Cyber security tips for advice practices
The threat of a data breach, and the considerable costs involved, is becoming more and more of a concern for financial services businesses.
Listed consumer finance group Latitude fell victim to a data breach in March this year that has stripped almost $130 million from its annual cash profits, following a five-week freeze of all customer accounts while the breach was investigated.1
In the financial advice sector, a case involving major licensee RI Advice in 2022 found that the group had breached its licensing obligations by failing to effectively manage its cyber security risks. The case was brought by ASIC against RI Advice after a “significant number” of cyber incidents between 2014 and 2020, including one in which several thousand clients’ details were compromised. RI Advice had to engage a cyber security expert to revamp its security protocols and was ordered to pay $750,000 towards ASIC’s costs as a result of the case.2
Things are a little different in small practices, which often don’t have the resources to devote large amounts of funds to cyber security projects. Even so, there are some simple things that you, as a practice owner or manager, could consider putting on your list to stay on top of cyber security.
1. Identify your most at-risk assets
If you have a limited budget for cyber security, it’s important to prioritise both the systems that would have the most impact on your business if they were attacked, and those that are most vulnerable to attack.
As part of this assessment, you can take a look at where and how your data is stored and who has access to it. Get in contact with any vendors you work with, like cloud data storage providers, to get their help completing the assessment as well. Once you have an idea of which systems could be vulnerable, you can develop a strategy to protect this data as best you can, and a response plan for what to do if there is a breach.
2. Train your employees
Employees are a key vulnerability for businesses when it comes to cyber security, as phishing emails are becoming an increasingly common way for attackers to breach a business’s systems. In April 2023 alone, the Australian Competition and Consumer Commission received almost 7,500 reports of phishing scams which cost consumers more than $2.4 million.3
Consider putting your employees through some basic training on how to recognise phishing emails, which often look like they are coming from someone within your business.
3. Automatically update your operating system and software
Keeping your regular software up to date is as important as using appropriate anti-virus software, since software companies often add patches to the latest version of their apps to close security vulnerabilities. The easiest way to do this is to set your software and operating systems to auto-update on all staff computers after a set amount of time, rather than having to manually conduct an update.
4. Password protection
Passwords are another key vulnerability for a business, as employees can accidentally allow attackers access to servers by leaving work devices open or misplacing them in a public place.
Restricting access to your business’s systems as much as possible can help avoid this kind of mistake. You may want to ensure employee passwords follow strict guidelines – such as no common words and a combination of letters, numbers and special characters – and are backed up by authentication through another device. Another option is to require extra-strong passwords, and give your employees access to a password management system.
5. Restrict access
Alongside ensuring that employee access to your business’s IT systems is tightly controlled, you may want to consider which applications or permissions your staff really need within your IT structure. Make sure you have ‘administrator’ and ‘employee’ level accounts, with access to the most important data restricted to only crucial people within the business.
You can also look to keep a close eye on employee turnover and terminate access to your systems as soon as an employee leaves the business. WiFi is another way outsiders can gain access to your network, so make sure passwords are changed regularly and remote management is turned off.
6. Back up all files
Make sure all important files are backed up either offline or in the cloud, so that you will still have access to these if any of your systems are compromised.
7. Encryption
Encrypting work devices that contain sensitive information is an easy way to protect your data from attack. This can include devices like laptops, tablets and work phones, as well as anywhere else your business’s data may be stored, such as with your cloud storage provider. Don’t forget to also look at the encryption on your WiFi, to ensure information sent on your network is protected too.
1 Latitude data breach to slash cash profit by at least $128 million. Business News Australia, 26 May 2023
2 Media release: Court finds RI Advice failed to adequately manage cyber security risks. ASIC, 5 May 2022
3 Phishing. ACCC ScamWatch, April 2023
This information is for advisers only and is general in nature, it does not take into account your objectives, financial situation or needs. Before determining whether to apply for or hold the product(s) you should read the Product Disclosure Statement (PDS) and consider the appropriateness of the product(s) to your circumstances. A copy of the PDS can be obtained from 132 977 or on our website clearview.com.au/pds. If relevant, information about the Target Market Determination(s) for this product(s) is available at clearview.com.au/tmd. ClearView does not make any representation as to the accuracy of any referenced websites or articles, and to the extent permitted by law, does not accept any responsibility or liability for the content.