How can advisers shield themselves from cyber threats? Our Managing Director, Julian Plummer, explains below…
As more websites that hold personal data are infiltrated, the need for advisers to protect their practices with information security is becoming increasingly urgent.
If you are a financial planning technology provider, it’s almost impossible not to keep your eye on issues that affect planners. If you are serious about what you do, you will likely have your finger on the pulse when it comes to these things because they almost always impact the way advisers generate and deliver advice.
Over the past year, there have been plenty – the federal budget, life under LIF, Opposition Leader Bill Shorten’s call for a royal commission into advice – all heavy topics that will most definitely impact the advice industry. One central issue that hasn’t garnered much of a mainstream mention yet is information security, and yet I think it is one of the most important things planners should be thinking about today.
Because something bad has happened.
In June 2012, LinkedIn was hacked, and earlier this month all 177.5 million passwords stolen from that hack were released into the wild via a Russian password cracking forum.
The reason this is a problem is that passwords are an endless feedback loop.
When password cracking first began in the early 1990s, the only tools available to hackers were simple dictionary attacks using basic word lists grabbed from the internet. Basic word lists were of limited help to hackers and only got them so far when trying to guess passwords.
Things improved for hackers in 2009 when a website called “RockYou” was breached and more than 32 million raw passwords were leaked. A password payload that large helped hackers refine their attack methods and added statistical rigour to their techniques. These were real passwords, not just a list of words from a dictionary, and thus professional password hacking was born.
RockYou started the endless feedback loop, and more websites followed. eHarmony, Ashley Madison and then LinkedIn.
The LinkedIn breach means hackers have a new treasure chest of passwords significantly larger than anything they have had access to before. This new bounty will help hackers move on to even bigger treasure troves.
If you’re wondering how good hackers’ techniques currently are when it comes to cracking passwords, consider this – it took one researcher with an NVidia GTX Titan graphics card (RRP $1,599 on eBay) less than a day to brute-force crack 95 per cent of the 177.5 million LinkedIn passwords.
Given the overwhelming majority of Australian planners use online financial planning tools and software in one form or another, password security is now an issue.
And it’s more than likely that at some point, somewhere, your password has been hacked.
Don’t believe me?
This website will let you know how many times you have been hacked.
Further password breaches will follow as a result of LinkedIn, and planners should be constantly vigilant about their information security, and the security of their clients, from this point on.
Be alert, but not alarmed – five tips for planners to manage the risks
There are several simple steps planners can undertake to manage the risks of a cyber breach.
1. Use a password manager. I’m sorry. It’s time.
A password manager is an application that helps you store and retrieve passwords. The passwords here are usually heavily encrypted and require a master password to access. This master password is usually very strong and allows you full access to your entire password database.
The LinkedIn hack was so toxic because most people share the same password for different sites. Once hackers have your LinkedIn password, there is a good chance they can access others. A password manager will help stop this.
You may be wary of putting all your passwords in the one place. What if the password manager itself gets hacked? It’s possible, but unlikely, as password managers put far more effort into security than your average website does.
Password managers also use ‘hashing’ techniques on their password database, and should they get hacked, the hashing means hackers will need a significant amount of time to ‘unhash’ the passwords and make sense of them, by which time you will have been able to take remedial action. LastPass is the manager I prefer and it works on almost any device.
2. Use strong passwords.
Any tricky password combination of a word followed by some numbers will take less than a microsecond for a hacker to guess. Sadly, any cunning mnemonic or special wordplay trick that you have conjured up has also likely been anticipated by the hackers.
Here is a simple tip. Unless your password looks something like this “wfTIZQvDb95hF91BZSXSfEFk”, consider it easy to guess.
Obviously there is no way you will be able to memorise these types of passwords for your day-to-day internet usage. So again, password manager. Handily, LastPass will also generate strong passwords for you to use.
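As an added illustration, not part of the original article, the following Python script puts rough numbers on tips 1 and 2: it generates a random password of the kind shown above, shows the slow ‘hashing’ a password manager applies to a master password, and estimates how long an attacker needs to exhaust a ‘word plus digits’ pattern versus a 24-character random one. The guess rate and iteration count are assumed figures for illustration, not measurements.

```python
import hashlib
import math
import secrets
import string

# Constructed figures for illustration, not measurements: a GPU rate against one
# fast hash computation, and the PBKDF2 iteration count assumed for a vault.
FAST_HASHES_PER_SEC = 10_000_000_000
KDF_ITERATIONS = 100_000
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the sample password

def generate_password(length=24):
    """Random password from a cryptographically secure source (what a manager does)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_master_password(password, salt=None):
    """Slow hashing of the master password: each guess costs KDF_ITERATIONS hashes."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest

def guesses_word_plus_digits(word_list_size, digit_count):
    """Search space for 'dictionary word followed by N digits'."""
    return word_list_size * 10 ** digit_count

def guesses_random(length, alphabet_size=len(ALPHABET)):
    """Search space for a uniformly random password of the given length."""
    return alphabet_size ** length

def seconds_to_exhaust(guesses, hashes_per_sec, iterations=1):
    """Worst-case time to try every candidate; slow hashing divides the attacker's rate."""
    return guesses * iterations / hashes_per_sec

def compare(word_list_size=100_000, digit_count=4, length=24):
    """Compare the weak pattern with a random password under fast and slow hashing."""
    weak = guesses_word_plus_digits(word_list_size, digit_count)
    strong = guesses_random(length)
    year = 365 * 24 * 3600
    return {
        "weak_seconds_fast_hash": seconds_to_exhaust(weak, FAST_HASHES_PER_SEC),
        "weak_hours_slow_hash": seconds_to_exhaust(weak, FAST_HASHES_PER_SEC, KDF_ITERATIONS) / 3600,
        "strong_years_fast_hash": seconds_to_exhaust(strong, FAST_HASHES_PER_SEC) / year,
        "strong_bits": math.log2(strong),
    }

if __name__ == "__main__":
    print("generated:", generate_password())
    for key, value in compare().items():
        print(f"{key}: {value:.3g}")
```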
3. Use multiple security layers
Combining multiple security controls will help protect your planning practice’s resources and data. Days could be spent discussing the optimal approach to layered security, but an effective and simple start would be ensuring you run dedicated anti-malware alongside your traditional anti-virus solution. I like MalwareBytes working alongside Kaspersky AntiVirus, with Symantec Email Security cloud service running on email servers. If you have those three in place, you’re not doing too badly.
Your IT person can ensure all these applications are running on your employees’ computers using something called ‘group policy’.
4. Watch out for spear phishing
A few weeks ago, our canny financial controller forwarded me an email I had purportedly sent her.
In this email, I supposedly instructed her to immediately pay a vendor a considerable amount of money, with banking details conveniently placed in the body of the email. The email looked as if it was sent from me (using a technique called spoofing), with my job title and signature looking quite legitimate. The grammar was sound and the context believable.
This is a good example of a ‘spear phishing’ attack, where an attacker sends an email that looks like a legitimate message from a trusted person or company, in the hope that the victim will give up some lucre. Normal phishing emails are typically relatively easy to spot (they look spammy), but this was an impressive and highly targeted lark.
How did they get all this organisational information? Probably from going through my LinkedIn profile, looking at my connections and figuring out who Midwinter’s financial controller was.
Luckily, Midwinter’s financial controller was fresh out of our internal ISO 27001 security audit and is extremely well-trained in spotting such nonsense, but hats off to the attacker. It was impressive.
At this point, I should say the attackers were unsuccessful in their spear phishing attempt.
My suggestions here are to ensure your employees:
• Handle all email with a bit of suspicion. Remain sceptical of any email that has a strong call to action (particularly attachments)
• Ensure email tone is consistent with what you expect
• Ensure bank transfers and other sensitive business processes have adequate sign-off measures
• Be wary of spammy social media invites, particularly from LinkedIn. I seem to be getting a lot of LinkedIn contact requests from digital marketing experts in the Philippines recently
• Spend a bit of time researching spear phishing. Companies such as PhishMe have great resources for keeping up to date with the latest threats
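As an added example, not from the article, the following Python check applies the points above to an incoming message: it flags a From display name that matches a staff member but carries a different address, an external sender domain, a Reply-To that differs from From, and urgent payment language. The domain, the staff directory and the sample message are constructed placeholders modelled on the incident described above.

```python
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumed internal mail domain (placeholder)
# Assumed staff directory, display name -> real address (placeholder values)
STAFF = {"julian plummer": "julian.plummer@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "today", "pay", "transfer")

# Constructed sample resembling the incident described above; not a real message.
SAMPLE_EML = """\
From: Julian Plummer <julian.plummer@example-mail.net>
Reply-To: payments@example-mail.net
To: finance@example.com
Subject: Urgent vendor payment
Content-Type: text/plain

Please pay this vendor immediately. Bank details are below.
"""

def check_message(raw):
    """Return the spear-phishing indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    known = STAFF.get(name.strip().lower())
    if known and addr != known:
        findings.append("display name matches staff member but address differs")
    if domain and domain != TRUSTED_DOMAIN:
        findings.append("sender domain is external")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != addr:
        findings.append("Reply-To differs from From")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgent payment language")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EML):
        print("-", finding)
```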
5. Take care with PUAs
PUAs are Potentially Unwanted Applications. This includes adware, browser extensions and other programs that come bundled with the software you actually meant to install. These PUAs can cause havoc with a planner’s business.
Anyone downloading the popular uTorrent application earlier this year would have been the unlucky recipient of a PUA called ‘Epic Scale’, which rudely used your computer to mine bitcoins.
Even more concerning is the growing threat of Ransomware, which is becoming an issue for unwitting advisers who install software without fully realising what they are up for.
Again, talk to your designated IT person about group policy to ensure unwanted software cannot be installed on your employees’ computers. Also ensure your backups are frequent. And stop downloading movies from torrents.
Conclusion – consider yourself a target.
It is crucial you acknowledge that you are at risk and take steps to manage that risk.
Your whole planning business is built on trust and you’ve worked hard to earn that trust. You probably spend a lot of time ensuring your advice is compliant, your employees’ super is paid on time and your accounts are up to scratch – as you should. Add information security to that list, because as the world digitally transforms and more of your operations move online, ensuring the safety of your information will go hand in hand with ensuring the safety of your business.