The recent £16.3m fine handed out by the FCA to Tesco Bank for failing to adequately protect customers from cyber-crime adds to the constant concern across the industry and among consumers about the safety of client data. Fraudsters claimed over £2.2m worth of transactions over a 48-hour period because Tesco Bank failed to exercise due skill, care and diligence. Interestingly, the crime was described as ‘largely avoidable’, so how can financial advisers ensure that they don’t open their businesses to similar risks?
We spotted a recent article by Linda Preston-Todd, Head of Bespoke Solutions at Bankhall about the topic and thought that we would share her thoughts:
Personal data held by financial advisers about their clients is valuable to criminals intent on identity theft. This data can range from information in passports and utility bills to payslips and bank statements.
Given the daily reports of cyber-attacks, it’s not surprising that cyber security was highlighted by the FCA as a priority area in its 2018/19 Business Plan. The regulator wants firms to become more resilient to cyber-attacks in order to ensure that customers’ interests are protected. Furthermore, introduction of the new General Data Protection Regulation (GDPR) has raised the stakes further and means that any failures could result in heavy fines and penalties.
There are various types of cyber-crime, with some of the most common being:
Phishing. Involves an attempt to acquire sensitive information such as usernames, passwords and credit card details for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. There are many different types of phishing, but typically this involves an email posing as something innocent, such as a bank asking a customer to update their password. It will contain a link to what looks like the bank’s internet banking page, but it will be a fake page set up by the criminals to capture the login details.
Ransomware / Extortion. Involves the criminal infecting a person’s computer without their knowledge and withholding the information on it, generally by encrypting the data. The criminal will only decrypt it once a payment has been made, if at all.
Data theft / Credential Hijacking. These types of crimes usually use Trojan software, which enters the computer from an untrustworthy source and waits silently until certain sites are opened. The software then captures usernames and passwords and sends them over the internet to the criminals, who use them fraudulently.
Identity Theft. This involves searching for personal details online and increasingly includes harvesting information from social media. Criminals then use the person’s details to set up loans and bank accounts to siphon money or buy goods online, resulting in major financial losses that can also affect the victim’s future credit history.
Regardless of the size of business, the principles around cyber security remain the same. Here are some simple tips to help protect your clients’ data and your business reputation:
1. Make sure that every individual in the business understands what is at stake. Suspicious e-mails with unexpected attachments or links should not be responded to, and no links should be clicked or documents opened from such an email. Where possible, search the internet for a contact number for the purported sender and check the validity of the message. If you’re unable to verify the sender, then simply delete it;
2. Make sure macros are disabled for all installations of Microsoft Office (in new versions they are disabled by default);
3. Make sure all your computers’ operating systems (Windows 7 etc.) are kept up-to-date with the latest security patches and ensure auto-update is enabled within the computer’s settings. Malware often takes advantage of known software vulnerabilities to break into systems;
4. Make sure that you have internet security / anti-virus software installed and that it is up-to-date and set to automatically update and run continually, checking files as you open them;
5. Keep business and personal activities separate and do not use your work device for personal use even with a different login;
6. Wherever possible do not use computer administrator accounts for day-to-day activity. This will reduce the risk of accidental infections, as malware generally needs administrator privileges to install its files on a computer;
7. Make sure your data, particularly where it is needed for audit purposes, is securely backed up. Do not forget that cloud accounts can be accessed and encrypted too, so use a business cloud account rather than a personal one, and especially avoid free-of-charge accounts, as their security is likely to be minimal, if present at all;
8. Use a business-focussed e-mail service from a reputable supplier who can help filter malware before it reaches you or your employees. For example, Google for Business or Microsoft Office 365.
9. Change your passwords regularly. A password should be a minimum of 8 characters using a mix of symbols, numbers, and upper and lower case letters, and should be unique to every site you use. Try to avoid the temptation to use the same password for each site. Keep your passwords personal and secure – no one should ever ask you for your password. If they do, then terminate the call or discussion and report it immediately.
10. Be careful what you post online – don’t give a stranger all the details needed to guess your password or change it using your security questions.
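Tip 2 above is the one most easily checked on every machine. The script below is an added example (not from the original article or from Bankhall) that audits the macro setting of the current user's Word, Excel and PowerPoint installations. It assumes Office 2016/2019/365, which store settings under the registry version key 16.0, and reads the documented VBAWarnings value (4 = disable all macros without notification, 3 = disable all except digitally signed, 2 = disable with notification, which is Office's default, 1 = enable all).

```powershell
# Added example: audit Office macro settings for the current user.
# Assumes Office 2016/2019/365 (registry version key 16.0).
$apps       = 'Word', 'Excel', 'PowerPoint'
$userBase   = 'HKCU:\Software\Microsoft\Office\16.0'
$policyBase = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-MacroSetting {
    param([string]$App)
    # A Group Policy value, when present, overrides the user's own preference,
    # so the Policies hive is consulted first.
    foreach ($base in @($policyBase, $userBase)) {
        $key  = Join-Path $base "$App\Security"
        $item = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ App = $App; Source = $base; VBAWarnings = $item.VBAWarnings }
        }
    }
    # No value stored: Office applies its default of 2 (disable with notification).
    return [pscustomobject]@{ App = $App; Source = 'default'; VBAWarnings = 2 }
}

$results = foreach ($app in $apps) {
    $s = Get-MacroSetting -App $app
    # "Disabled" here means users cannot enable macros at all (value 4).
    # Value 3 (signed macros only) is reported separately so it can be reviewed.
    $state = switch ($s.VBAWarnings) {
        4       { 'Disabled' }
        3       { 'SignedOnly' }
        2       { 'DisabledWithPrompt' }
        1       { 'EnabledAll' }
        default { 'Unknown' }
    }
    $s | Add-Member -NotePropertyName State -NotePropertyValue $state -PassThru
}

$results | Format-Table App, Source, VBAWarnings, State -AutoSize
```

A result of DisabledWithPrompt still lets a user enable macros with one click on a phishing attachment, so a firm following tip 2 would look for Disabled (or at least SignedOnly) on every machine.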