Whatever the size or type of your business, being cyber aware is vital for every organisation. In fact, 65% of Australian businesses were interrupted by a breach last year, and 89% said they have had breaches go undetected (Telstra Cyber Security Report 2019).
For financial services organisations, where trust is an essential component of advice, it’s crucial to have the right protections, systems and processes in place to protect client data from possible breaches. Centrepoint Alliance’s head of Licensee Standards, Nicole Alexander, and head of Technology Services, Chris Holland, share their insights into what businesses should do to ensure they have the right systems and processes in place.
What does the current threat landscape look like?
Chris: It’s no surprise that cybercriminals across the globe are using COVID-19 to target employees working from home. A recent McAfee Threat Report found an increase in malware threats during the first quarter of 2020, with the finance and insurance industry in the top 10 of targeted industry sectors.
The Office of the Australian Information Commissioner reported that in the January to June 2020 period, the finance sector reported 75 notifiable data breaches, making up around 14% of the total notifiable data breaches reported during this period. Of the malicious or criminal attacks across all breaches, 69% were from cyber incidents, of which 36% were from phishing, the leading source of malicious attacks.
Nicole: The purpose of phishing is usually to obtain sensitive information. And for financial advice firms, a cyber-attack can seriously damage your business and your reputation. That’s why it’s important to have a robust policy in place that helps you to improve your defences and prevent phishing attacks from succeeding, and to make sure that you and your employees know what to do should a breach occur.
What are some of the things you should be doing to become more cyber resilient?
Nicole: Cyber-attacks often rely on people to work. The easiest way to access a system is through people, rather than finding ways through security measures. Businesses should ensure their staff are trained on cyber threats and how to prevent them, including how to identify and avoid phishing emails. It’s important to reinforce that everyone needs to be vigilant, especially when working with client data. There are a lot of companies who can provide security awareness courses. The best first step is to talk to your information technology provider about what resources they have available. There are also technical measures businesses can and should put in place to reduce the risk of malicious attacks.
Chris: Yes, from a technical standpoint, there are a few things that you can do straight away:
- Ensure you are using email and web content filtering
  - The number one protection is a spam filter to prevent phishing and other malicious emails reaching employees’ inboxes. First turn on your spam filter in Outlook, and look into an SMTP gateway to stop these malicious emails from getting to your inbox in the first place.
  - Additionally, a web filter will block employees from visiting known phishing sites when they click links in emails or from general web browsing. Options to improve your email and web content filtering include Mimecast or OpenDNS.
- Update software
  - Ensure you are running up-to-date operating systems: Windows 10, or the most up-to-date macOS for Apple users. Set your operating system and security software to update automatically. Updates may contain important security fixes for recent viruses and attacks.
  - Use the newest version of Microsoft Office (e.g. Office 365), which has enhanced security features. Update to the latest versions and apply patches promptly.
  - Reduce the risk of malicious attack by disabling macros and blocking the activation of Flash content in Microsoft Office and internet browsers.
- Protect passwords. There are several ways to protect passwords and make it difficult for a criminal to access accounts using stolen credentials.
  - Use strong passwords and consider using a well-respected password manager such as 1Password or LastPass.
  - Use multi-factor authentication, which requires the use of other factors in addition to a password to gain access.
  - Keep administrative user access separate from standard user access. Limit access to administrative privileges and never use an account with administrative privileges for browsing the internet or reading emails.
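The macro, Flash and administrative-account points above are things an IT provider can check and enforce on a Windows 10 workstation rather than rely on each user to remember. The script below is an added example written for this article, not code from Centrepoint Alliance or from the interviewees. It assumes Office 2016/2019/365 (which share the `16.0` policy registry path), uses the documented Office policy values `VBAWarnings` (4 = disable all macros without notification) and `blockcontentexecutionfrominternet` (1 = block macros in files downloaded from the internet), and blocks Flash in Office by setting the COM kill bit (`Compatibility Flags` = 0x400) for the Shockwave Flash ActiveX CLSID. The application list and the `-Enforce` switch are this example’s own choices.

```powershell
# Added example (not from the interview): audit and, with -Enforce, apply the
# Office hardening settings discussed above on one Windows 10 workstation.
# Assumption: Office 2016/2019/365, whose policy keys live under version "16.0".
# The HKLM kill-bit write needs an elevated session; the macro policy keys are per user (HKCU).
[CmdletBinding()]
param([switch]$Enforce)

$OfficeVersion = '16.0'                         # assumption: shared by Office 2016/2019/365
$Apps = 'Word', 'Excel', 'PowerPoint'           # example's own choice of applications to cover

# VBAWarnings is the "VBA Macro Notification Settings" policy:
#   1 = enable all, 2 = disable with notification (Office default),
#   3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet = 1 is "Block macros from running in Office files from the Internet".
$Desired = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1
}

function Get-MacroPolicy {
    # One row per application and setting, with the current value and whether it matches policy.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $current = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($name in $Desired.Keys) {
            $value = if ($current) { $current.$name } else { $null }
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Current   = $value
                Desired   = $Desired[$name]
                Compliant = ($value -eq $Desired[$name])
            }
        }
    }
}

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $Desired[$name] -Type DWord
        }
    }
}

# Office embeds Flash through the Shockwave Flash ActiveX control. Setting the COM
# kill bit (Compatibility Flags = 0x400) for its CLSID stops Office activating it.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$FlashClsid"

function Test-FlashBlocked {
    (Test-Path $KillBitKey) -and
    (((Get-ItemProperty -Path $KillBitKey).'Compatibility Flags' -band 0x400) -ne 0)
}

function Set-FlashBlocked {
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

# Least-privilege check from the same list: is this session running with administrative rights?
function Test-RunningAsAdmin {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

if ($Enforce) {
    Set-MacroPolicy
    Set-FlashBlocked
}

Get-MacroPolicy | Format-Table -AutoSize
"Flash ActiveX kill bit set for Office: $(Test-FlashBlocked)"
if (Test-RunningAsAdmin) {
    Write-Warning 'This session has administrative rights; do not browse the web or read email from it.'
}
```

Run it without arguments first to see which settings are missing, then with `-Enforce` from an elevated session to apply them; in a managed environment the same values would normally be delivered by Group Policy rather than a script, and the audit output is still a useful check that the policy has actually landed on each machine.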
Where can people get more information?
Nicole: You can get guides and information about cybercrime and protecting online information from the Australian government. You should also speak with your IT service provider about how they can help you review your current policies and systems to ensure that you have the frameworks in place to be more cyber resilient.