Major General (Ret’d) Dr Marcus Thompson, former head of the Department of Defence’s Information Warfare Division, alerted brokers to the lurking threats of cyber attacks and pushed them to implement defence mechanisms before they fall prey to cybercriminals.
“The time to be thinking about a response is well before a response is required,” Dr Thompson told Mortgage Business sister brand The Adviser.
“Once an incident occurs, it’s too late to be thinking about that.”
Dr Thompson’s warnings have followed multiple incidents of malicious cyber attacks in the financial services sector, with studies revealing last year that the industry suffered the highest number of data breaches between January and July 2021.
Home buyers have also been targeted by scammers and lost hundreds of thousands of dollars.
These sustained attacks and scams (which have escalated during the COVID-19 crisis) led Connective to urge brokers to bolster their cyber-security posture to protect their businesses, though it lamented that this issue had dropped down their list of priorities.
Dr Thompson and Phil Tarrant (director, defence, security and aerospace at The Adviser’s parent company, Momentum Media) will discuss these issues at the Better Business Summit 2022, examining why brokers have a large target on their backs as they increasingly operate in a digital environment and how they could build cyber-resilient brokerages.
Dr Thompson said brokers and the broader financial services sector are vulnerable to cyber-criminal activity because they have access to their clients’ sensitive financial information and digital systems that connect to financial institutions and other trading mechanisms.
Dr Thompson outlined the cybersecurity threats facing Australian businesses in a Cyber Security Uncut podcast hosted by Momentum Media cyber-security brand Cyber Security Connect, and flagged that the threat has heightened in the wake of Russia’s “invasion” of Ukraine.
Scott Morrison recently warned that businesses could be in the firing line of Russian cyber criminals as reprisal for Australia imposing a series of measures against the country including economic sanctions.
Dr Thompson cautioned businesses against complacency, and suggested that they patch their systems, and update their hardware, software and security measures.
The 3-pronged defence system
Noting that some businesses have employed measures with more vigour than others, Dr Thompson advised brokers to implement three types of cyber-security protection.
The first is self-defence, which would involve providing education to increase awareness among employees and embedding a culture of caution.
“Don’t be the person who clicks on the links in the phishing email or posts information on social media that a professional cybercriminal could use to target your brokerage in a socially engineered phishing attack,” he said.
The second is passive defence, where system administrators assess how well businesses are complying with the mitigation strategies developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), which aim to prevent adversaries from compromising systems.
Known as the “essential eight”, these strategies include:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multifactor authentication
- Regular backups
The third is an active strategy, where professional cyber-security officers sit inside systems and actively detect, contain, and resolve threats to a business’s system.
Be across the law
In addition, staying up to date on legislation is crucial, particularly the Security of Critical Infrastructure Act 2018, which manages the complex and evolving national security risks of sabotage, espionage, and coercion posed by foreign involvement in Australia’s critical infrastructure.
It applies to 22 asset classes across 11 sectors including financial services and markets.
“That legislation reclassified critical infrastructure within our economy, so there will be obligations on all companies within these sectors to consider not only the cybersecurity of their organisation but also their product or service offering,” Dr Thompson said.
The NSW government established a new identity support unit last year to minimise the risks associated with identity theft, setting up IDSupport NSW to prevent identity misuse and provide a single-point-of-contact support service for citizens.
In 2020, the NSW government allocated a record $240 million to strengthen its internal cyber capacity, established a regional Cyber Security Hub in Bathurst, led the work for an industry standards taskforce, and introduced SME targets for information and communication technology (ICT) expenditure across government.
Dr Thompson will delve further into the legislative environment at the summit, and present a conceptual framework for the consideration of cyber security, and answer brokers’ questions around their technical support during his session.
The Better Business Summit 2022 will be held in the following locations:
- Brisbane, 28 April 2022 at Sofitel Brisbane Central
- Sydney, 5 May 2022 at the Australian Turf Club, Royal Randwick Racecourse
- Adelaide, 12 May 2022 at the Adelaide Convention Centre
- Perth, 19 May 2022 at Crown Towers
- Melbourne, 2 June 2022 at Crown Towers
To read more about how brokerages could strengthen their cyber-security measures, check out the December 2021/January 2022 edition of The Adviser magazine.