Criminal hackers are exploiting the Covid-19 pandemic: mass homeworking has amplified some existing system vulnerabilities and created new threats. Heightened geopolitical tensions have also sparked an increase in state-sponsored threats from rogue nations such as Russia, China and North Korea. Here are my seven essential things every advisor needs to know to protect themselves and their clients.
- Two-factor authentication (‘2FA’)
2FA uses two pieces of information to prove (authenticate) your identity. Your password, ‘something you know’, is the first factor. The second factor will typically be ‘something you have’, like your mobile phone. After entering your username and password, a code is required before the account can be accessed; this might arrive in a text message or be generated by an app on the device. 2FA greatly reduces the likelihood of your account being hacked. Receiving an unexpected 2FA code also indicates your password has been compromised, so you can immediately change it. 2FA is free and straightforward. Activate it for important accounts, starting with email and any cloud services.
- E-mail and cloud
An email account is an attractive target. Hacking it allows criminals to reset other online account passwords, impersonate you, amend emails, activate auto-forwarding (so they receive a copy of emails you send or receive), and phish your contacts. Your cloud service accounts, e.g. Office365, are a close second. Use 2FA for your email accounts and cloud services. Change each account password to something unique, long (>15 characters) and strong (three random words with some numbers and symbols). Never reuse an email or cloud password elsewhere; criminals have tools that automatically try one compromised password against other popular online accounts.
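As an added illustration (not from the original article), the following Python builds a password of the kind described above, three random words plus numbers and symbols, and checks a candidate against a list of already-compromised passwords in the way breach-checking services do: only a short prefix of the password's SHA-1 hash is ever looked up, and the match is made locally. The word list and the ‘compromised’ set are constructed for the example; a real check would use a full dictionary and a real breach corpus such as the Pwned Passwords range service.

```python
"""Generate a long passphrase and check candidates against a compromised-password list."""
import hashlib
import secrets

# Constructed word list for the example; a real generator would use thousands of words.
WORDS = [
    "anchor", "biscuit", "canyon", "dolphin", "ember", "falcon", "garden", "harbour",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]

# Constructed stand-in for a breach corpus: SHA-1 digests of a few notoriously weak passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Password1!")
}

SYMBOLS = "!$%&*?"


def is_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """k-anonymity style lookup: share only the first 5 hex chars of the hash, match the rest locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # A range-query service would receive `prefix` and return every suffix it holds under it.
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def meets_policy(password: str) -> bool:
    """The article's rule of thumb: longer than 15 characters, with a number and a symbol, and not already leaked."""
    return (
        len(password) > 15
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
        and not is_breached(password)
    )


def generate_passphrase(words=WORDS, n_words: int = 3) -> str:
    """Three random words joined by a separator, plus a two-digit number and a symbol."""
    while True:  # loop guards against the (unlikely) short or leaked result
        picked = [secrets.choice(words) for _ in range(n_words)]
        sep = secrets.choice("-_.")
        phrase = sep.join(picked) + str(10 + secrets.randbelow(90)) + secrets.choice(SYMBOLS)
        if meets_policy(phrase):
            return phrase


if __name__ == "__main__":
    print("suggested passphrase:", generate_passphrase())
    print("'password' already leaked?", is_breached("password"))
```

The `secrets` module is used rather than `random` because passwords need an unpredictable source; the prefix lookup shows why a breach check does not require sending the password itself anywhere.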
- Insecure email
The global internet is a public network. Standard email is insecure: it can be read or intercepted. Increasingly, financial services clients' email accounts are being hacked. Consider offering clients a secure message portal to avoid the risks associated with email. Crucially, and unlike email, a secure message does not traverse the public internet. Alternatively, consider a secure email service, which encrypts (scrambles) an email so only the intended recipient, who has the decryption password, can read it. Another option is to place the information in a Word or Excel document, protect the document with a password, and then attach the document to a blank email. Share the password with the client only by another method, e.g. in person.
- Robust operating procedures
Simple, strong procedures will protect your firm and your clients. Examples include always calling the client back on a number held on file before acting on an email instruction. Train staff regularly and consider testing how well staff adhere to the procedures.
- Zero trust
People tend to trust unexpected emails, text messages and phone calls until their suspicions are aroused. Firms can protect themselves and their clients by instead adopting a zero-trust mindset, in which emails, text messages or phone calls are not believed until proven genuine. Independently verify the sender by, for example, contacting them using details obtained from a search engine or the sender's website rather than from the message itself.
- Vigilance at home
It is understandable for staff to feel safe and secure when working at home, and to think cyberattacks will only happen back in the office. This is not true, with numerous recent reports of firms suffering attacks after staff succumbed to a phish. Bogus emails from senior staff (‘CEO fraud’), malicious conference call invitations, and Covid-19 phish are commonplace. Continually updated staff training – and examples of the latest criminal techniques – can reduce the likelihood, but the risk from phishing will never be eliminated. Subscribing to a simulated phishing service can maintain staff vigilance in every location, as they will know they might be tested anytime.
- Prioritise protection
Financial professionals naturally want to protect the client relationship. However, unusual requests, behaviour or transactions might indicate a compromised client. Do not let the desire for client goodwill override sound judgement. A client may initially react negatively to your persistence, but if that transaction turns out to be fraudulent, the client will quickly welcome your tenacity.
Nothing on this website should be construed as personal advice based on your circumstances. No news or research item is a personal recommendation to deal.