Don't be the weakest link: good password management for financial advisers

4 mins read

Imagine you get a phone call one day from a client who tells you that someone has emptied out their super balance, siphoned off their bank savings and stolen their identity. The phone rings again, and you find your entire client list has been hit by a foreign hacker who cracked your practice’s passwords.

That’s the scenario that can await a financial adviser who doesn’t take password protection seriously enough, according to Midwinter Managing Director Julian Plummer, whose firm supplies software to practices.

“It could knock your clients out clean, and then it’d be game over within a week for your business,” he says.

“Situation dire”

Plummer says while in the past advice businesses were protected by tangible security measures – a locked front door, CCTV, perhaps an after-hours security guard, today their primary protection is their passwords. Study after study has found that weak or infrequently changed passwords are the weakest link in the security chain1, with global giant International Business Machines (IBM) attributing 82 per cent of data breaches to cracked or stolen passwords2.

“The situation is dire, that’s understating it,” he says.

“If it’s out of site it’s out of mind. It’s happening a lot.”

Advisers under threat

Plummer says financial advisers are among the most lucrative targets out there for criminal hackers because of the wealth of client information they keep on record.

“Financial planners are in the trenches when it comes to information security because they are the only profession to have medical and financial information, potentially legal information, estate planning and investment information plus superannuation information” he said.

“They are the motherlode.”

There is even a Ukrainian criminal syndicate that focuses solely on Australian self-managed superannuation advisers.

“That’s how specific they are with their targeting,” he says.

You shouldn’t be able to pronounce your password

Password security is a relatively easy thing to improve, but there are some things to keep in mind.

Plummer says your password should not be a word that can be found in the dictionary.

“If you can pronounce it, you don’t have a password.”

He also warns against reusing passwords – if every password is different, your other accounts will be protected in the event one is hacked.

Finally, he says, you should change your passwords regularly. If you’ve kept the same password for more than two years you are leaving yourself vulnerable to an attack.

What can you do?

Unless you have a photographic memory, chances are you won’t be able to remember a series of complex, regularly changing passwords. So what do you do? Plummer recommends using a password manager like Last Pass.

Password managers work as browser extensions on your computer or apps on your phone to create and store complex passwords. That way you don’t even have to know your own passwords, save for the master password to log into your password manager account. Good password managers, he says, come with the best available security protections and the company itself should ensure that even it can’t access your password. That way, even if the company is hacked, the attackers still won’t be able to find your passwords. If all that effort sounds a little paranoid to you, Plummer says you can never be too cautious. 

“Just because you’re paranoid doesn’t mean they aren’t out to get you,” he says.

Want to keep one step ahead? Sign up for our monthly enewsletter, full of insights and tips to help you in your day-to-day.

Important: This article has been prepared without taking account of the objectives, financial or taxation situation or needs of any particular individual. Before acting on the information, you should consider its appropriateness to your circumstances and if necessary, seek appropriate professional advice. Any information used in this article is for illustrative purposes only. Julian Plummer is not a member of the Commonwealth Bank of Australia Group of Companies (the Group) and the content or any view expressed by Julian Plummer does not represent an endorsement, recommendation, guarantee or advice in regard to any matter. CBA, nor members of the Group accept any liability for losses or damage arising from any reliance on external parties their products, services and material.