Lax data security practices can put broking businesses and their customers at risk, with the issue set to become more critical in the coming years as open banking advances. Tas Bindi speaks to leading experts in cyber security and finance about how brokers can minimise the risk of data breaches.
Cyber security may seem to be a technical issue, but in reality, it is a much broader business risk. A serious data breach, as many widely publicised incidents show, can result in significant penalties, financial loss and reputational damage. Poor data management and protection practices can put a business in jeopardy by opening the door for attackers to access, corrupt or destroy sensitive information – such as credit card details, financial statements and identity data – or to sell it on the dark web.
Antony Brooke-Wood, the chief information officer of Simpology, says that while no industry sector is immune from a cyber attack, financial services businesses are a “particularly attractive target” as they often hold sensitive (and therefore, valuable) information.
According to the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Scheme 12-month Insights Report, the financial services sector is the second-most vulnerable to data breaches in Australia (after the health industry).
Connie Mcintosh, manager of cyber security operations at the University of the Sunshine Coast’s Institute for Cyber Investigations and Forensics, says this is likely reflective of the high volume of data held within these industries, as well as their “comparatively mature processes” for identifying and reporting data breaches.
“Both sectors face strong regulatory scrutiny around data protection, and the costs associated with data breaches may also be higher,” Ms Mcintosh adds.
“It is necessary for a business to understand the regulatory framework [for] data breaches and understand what puts them in scope of a data breach. If in scope, the [European Union’s General Data Protection Regulation] framework only allows 72 hours to report, whereas [it’s 30 days in Australia, under the NDB scheme],” she says.
Indeed, Poli Konstantinidis, executive general manager of credit services and decision analytics at Experian Australia and New Zealand, says many consumers regard transactional data as having a high degree of sensitivity and vulnerability.
As such, providing sensitive information to a broker entails a significant degree of trust, and as customer expectations around data security increase, breaking that trust can ultimately damage a business.
“Less than 50 per cent of Australians are willing to share their data with businesses to better detect fraud, highlighting the fact that consumers are protective and cautious with their personal data, and once their trust is broken, it may be difficult to rectify,” Mr Konstantinidis says.
Experian’s APAC Digital Consumer Insights study recently found that 49 per cent of Australians are likely to cancel or switch bank services as a result of fraud.
“These statistics demonstrate the high importance businesses should be placing on improving their data management processes to ensure their customers feel that their personal data is in safe hands,” he says.
Alongside the reputational risks, cyber security breaches can carry substantial financial costs. According to Tim Dillon, APAC director of technical security consulting at the NCC Group, business email compromise scams are costing businesses tens of millions of dollars each year.
While the Australian Competition and Consumer Commission reported that business email compromise scams had cost Australian businesses more than $22 million in 2017, Mr Dillon speculates that it’s triple or quadruple that figure now.
Renowned hacker Kevin Mitnick once said that “the weakest link in the security chain” is the “people who use, administer, operate and account for computer systems that contain protected information”.
Indeed, nearly half, or 41 per cent, of breaches reported by financial services firms are attributable to human error, such as personal information being sent to the wrong recipient, according to the OAIC report.
Mr Dillon says the majority of the breaches that the NCC Group responds to are compromised business emails, and nine times out of 10, they are related to credential stuffing: a type of attack in which a malicious group obtains user credentials by breaching one system and then attempts to use those credentials in other systems.
The issue is compounded by the fact that a lot of people still use their work email to register for various services online, Mr Dillon adds.
As an example, Ms Mcintosh cites an international case involving the Bank of Scotland. The case involved a number of data breaches due to human error, such as storing confidential customer data on a CD-ROM that reportedly got lost in the postal service.
The bank also repeatedly faxed confidential customer data to the wrong fax number, even after it had been reported, she says.
Mr Brooke-Wood points out that once a hacker gains control of the target’s email, “they can use it to launch a number of different attacks, from identity theft to CFO fraud or extortion”.
A hypothetical attack in the broking sector, according to Simpology’s CIO, could play out as follows: “A broker uses the same password for both Facebook and their work email accounts. After a Facebook breach, these details are leaked online and a hacker uses them to take over their email account. At this point, they have access to the personal and financial records of the broker’s customers who were applying for a home loan.
“These details are used by the hacker to take over the customers’ identities and open credit cards and apply for personal loans in their name. The customers are subsequently alerted to the fraud and the broker suffers a reputational loss.”
