How to be cyber safe for financial planning firms
How to be cyber safe in 5 easy steps
The recent RI Advice Group case is a timely reminder of the importance of taking cyber security seriously.
You can read a full version of the judgment here. But here is a condensed summary.
The facts
ASIC took action against RI Advice – a dealer group – over various cyber security incidents that occurred among its network of firms.
These are the types of incidents that could have happened to anyone without a strong cyber security policy being in place and enforced.
Here are just a few of the alarming examples:
- A financial planner’s email account was hacked, and a fraudulent email was sent to their clients urging them to transfer funds; one client transferred $50,000 as a result.
- A practice’s server was hacked, and a file containing the personal information of some 220 clients was held for ransom.
- An unauthorised person used a practice employee’s email address to send phishing emails to over 150 clients and contacts.
Key failings
The Court found that the following failings contributed to these incidents:
- No up-to-date antivirus software installed and operating.
- No filtering or quarantining of emails.
- No backup systems in place, or backups not being performed.
- Poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places.
Practical tips
At Plutosoft, we take data security seriously and have the following practices in place to protect your data. There are measures you must take too.
- Passwords: We impose minimum password strength criteria using a combination of letters, characters, and symbols. Always ensure you use a strong password as this is one of your biggest vulnerabilities.
- Multi-factor authentication: Ensure multi-factor authentication is turned on and that all staff are required to use MFA. When using Plutosoft, you can switch on MFA in your practice settings. This is strongly recommended.
- Know where your data is hosted: All data stored or uploaded into Plutosoft is hosted on an Oracle Data Centre in Australia. For other applications you may be using, do some research into where the data is hosted. If data is hosted overseas, make sure you are satisfied that there are appropriate protocols in place.
- Back-ups: Plutosoft data is backed up onto parallel servers. If you are using your own file servers, make sure you back up your data regularly.
- Cyber policies: Make sure you have a firm cyber policy and ensure all staff are trained on it. In this age of remote working, do you know where your employees store their data? Working from home carries certain risks, such as employees saving sensitive client documents onto their local home computer rather than on your approved company network. Make sure staff are aware of the protocols.