How advisers can protect their business against cyber threats – practical tips from Morningstar Wealth’s Simon Glover 

In the following analysis, Simon Glover, Head of Data, Architecture & Cloud Infrastructure, EMEA, Morningstar Wealth, sets out some of the key things that small and medium-sized IFA firms can do to minimise the risk of a cyber attack derailing their business.

Technology can bring incredible benefits for individuals and businesses alike. It opens doors to information, functionality and tools that enable millions of companies to provide the best service possible to their customers.  

But technology also has a darker side. These doors can be slammed shut – quite literally. Omni Hotels & Resorts, among other major hotel chains, found this out recently when its hotel doors were hijacked in a ransomware attack.  

It’s a case of ‘when’ and not ‘if’ for cyber threats  

 
 

Half of UK businesses reported a cyber security breach or attack in the 12 months to April this year, with the finance and wealth industries a current and growing target. Last month, research from technology transformation specialists Stridon found more than half (51%) of professional services firms lack the capacity and insight to fully execute their technology projects. 

Put simply, a financial advice business is more likely than not to experience some form of cyber threat. It may be targeted and malicious, or could result from mistakes and carelessness. Either way, the impact can be severe with far-reaching implications for advisers’ businesses, clients and other members of their value chain. 

The good news is, with a few simple steps, some vigilance and effective communication, advisers can protect their business. There are ways for smaller firms to do this without it being labour intensive or overly time-consuming.  

The exact nature of the threat and response will depend on the:

  • systems a particular business uses
  • underlying infrastructure
  • volume of data it holds and processes
  • size of firm

The key is building resilience into the business, setting out a recovery plan and thinking about how to protect clients, colleagues and the firm itself as well as other members of the value chain.  

Everyone has a role to play  

However large or small an advice firm might be, everyone has a role to play in this process.  

Awareness is the first line of defence. Everyone in the business should be aware of and think about cybersecurity as a norm. This might take the form of regular training sessions or discussions. The team should be able to spot potential threats or scams and feel confident to flag these to the right person. Recording and sharing these threats makes them less likely to succeed. Depending on the size of the business, this may be one person’s responsibility, or everyone may be equally responsible for sharing and updating a central database for future reference.

 
 

It can be difficult to keep up with new threats. And if it is difficult for larger firms who have at least one person and sometimes a whole team dedicated to cyber security, it is much harder for smaller or micro advice firms.   

But help is available. The National Cyber Security Centre (NCSC) has an excellent range of free resources, many of which are aimed specifically at small and medium businesses.

Another way everyone can get involved is personal security. Phishing, where people are tricked into sharing personal information or login credentials, often via email, is by far the most common threat. Some 84% of businesses reported a phishing attack in the last year. 

Passwords are crucial; over 80% of all hacking-related data breaches are down to weak or stolen credentials. Easy ways to combat this include regularly changing passwords and using a password manager to securely store, generate and manage passwords. The right password manager will depend on the size and needs of each business, but multi-factor authentication, industry-standard encryption and zero-knowledge password storage are all worth putting in place. The NCSC also has a helpful guide to password protection.

Be prepared  

Whatever the size of business, a recovery plan is essential. It does not need to be overly detailed or time consuming. This can focus on setting out high-level points, such as key people, essential steps, and who needs to be engaged with or informed in the event of an attack. Then it can be built on over time.  

Having a plan helps ensure that, if a firm is subject to a data breach or cyber threat, the business is prepared and can respond immediately and recover more quickly. This avoids wasting time working out what to do.

Once a plan is in place, it needs to be regularly tested and reviewed. Threats are ever-changing, so responding to them should be treated as an evolving process. Ultimately, awareness and engagement across the entire team are the best line of defence.
