Protecting against cyber crime

Financial services is one of the most targeted industries for cybercrime attacks across the globe. Ifa speaks to experts on how advisers can protect themselves.

by Staff Writer
February 3, 2017
in News

As businesses that deal with troves of sensitive data via technological devices and digital platforms, it is no surprise that the financial services industry has long been a hot target for cyber criminals.

Financial services is the third most cyber-attacked industry in the world, according to the 2016 IBM X-Force Cyber Security Intelligence Index.

As financial advice businesses increasingly rely on technology to drive operational efficiency, cyber security is becoming a top priority for the industry. History has shown that damage from cyber breaches ranges far beyond ransom payments and data loss, through to client litigation and reputational damage.

However, there are ways for financial advisers to protect themselves, cyber experts say, and there are steps advisers can take to build a stable business environment in an increasingly complex technological landscape.

Causes for concern

Partner at KPMG Forensic Stan Gallo says there are numerous reasons why financial advice businesses make profitable targets for cyber criminals.

“Small to medium (SME) businesses like some financial advice practices will not have the same levels of security as their larger colleagues,” Mr Gallo says.

“Planners will have a raft of personally identifiable information (PII) and other sensitive data that is extremely valuable to a hacker. Identity theft is still a critical issue, and financial planning businesses provide a valuable source of internal company data and employee information.

“Businesses who are linked to a larger organisation are also hot targets because they are usually the weaker links and act as an avenue for hackers to target a bigger business.”

Founder and director of Threat Intelligence and prominent Australian IT security figure, Ty Miller, says the most common type of attack used to compromise a business is a spear phishing attack.

“Unlike a phishing email, which might spam millions of people with a fake email pretending to be from the CBA for example, spear phishing is specifically designed to break into one particular organisation using detailed communication like a personalised email subject line. These kinds of attacks are very common attacks that often target SME businesses,” he says.

“Untraceable bitcoin ransoms demanded by a hacker can range from anywhere between 10 – 50 bitcoins ($10,000 – $50,000).”

As an increasing number of financial advice businesses move operations over to the cloud, Mr Miller says, “The biggest assumption made by businesses is that the cloud is secure.”

“In reality, cloud providers operate on what is called a ‘shared responsibility model’. They will protect their own systems, but it is up to the individual businesses to secure their systems and data,” he says.

“A lot of organisations don’t realise this and they build all these systems in the cloud but won’t take into account any security or very minimal security.

“Obviously this opens up opportunities for attacks like web application hacking, which is also common today.”

“We’re moving into this era where everything is interconnected: your laptop, your phone, your watch, your camera, your car, your microwave and fridge. All of these things are often connected to the internet and have really terrible security in place. Hackers can now access all of those devices by breaking into just one of them,” Mr Miller says.

Distributed Denial of Service (DDoS) attacks are also extremely common in the banking and financial services sectors, according to the ACSC Cyber Security Report 2016.

“We’ve seen an increase in ransomware and extortion of companies as well as a rise in DDoS attacks – where hackers break into a device and gain access to a particular system and then flood an organisation with large amounts of traffic – effectively knocking them off the internet,” Mr Miller says.

There are typically four types of cyber threat actors, according to Mr Miller.

“You have your ‘script kiddies’ who are essentially a bunch of kids running around hacking into businesses for fun and trying to build a reputation with their friends,” he says.

“Then you have your ‘hacktivists’ who have an agenda, which might be to damage the reputation of a company.

“You then have organised cyber criminals who are trying to make a profit out of security breaches.

“The fourth category of cyber criminals are those that carry out state sponsored attacks – typically your government sponsored attacks.”

The consequences of cyber crime

With new disclosure laws working their way through Parliament, it’s only a matter of time before businesses will have a legal obligation to publicly report cyber breaches and face the costs of reputational damage, Mr Gallo says.

“In terms of cost, it’s not just the initial data loss and consequent remediation costs – there is a range of other flow-on costs,” he says.

“If it gets out, even for a small business, that your organisation is not secure, that’s going to have a significant impact.

“You also have things like regulatory and legal issues. If the data that was breached was personally identifiable information or sensitive information then you may have regulatory obligations to disclose.

“You also have the possibility of clients taking legal action against the business if sensitive data relating to them has been exposed – so businesses need to consider the broader consequences.”

Becoming a ‘cyber-wise adviser’

Mr Gallo says the issue of cyber security is at the top of most businesses’ risk agendas; however, there are problems turning knowledge about cyber security into action.

“A lot of organisations are still focused on cybercrime being an IT problem and it’s not,” he says.

“IT controls will help but they’re not infallible, and cyberattacks target end users so you need a security mindset culturally within the organisation – a human firewall.”

BDO national leader for cyber security Leon Fouche suggests that the first step for advice businesses is to carry out a risk assessment to understand the most valuable parts of a business and identify vulnerabilities.

“Then you need to do a proper assessment to determine how well the valuable areas are protected and what other protections you need to put in place,” he says.

“Because malware is deployed through phishing emails and infected websites – you need to conduct awareness training among your employees.

“Malware typically exploits outdated, unpatched software. Only 60 per cent of all organisations have proper patching in place, so if you have an outdated version of Windows or Adobe, you need to make sure your software is the latest version.

“Businesses dealing with third parties, like an email provider or cloud service, should request evidence that the external provider has tested their security and get a clear understanding of what risks are involved in that environment.”

“It might sound quite daunting for an organisation but due to the nature of our interconnected world, businesses can no longer ignore the fact that they’re going to be attacked,” Mr Fouche says.

According to Mr Miller, the costs for a risk assessment and receiving initial visibility on business cyber vulnerabilities can range between $10,000 and $20,000.

For advice businesses without that kind of budget, Mr Miller says the best place to start is with employees.

“The most common way that organisations are breached is through their employees,” he says.

“Make sure that you lock down your laptops and you have all your different security controls in place – whether it’s antivirus programs or whether you keep patching your systems regularly with updated software.”

“The next thing would be to make sure that anything exposed to the internet actually has security controls in place that will detect and prevent attacks proactively.

“Businesses can also implement network segmentation within their environment that acts to contain network security breaches so that if you do get breached, the breach does not spread throughout your whole organisation.”

“A really good place to start, no matter what size your business, is to have a look at the information that is made available by the federal government,” Mr Gallo suggests.

“The Australian Signals Directorate is free and they publish mitigation strategies to target cyber-attacks. According to the government website, if a business implements the top four strategies it will mitigate in excess of 80 per cent of common cyber attacks,” he says.

© 2025 All Rights Reserved. All content published on this site is the property of Prime Creative Media. Unauthorised reproduction is prohibited
