A brief adviser guide to cyber security
With many of us continuing to work from home and spending more time online, the issue of cyber security has increasingly come to the fore. The threats and risks associated with cyber attacks seem to be growing, both in volume and intensity.
There are a number of key things for firms to consider in order to counter this growing threat, and encouragingly, a wide range of resources available to help.
To begin with, and perhaps unsurprisingly, the FCA has quite a lot to say on the subject of cyber crime.
In its annual report for 2019/20, the regulator said it had assessed 824 incident reports, of which 790 were cyber or technology-related.
It also noted there had been 324,000 online video views of its latest ScamSmart campaign as at 31 March this year.
The FCA has built up a considerable library of support and help for firms on this matter, for example its good cyber security infographic, an industry insights paper and information for consumers on protecting yourself from scams.
The regulator says generally firms need to make sure they have the right systems in place to tackle this issue.
The FCA has also published a document on banks' fraud controls which, though it has largely gone under the radar, could prove really useful for firms.
Banks gave responses to the following questions:
- What is the firm’s approach to fraud prevention?
- How and when can the firm’s customers contact them?
Combating scams and helping clients stay safe
The FCA and The Pensions Regulator launched their latest joint campaign in July to help prevent pension scams.
There were two key aims behind the campaign: firstly to provide savers aged between 45 and 65 with the knowledge and tools to avoid pension scams, and secondly to provide the pensions industry with the knowledge and tools to help savers.
It outlined the four simple steps people can take to protect themselves:
- Reject unexpected pension offers
- Check the status of a firm with the FCA before changing your pension arrangements
- Don’t be rushed or pressured into making any decision about pensions
- Consider getting impartial information and advice
Its top tips are:
- Create separate passwords for your email
- Create strong passwords using at least three random words
- Save passwords in your browser
- Turn on two-factor authentication
- Update your devices
- Turn on back-up
But the most important thing firms can do is give their clients confidence about how their data is being handled and protected.
It's worth educating your clients as to how exactly your firm will contact them and flagging that if this protocol isn't followed, they should be suspicious.
Clients should be encouraged to call you to verify any suspicious communications, just as you will call to verify any suspicious communications from them.
Firms can keep their clients up to date on cyber crime by highlighting the range of resources available both at the initial advice stage and when delivering ongoing advice, or when completing suitability assessments.
At a firm level, the NCSC has guidance for companies of under 250 people which includes business advice and support on Covid-19, how to get your firm Cyber Essentials certified and the ability to test and practice your response to a cyber attack.
What to ask your IT support firm
Many firms choose to contract out cyber security work to a professional IT support firm.
There are though some due diligence questions you may want to ask before appointing (or renewing contracts with) an IT support firm.
- What is the knowledge and experience of the firm? Ask to speak to their customers to find out their experiences, or ask for accredited testimonials
- What support do they actually offer? What's available during office hours, outside of these, and at weekends?
- How often will their security be updated? You want to be assured that the firm will regularly be updating software
- What training and further support can they provide your staff? You need to know that your staff will be able to get the IT support they need when dealing with problems or issues
- Account management
- Anti-virus protection
- Change management
- Data back-up and data loss prevention
- Secure email
- Encryption policy
- Incident response
- Network access
- Password policy
- Patch management
- Physical security
- Portable computing
- Data protection policy
Staff training should be carried out regularly, keeping staff up to date with company procedures and protocols.
Updating protection software should also become part of a firm’s culture, often becoming a weekly if not daily activity.