Financial planners should know by now that the notifiable data breach (NDB) rules that came into force in February 2018 apply to them and to their clients’ data, since that data invariably includes tax file numbers (TFNs).

Industry bodies have alerted members about NDB protocols. Larger corporations above the $3 million turnover threshold will have a clear idea of what’s expected of them, and usually also the resources in place to manage what is essentially an extension of the Privacy Act and a broadening of the Australian Privacy Principles.

But for the many planners who work in or as SMEs and are captured – no matter their size – by virtue of handling TFNs and other protected client data, hard-working directors will shoulder the new compliance burden. Most, it is hoped, will already have in place the standard security protocols (see below), but after speaking to some, it’s clear their main question is: “How in Hades do I tell if my computer system has been breached?”

Federal government agencies such as the Office of the Australian Information Commissioner and Tax Practitioners Board will explain what’s required following a suspected or confirmed data breach, yet nowhere do they address that vital question for SMEs – to which the only possible answer is: “You can’t, without a serious IT professional on staff.”

Given this is an unlikely prospect for financial services SMEs, the only sensible alternative is a managed security service provider (MSSP). The good news is that almost every ISP offers some of the security functions an MSSP should provide. The not-so-good news is that, depending on the level of security your operation demands, you may need to seek a separate, dedicated MSSP to provide full, 24/7, real-time monitoring.

One such provider is WatchGuard Technologies, an American company that seeks to make enterprise-grade security services accessible to a broader market. Its push into this market was marked by the appointment this year of its Australia-New Zealand regional director, Mark Sinclair.

“All ISPs offer some security protection,” Sinclair says. “Whether it’s at the level that a particular SME needs is another question. For instance, most malware attacks will stay hidden in a system until activated by a timer or a system event, perhaps many months later.”

Microsoft’s Advanced Threat Analytics material puts the median time before an attack is discovered at about 146 days. A lag of close to five months means that, by the time a breach is found, every backup kept on a short weekly rotation already contains the attacker’s foothold, which strips those backups of most of their usefulness. Cloud backup providers typically retain snapshots for longer than an office rotation of tapes or drives, so managing backups with a cloud provider rather than on your own hardware improves the odds that a copy pre-dating the intrusion still exists.

As Sinclair notes, one attack that will not lurk in a system before activation is ransomware, an ever-increasing threat, which makes those daily and weekly backups still vital parts of any SME’s security regimen, even if the better option is to have the real-time monitoring of an MSSP in place.

As Richard Smith, founder of specialist cyber-insurance provider Edmund Insurance, pointed out this week, the Telstra Security 2018 Report found that 47 per cent of Australian businesses hit by ransomware in 2017 paid the ransom, and 83 per cent say they would pay again. Presumably, the 17 per cent who would not pay again were unlucky enough to strike a ransomware criminal who failed to hand over a decryption key after payment, yet another increasing danger of ransomware attacks.

“The concern is that criminals now directly target SMEs for several reasons, including the perception that they are easier to attack because their security policies are not robust or sophisticated,” Smith says. “SMEs are also more likely to pay ransoms due to the chances of them not having backups in place and because they are able to make such decisions quickly.”

WatchGuard’s Sinclair says the cost to SMEs of full, real-time MSSP monitoring ranges from about $85 to $150 a month, per user. The good news, he says, is that this should include the basic network support that many SMEs will already be sourcing to manage their office needs.

Finally, in financial year 2019, SMEs are expected to get access to a $2100 subsidy to check their system’s preparedness for an attack with a federal government-approved tester.

IT security regimen for financial planning SMEs

  1. Communicate threat data

The NDB rules on how quickly a suspected or confirmed data breach must be assessed and notified are clearly spelt out on the OAIC website. If you have had a breach, notify the OAIC and the affected clients as soon as practicable, and share what you learned with your peers: doing so helps others avoid the same threat.

  2. Encrypt all data

Financial advisers should have a working knowledge of how to encrypt data before sending it, especially over public platforms such as email. The tools are readily available, cheap and easy to use; for example, most advisers should find OpenPGP straightforward to adopt. Data at rest matters too: laptops and portable drives that hold client files should use the full-disk encryption built into modern operating systems, so that a lost device is not also a data breach.

  3. Perform consistent backups

Cloud services provide viable options for backup without the need for extra hardware. The cloud comes with its own security intelligence, and having your data backed up off-site is excellent protection against a fire or a hack. You will need to pay attention to where the cloud servers are located to ensure privacy; for instance, data held on servers in the US may legally be accessed by the US Government. Keep at least one copy that an intruder on your network cannot reach or overwrite, since ransomware that encrypts live data will also go after any backup it can see, and test a restore from time to time: a backup that has never been restored is a hope, not a backup. One adviser I spoke to uses very fast solid-state drives (SSDs) to do terabytes worth of weekly backups, with daily incremental backups (that is, only the data that’s been changed since the last weekly backup) executed in 10 minutes on a normal day.

  4. Destroy old hardware

One of the most effective ways to hack an otherwise secure system is to find a physical breach, and a discarded drive is exactly that. Making a drive unreadable is harder than many people think: deleting files or reformatting leaves the data recoverable. Magnetic hard disks can be degaussed before disposal, but degaussing does nothing to an SSD, which stores data in flash memory rather than on magnetic platters; for SSDs, use the drive’s built-in secure-erase or crypto-erase command, or physically destroy the device.

  5. Update consistently

Operating system and application updates arrive faster than ever these days, and for good reason: a patch often fixes a vulnerability that attackers are already exploiting, or will be within days of its public disclosure. When an update is presented for a financial platform, treat it as urgent rather than optional and apply it promptly.
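To make item 3 concrete, here is an added worked example of the bookkeeping behind a weekly full plus daily incremental scheme. It is illustration code written for this page, not code from the article or from the adviser quoted in it. A content-hash manifest decides which files each daily run must copy, the chain of increments is replayed onto the weekly full to restore, and the result is checked against the manifest recorded at backup time. It also shows the differential variant (copying everything changed since the last weekly full, which is what the adviser’s description amounts to) and what happens to a restore when one daily increment in the chain is lost. The file tree, paths and contents are constructed for the demonstration; a real run would read them from disk.

```python
"""Weekly full + daily incremental backup bookkeeping with restore verification.

Added example for illustration only; standard library only, runs offline.
The 'file tree' is a constructed dict of path -> bytes standing in for files."""
import hashlib
from typing import Dict, List

Tree = Dict[str, bytes]      # path -> file contents
Manifest = Dict[str, str]    # path -> SHA-256 of contents


def digest(data: bytes) -> str:
    """Content hash; catches changes that a modification time alone can miss."""
    return hashlib.sha256(data).hexdigest()


def manifest(files: Tree) -> Manifest:
    """Record what was backed up, so a restore can later be checked against it."""
    return {path: digest(data) for path, data in files.items()}


def changed_since(current: Tree, base: Manifest) -> List[str]:
    """Paths that are new or modified relative to a base manifest.

    Incremental backup: base is the manifest of the previous backup (full or daily).
    Differential backup: base is the manifest of the last weekly full."""
    return sorted(p for p, d in current.items() if base.get(p) != digest(d))


def deleted_since(current: Tree, base: Manifest) -> List[str]:
    """Paths present at the base backup that have since been removed."""
    return sorted(p for p in base if p not in current)


def restore(full: Tree, increments: List[Tree], deletions: List[List[str]]) -> Tree:
    """Replay the weekly full, then each daily increment in order.

    Every increment carries only its day's changes, so a missing link in the
    chain silently leaves older contents in place (see run_week)."""
    state = dict(full)
    for inc, gone in zip(increments, deletions):
        state.update(inc)
        for path in gone:
            state.pop(path, None)
    return state


def verify(restored: Tree, expected: Manifest) -> bool:
    """A backup that has never been restored is a hope, not a backup."""
    return manifest(restored) == expected


def run_week() -> dict:
    """Constructed three-day scenario: Sunday full, Monday and Tuesday increments."""
    sunday: Tree = {          # constructed sample data, not real client files
        "clients/alpha.xlsx": b"alpha v1",
        "clients/beta.pdf": b"beta v1",
        "soa/gamma.docx": b"gamma v1",
    }
    # Monday: alpha edited, delta added.
    monday: Tree = {**sunday, "clients/alpha.xlsx": b"alpha v2",
                    "clients/delta.pdf": b"delta v1"}
    # Tuesday: beta edited, gamma deleted.
    tuesday: Tree = {p: d for p, d in monday.items() if p != "soa/gamma.docx"}
    tuesday["clients/beta.pdf"] = b"beta v2"

    m_sun, m_mon, m_tue = manifest(sunday), manifest(monday), manifest(tuesday)

    mon_inc = changed_since(monday, m_sun)     # Monday vs Sunday full
    tue_inc = changed_since(tuesday, m_mon)    # Tuesday vs Monday increment
    tue_del = deleted_since(tuesday, m_mon)
    tue_diff = changed_since(tuesday, m_sun)   # differential: Tuesday vs full

    increments = [{p: monday[p] for p in mon_inc}, {p: tuesday[p] for p in tue_inc}]
    deletions = [deleted_since(monday, m_sun), tue_del]

    good = restore(sunday, increments, deletions)
    # Simulate losing Monday's increment: the chain is broken and Tuesday's
    # increment alone cannot bring the tree back to Tuesday's state.
    broken = restore(sunday, increments[1:], deletions[1:])

    return {
        "monday_incremental": mon_inc,
        "tuesday_incremental": tue_inc,
        "tuesday_deleted": tue_del,
        "tuesday_differential": tue_diff,
        "full_chain_verifies": verify(good, m_tue),
        "missing_link_verifies": verify(broken, m_tue),
    }


if __name__ == "__main__":
    for key, value in run_week().items():
        print(f"{key}: {value}")
```

The differential list is longer than the incremental one because it re-copies Monday’s changes, which is the trade-off: more data each day, but a restore needs only the full plus the latest differential, so losing one day’s copy does not break the chain the way it does for incrementals.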
