Australia is said to be the fifth most hacked country in the world, with the ACCC estimating $3.1 billion was lost to scams in 2022 alone. But what can brokers do to protect their businesses? In this feature, sponsored by cyber security specialist DotSec, we take a look at best practice for protecting your business and your clients.
Sponsored by DotSec
What is your company worth? For many brokers, the value of their business comes down to the size of their trail. But, really, the true value of a business is the data within it. A broker’s business is a goldmine of information, including not only high-value information like identification document numbers, but also bank details, addresses and a huge range of personal information. Despite this, few brokers consider the value of their data – or more to the point, the cost of not having it.
Speaking to The Adviser, Dr Tim Redhead, director of cyber security company DotSec, explains that trying to come back from an attack is incredibly costly, meaning prevention is better than trying to find a cure.
According to Dr Redhead: “Getting into the position where you have to decide whether or not you’re going to pay a ransom or take action means it is already too late. The horse has bolted. You want to avoid this happening in the first place.”
There are a range of legal requirements in place that require financial services businesses to protect their data. APRA-regulated entities have to follow the information security regulation Prudential Standard CPS 234; there are strict APRA reporting requirements around suspected breaches; and ASIC expects businesses to resource for technology and ensure their risk management framework adequately addresses cyber security risk. There are a range of requirements around Australian privacy legislation, too.
So, where do you start? He says you first need to know that you are “protecting your assets to a level which is commensurate with the asset’s value.”
He explains: “The three key things that are of value in a business are usually, in order, the business, the people that work in the business, and the data for which the business is responsible. If a computer is damaged, we tend to know the cost of replacing it and the cost of downtime. But fewer people consider the cost to the business of losing the data that is stolen or destroyed during a compromise.”
Moreover, he says businesses sometimes spend more money than they need to because they’ve not determined the value of their assets and spent more on security than those assets were worth, or find that their business has come to a complete standstill because an asset that had not been correctly valued had then been damaged or misused as part of a compromise.
As such, he says that the first thing business owners need to do is create an asset register – all the things associated with the organisation and how it works – and then undertake a risk assessment and consider all the things that could go wrong and the consequences if they did go wrong.
“A successful cyber security outcome is more likely if the organisation first works to understand risk and then mitigate that risk using people, processes and (where needed) technology,” the cyber protection specialist says.
“It doesn’t have to be terribly complex. There are basic risk assessment templates available online for free that can help you assess the likelihood of something going wrong.”
For example, if you were locked out of your CRM system, how would your business manage and how long could it manage for? If you needed to go about telling clients that you had been breached and information was compromised, would you even be able to contact them if you couldn’t access your system? Do you have a secure backup? How well protected is that, and how frequently has it been tested?
According to Dr Redhead, with many businesses embracing remote-access working during the pandemic or enabling external systems to tap into their systems using APIs, the opportunity for attackers to access systems via these cloud-service providers or third-party services has increased.
Dr Redhead explains: “We’ve seen one business that was ransomwared and was therefore unable to access their systems. The initial plan was to recover from backups, but as it turned out, the backups had been ransomwared as well, so independent recovery was no longer an option and it was necessary to pay up. Or shut the doors.”
“Often a system might have been compromised years ago. An attacker may have gained access to a laptop via a phishing email and then run malware from that. Over time, they can make their way through the whole system and connections. You might not even know they are there. They can sit dormant on a system for a long time, only springing into action when the right triggers are met for a specific rule they’ve set up.
“That could be an email using the keywords ‘payment’ or ‘deposit’. If they’ve been monitoring your emails, they could immediately intercept and send another email asking for payment to be sent to a different account – thereby stealing the customer’s home deposit.”
He warned that many businesses can also be stung by not complying with their cyber obligations and therefore voiding their insurance coverage. As such, he recommends brokers take the time to understand what the conditions of their insurance are and what they need to be doing to keep it valid.
Undertaking frequent revisions of cyber security and following a framework to ensure systems and applications are patched and maintained in a timely manner is extremely important. Software companies are always pushing out patches and bug fixes but if they are not promply applied, the business remains vulnerable. Anything online should be protected by two-factor or multi-factor authentication (whereby you are required to authenticate with something else such as an authenticator app or SMS prompt in addition to your password).
“People don’t like multi-factor authentication because it’s not convenient. But if even Facebook requires it now, you should probably have it on anything you value more than your Facebook account. Definitely on your bank account, your email account, your business systems.”
“Every reputable online service will have it and you should turn it on and use it without exception. Because where there is an exception, there’s a risk that you’re not managing.”
“Security fails when it’s focused on a single product or mechanism. It works if you take into account all the risks that you have identified and then act in a holistic way to either avoid, transfer, manage or accept those risks. And you only accept risks if you’re confident that the likelihood and/or consequences of those risks can be absorbed by the business. You need to Plan, Do, Act, and Check.
“There are several actions you can take that are not expensive but will quickly elevate you from the low-hanging fruit to further up the tree. Check out guidelines like the ASD Essential 8 and you’ll see that if you’re implementing application whitelisting and secure macro settings, have up-to-date antivirus and software patches, using multi-factor authentication on everything and using a password manager, you’re making yourself a much more tough nut to crack. You’re a much less attractive target and you’re much more likely to resist an attack should one unfortunately take place.”
For businesses undertaking a cyber risk assessment or remedying an attack, they can seek the support of a cyber specialist like DotSec.
TOP TIPS FOR PROTECTING YOUR BUSINESS
- Create an asset register so you know what your business needs to protect.
- Implement a risk management program where you formally identify, prioritise, treat and review your risks on a regular (quarterly, for example) basis.
- Implement application controls and secure Microsoft Office macro settings.
- Update all software when prompted
- Use multi-factor authentication for anything that is online
- Do not repeat passwords or use admin passwords unless necessary
- Use a password manager and do not write them down or keep them online, but make sure the password manager backups are working and tested!
- Check and test that backups work and are free from malware
- Audit third parties that have access to your business and ensure cyber protections are in place for any third parties involved in the business (even IT or security services) and that there is a responsibility matrix and accountability for any failures.
JOIN THE DISCUSSION