Peter Worn (left) and Indi Siriniwasa

A cyber breach is a matter of ‘when’ rather than ‘if’, and advice businesses need to maintain heightened due diligence over the vendors they rely on.

According to experts, it is likely that in the future, licensees will use software only from companies that leverage secure cloud computing platforms, adhere to high internal security standards, comply with Australian Cyber Security Centre recommendations, and possess relevant certifications.

In addition, companies and fintechs operating across the wealth sector often use third-party code repositories. This is common practice for millions of software developers worldwide, but it should come with extra considerations, especially with regard to data security.

These include the introduction of access control mechanisms and multi-factor authentication, segregation of duties, user activity monitoring, and the safe storage and management of credentials such as passwords.

On top of that, these software providers also need to consider how they can generally uplift their security posture while remaining compliant with ACSC recommendations.

Finura Group joint managing director Peter Worn tells Professional Planner that financial advisers should conduct thorough due diligence when choosing technology providers.

“It’s crucial not just to rely on the security measures of cloud platforms like AWS [Amazon Web Services] or [Microsoft] Azure but to ensure that the software companies themselves maintain high internal security standards,” Worn says.

However, he warns that with the proliferation of AI start-ups in this market, the risks are heightened, as many of the new tech providers are not up to scratch with ISO 27001, the international standard for information security management.

“Ensuring that tech providers have this certification is vital to guarantee they follow rigorous security protocols,” Worn says.

Worn also stressed that providers should have a well-defined incident response plan in place, one that is regularly tested and can quickly address and mitigate any security breach.

“Continuous training and awareness programs for employees on cybersecurity best practices are crucial to maintaining a strong security posture,” he says.

In May, ASX-listed advice software provider Iress notified investors that it was investigating unauthorised access to its user space on GitHub, which is a third-party code repository managing its software code.

According to the subsequent updates, the firm discovered that a credential within Iress’ GitHub space was stolen and used to gain access to Iress’ OneVue production environment containing client data.

While the investigation ultimately concluded that no further data was accessed, Alchemy Cyber Defence CEO Indi Siriniwasa says the lesson was that firms should strengthen their authentication practices and have security monitoring and alerts in place to continuously check access logs for suspicious activity.

On top of that, organisations should conduct regular security audits and penetration testing, provide enhanced security training, and ensure that all credentials used to access third-party platforms and production environments carry the minimum privileges necessary to perform their functions.
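The monitoring Siriniwasa describes is, in practice, a set of rules run over access or audit logs. The script below is an added example, not code from the article, Iress, Alchemy Cyber Defence or GitHub: it reads a constructed stream of JSON-lines audit events and raises alerts for a sign-in from an IP address that identity has never used, a sign-in without multi-factor authentication, and a burst of repository clones inside a short window. The event schema, field names (`actor`, `action`, `ip`, `mfa`), baseline IP table and thresholds are all assumptions chosen for illustration; a real platform's audit log has its own schema.

```python
"""Flag suspicious activity in a stream of access-log events.

Added example: the event format, field names, baseline and thresholds
below are assumptions for illustration, not any vendor's real schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: JSON-lines audit events for a code-hosting account.
# The CI identity appears from an unfamiliar address, without MFA, and
# then clones repositories rapidly.
SAMPLE_LOG = """
{"ts": "2024-05-10T09:02:11Z", "actor": "alice", "action": "login", "ip": "203.0.113.10", "mfa": true}
{"ts": "2024-05-10T09:05:40Z", "actor": "alice", "action": "repo.clone", "ip": "203.0.113.10", "mfa": true}
{"ts": "2024-05-10T23:41:03Z", "actor": "ci-bot", "action": "login", "ip": "198.51.100.77", "mfa": false}
{"ts": "2024-05-10T23:41:20Z", "actor": "ci-bot", "action": "repo.clone", "ip": "198.51.100.77", "mfa": false}
{"ts": "2024-05-10T23:41:35Z", "actor": "ci-bot", "action": "repo.clone", "ip": "198.51.100.77", "mfa": false}
{"ts": "2024-05-10T23:41:52Z", "actor": "ci-bot", "action": "repo.clone", "ip": "198.51.100.77", "mfa": false}
{"ts": "2024-05-10T23:42:10Z", "actor": "ci-bot", "action": "repo.clone", "ip": "198.51.100.77", "mfa": false}
{"ts": "2024-05-10T23:42:30Z", "actor": "ci-bot", "action": "repo.clone", "ip": "198.51.100.77", "mfa": false}
"""

# Assumed baseline: the IP addresses each identity normally signs in from.
# In practice this is built from historical logs, not hard-coded.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "ci-bot": {"192.0.2.5"}}

CLONE_BURST_THRESHOLD = 5                 # clones inside the window before alerting
CLONE_BURST_WINDOW = timedelta(minutes=5)  # sliding window per actor


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious(events):
    """Return a list of (alert_type, actor, ip) tuples, in event order."""
    alerts = []
    # Work on a copy so repeated runs start from the same baseline.
    seen_ips = {actor: set(ips) for actor, ips in KNOWN_IPS.items()}
    recent_clones = defaultdict(list)

    for event in events:
        actor, ip = event["actor"], event["ip"]

        # Rule 1: activity from an address this identity has never used.
        if ip not in seen_ips.setdefault(actor, set()):
            alerts.append(("new_ip", actor, ip))
            seen_ips[actor].add(ip)  # alert once per new address, not per event

        # Rule 2: a sign-in that did not complete multi-factor authentication.
        if event["action"] == "login" and not event["mfa"]:
            alerts.append(("login_without_mfa", actor, ip))

        # Rule 3: many clones in a short window, a bulk-collection signal.
        if event["action"] == "repo.clone":
            window = recent_clones[actor]
            window.append(event["ts"])
            window[:] = [t for t in window if event["ts"] - t <= CLONE_BURST_WINDOW]
            if len(window) == CLONE_BURST_THRESHOLD:
                alerts.append(("clone_burst", actor, ip))

    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious(parse_events(SAMPLE_LOG)):
        print("ALERT:", *alert)
```

Run against the constructed log, the script reports three alerts, all for `ci-bot`: a new IP, a login without MFA, and a clone burst. The `new_ip` rule fires once per address rather than per event, which keeps alert volume manageable when the same unfamiliar source generates many actions.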

Siriniwasa identified four fundamental security issues that organisations should stay alert to: third-party dependencies, hard-coded credentials, credential reuse and a lack of strong authentication mechanisms.
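Two of those four issues, hard-coded credentials and credential reuse, can be checked for before code ever reaches a hosted repository. The script below is an added example, not code from the article, Iress or GitHub: it scans a constructed in-memory repository for common secret patterns (an AWS access key ID, a quoted password or token assignment, a private-key header) and then fingerprints each finding with a hash so that the same secret appearing in more than one file is reported as reuse without the secret value itself being written anywhere. The file contents and the `RULES` table are assumptions; `AKIAIOSFODNN7EXAMPLE` is the placeholder key from AWS's own documentation, and the patterns are simplified versions of the rules that real secret scanners use.

```python
"""Find hard-coded credentials in source files and flag secrets reused
across files.

Added example: the repository contents are constructed and the detection
rules are simplified; a production scanner carries many more patterns.
"""
import hashlib
import re
from collections import defaultdict

# Constructed in-memory "repository": path -> file contents.
# The same database password is hard-coded in two files, one file reads it
# from the environment correctly, and a private key has been committed.
REPO = {
    "deploy/config.py": 'DB_PASSWORD = "Sup3rS3cret!2024"\n'
                        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "scripts/backup.sh": 'export DB_PASSWORD="Sup3rS3cret!2024"\n',
    "app/settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\nDEBUG = False\n',
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
}

# Detection rules (assumed, simplified): rule name -> regex whose first
# group captures the sensitive value.
RULES = {
    # AWS access key IDs begin with AKIA followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # A variable whose name contains password/secret/token assigned a quoted literal.
    "password_assignment": re.compile(
        r"\w*(?:password|passwd|secret|token)\w*\s*=\s*[\"']([^\"']{8,})[\"']",
        re.IGNORECASE),
    # PEM private-key header; the header, not the key body, is captured.
    "private_key": re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
}


def fingerprint(secret):
    """Short SHA-256 prefix so findings can be compared without storing the secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def scan_repo(repo):
    """Return one finding dict per rule match: path, line, rule, fingerprint."""
    findings = []
    for path, text in repo.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES.items():
                for match in pattern.finditer(line):
                    findings.append({
                        "path": path,
                        "line": lineno,
                        "rule": rule,
                        "fingerprint": fingerprint(match.group(1)),
                    })
    return findings


def find_reused(findings):
    """Map fingerprint -> sorted list of paths for secrets found in more than one file.

    Private-key findings are skipped because their captured value is the
    generic header, which would produce false reuse reports.
    """
    paths_by_fp = defaultdict(set)
    for finding in findings:
        if finding["rule"] == "private_key":
            continue
        paths_by_fp[finding["fingerprint"]].add(finding["path"])
    return {fp: sorted(paths) for fp, paths in paths_by_fp.items() if len(paths) > 1}


if __name__ == "__main__":
    results = scan_repo(REPO)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['rule']} (fingerprint {f['fingerprint']})")
    for fp, paths in find_reused(results).items():
        print(f"secret {fp} reused in: {', '.join(paths)}")
```

On the constructed repository the scan yields four findings (two password assignments, one AWS key ID, one private key) and one reuse report, for the database password shared by `deploy/config.py` and `scripts/backup.sh`. `app/settings.py` produces nothing because it reads the value from the environment rather than embedding it. Reporting a fingerprint instead of the matched value means the scanner's own output does not become another place the secret is stored.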

On the Iress OneVue hack, he says the reliance on a third-party platform – in this case GitHub – for managing code repositories introduced a vulnerability.

“The security measures in place for the third-party platform might not have been robust enough,” Siriniwasa says.

“The breach likely involved credentials hard-coded into the GitHub repositories, a common but risky practice that can lead to easy exploitation if the repository is compromised.”

He adds that if the same credentials were used across multiple applications or devices, it would allow the attacker to gain broader access once the initial password was compromised.

“The breach indicates a potential lack of multi-factor authentication or other advanced authentication methods that could have prevented the misuse of the stolen credential,” he says.
