In her latest article, Parmenion’s Information Security Manager Sarah Coles shares her 6 steps towards stronger security in your advice firm.
In the last month we’ve seen Royal Mail, ION Group and Succession Wealth suffering cyber-attacks.
It’s a growing trend. Cyber risks are now the biggest concern for companies globally.
And incidents can be costly. IBM’s Cost of a Data Breach Report showed that over 70% of the industries surveyed experienced a year-on-year increase in the cost of cyber breaches in 2022.
The average cost of a data breach has increased by over 13% since 2020. And then there’s the cost of disruption and, inevitably, reputational damage.
Take 6 practical steps to improve your protection:
1. Improve employee awareness of best practices
It’s well known that email is still the number one delivery method for ransomware, with attackers gaining access to the network either by phishing employee credentials or by tricking staff into downloading malicious software. Employees are often referred to as ‘the weakest link’, but with regular phishing training they can help protect the business by reporting suspicious emails as they arrive.
Promoting the use of an internal phishing mailbox is crucial, as it provides IT teams with better visibility and allows them to react quickly to threats, even removing phishing emails from employee inboxes before they’ve had a chance to interact.
2. Use strong passwords and multi-factor authentication
MFA greatly reduces the chances of account takeovers, and IFAs need to promote its use as much as possible. If MFA is available on a financial platform and not being utilised, the ICO and/or FCA are likely to impose greater financial penalties if the IFA suffers a breach, as MFA is considered a ‘basic security principle’.
Advisers and paraplanners need to avoid sharing logins as this prevents MFA adoption and increases the chances of data breaches. Where this is unavoidable, the use of strong passwords is essential – aim for at least 12 characters.
3. Keep on top of evolving threats
It’s inevitable that some phishing emails will still get through, as attackers continually adapt to circumvent controls, so it’s vital for firms to continually review and keep up to date with threats. For years, attackers used macros in Office documents to distribute malware. Then Microsoft disabled macros by default in July, making this method unreliable. Attackers changed their tactics soon after and began using Microsoft OneNote attachments to spread malware instead, because OneNote allows users to insert files into a notebook. When a user double clicks such an embedded file, scripts can be launched to download malware from a remote site and install it onto the user’s device.
Here are some other recent examples, each with the reminder to pass on to staff:
- Attackers taking over Google advertisements at the top of search results to direct users to phishing sites or install malware.
  - Remind staff to avoid clicking Google Ads links in search results.
- Legitimate-looking DocuSign emails that contain blank images, hiding malicious URLs and bypassing security filters.
  - Remind staff to always think twice before downloading attachments, questioning whether they were expecting to receive the email or whether it could be suspicious.
- A phone scam that simply asks, “can you hear me?” to record your voice as you say ‘Yes’, so the recording can later be used to bypass voice-based security checks.
  - Remind staff to be cautious of unknown numbers, what they’re being asked, and how that information might be used against them.
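The OneNote technique described above is detectable on the defender’s side before anyone double clicks: every file embedded in a OneNote section is stored behind a fixed GUID marker (the FileDataStoreObject header documented in Microsoft’s MS-ONESTORE specification), so a phishing-mailbox triage script can walk a .one attachment, pull out each embedded payload and flag scripts or executables for quarantine. The script below is an added example, not code from the article or from Parmenion; the sample notebook bytes it builds are constructed for the test and are not a real OneNote file.

```python
import struct

# On-disk bytes of the GUIDs that bracket every embedded file object in a
# OneNote section (FileDataStoreObject, MS-ONESTORE 2.6.13).
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")

# Leading bytes of payload types that should never arrive inside a notebook
# from an external sender (assumed triage policy for this example).
SUSPICIOUS = (
    (b"MZ", "Windows executable"),
    (b"<html", "HTML page"),
    (b"@echo", "batch script"),
    (b"WScript", "Windows Script Host script"),
    (b"powershell", "PowerShell launcher"),
)

def extract_embedded_files(data: bytes):
    """Return [(offset, length, payload, well_formed)] for each embedded file."""
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1:
        # Layout: guidHeader(16) cbLength(8, LE) unused(4) reserved(8) FileData
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        payload = data[start:start + length]
        well_formed = data[start + length:start + length + 16] == FDSO_FOOTER
        found.append((pos, length, payload, well_formed))
        pos = data.find(FDSO_HEADER, start + length)
    return found

def classify(payload: bytes) -> str:
    head = payload[:64].lstrip().lower()
    for magic, label in SUSPICIOUS:
        if head.startswith(magic.lower()):
            return label
    return "unknown/benign"

def triage_onenote(data: bytes):
    """List (offset, length, label) for payloads that warrant quarantine."""
    hits = []
    for off, n, payload, _ in extract_embedded_files(data):
        label = classify(payload)
        if label != "unknown/benign":
            hits.append((off, n, label))
    return hits

def build_sample() -> bytes:
    """Constructed notebook-like blob: one PNG and one batch script embedded."""
    def obj(payload):
        return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 16
    bat = b"@echo off\r\nrem constructed placeholder\r\n"
    return b"\0" * 64 + obj(png) + b"\0" * 32 + obj(bat) + b"\0" * 16
```

Run it against the .one attachments reported to the phishing mailbox; a non-empty result from triage_onenote is the signal to remove the email from inboxes before anyone opens it.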
4. Organise regular cybersecurity exercises
IFAs should seek external cyber expertise to complete vulnerability assessments at least annually, for example penetration testing of platforms or internal networks. If more resource is available, quarterly staff phishing exercises, user access reviews, IT / information security audits, incident response testing and physical security audits should also be considered.
5. Keep software up to date
The ability for a small IFA firm to invest in cyber security and keep up to date with threats may be limited when compared to larger businesses. However, it’s important to get the basics right, including regularly updating operating systems, web browsers and software applications.
6. Take regular backups and restore data during incident response testing
IFAs should have disaster recovery plans in place in case their business is attacked. This should include testing whether data can actually be restored from backups in the event of a ransomware attack, not just confirming that backups are being taken. We’re all becoming more accepting that businesses can suffer cyber-attacks, but the way in which a business deals with the fallout is often what determines the level of reputational damage caused.
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.