Staying cyber safe: essential steps for advisers
In recent years Australia, like many countries, has seen a marked increase in cyber attacks targeting individuals and organisations alike.
Advisers, who hold sensitive financial information about their clients, are particularly attractive targets for these attacks.
Protecting client data and maintaining the integrity of your systems is not only a regulatory obligation but also fundamental to sustaining client trust.
This article outlines essential cyber hygiene practices that can significantly reduce the risk of a cyber incident and make for a safer working environment for Advisers and their practices. It also points to more comprehensive resources for those looking to proactively improve their cyber security resilience.
While there are several steps that can be taken to enhance cyber security, the Australian Cyber Security Centre (ACSC) and the Australian Government highlight the following as the most important:
Patching for protection
One important step in maintaining cyber security is ensuring that all devices are updated promptly when patches are released: laptops and desktop computers, servers and networking equipment, office security devices (such as cameras and alarm controllers), and mobile phones and tablets.
Software updates often contain security fixes for newly discovered vulnerabilities, and attackers routinely scan for systems that are still running the unpatched version once a fix is public.
Delaying updates therefore leaves systems exposed to threats that the vendor has already removed. Adopt a proactive approach: turn on automatic updates wherever the device or software supports them, regularly check for updates that must be applied by hand, and prioritise patches for vulnerabilities that are known to be actively exploited.
Multi-factor authentication: adding an extra lock
Another important practice is implementing multi-factor authentication (MFA) wherever it is available.
MFA adds an additional layer of security by requiring not just a password but also a second form of verification, such as a code from an authenticator application, a physical security key, or a code sent to a mobile device by SMS. Authenticator apps and security keys are preferred: SMS codes can be captured through SIM swapping, and one-time codes of any kind can be relayed by a phishing site in real time, so phishing-resistant methods such as security keys give the strongest protection.
Even so, any form of MFA significantly reduces the likelihood of unauthorised access if a password is compromised.
MFA is encouraged for every environment where staff work remotely (e.g. from home), for VPN access, and for all users who remotely perform privileged actions or remotely access sensitive data repositories.
A VPN creates an encrypted tunnel between the user's device and the company's network, protecting data from interception by unauthorised parties. With a VPN in place, remote access to internal resources remains protected even when employees connect over potentially untrusted networks such as hotel, airport or café Wi-Fi.
Requiring MFA on the VPN itself further strengthens this, because a stolen VPN password alone is then not enough to reach your critical systems and data.
Following industry best practice in password management is crucial. Passwords should be unique for each account, long and complex enough to resist brute-force attacks, and not easily guessable: avoid common words or phrases, personal information (names, birthdays, pet names) and sequential or keyboard patterns such as "1234" or "qwerty". A strong password is long first and varied second; a mix of upper- and lower-case letters, numbers and symbols helps, but length matters more. Passwords should never be shared with others or stored in plain text (in a spreadsheet, a note on the phone, or an email draft). Enable MFA wherever it is available, and change a password promptly whenever it may have been exposed, for example after a security incident or a data breach at the service concerned; routine forced rotation is no longer recommended because it pushes people towards predictable variations of the same password.
A reputable password manager such as Proton Pass, Dashlane or 1Password will generate, store and fill long random passwords across all of your devices, which removes the temptation to reuse the same password on different accounts. Protect the manager itself with a strong, memorable passphrase and MFA.
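The rules above can be checked mechanically. The following is an added example (not code from the original article or any password manager) of a small policy checker that looks for the weaknesses just listed, estimates how long an offline guessing attack would take, and generates a replacement with the operating system's cryptographic random source. The 14-character minimum, 60-bit entropy floor, the tiny deny-list and the guess rate of 10^10 per second are this example's own assumptions; a real deployment would check against a breached-password corpus instead.

```python
import math
import secrets
import string

# Constructed, deliberately tiny deny-list; a real checker would use a breached-password corpus.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "iloveyou", "admin")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
PUNCTUATION = string.punctuation  # the 32 printable ASCII symbols
MIN_LENGTH = 14   # assumed policy minimum
MIN_BITS = 60     # assumed entropy floor


def has_pattern(pw: str, run: int = 4) -> bool:
    """True if the password contains an ascending/descending run (abcd, 4321)
    or a keyboard walk (qwer, mnbv) of at least `run` characters."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def charset_size(pw: str) -> int:
    """Size of the alphabet the password appears to be drawn from (ASCII classes only)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in PUNCTUATION for c in pw):
        size += len(PUNCTUATION)
    return size or 1


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing entropy: assumes every character was chosen uniformly from the
    classes present. Passwords built from words are far weaker than this figure suggests,
    which is why assess() also looks for structure."""
    return len(pw) * math.log2(charset_size(pw))


def years_to_crack(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected time for an offline attack that tries half the keyspace at the given rate."""
    return 2 ** entropy_bits(pw) / 2 / guesses_per_second / (365 * 24 * 3600)


def assess(pw: str, personal=(), vault=()) -> list:
    """Return the policy problems with a candidate password; an empty list means it passes.
    `personal` is a list of the user's own details, `vault` the passwords already in use."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a common word")
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    if has_pattern(pw):
        problems.append("contains a sequential or keyboard pattern")
    if pw in vault:
        problems.append("already used for another account")
    if entropy_bits(pw) < MIN_BITS:
        problems.append("too little entropy")
    return problems


def generate(length: int = 20) -> str:
    """Random password from the OS CSPRNG (the `secrets` module), retried until it passes assess()."""
    alphabet = string.ascii_letters + string.digits + PUNCTUATION
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not assess(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("Password1234", "Summer2024!", generate()):
        print(f"{pw!r}: {assess(pw) or 'ok'}, ~{years_to_crack(pw):.1e} years to brute-force")
```

The "years to crack" figure is only meaningful for genuinely random passwords; a human-chosen password that passes the entropy test can still fall to a dictionary attack in seconds, which is exactly why the article recommends letting a password manager generate them.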
Empowering staff: building a cyber-savvy team
Staff education is paramount in establishing a robust cyber security posture. Phishing, whether delivered by email, SMS ("smishing") or phone, remains the primary way criminals gain a foothold in company systems.
These messages impersonate a bank, a platform provider, a regulator or a colleague and use urgency and fear to trick the recipient into disclosing credentials, approving an MFA prompt, paying a fraudulent invoice or installing malware. Common tell-tale signs are a sender address that does not match the organisation it claims to be from, a link whose visible text differs from where it actually points, a reply address on a different domain, and demands for immediate action.
Regular cyber security awareness training is essential to equip employees with the knowledge and skills to recognise suspected phishing and, just as importantly, to report it quickly so that others in the practice can be warned.
By fostering a culture of vigilance, in which reporting a suspicious message is welcomed rather than penalised, you can significantly reduce the risk of a successful attack.
Make sure your staff know the basics of staying cyber safe; the Australian Signals Directorate (ASD) provides a concise starting point here:
https://www.cyber.gov.au/learn-basics
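The signs listed above (sender domain impersonating a known institution, a Reply-To on a different domain, link text that disagrees with the link target, and pressure language) can be checked automatically before a message reaches a human. The following is an added example, not code from the original article, ASD or any mail vendor, that runs such checks over two constructed messages: one phishing lure and one legitimate notification. The trusted-domain list, the pressure phrases, the "at most two characters different" rule for lookalike domains and the two sample emails are all assumptions made up for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list standing in for the practice's own domain and the institutions it deals with.
TRUSTED_DOMAINS = {"examplebank.com.au", "examplewealth.com.au"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
LABEL_DOMAIN = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed phishing lure: brand in the display name, lookalike sender domain, foreign Reply-To,
# link text showing the real bank while the href goes elsewhere, and pressure language.
SAMPLE_PHISH = """From: "ExampleBank Support" <alerts@examplebank-secure.com>
Reply-To: recovery@mail-relay.example.net
To: adviser@examplewealth.com.au
Subject: Urgent: your account has been suspended
Content-Type: text/html; charset="utf-8"

<p>Your account has been suspended. Verify your account within 24 hours:</p>
<a href="http://login.examplebank.com.au.account-verify.net/">https://www.examplebank.com.au/login</a>
"""

# Constructed legitimate notification from a genuine subdomain of a trusted institution.
SAMPLE_BENIGN = """From: "ExampleBank" <alerts@notify.examplebank.com.au>
To: adviser@examplewealth.com.au
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is available in the mobile app. No action is required.
"""


def is_trusted(domain: str) -> bool:
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str) -> bool:
    """True if an untrusted domain imitates a trusted one: contains its brand token,
    is within two edits of it, or is an internationalised (punycode) domain."""
    if not domain or is_trusted(domain):
        return False
    if domain.startswith("xn--") or ".xn--" in domain:
        return True
    return any(t.split(".")[0] in domain or edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def domain_of(addr: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_hdr = str(msg["From"] or "")
    from_dom = domain_of(from_hdr)
    display = from_hdr.split("<")[0].lower().replace(" ", "")
    if looks_alike(from_dom):
        flags.append(f"sender domain {from_dom} imitates a trusted domain")
    if not is_trusted(from_dom) and any(t.split(".")[0] in display for t in TRUSTED_DOMAINS):
        flags.append(f"display name claims a trusted brand but sender is {from_dom}")
    reply_dom = domain_of(str(msg["Reply-To"] or ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(content)
    for href, label in collector.links:
        href_dom = (urlparse(href).hostname or "").lower()
        m = LABEL_DOMAIN.search(label)
        if m and m.group(1).lower() != href_dom:
            flags.append(f"link text shows {m.group(1).lower()} but points to {href_dom}")
        if looks_alike(href_dom):
            flags.append(f"link target {href_dom} imitates a trusted domain")
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyse(sample) or "no indicators")
```

None of these checks is conclusive on its own: legitimate marketing mail is sent from third-party domains and uses urgency too, so in practice such a scanner adds a warning banner or a score rather than blocking outright, and staff still need the training to make the final call.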
Building a robust defence: the essential 8
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), is the Australian Government's lead authority on cyber security. Its resources provide invaluable guidance for protecting sensitive data.
These resources are essential for staying informed about evolving threats and mitigation strategies, but reading them is not enough; a comprehensive cyber security posture requires putting the recommended controls in place before an incident, not after.
The ACSC's "Essential Eight" is the cornerstone of that effort. This widely adopted baseline sets out eight mitigation strategies that address the most common ways businesses and organisations are compromised: application control (application whitelisting), patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.
The "Essential Eight" is designed to be adaptable and scalable: each strategy is defined at several maturity levels, so advice practices of all sizes can choose a target level that matches their risk profile and build up to it over time. This makes for a cost-effective, staged approach rather than an all-or-nothing project.
Further Guidance:
For a deep dive into the "Essential 8" and its implementation, we recommend visiting the ACSC's dedicated webpage:
https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-explained
Additional Guidance & Information
Stay informed about the latest threats and best practices by drawing on resources from:
• Australian Cyber Security Centre (ACSC):
https://www.cyber.gov.au/
Provides threat alerts, advisories, and best practices, and offers guidance on protecting sensitive information.
• New Zealand's National Cyber Security Centre (NCSC):
https://www.ncsc.govt.nz/resources
Offers advice tailored to the New Zealand context.
Cyber security is an ongoing journey, not a one-time destination. By adopting these essential practices and staying informed through the resources above, you can significantly strengthen your cyber security posture and protect your clients' sensitive information, and your own.