Cyber crime is a very real threat for anyone these days, and the damage identity theft can do, both financial and mental, is significant.
Australians lost over $205 million to scams between 1 January and 1 May 2022, according to new data from the Australian Competition and Consumer Commission’s (ACCC’s) Scamwatch. Of that, the majority of losses have been to investment scams with $158 million lost, an increase of 314% compared to the same period last year.
Even financial professionals can be caught out, through no fault of their own, with personal finance commentator Paul Clitheroe detailing his own experience with identity theft in a recent article.
This interview took place at the 2022 SMSF Association conference where SuperGuide were guests of the SMSF Association.
What should SMSF trustees be aware of when thinking about cybersecurity?
Look, I think the most important thing is two-factor or multi-factor authentication, which pretty well all the software does have. And hopefully all the investment platforms that they’re dealing with also have it. It’s important from where? Not only from what’s in the fund itself, but what data is coming into the fund from the investment platforms. And most of them now have got multi-factor authentication.
The biggest problem with cybersecurity is not necessarily somebody doing the wrong thing, a trustee doing the wrong thing deliberately because they know; it’s a lack of training. And I highly recommend for trustees that if you’re going to be doing stuff online, generally you need to have some training around cybersecurity.
You need to understand what phishing is because that’s really the biggest cause of problems for people with computer systems and that’s really, I think the key. And in our organisation we do a lot of training of staff to try and cover all this sort of stuff.
Because if you don’t understand the basics of what you’ve got to look for in an email, or look for in an SMS, or look for in whatever communication type you’re getting, then you are going to click on things you shouldn’t click on and they are eventually going to cause you problems.
How can SMSF trustees be sure that their accountant, adviser or investment software has the right cybersecurity protocols?
Yeah, it’s a good question. I don’t think they really can. They can ask the questions. I suppose the trustee could develop their own security questionnaire, or steal one from someone on site, and ask this of all of the people they deal with. You would hope that the software suppliers that they’re dealing with and the professionals that they’re dealing with have got proper professional indemnity and cyber insurance, because it is really important. And I did talk about that at the breakfast yesterday.
It is very important that people have got combined insurances and that they’re covered for the events that they need to be covered for. But all of that is useless without the training. So you really want to make sure that whoever you’re dealing with is training their people. Now, most of the investment platforms, they’re reasonably good. They’ve got multi-factor authentication. Don’t use dates of birth and kids’ names and things like that as your passwords; use statements or use exotic characters, because you don’t want something that’s easy to guess or easy to brute force if somebody’s trying to really get into your stuff.
But the other side of it is you’ve got to look where the risk is. So what’s the risk of somebody getting into your software or your data? Can they steal any money from you? And the answer is no, because the software doesn’t have the ability to transact. If they do something through your investment platform, potentially, yes. They could steal money if you had cash in the platform, or they could sell securities or something like that if they get into it. So it is important that you do have proper authentication on those.
Do you know of any cybersecurity insurance that is available for individuals or trustees?
Yeah. I can honestly say I haven’t looked. I would bet if we’re not seeing it already, we will soon see it in home insurance policies that there’ll be something around cyber and I think there’s already some of the smarter ones. As a trustee, individually, you don’t need huge amounts of cover because the professionals you’re dealing with should have that cover. Maybe that’s the question you need to be asking is if you’re a trustee and you’re dealing with a platform or you’re dealing with a professional firm, just ask them the question about professional indemnity and cyber insurance.
Lesh ensures that all BGL employees complete relevant cybersecurity training, which is something all employers, especially those who work in platforms and technology, should consider providing for employees.
BGL uses international organisation KnowBe4, which offers training for employees of organisations all over the world, including Australia. “As part of employee training, KnowBe4 also offers a home user course for individuals to share with their families at no additional charge,” KnowBe4 senior public relationship manager Amanda Tarantino told SuperGuide.
Lesh strongly recommends doing some kind of training to raise your awareness of cybersecurity issues, but to get you started on your own SMSF cybersecurity audit we have put together the following 8-question questionnaire.
SMSF cybersecurity questionnaire
1. Do all your SMSF programs and platforms have two or multi-factor authentication?
This is one of the most important things when it comes to cybersecurity, according to Lesh. Multi-factor authentication means you need more than a single password to get into any program or trading platform where you keep SMSF funds, or are able to transfer funds to and from.
Multi-factor authentication requires a combination of two or more proofs of identity to give you access. Those proofs of identity could include something you know (a PIN or a secret question), something you have (like a token) and something you are (like a fingerprint). You might already be familiar with authenticator apps and physical tokens, which are also used in multi-factor authentication. Where a platform offers a choice, an authenticator app or physical token is preferable to a code sent by SMS, because SMS codes can be intercepted by a scammer who has had your phone number transferred to their own SIM.
2. Are you using hard-to-guess passwords (not birthdates, family members’ names and the like)?
Everybody has a lot of passwords these days and it is getting increasingly harder to remember them, but it is important to be diligent with your passwords and not use names or numbers/dates that could easily be traced back to you.
Michal Kepkowski is a senior software developer and a PhD candidate at Macquarie University’s Cybersecurity Hub. He also cautions against using the same password for multiple services.
“History shows that data breaches are still a significant problem. Usually, such breaches expose credentials including passwords. So what attackers are doing is simply taking those passwords and trying different services,” he says.
One option is to use a password manager which can randomly generate a strong password for you and remember it, and all your other passwords as well. Password managers can be local on one single device, or be held in the cloud. Both have their purposes. Kepkowski personally uses KeePass, a free password manager on his computer, and Bitwarden, which is an open-source product in the cloud.
“Open-source password managers have the advantage of being checked not only by developers but also by the community and in case of issues, the patch can be quickly applied,” Kepkowski says.
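To show what a password manager actually does when it "randomly generates a strong password", and why a birthdate is a poor substitute, the following added example (written for this page; not KeePass, Bitwarden or any other product's code) draws passwords and passphrases from the operating system's cryptographic random source and works out how many guesses an attacker would need. The 16-word list is a constructed stand-in for the multi-thousand-word lists real passphrase generators use, and the guess rate of 10 billion per second is an assumed figure for offline cracking of a leaked password database.

```python
import math
import secrets
import string

# 94 printable ASCII characters: what a typical password manager draws from.
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list; a real generator uses several thousand words.
WORDS = ["anchor", "basalt", "candle", "dolphin", "ember", "falcon", "garnet", "harbour",
         "iris", "juniper", "kestrel", "lantern", "meadow", "nutmeg", "orchid", "pebble"]

# Roughly 100 years of possible birthdates; a scammer who knows your rough age needs far fewer.
PLAUSIBLE_BIRTHDATES = 36525

ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: offline cracking of a stolen hash


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy for `symbols` independent picks from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def generate_password(length: int = 16) -> str:
    """Uses `secrets` (OS CSPRNG). `random` is seeded predictably and must not be used."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=WORDS) -> str:
    """Diceware-style passphrase: easier to type, and each word adds log2(len(wordlist)) bits."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def seconds_to_crack(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average the attacker searches half the space."""
    return (2 ** bits) / 2 / guesses_per_second


def compare_choices() -> dict:
    """Entropy and expected cracking time for three kinds of password."""
    cases = {
        "birthdate (DDMMYYYY)": entropy_bits(PLAUSIBLE_BIRTHDATES, 1),
        "16 random characters": entropy_bits(len(CHARSET), 16),
        f"5 words from a {len(WORDS)}-word list": entropy_bits(len(WORDS), 5),
    }
    return {label: (round(bits, 1), seconds_to_crack(bits)) for label, bits in cases.items()}


if __name__ == "__main__":
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase())
    for label, (bits, seconds) in compare_choices().items():
        print(f"{label:32s} {bits:6.1f} bits  ~{seconds / 86400 / 365:.3g} years to crack")
```

The entropy figures are what matter: an eight-digit birthdate looks like a 26-bit number but has only about 15 bits of real uncertainty, which is gone in a fraction of a second, whereas 16 characters chosen uniformly give about 105 bits. Generating a different random password for every service is also what defeats the credential stuffing Kepkowski describes: a password leaked from one breach then opens nothing else.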
3. Are you automatically updating all your software and apps as prompted?
Those annoying little reminders and prompts about the latest software or app update are there for a reason. They very often include fixes for security flaws and other bugs, and once you complete them they should make your programs and your computer more secure and harder for scammers to access. Attackers routinely target known flaws in out-of-date software, so the window between an update being released and you installing it is a period of avoidable risk.
4. Are you backing up data regularly?
Backing up your data will stop important information and files being lost. The Australian Taxation Office (ATO) asks SMSF trustees to keep many records for a minimum of five years and some documents for much longer. So, it’s important that vital information won’t be lost or corrupted, and it’s also important that the backed-up data is stored responsibly and is protected from scammers too. A backup that stays permanently connected to your computer can be encrypted or deleted by the same ransomware that hits the original, so keep at least one copy offline or in a service that retains earlier versions of your files.
5. Do you delete emails, texts or social media messages from unknown or suspicious senders?
Questionable emails from unidentified senders should always be deleted as soon as possible. Even if it looks like it’s from a regulator such as the ATO, be very wary if it is asking for important and confidential information. One way is to check the email address itself, not just the sender name that pops up, but bear in mind that a sender address can also be forged, so a genuine-looking address is not proof on its own. Rather than following a link in a message, open the organisation’s website or app the way you normally would and log in there. Scammers are getting increasingly sophisticated. The NAB webinars explain how to spot phishing emails.
6. Are you careful what you share on social media?
You may or may not be a social media user but if you are be careful what you share. Even if it seems innocuous, a picture of your SMSF’s holiday house investment, for example, could alert someone to the fact that you have an SMSF and that could begin their search for further details. Posting information about holidays also lets scammers know you’re not home and other personal information could offer clues for deciphering your password. Potential identity thieves could also glean enough information to impersonate you to your financial providers.
Scammers can also target you through social media messaging and requests for information or to complete an online quiz. So be wary of any unsolicited messages and make sure you have strong privacy and security settings.
7. Are you aware of current cybersecurity threats and how they could impact you?
The ACCC’s Scamwatch website is a good place to start for this, and it also offers an alert service you can sign up for that will notify you of the latest scams. The Australian Cyber Security Centre (ACSC) also has a list of common cyber threats and what to watch out for.
8. Have you asked your service providers whether they have professional indemnity and cyber insurance that covers cybersecurity threats?
Most reputable SMSF and financial service providers will have relevant insurance, but that does not mean you should not ask. The question may be a timely prompt for them to check their existing policies to make sure they cover the cyber incidents that could affect your fund.
You should also ask them if, like BGL, they provide cybersecurity training for employees. And always remember you can take your business elsewhere if you don’t like the answer they give or if they are unwilling to answer.