CPD: Information security in the advice industry – busting the many myths
Originally published in AdviserVoice.

Firewall? What firewall? Busting the myths of information security in the advice industry.

Don’t make the mistake of thinking that the security of your data and tech is a matter for the tech heads. Because it’s not. True information security can only be achieved if everyone in your organisation is involved. Here are some tips on getting started.

As a society, as individuals and as businesses we are increasingly dependent on technology. It facilitates everyday activities we now take for granted. Information stored in digital devices, online or in the cloud could almost be said to prove our very existence. This increasing reliance is the reason the threat of cybercrime and other security breaches, whether through accident or design, is now larger than ever.

For an advice business, the combination of the personal information you hold and the firm’s access to funds and financial products puts you at particular risk. That fact is well understood throughout the industry. What is less well understood is that combatting the threat involves far more than getting the tech heads to build ever wider, higher and thicker firewalls.

The truth is, there are many types of security breach no firewall can guard against. An unsecured laptop or other device accidentally left on a train, the failure to take passwords seriously, leaving a screen or document open in plain view – all of these everyday events are just as capable of dealing damage as the most sinister of black hat hackers sitting in a darkened room somewhere in Eastern Europe.

The consequences of such breaches can have a devastating effect on your business, your clients, your suppliers and you, as individuals who represent the business. They include loss of business and reputational damage, theft of funds, becoming the victim of – or inadvertently aiding – crimes such as fraud, and of course, fines, litigation or even criminal prosecution depending on the nature of the breach that occurs.

An excessive focus on the “black box” side of security, the high-end technology and digital safeguards that must be constantly updated to stay ahead of the security game, can sometimes take precedence over these many other risks. As important as the technical side is, so too is ensuring these other risks are systematically assessed and addressed at every level of your advice practice.

A formal Information Security Management System (ISMS)

Given what’s at stake and the magnitude and variety of the risks involved, one of the best approaches an advice practice can take is to institute a formal Information Security Management System (ISMS). This involves taking a holistic view of your entire operation, not just what goes on in the IT department, systematically assessing all information security risks, and putting in place measures to minimise them – across the entire business.

At Ignition Wealth, we’ve opted for a system that meets the internationally recognised ISO/IEC 27001 Information Security Management Standard. The ISO 27001 standard consists of two parts: a management system that makes sure that we define what needs to be done and keep on top of it, and a set of controls which are the things we do to make our information security better and lower our risk.

Plan for the worst

An ISMS such as ours looks at different kinds of risks and their potential consequences, which is a scary place to start and a great way to get each and every member of your business on board.

From loss of confidentiality through unauthorised access, to loss of integrity from some kind of corruption, accidental or otherwise, to loss of availability as in the recently publicised wholesale ransomware attacks in the US and Europe – all must be considered.

Hand in hand with this goes a consideration of the consequences, and how such an event would affect customers, employees, our reputation, finances, ability to meet contractual obligations and so on.

Legal compliance, always a subject close to the financial adviser’s heart, is also a key factor in creating a robust ISMS. To give you an idea of what that entails, in our own case, this takes into account meeting the requirements of the following:

  • Health and Safety legislation both nationally and in various States and Territories
  • Privacy Act 1988 and Australian Privacy Principles
  • Freedom of Information Act 1982
  • Copyright Act 1968 and Copyright Amendment (Digital Agenda) Act 2000
  • Patents Act 1990
  • Spam Act 2003
  • Cybercrime Act 2001
  • Electronic Transactions Act 1999

Sound daunting? It can be. But the protection afforded by a good ISMS more than repays the initial time and effort to roll it out. And, the beauty of a good system such as one that meets the ISO 27001 standard is that it evolves along with your organisation – and the many potential new threats that arise each day.

Six steps to better information security

Your pathway to better information security management – and preferably, a fully-fledged ISMS – can start here and now. Here are some basic steps to get you started.

  1. Discuss what information is held within your organisation, who holds it and where it is located – is it mostly electronic or paper; on the network or in the cloud? The main point is that you have lots of information held all over the place and much of it is vital. You may be surprised at the volume, or, once you undertake this exercise, how insecure some of it is.
  2. Build an asset register. Once you have identified the information in your organisation, define what your information “assets” are (i.e. the information you need to protect) and keep a list in a dedicated, regularly updated asset register. And keep the register itself secure.
  3. Perform regular risk assessments to check that you have done everything you reasonably can to manage the risks from changing threats. That means monitoring the environment and staying tuned to expert opinions on evolving threats.
  4. Check your resources. Make sure you have enough of the right type of resources to address the risks, maintain the register and update the system as required. And make sure your team is well trained and understands the importance of their roles.
  5. Spread the word. Ensure regular company-wide updates and compulsory awareness training. At Ignition Wealth we tell everyone about our policies and, in particular, what their part is in keeping our information safe.
  6. Constantly monitor, evolve and improve. That includes checking in on your original objectives and making sure they are still valid – and that your system still delivers on them. Track whether you are meeting them and look for ways to improve.

What it all comes down to is this. Dealing with potential security risks ad hoc, or taking a “learn as you go” approach is not sufficient to adequately protect your data and information assets, or those you hold on others’ behalf. Nor will it suffice as a defence at law in the not unlikely event that a breach leads to legal action. The sooner you understand that information is everyone’s concern, the sooner you’re on the way to better management, lower risk – and a better night’s sleep!


Take the quiz to earn 0.25 CPD points.