
Protecting your brokerage from data thieves

Tas Bindi 16 minute read

Lax data security practices can put broking businesses and their customers at risk, with the issue set to become more critical in the coming years as open banking advances. Tas Bindi speaks to leading experts in cyber security and finance about how brokers can minimise the risk of data breaches.

Cyber security may seem to be a technical issue, but in reality, it is a much broader business risk. A serious data breach, as many widely publicised incidents show, can result in significant penalties, financial loss and reputational damage. Poor data management and protection practices can put a business in jeopardy by opening the door for attackers to access, corrupt, destroy or sell sensitive information – such as credit card details, financial statements and identity data – on the dark web.

Antony Brooke-Wood, the chief information officer of Simpology, says that while no industry sector is immune from a cyber attack, financial services businesses are a “particularly attractive target” as they often hold sensitive (and therefore, valuable) information.

According to the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Scheme 12-month Insights Report, the financial services sector reported the second-highest number of data breach notifications in Australia (after the health sector).

Connie Mcintosh, manager of cyber security operations at the University of the Sunshine Coast’s Institute for Cyber Investigations and Forensics, says this is likely reflective of the high volume of data held within these industries, as well as their “comparatively mature processes” for identifying and reporting data breaches.


“Both sectors face strong regulatory scrutiny around data protection, and the costs associated with data breaches may also be higher,” Ms Mcintosh adds.

“It is necessary for a business to understand the regulatory framework [for] data breaches and understand what puts them in scope of a data breach. If in scope, the [European Union’s General Data Protection Regulation] framework only allows 72 hours to report, whereas [it’s 30 days in Australia, under the NDB scheme],” she says.

Reputational and financial risks

Indeed, Poli Konstantinidis, executive general manager of credit services and decision analytics at Experian Australia and New Zealand, says many consumers regard transactional data as having a high degree of sensitivity and vulnerability.

As such, providing sensitive information to a broker entails a significant degree of trust, and as customer expectations around data security increase, breaking that trust can ultimately damage a business.

“Less than 50 per cent of Australians are willing to share their data with businesses to better detect fraud, highlighting the fact that consumers are protective and cautious with their personal data, and once their trust is broken, it may be difficult to rectify,” Mr Konstantinidis says.

Experian’s APAC Digital Consumer Insights study recently found that 49 per cent of Australians are likely to cancel or switch bank services as a result of fraud.

“These statistics demonstrate the high importance businesses should be placing on improving their data management processes to ensure their customers feel that their personal data is in safe hands,” he says.

Alongside the reputational risks, cyber security breaches can carry substantial financial costs. According to Tim Dillon, APAC director of technical security consulting at the NCC Group, business email compromise scams are costing businesses tens of millions of dollars each year.

While the Australian Competition and Consumer Commission reported that business email compromise scams had cost Australian businesses more than $22 million in 2017, Mr Dillon speculates that it’s triple or quadruple that figure now.

‘The weakest link’

Renowned hacker Kevin Mitnick once said that “the weakest link in the security chain” is the “people who use, administer, operate and account for computer systems that contain protected information”.

Indeed, 41 per cent of breaches reported by financial services firms are attributable to human error, such as personal information being sent to the wrong recipient, according to the OAIC report.

Mr Dillon says the majority of the breaches that the NCC Group responds to are compromised business emails, and nine times out of 10, it’s related to credential stuffing, which is a specific type of attack that involves a malicious group obtaining user credentials by breaching a system, and then attempting to use those credentials in other systems.

The issue is compounded by the fact that a lot of people still use their work email to register for various services online, Mr Dillon adds.
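The pattern Mr Dillon describes leaves a visible trace in authentication logs before the attacker gets in: one source address trying many different accounts in quick succession, most of them failing, because the attacker is replaying a leaked username/password list rather than guessing one user’s password. The following Python is an added example, not code from the article or from NCC Group. It runs over a few constructed log lines in a hypothetical webmail audit format (timestamp, source IP, username, OK/FAIL), flags the stuffing pattern, and lists any account where a leaked password actually worked so it can be reset and enrolled in multifactor authentication.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not real data). The format is a
# hypothetical one: ISO timestamp, source IP, username, OK or FAIL.
SAMPLE_LOG = """\
2019-06-03T09:00:01 203.0.113.5 alice@example-brokerage.com FAIL
2019-06-03T09:00:02 203.0.113.5 bob@example-brokerage.com FAIL
2019-06-03T09:00:02 203.0.113.5 carol@example-brokerage.com FAIL
2019-06-03T09:00:03 203.0.113.5 dave@example-brokerage.com FAIL
2019-06-03T09:00:03 203.0.113.5 erin@example-brokerage.com FAIL
2019-06-03T09:00:04 203.0.113.5 frank@example-brokerage.com FAIL
2019-06-03T09:00:04 203.0.113.5 grace@example-brokerage.com OK
2019-06-03T09:00:05 203.0.113.5 heidi@example-brokerage.com FAIL
2019-06-03T09:05:00 198.51.100.7 alice@example-brokerage.com FAIL
2019-06-03T09:05:20 198.51.100.7 alice@example-brokerage.com OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse(log_text):
    """Parse the hypothetical audit-log format into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many *different* accounts within `window`
    with a high failure rate. A user mistyping their own password produces
    one username and a few failures; a replayed breach list produces many
    usernames and mostly failures. Returns one alert per offending IP,
    covering the widest qualifying span seen for that IP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in sorted(by_ip.items()):
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            if len(users) >= min_distinct_users and fails / len(span) >= min_fail_ratio:
                if best is None or len(span) > best["attempts"]:
                    best = {
                        "ip": ip,
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "failures": fails,
                        # Accounts whose reused password worked: reset and enrol in MFA.
                        "compromised": sorted(e["user"] for e in span if e["ok"]),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately conservative so that a single user retrying their own password (the second IP in the sample) is not flagged; tune them against your own mail platform’s baseline, and feed the `compromised` list straight into a forced password reset rather than waiting for the user to notice.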

As an example, Ms Mcintosh cites an international case involving the Bank of Scotland. The case involved a number of data breaches due to human error, such as storing confidential customer data on a CD-ROM that reportedly got lost in the postal service.

The bank also repeatedly faxed confidential customer data to the wrong fax number, even after it had been reported, she says.

Mr Brooke-Wood points out that once a hacker gains control of the target’s email, “they can use it to launch a number of different attacks, from identity theft to CFO fraud or extortion”.

A hypothetical attack in the broking sector, according to Simpology’s CIO, could play out as follows: “A broker uses the same password for both Facebook and their work email accounts. After a Facebook breach, these details are leaked online and a hacker uses them to take over their email account. At this point, they have access to the personal and financial records of the broker’s customers who were applying for a home loan.

“These details are used by the hacker to take over the customers’ identities and open credit cards and apply for personal loans in their name. The customers are subsequently alerted to the fraud and the broker suffers a reputational loss.”

A costly mistake

The potential real-life costs of such a business email compromise were illustrated in the case of PEXA, an electronic conveyancing service provider that faced scrutiny last year for its unintended involvement in two security breaches.

One of the breaches resulted in hackers stealing $250,000 from the sale of former MasterChef contestant Dani Venn’s property by diverting the settlement funds into a fraudulent bank account. The culprit had reportedly gained unauthorised access to a conveyancer’s email account and used it to reset the password for a PEXA account.

The fraud case prompted PEXA to boost security by rolling out multifactor authentication, anomaly detection, account activity timestamps and the ability to create new users in an “inactive” mode, meaning that only PEXA can activate new users on behalf of its clients after confirming the new user with them.

Open banking to make data security more urgent

The importance of practicing good data security is set to become an even more pressing issue for brokers over the next few years, as the open banking regime advances, according to Mr Konstantinidis.

“As the industry innovates in line with regulatory drivers, robust security measures are essential to ensure customer trust and loyalty. Security should never be jeopardised,” he says.

Mr Konstantinidis says the introduction of open banking in Australia will allow businesses to retain a competitive edge, while assisting them in managing two competing priorities.

“The first being the increased and heightened standards set by regulators around better and fairer outcomes for the consumer. And secondly, the increased consumer awareness and empowerment particularly on how they want to be serviced as we move towards an end-to-end digital servicing environment,” he explains.

Mr Konstantinidis believes the nation needs “the legal and technical frameworks to give equal consideration to technical efficacy and security of data transfer processes”.

“If there is no confidence to begin with, or a high-risk data breach occurs resulting in a consequent loss of confidence, there is a serious risk that the potential benefits of open data access and data sharing – and more particularly, consumer confidence in supporting and participating in the data sharing process – will be lost,” he adds.

As such, Experian’s executive GM stresses the importance of education, transparency and control, saying that “a solid understanding about who accesses the data, and how, is imperative to build and maintain trust in the system”.

“Further to this, to champion the consumer’s best interests, practical implementation and delivery must be addressed. Robust complaint remediation and redress processes will be key, and solution providers must deliver full customer support in instances where the new system does not go to plan,” Mr Konstantinidis says.

“We, as an industry, must ensure we build and maintain the required level of trust through this initial period of transition.”

Reducing the risks

David Fairman, chief enterprise security officer at National Australia Bank, says that brokers “absolutely have a role to play in protecting customers’ personal and financial information”, given the nature of their work and the amount of sensitive customer data they hold.

Key steps in protecting data include “an awareness of the risks, understanding obligations, and applying suitable controls,” he says.

The 3 key questions to ask

The very first thing brokers need to do to improve their data security practices, according to Mr Dillon, is to ask the following three questions:

  • Where is my customer data located?
  • Who has access to my customer data?
  • Is my customer data secure?

“Once they know where their data is, they need to apply basic security principles to that. If they are [stored] in the cloud, then they have to apply those basic security principles to the cloud.

“If they are mostly stored on a laptop, they have to make sure they’ve got the basics in place, like full disk encryption and multifactor authentication, to prevent business email compromise. These are the big ones,” he says.

“As they try to solve those three questions, they might have to get external help… but they should come to an outcome.”

When it comes to protecting emails, Simpology’s CIO suggests using:

  • unique, difficult-to-guess passwords
  • a password manager, such as LastPass
  • multifactor authentication, through a tool such as Google’s Authenticator
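What an authenticator app such as Google Authenticator actually produces is a time-based one-time password (RFC 6238): a six-digit code derived from a shared secret and the current 30-second time step, so a password leaked from another site is useless without the enrolled device. The following Python is an added example, not code from the article or from any vendor named in it. It implements HOTP/TOTP with the standard library plus a server-side verifier that tolerates one step of clock drift and compares codes in constant time. The secret is the published RFC 4226/6238 test key, not a real one; `TEST_SECRET_B32` and the function names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226/6238 test vector key, base32-encoded the way an authenticator
# app receives it in its enrolment QR code. Public test data, never reuse it.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the phone computes every 30 seconds."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret_b32, candidate, at_time=None, step=30, window=1):
    """Server-side check. Accepts the code for the current step and `window`
    steps either side to tolerate clock drift. Uses a constant-time compare
    so response timing does not reveal how many digits matched."""
    if at_time is None:
        at_time = time.time()
    if not (candidate.isdigit() and len(candidate) == 6):
        return False
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET_B32, now)
    print("current code:", code, "accepted:", verify_totp(TEST_SECRET_B32, code, now))
```

A production verifier must also remember the last accepted time step for each user and refuse a code from that step or earlier, otherwise a code phished or intercepted in transit can be replayed within the drift window. Enrolment secrets should be generated with `secrets.token_bytes(20)`, shown to the user once, and stored encrypted at rest.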

But importantly, he advises brokers to be proactive and minimise the damage that could result from an email breach.

“They can reduce the ‘value’ of their email account to a hacker by not storing any sensitive information in their account. In other words, stop treating email like a file server,” Mr Brooke-Wood warns.

“It’s still incredibly common for brokers to email an applicant’s financial information to a lender when applying for a loan, which means all of that information is sitting in the broker’s email account.”

He adds: “Ideally, brokers should be sending this information to lenders using a tool like Loanapp’s Supporting Documents tool. Not only does it keep these files out of the broker’s inbox, but it ensures that they are encrypted both at rest and in transit, which is difficult to ensure when submitting documents via email.”

Ultimately, due to the accelerating threat of cyber attacks and the nation moving to an economy-wide open data model, Mr Konstantinidis says brokers need to be prepared to demonstrate what they are doing to ensure the best customer experience while also keeping customer data protected, in order to gain and maintain the customer’s trust.

Hack attack checklist

  • Don’t assume that cyber attacks only impact larger business. Small and medium-sized businesses are the target of more than 50 per cent of cyber attacks in Australia.
  • Don’t let your business operate without a data security policy.
  • Don’t click on links or open attachments in suspicious emails or messages.
  • Don’t email personally identifiable information (PII) data unencrypted.
  • Don’t store unencrypted PII or protected data on thumb drives, CD-ROMs and laptops, which can be easily lost or stolen.
  • Don’t store your backup data in the same network.
  • Don’t allow everyone in the business to access all folders.
  • Don’t allow employees to share accounts or credentials.

Essentials for keeping data secure

With the threat of cyber crime on the rise, Connie Mcintosh, manager of cyber security operations at the University of the Sunshine Coast’s Institute for Cyber Investigations and Forensics, shares the essential processes for businesses to safeguard customer and business data from corruption, compromise and loss.

  • Know your data: Know what data you need to protect, as well as where and how it is stored, backed up and protected.
  • Identify: Use multifactor authentication to make it harder for adversaries to access sensitive information and systems. Easy-to-implement solutions include Duo, Okta and RSA.
  • Passwords: Use strong passwords and change them regularly.
  • Training and education: Provide ongoing cyber security training and education to staff to emphasise that every member of the organisation is responsible for protecting data. Training on proper usage and handling of personally identifiable information is recommended to reduce data breaches caused by employee error, such as a lost device or accidental disclosure.
  • For your eyes only: Grant access to protected information only to those who need to view or use the data. Restrict administrative privileges based on duties.
  • In transit and at rest: Implement encryption both at rest and in transit to secure protected data from being accessed once someone has found their way onto your systems.
  • Antivirus software: Install and continue to update antivirus software.
  • Firewalls: Deploy firewalls on anything connected to the internet.
  • Mobile devices: Apply encryption and other measures to protect mobile devices that contain information.
  • Access denied: Do not allow software, applications and other additions to existing systems to be installed by staff without prior consent from approved authorisers. Patching existing software applications is also essential for data security access.
  • Back it up: Back up files regularly for quick and easy data restoration, and consider storing backed-up information offsite and away from the main system.
  • Lock it up: Keep computers and other electronics that contain protected information in locked rooms in secure areas.


Tas Bindi is the features editor for The Adviser magazine. 

Prior to joining Momentum Media, Tas wrote for business and technology titles such as ZDNet, TechRepublic, Startup Daily, and Dynamic Business. 