The potential real-life costs of such a business email compromise were illustrated in the case of PEXA, an electronic conveyancing service provider that faced scrutiny last year for its unintended involvement in two security breaches.
One of the breaches resulted in hackers stealing $250,000 from the sale of former MasterChef contestant Dani Venn’s property by diverting the settlement funds into a fraudulent bank account. The culprit had reportedly gained unauthorised access to a conveyancer’s email account and used it to reset the password for a PEXA account.
The fraud case prompted PEXA to boost security by rolling out multifactor authentication, anomaly detection, account activity timestamps and the ability to create new users in an “inactive” mode, meaning that only PEXA can activate new users on behalf of its clients after confirming the new user with them.
The importance of practicing good data security is set to become an even more pressing issue for brokers over the next few years, as the open banking regime advances, according to Mr Konstantinidis.
“As the industry innovates in line with regulatory drivers, robust security measures are essential to ensure customer trust and loyalty. Security should never be jeopardised,” he says.
Mr Konstantinidis says the introduction of open banking in Australia will allow businesses to retain a competitive edge, while assisting them in managing two competing priorities.
“The first being the increased and heightened standards set by regulators around better and fairer outcomes for the consumer. And secondly, the increased consumer awareness and empowerment particularly on how they want to be serviced as we move towards an end-to-end digital servicing environment,” he explains.
Mr Konstantinidis believes the nation needs “the legal and technical frameworks to give equal consideration to technical efficacy and security of data transfer processes”.
“If there is no confidence to begin with, or a high-risk data breach occurs resulting in a consequent loss of confidence, there is a serious risk that the potential benefits of open data access and data sharing – and more particularly, consumer confidence in supporting and participating in the data sharing process – will be lost,” he adds.
As such, Experian’s executive GM stresses the importance of education, transparency and control, saying that “a solid understanding about who accesses the data, and how, is imperative to build and maintain trust in the system”.
“Further to this, to champion the consumer’s best interests, practical implementation and delivery must be addressed. Robust complaint remediation and redress processes will be key, and solution providers must deliver full customer support in instances where the new system does not go to plan,” Mr Konstantinidis says.
“We, as an industry, must ensure we build and maintain the required level of trust through this initial period of transition.”
David Fairman, chief enterprise security officer at National Australia Bank, says that brokers “absolutely have a role to play in protecting customers’ personal and financial information”, given the nature of their work and the amount of sensitive customer data they hold.
Key steps in protecting data include “an awareness of the risks, understanding obligations, and applying suitable controls,” he says.
The very first thing brokers need to do to improve their data security practices, according to Mr Dillon, is to ask the following three questions:
“Once they know where their data is, they need to apply basic security principles to that. If they are [stored] in the cloud, then they have to apply those basic security principles to the cloud.
“If they are mostly stored on a laptop, they have to make sure they’ve got the basics in place, like full disk encryption and multifactor authentication, to prevent business email compromise. These are the big ones,” he says.
“As they try to solve those three questions, they might have to get external help… but they should come to an outcome.”
When it comes to protecting emails, Simpology’s CIO suggests using:
But importantly, he advises brokers to be proactive and minimise the damage that could result from an email breach.
“They can reduce the ‘value’ of their email account to a hacker by not storing any sensitive information in their account. In other words, stop treating email like a file server,” Mr Brooke-Wood warns.
“It’s still incredibly common for brokers to email an applicant’s financial information to a lender when applying for a loan, which means all of that information is sitting in the broker’s email account.”
He adds: “Ideally, brokers should be sending this information to lenders using a tool like Loanapp’s Supporting Documents tool. Not only does it keep these files out of the broker’s inbox, but it ensures that they are encrypted both at rest and in transit, which is difficult to ensure when submitting documents via email.”
Ultimately, due to the accelerating threat of cyber attacks and the nation moving to an economy-wide open data model, Mr Konstantinidis says brokers need to be prepared to demonstrate what they are doing to ensure the best customer experience while also keeping customer data protected, in order to gain and maintain the customer’s trust.
With the threat of cyber crime on the rise, Connie Mcintosh, manager of cyber security operations at the University of the Sunshine Coast’s Institute for Cyber Investigations and Forensics, shares the essential processes for businesses to safeguard customer and business data from corruption, compromise and loss.
Tas Bindi is the features editor for The Adviser magazine. She writes about the mortgage industry, macroeconomics, fintech, financial regulation, and market trends.
Prior to joining Momentum Media, Tas wrote for business and technology titles such as ZDNet, TechRepublic, Startup Daily, and Dynamic Business.