Your Industry  

How advisers can become targets of cyber crime

Fleming says the single most important thing an adviser can do to protect the data under their control is to implement “multi-factor authentication.”

This means that, in order to login to a system or programme, a user is asked for more than just a username and password. By asking for more than this, it becomes very difficult for a hacker to get in. 

The aforementioned anonymous adviser says this is the policy he has adopted since his own company was hacked, and his experience so far has been positive. 

He says: "The experience has made me a subject matter expert on cyber security after what happened, and having become aware that accessing the data through the Microsoft 365 system is the most common form of attack, I have started to use multi-factor authentication."

Size doesn't matter

Fleming says a major obstacle his business encounters among many advisers is they believe their company to be “too small” for a cyber criminal to attack.

But he adds: “The important thing to realise is these attacks are randomised, the attackers use technology to try to pierce the defences of multiple companies and then see which ones they get into.”

Holland, whose clients include platform and asset management company Aegon, says a particular challenge for those in his profession who deal with financial services companies is that many such businesses often have “very old and paper-based systems, and as such technology has not kept up with the threat from hackers.

"One of the things we do is employ ethical hackers who can test systems and find where the weaknesses are. But we have to do it in a way that is intuitive for people who are not technologists to be able to use.”

He says the biggest threat faced by financial services companies is that of mis-directed email, that is, emails which appear to come from an adviser's account, and impersonate the adviser, and are used to then request information from clients, or to read previous client emails to access sensitive information.

Fleming says lots of companies already have the capacity to implement multi-factor authentication, but “see it as a hassle” to turn it on.

Fleming says: “Among our clients, some people call us in and say they didn’t fall for an email scam. They are quite savvy people. But when we look at the email logs, we can see they did fall for something. These types of email scams are far more sophisticated now than they [used to be].”

Holland says advisers should move away from the practice of emailing sensitive information as an attachment to an email, and instead use a system such as Unipass or Last Pass to transmit the data.