It is hard to write about cyber security without sounding overly scary, but that is because it is a scary subject. Platforms and other providers have reported more cyber attacks in the past year than ever before, and financial advisers are also an obvious target.
One of the most common attacks is the fraudulent email. A firm receives a simple email from a client telling them their bank details have changed and providing a new address, sort code and account number. The adviser changes its records accordingly.
A few days later, another email comes through from the client asking for £20,000 to be drawn from their investment account. The adviser arranges for the sum to be dispatched to the new bank account.
However, it soon turns out the emails have not come from the client and all hell breaks loose. A crook has hacked into the client’s email account (not that hard with the free email services around), impersonated them and stolen the money.
This unhappy story has been the experience of a fair number of advisers lately and will continue to happen until everyone has woken up to the danger and introduced some sensible precautionary procedures. As the use of computers and the internet becomes ever more central to our businesses, cyber security has become something that no adviser firm can ignore.
Email impersonation is one of the most straightforward types of cyber crime – equivalent to a backstreet mugging and often carried out by people hardly more sophisticated. Advisers should be able to stop it happening to them and their clients.
Make sure all these types of requests are followed up in person and that the person doing the check knows the client really well or can check on the basis of data that a crook is most unlikely to have captured. Warn clients of the dangers as well: suggest they change their email and other passwords reasonably often.
Crooks can gather a lot of knowledge about people. There is a surprising amount of information on the internet, especially about those on Facebook or Twitter.
‘Phishing’ is another way crooks can find out a good deal, by impersonating a bank or even HM Revenue & Customs. A phishing operator could pretend to be a product provider, a platform or even a financial advice firm and ask trusting clients for their personal information and for confirmation of banking and other financial details. Firms should have set procedures for asking for such information and warn clients they would never do so via email.
Further up the scale of potential cyber threats are more sophisticated assaults on or via advisers. TalkTalk recently fell prey to SQL injection – an attack in which specially crafted input submitted to a website is run as a command by the database behind it – which penetrated its defences and directly sucked out names and banking details from its database.
Encryption and effective firewalls should be a strong enough defence against most such attacks and other malware. However, a really determined attack can sometimes get through.
With this in mind, it is worth having a plan of how to respond to such a catastrophe. What would you say to clients and the press? What practical actions would you take to limit the damage and isolate the problem? What insurance do you have to cover such an eventuality?
There are many elementary actions advisers should take to deal with cyber security generally. Secure all laptops, phones and tablets with coded entry, and use secure email. Change passwords often and make them strong. Remember also that cloud-based data storage is probably more secure than office-based servers.
I actually finished writing this article on an aeroplane and my neighbour in the next seat suggested I should place a special filter over my screen so that nosy people could not read what I was reading or typing. It is important to keep confidential information safe in public places.
Danby Bloch is chairman of Helm Godfrey.