who experienced a cyber security incident in 2017, 60 percent were out of business within six months.
“If you have hundreds of clients, all those clients have money, and you're connected to the internet? You’re a target.”
More than hacking
The Kamino survey identified common cyber incidents for financial advisers as:
- Malware (worm or virus) - software that does malicious things to your computer.
- Ransomware - software that infiltrates your systems and encrypts all data, demanding a ransom to unlock it.
- Phishing emails - messages in which people pretend to be employees of your business to access information or money.
- Unauthorised access - people who don’t belong in your network having access to your emails, files and databases.
People, process and Johnny Cash
Plummer says people and process, and how your information is treated every day, are key to preventing and managing security issues. But even then, no one is unhackable.
“There’s always an Achilles heel,” says Plummer. “You need to know your vulnerabilities and decide on your appetite for risk against investing in information security. You need to be like Johnny Cash; constantly walking the line between security and profitability.”
Overconfidence won’t protect your data
Almost half of survey respondents believed they were prepared to deal with a cyber attack, and almost 20 percent of financial advisors said they managed their own cyber security.
Plummer says it’s likely most have been hacked without even knowing it.
“It’s happening now. There’s a Ukrainian crime outfit called the Business Gang who target nothing but Australian SMSFs, they make a very good living.”
Reliance on device usernames and passwords can also provide a false sense of security.
“People walk around with a lot of information on their laptops. If your data isn’t encrypted, all I have to do is take your laptop and plug the hard drive in to read everything.”
Don’t take the click bait
Plummer says phishing emails asking for payments or information, or ransomware looking to compromise your network, is usually introduced by a simple click on the wrong link.
“If you have 10 people getting a phishing email every two days, and 99 per cent of the time they don’t click on the link, that’s still a 60 per cent chance one of those links gets clicked,” he says.
“Your staff need to understand the type of emails to expect and what they look like. It can appear to come from their boss, so communicate on what you will and won’t do over email. One complacent click and that's the end of your business.”
Julian remembers seeing a financial planner log in with a two-letter password.
“My jaw nearly hit the floor,” he remembers. “Then I saw the Post-it notes all over the screen, the door was wide open, and a spreadsheet on his desktop called passwords.xls. After investing tens of thousands of dollars to protect data, his office was the weakest link.”
Plummer suggests advisors use a password manager like LastPass.
“You have one very difficult password to remember and generate all your other passwords as gibberish. You will not have a business if you share passwords,” he says.
“Even if LastPass got hacked, you’d have a month’s head start and time to change your passwords. They're security experts and you’re not.”
Managing cyber threats for a better night’s sleep
If you’re not taking cyber security seriously, you’re not prepared for business in the modern world.
“It's much easier for people to do massive harm on a much larger scale than it ever was before. You can lose your business in an instant,” says Plummer. “That's something that should keep you awake at night.”
Want to know more?
Listen to the complete Cyber security: Peace of mind in a digital world webinar.