Ajay is the founder of StickmanCyber, a business that helps companies mitigate their cyber security risks. He was selected to join the 2020 NSW Government's Cyber Security Task Force & contributed to the 2021 NSW Government Cyber Security Strategy.
Despite recent reports of cyber attacks around the world, many businesses remain unaware of the growing threat of attacks from unknown sources. Cyber criminals don’t discriminate: it’s not just large corporations, governments and Silicon Valley startups that are targeted. All companies are at risk.
According to a report by IBM, cyberattacks are costly, with destructive or wiper-style attacks costing businesses an average of $US4.69 million and ransomware attacks an average of $US4.62 million. Even a malicious breach costs an average of $US4.24 million, up from $US3.86 million the previous year.
For small to medium-sized businesses, the effects of a cyberattack can be even more devastating. While these small-scale attacks may not make news headlines, the impact a cyber-breach has on the day-to-day running of a business, along with the fiscal impacts, can do irreparable damage.
It’s a financial planner’s job to not only protect their own data, but clients’ and customers’ sensitive information too. Here are some of the most common ways that cyber security can be breached, and what you can do to protect yourself and your customers.
Compromised business emails
Compromised business emails are a very common and persistent threat to organisations big or small. Busy, high-profile executives are targeted or impersonated within the organisation, often using a technique called typosquatting, where the scammer uses a lookalike name. Google.com might become Goog1e.com or Gooogle.com, in the hope that the victim will miss the spelling mistake and assume the email is legitimate.
Cyber criminals might send an email using a fake lookalike URL from the CEO to the actual legitimate email ID of the CFO asking for some funds to be transferred urgently to a specific bank account. The CFO trusts that the email is legitimate and performs the transfer.
Similarly, the attacker could also send an email impersonating a supplier using a fake email ID that is a lookalike of the supplier’s company to the accounts department of the victim, stating that they have a new bank account for the recent supply. Once the funds are transferred to that account, the hacker withdraws the cash and is almost impossible to trace.
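As an added illustration that is not part of the original article: a small Python check that flags a sender's domain as a lookalike of a trusted domain, using the digit-for-letter and doubled-letter substitutions described above plus a one-character edit distance. The trusted-domain list and the sample addresses are constructed for the example.

```python
import re

# Characters commonly swapped for letters in lookalike domains (e.g. Goog1e.com)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize(label: str) -> str:
    """Fold a domain label into a canonical form so lookalikes compare equal."""
    label = label.lower().translate(HOMOGLYPHS)
    # Two-letter sequences that visually imitate a single letter
    label = label.replace("rn", "m").replace("vv", "w")
    # Collapse repeated letters: both "google" and "gooogle" become "gogle"
    return re.sub(r"(.)\1+", r"\1", label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so that e.g. google.co vs google.com scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_sender(address: str, trusted_domains) -> str:
    """Classify a sender as 'trusted', 'lookalike of <domain>' or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted_domains:
        return "trusted"
    for trusted in trusted_domains:
        if normalize(domain) == normalize(trusted) or levenshtein(domain, trusted) <= 1:
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: the CFO's mail gateway knows which domains the CEO uses
    trusted = ["google.com"]
    for addr in ["ceo@google.com", "ceo@goog1e.com", "ceo@gooogle.com", "x@example.org"]:
        print(addr, "->", check_sender(addr, trusted))
```

A mail gateway or an add-in in the finance team's mail client can apply the same check to every payment request and hold any "lookalike" result for manual verification by phone.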
Tackling an attack
There are many ways to deal with such sophisticated attacks, using a combination of processes, people training and technology. There’s a need for constant training, awareness and process flows that help internal and external staff to spot any anomalies.
In finance, all types of fund transfer requests need to have more stringent processes with three or four levels of checks before payment is actually initiated. From a technology standpoint, there are many solutions that a business can implement including managed security monitoring, detection and response services, annual security penetration testing, multi-factor authentication and passwordless technologies.
It’s also important to get your passwords in order. Passwords should be rotated at the very least every 60 days, although every 30 days is even better. To make them even harder to guess, passwords should be at least eight to 10 characters long, have at least one number, one capital letter, and one special character, such as one of the following: ‘!@#$)’.
Multi-factor authentication (MFA) is the next step up from passwords. MFA adds an extra layer of security by using two or more pieces of evidence to log in to a single location. Some common examples of MFA include an SMS message, phone call, or authenticator app to verify a browser login. Other verification factors could include personal questions, a physical object such as a security token or bank card, or fingerprint, face, or iris scanning.
While management and finance teams are regularly tasked with protecting the business from all types of risk, the board is ultimately accountable. Company boards are just as responsible for a business’s cyber security as the finance department. Board members must look at cyber security through the lens of risk and exposure, and realise that they are responsible for the impact of any risk – including cyber.
In fact, the federal government is currently discussing new standards with industry that could see company directors being held personally responsible for cyberattacks. Making directors accountable and having better governance over their businesses is a welcome shift, but the real key is how and what the government is going to do in order to enforce these new regulations.
With financial planners so heavily reliant on IT systems to do their highly sensitive work, it is no longer sufficient to simply install a firewall and hope for the best. A more holistic approach is required, with a combination of people, processes and technology all working together to minimise the ever-present risk of an attack.
Prevention is the best cure, and this is certainly true in the world of cyber security. By protecting your business in advance, you’ll be far better placed to ensure your data stays secure if an attack does happen.