Five ways your firm can fight back against cyber risks
As cyber-crime increases, financial advisers and other businesses should think very seriously about taking action to safeguard their operations and clients.
Cyber-crime complacency within firms and businesses is rife – and very risky.
In fact, according to a survey by Chartered Accountants Australia and New Zealand, two-thirds of financial professionals admit their organisation does not have a current remediation plan in place to combat cyber-security threats.
Simone Herbert-Lowe, the solicitor director of Law & Cyber, which provides advice on cyber-resilience, says too often cyber-security is not managed as a business risk and is just left to the IT department. “As managers, you want to take control,” she says.
Herbert-Lowe suggests five ways to play it safe.
1. Educate your staff and clients
More and more funds-transfer frauds are occurring in which a scammer sends a fake email impersonating an executive or a client in the hope of conning them into paying funds into the wrong bank account. Unfortunately, some staff members fail to spot the scam.
Cyber-risk typically involves criminal activity from scammers impersonating someone using email, hackers using malware to obtain access to systems and corporate secrets, or human error involving accidents or oversights. Herbert-Lowe says management needs to roll out targeted education programs that give employees the knowledge to rebuff risks.
“Firm owners and managers need to educate themselves and any staff, because it takes just one malicious email to infiltrate a whole company’s email.”
Herbert-Lowe recommends to also advise clients about cyber-safe practices, because they can be a weak link if they are lax. She adds that it makes sense to provide written warnings about cyber-safety strategies in emails or fee agreements.
2. Encrypt your passwords
Herbert-Lowe says generating sophisticated passwords and then using password managers to store them in an encrypted database avoids the need to remember multiple, complex passwords.
“If you use a password that’s been compromised on one website, there’s a fair chance that it will become available on the dark web and it can then be applied to your other accounts.”
She recommends thinking about using passphrases, a stronger form of defence than a regular password. Passphrases comprise a phrase or sentence that can be used instead of a word or a set of characters.
3. Avoid using public wi-fi
There is no excuse for sitting at McDonald’s, the airport or a hotel lobby using free wi-fi to send emails with sensitive financial details or corporate secrets, believes Herbert-Lowe.
Likewise, using personal email accounts while working from home can be dangerous, as they may not have the same levels of security as your work email and their terms and conditions could permit others to read your emails, potentially breaching duties of confidentiality.
4. Take out cyber-insurance
Apart from covering business losses, cyber-insurance comes with the benefit of access to specialist advisers who can help a business get back on its feet after a cyber-incident. If, for example, a financial advice firm or small business is the target of a ransomware attack, the insurer should be well placed to assist at the time of crisis.
“People who are absolute experts at dealing with ransomware attacks or other cyber-attacks will be guiding you on exactly what to do,” Herbert-Lowe says.
5. Manage your data back-ups wisely
Ransomware attacks involve scammers locking up computer systems unless a fee is paid.
Herbert-Lowe says ransomware attacks underline the importance of regularly checking back-ups, and segregating that information and data from live servers.
“If you do experience a ransomware attack, you don’t want your back-up compromised as well,” she says. “If you separate your backups from the live servers, you have a chance to more easily rebuild your systems.”
Likewise, it pays to have a cyber-plan in place if a worst-case scenario does occur in the form of a cyber-attack. She recommends your plan includes insurance policy details, bank account information, the phone number of your IT specialist and other such important information.
However, Herbert-Lowe issues a warning: “Don’t just keep this information on your computer, because if hackers strike and you can’t access your computer you won’t be able to access your crisis plan either.”