Cybersecurity threats are very real for anyone these days, and the damage that can be done by identity theft – both financial and mental – is significant.
Australians lost over $205 million to scams between 1 January and 1 May 2022, according to new data from the Australian Competition and Consumer Commission's (ACCC’s) Scamwatch. Of that, the majority of losses have been to investment scams with $158 million lost, an increase of 314% compared to the same period last year.
Even financial professionals can be caught out, through no fault of their own, with personal finance commentator Paul Clitheroe detailing his own experience with identity theft in a recent article.
In the following video interview, BGL managing director Ron Lesh says the biggest problem with cybersecurity for SMSFs is not necessarily the trustee doing the wrong thing; it’s a lack of knowledge of how you can be taken advantage of online.
This interview took place at the 2022 SMSF Association conference where SuperGuide were guests of the SMSF Association.
Transcript
What should SMSF trustees be aware of when thinking about cybersecurity?
Look, I think the most important thing is two-factor or multi-factor authentication, which pretty well all the software does have. And hopefully all the investment platforms that they're dealing with also have important from where? Not only from what's in the fund itself, but what data is coming into the fund from the investment platforms. And most of them now have got multi-factor authentication.
The biggest problem with cybersecurity is not necessarily somebody doing the wrong thing, trustee doing the wrong thing deliberately because they know; it's a lack of training. And I highly recommend for trustees that if you're going to be doing stuff online, generally you need to have some training around cybersecurity.
You need to understand what phishing is, because that's really the biggest cause of problems for people with computer systems, and that's really, I think, the key. And in our organisation we do a lot of training of staff to try and cover all this sort of stuff.
Because if you don't understand the basics of what you got to look for in an email or look for in an SMS or look for in whatever communication type you're getting, then you are going to click on things you shouldn't click on and they are eventually going to cause you problems.
How can SMSF trustees be sure that their accountant, adviser or investment software has the right cybersecurity protocols?
Yeah, it's a good question. I don't think they really can. They can ask the questions. I suppose the trustee could develop their own security questionnaire or steal one from someone on site and ask this of all of the people they deal with. You would hope that the software suppliers that they're dealing with and the professionals that they're dealing with have got proper professional indemnity and cyber insurance, because it is really important. And I did talk about that at the breakfast yesterday.
It is very important that people have got combined insurances and that they're covered for the events that they need to be covered. But all of that is useless without the training. So you really want to make sure that whoever you're dealing with is training their people. Now, most of the investment platforms, they're reasonably good. They've got multi-factor authentication. Don't use dates of birth and kids' names and things like that as your passwords; use statements or use exotic characters, because you don't want something that's easy to guess or easy to brute force if somebody's trying to really get into your stuff.
But the other side of it is you've got to look where the risk is. So what's the risk of somebody getting into your software or your data? Can they steal any money from you? And the answer is no, because the software doesn't have the ability to transact. If they do something through your investment platform, potentially, yes. They could steal money if you had cash in the platform, or they could sell securities or something like that if they get into it. So it is important that you do have proper authentication on those.
Do you know of any cybersecurity insurance that is available for individuals or trustees?
Yeah. I can honestly say I haven't looked. I would bet if we're not seeing it already, we will soon see it in home insurance policies that there'll be something around cyber and I think there's already some of the smarter ones. As a trustee, individually, you don't need huge amounts of cover because the professionals you're dealing with should have that cover. Maybe that's the question you need to be asking is if you're a trustee and you're dealing with a platform or you're dealing with a professional firm, just ask them the question about professional indemnity and cyber insurance.
Lesh ensures that all BGL employees undertake relevant cybersecurity training, which is something all employers, especially those who work in platforms and technology, should consider providing for employees.
BGL uses international organisation KnowBe4, which offers training for employees of organisations all over the world, including Australia. “As part of employee training, KnowBe4 also offers a home user course for individuals to share with their families at no additional charge,” KnowBe4 senior public relationship manager Amanda Tarantino told SuperGuide.