Advertorial, Jun 26 2017

Advertorial: How will you deal with cyber attacks on your advice business?


According to a survey of 220 of our clients, 44% of advisers have direct experience of cyber attack. With the General Data Protection Regulation (GDPR) coming into force in May 2018, where breaches result in risk to individual rights and freedoms, such breaches will have to be reported to the regulator and to the individuals concerned.

How will you handle having to tell a client that their data has been compromised?

Identifying cyber threats, mitigating cyber risks and dealing with cyber attacks are all part and parcel of running any business that holds data on its clients. What would you do if your data was stolen and compromised? How would you get back up and running in such circumstances?

Where you have data, you have something that hackers want and can monetize. By withholding your data from you, hackers can extort you for financial gain in exchange for its return. These forms of attacks, known as ransomware, encrypt your data with the promise of releasing it upon receipt of payment of a ransom.

Such attacks are very common, so every business should have a clear plan to deal with them. Attacks need to be anticipated as part of modern business, with appropriate continuity planning and insurance in place to deal with them.

Several firms have opted, in such circumstances, to just pay the ransom. This is categorically not the right course of action. What incentive do these anonymous hackers have to actually release your data? Furthermore, there have been instances of firms paying for the release of data, only for the release key they are given to infect their system with more ransomware. Ultimately, you are dealing with criminals.

How can hackers gain access to your data?

The major weakness in any firm is its employees. If their access to your system is compromised, then your data is at risk. Simple phishing emails are a major source of success for hackers. These are emails containing infected attachments or malicious links which your staff may open purely by accident.

Usually, the email will appear to have come from a trusted source – it is easy to manufacture an email to make it appear as though it has been sent from a senior figure at the company, or from a friend or relative. Most of us give up swathes of personal information on public sites such as Facebook. It is easy for hackers to ascertain individual likes and relationships and engineer these to their own benefit.

Email approaches from hackers have moved on from declarations of lottery wins in far flung corners of the globe. You’re far more likely to trust an email from a friend or colleague. Once the hackers have obtained login credentials for your system, they can then set about encrypting and withholding your data.

It is, therefore, imperative that you train your staff, to help them to identify malicious emails. They are the gatekeepers to your business, so training them is vital.

What if you are hacked?

It is essential to plan for this eventuality. If your data is withheld from you, how will you continue to function? Regular backups of your data are the best way to ensure business continuity. If access to your primary data is denied, you can switch to the backup data and resume business from where you last updated it.

So if, for example, you last backed up your data three hours before being subjected to an attack, you will only lose those three hours of work – not your entire universe.

Backups should of course be hosted on a different system to your primary system. Backing up your data also has the advantage of putting you in the best place to continue business as usual if your primary system malfunctions. 

Increasing numbers of financial institutions are leveraging cloud storage for their data protection needs. Prominent cloud providers such as Microsoft and Amazon Web Services invest vast amounts of money in their cloud solutions. You can take advantage of this investment by utilising their services.

Microsoft, for example, estimates that it will spend $1bn in 2017 on cyber security. Obviously, it is unlikely that your firm can match that sort of spend, so it’s more efficient to utilise the security services of a major provider. 

Most cloud solutions also encrypt parts of client data differently, so in the event that they are hacked, not all of your data is compromised at once. As ever with any outsourcing solution, it is imperative to conduct proper due diligence on your chosen provider.

As the FCA makes very clear, the responsibility for any breach is always yours – you cannot outsource the ultimate responsibility.

Two-factor authentication

Alongside the usual forms of system protection that you deploy, such as employees having to enter a password to access their work machines, two-factor authentication requires a separate code, generated via a mobile device or dongle, to gain access to the system. This means that having the login credentials alone will not grant anyone access to the system.

Banks have been deploying this technology for years. You enter your login details and password, before having to generate another code that you input alongside these credentials in order to log in and access your accounts.

This isn’t a silver bullet to your hacking problems, but it is a useful deterrent – one that Verizon stated in its 2016 annual cyber threat report would have prevented 24% of breaches that year.

GDPR

The General Data Protection Regulation is the storm on the horizon. Due to be implemented in May 2018, it is an EU-wide regulation that Brexit will not save you from. Britain will still be in the EU in 2018 and the British government has played a significant role in the development of the rules.

If you are breached and client information is compromised, you will have to report this to the regulator and, more often than not, inform all those affected. 

Furthermore, there are some hefty fines in store for firms that lose client details. Headline attacks have happened in recent times to TalkTalk and TESCO Bank. Whilst they escaped with relatively low fines, GDPR can enforce a fine of up to €20 million or 4% of global turnover, whichever is greater.

Make no mistake, data breaches will be severely punished.

It is also worth bearing in mind the stat at the top of this article: 82% of consumers would disengage from financial advisers that have been hacked. The reputational damage could be severe.

So it is imperative to plan for any attack and have a clearly defined strategy in place. No attack is ever going to be a positive experience, but it doesn't need to be a catastrophic one, either. Having the correct processes in place, with backup data ready to restore, will make the recovery far smoother and let you resume working quickly. Steps, too, can be taken to lessen the likelihood of attack in the first place, with proper staff training and two-factor authentication.

It is no good assuming you won’t ever get attacked. Your data, no matter what it contains, always carries value to malicious parties.

This page was produced by the advertising department of the Financial Times. The news and editorial staff of the Financial Times had no role in its preparation.