Cyber-crime complacency within firms and businesses is rife – and very risky.
In fact, according to a survey by Chartered Accountants Australia and New Zealand, two-thirds of financial professionals admit their organisation does not have a current remediation plan in place to combat cyber-security threats1.
Simone Herbert-Lowe, the solicitor director of Law & Cyber, which provides advice on cyber-resilience, says too often cyber-security is not managed as a business risk and is just left to the IT department. “As managers, you want to take control,” she says.
Herbert-Lowe suggests five ways to play it safe.
1. Educate your staff and clients
More and more funds-transfer frauds are occurring in which a scammer sends a fake email impersonating an executive or a client in the hope of conning them into paying funds into the wrong bank account. Unfortunately, some staff members fail to spot the scam.
Cyber-risk typically involves criminal activity from scammers impersonating someone using email, hackers using malware to obtain access to systems and corporate secrets, or human error involving accidents or oversights. Herbert-Lowe says management needs to roll out targeted education programs that give employees the knowledge to rebuff risks.
“Firm owners and managers need to educate themselves and any staff, because it takes just one malicious email to infiltrate a whole company’s email.”
Herbert-Lowe recommends to also advise clients about cyber-safe practices, because they can be a weak link if they are lax. She adds that it makes sense to provide written warnings about cyber-safety strategies in emails or fee agreements.
2. Encrypt your passwords
Herbert-Lowe says generating sophisticated passwords and then using password managers to store them in an encrypted database avoids the need to remember multiple, complex passwords.
“If you use a password that’s been compromised on one website, there’s a fair chance that it will become available on the dark web and it can then be applied to your other accounts.”
She recommends thinking about using passphrases, a stronger form of defence than a regular password. Passphrases comprise a phrase or sentence that can be used instead of a word or a set of characters.
3. Avoid using public wi-fi
There is no excuse for sitting at McDonald’s, the airport or a hotel lobby using free wi-fi to send emails with sensitive financial details or corporate secrets, believes Herbert-Lowe.
Likewise, using personal email accounts while working from home can be dangerous, as they may not have the same levels of security as your work email and their terms and conditions could permit others to read your emails, potentially breaching duties of confidentiality.
4. Take out cyber-insurance
Apart from covering business losses, cyber-insurance comes with the benefit of access to specialist advisers who can help a business get back on its feet after a cyber-incident. If, for example, a financial advice firm or small business is the target of a ransomware attack, the insurer should be well placed to assist at the time of crisis.
“People who are absolute experts at dealing with ransomware attacks or other cyber-attacks will be guiding you on exactly what to do,” Herbert-Lowe says.
5. Manage your data back-ups wisely
Ransomware attacks involve scammers locking up computer systems unless a fee is paid.
Herbert-Lowe says ransomware attacks underline the importance of regularly checking back-ups, and segregating that information and data from live servers.
“If you do experience a ransomware attack, you don’t want your back-up compromised as well,” she says. “If you separate your backups from the live servers, you have a chance to more easily rebuild your systems.”
Likewise, it pays to have a cyber-plan in place if a worst-case scenario does occur in the form of a cyber-attack. She recommends your plan includes insurance policy details, bank account information, the phone number of your IT specialist and other such important information.
However, Herbert-Lowe issues a warning: “Don’t just keep this information on your computer, because if hackers strike and you can’t access your computer you won’t be able to access your crisis plan either.”
Sign up for our monthly enewsletter, full of insights and tips to help you in your day-to-day.
Important: This article has been prepared without taking account of the objectives, financial or taxation situation or needs of any particular individual. Before acting on the information, you should consider its appropriateness to your circumstances and if necessary, seek appropriate professional advice. Any information used in this article is for illustrative purposes only. Simone Herbert-Lowe is external and not a member of the Commonwealth Bank of Australia Group of Companies (the Group) and the content or any view expressed by Simone Herbert-Lowe does not represent an endorsement, recommendation, guarantee or advice in regard to any matter. CBA, nor members of the Group accept any liability for losses or damage arising from any reliance on external parties, their products, services and material. Past performance is no guarantee of future performance.
1 The Association of Chartered Certified Accountants. Cyber & the CFO (May 2019), p20.