Julian Plummer, managing director of Kamino Cyber Security and Midwinter Financial Services, said that SMSF advice firms and the SMSF industry as a whole are being targeted by overseas crime gangs because they know that they’re “a honey pot for information because they carry financial information, medical information and insurance information on clients”.
“Undoubtedly, there would have been SMSF providers that have been hit, and the majority of them wouldn't even know that they've been hit,” Mr Plummer warned.
Often the criminals accessing this sort of information are very careful to obscure their presence, he said.
It’s often not the software that advisers are using that leaves the firm most vulnerable, he explained, but the infrastructure within the office.
“So the Active Directory, the way the router and the firewalls are connected to the internet, for example,” he explained.
Passwords are another area of weakness for SMSF firms, he cautioned.
“No matter what trick or system you have for remembering passwords for websites, I can assure you that [...] hackers have already figured out all the tricks,” he said.
“It's actually quite a scientific methodology and process behind password cracking and what makes things difficult is when people reuse passwords in one system, and that system then gets hacked, so that system gets breached and the hackers use that password on every other system to try and use credentials to log into Facebook or NetBank, for example.”
A lot of the firms he speaks to have very little in place to adequately safeguard against threats, which could land them in trouble once the Australian mandatory data breach notification laws commence from February 2018, he said.
The recently introduced laws, which receive royal assent in February 2018, specify that all businesses with an annual turnover of $3 million or higher will be required to notify individuals and the Office of the Australian Information Commissioner when cyber security incidents compromise personal information.
Under the new laws, where suspected unauthorised access occurs, the organisation must undertake an assessment of whether the incident is an “eligible data breach”, Mr Plummer explained.
“As part of that assessment process, the organisation must decide whether the incident is likely to result in serious harm to any individuals,” he said.
“If an eligible data breach has occurred then the organisation must provide notification of the incident to the Office of the Australian Information Commissioner, and take steps to notify affected individuals.”
Mr Plummer said that data published by the Ponemon Institute has revealed that the average cost to an organisation for a data breach notification is $88,000, once the necessary actions such as creating a new client database, legal costs for the notification and related communication costs associated with notifying clients are taken into account.
“The cost alone should be enough to convince you to take this seriously,” he said.
One of the key steps that can be undertaken by firms to safeguard against data breaches is to simply ensure all the software used by the firm is updated to the latest version.
“Hackers always look for vulnerabilities, and vulnerabilities usually come in the form of bugs, so if they think software has a bug, they will exploit it. What you want to make sure is that the software is up to date – that all the bugs are removed,” he said.
“You can also educate your users. Make sure they understand what spear phishing attacks are all about. Make sure that any risky emails are sent to the trash and that attachments [with these emails] aren't opened.
“Get someone to assess the premises, your software and your hardware, and let them look for the vulnerabilities before someone maleficent does it on behalf of them.”
SMSF firms may also want to investigate cyber insurance or review current policies if they already have cyber insurance, he said.