According to the latest Zurich SME Risk Index, almost one in six UK SMEs have fallen victim to cyber-attacks in the past year, costing a fifth of victims over £10,000 and 1 in 10 over £50,000.
“Cyber security is a constant cat and mouse game between organisations and attackers, with new vulnerabilities being discovered and closed all the time,” says Adam Louca, Chief Technologist for Security at Softcat, a leading provider of business technology solutions and services.
“Accountancy and financial services firms, by their very nature, are subject to a host of different cyber security regulations which can make navigating data rules and keeping compliant a challenging task.”
Take cyber security seriously
“Neglecting your systems is a business risk, just like any other enterprise risk routinely discussed in the boardroom,” says Simon Kershaw, Development Manager at Wolters Kluwer UK.
“Updating your software regularly means giving it appropriate attention and investment. It should be a key IT task,” he says. “If you do this correctly your company will be in the best possible position to minimise cyber risk and ultimately to minimise business disruption so that your customers also don’t experience disruption to their daily business.”
Updating software and applying patches correctly may seem insignificant as far as daily tasks go, but in the long run, it may mean the difference between customer retention and churn, he says.
Adam Louca says it is essential to be transparent and make appropriate adjustments early enough to protect your business, your customers and the future of your business.
“Using unsupported or non-updated systems can make SMEs with smaller IT budgets an easy target, as seen in last year’s WannaCry ransomware outbreak, which used an old and insecure protocol to spread,” he warns. The vulnerability was widely known and many recommendations had been made to disable the protocol, yet many organisations, for a variety of reasons, did not, so the impact of WannaCry was far greater than it needed to be.
When software needs updating, security “patches” need to be installed.
“A good patching policy is essential not only to ensure the best functionality but also to guard against these threats as much as possible,” he says. “Cyber security is very much a complex chain that is only as strong as its weakest link, and it is of vital importance to ensure that all aspects of the IT estate are kept secure.”
From a security perspective, keeping software up to date is good practice and particularly vital for businesses, says Paul Bischoff, privacy advocate for Comparitech.com.
“A good portion of the updates available for any given software are likely to be security patches,” he says. “It’s important to implement updates as soon as they are available. Security updates are a bit of a double-edged sword in that they prevent hackers from exploiting vulnerabilities, but they also let hackers know where to look for vulnerabilities in software that hasn’t yet been updated.”
Timely intervention is vital
“Last year we saw one of the largest personal data breaches in history when the personal data of 147 million people was stolen from the US company Equifax,” says Neil Martin, marketing manager of Panda Security.
“What was the cause of such an enormous breach? The answer is simple: an application that hadn’t been updated. A vulnerability in the web application Apache Struts allowed hackers to access the data without any difficulty. And this theft could have been avoided: there was a patch available for this vulnerability months before the attack happened.”
This case is just one of many in which applications that needed updating have caused security incidents and serves to underline the importance of patch management in corporate cyber security, he says. This is something that has been confirmed in a recent study of 3,000 cybersecurity professionals carried out by Ponemon Institute and ServiceNow.
“The results demonstrate that a company that is able to detect a vulnerability quickly and apply a patch in a timely manner is less likely to suffer a personal data breach,” he explains. “Time is of the essence: the time between a patch being released and an attack that exploits the vulnerability has reduced 29% over the last two years. This means more pressure on IT professionals to apply patches as quickly as possible.”
What about the organisations you work with?
Once your own internal systems are secure, you should turn your attention to external partners, Adam Louca says. For existing affiliates, ask if they can share information about their own security and privacy policies.
“As we collaborate with business partners, we need to understand the threats to their environment, and how they manage risk, to establish how to defend ourselves,” he explains. “Each partner in a value chain needs to protect information to an appropriate level to give protections to all; the weakest link in the chain can impact everyone.”
When forming new partnerships, make cyber security a central part of the decision and contract signing process.
Protecting customer data
“All it takes is one weak point in your overall security system for the integrity of your entire IT system to be compromised,” says Will Craig, Managing Director of LeaseFetcher.
“Think of the sheer amount of personal data that could be stored online in your systems, from bank details, payroll numbers, national insurance numbers, and how easily it can be taken advantage of by unscrupulous people. This data is a goldmine for criminals if it can be reached easily.”
How to reduce risks on your system
Neil Martin says accountants should carry out a vulnerability scan on their systems. “If we don’t know what vulnerabilities there are in the system, there is a much higher possibility of them being exploited,” he says.
“Another problem that has been revealed by the study is that almost two thirds of companies have trouble knowing which patch to apply first since they don’t have enough information to be able to prioritize each patch. If they are unable to prioritize, urgent problems may go unresolved, while other less important problems are resolved first.”
Brian Palmer, tax policy expert at AAT says, “We want to help our members understand the importance of effective, up to date firewalls and security.”
Criminals are trying to harvest personal information from a variety of sources, rather than getting everything they need from one source. They gather data and stitch it together to build up a picture of an individual’s identity. By breaching the system belonging to an accountant or bookkeeper, they obtain a lot of good-quality data quite easily.
Don’t think because you are a small organisation that you won’t be a target. Criminals won’t be able to steal the quantity of information from an accountancy practice that they would from a bank, airline or telecoms company, but they will get a lot of high quality information.
You should think not in terms of the cost of a new operating system or third-party software, but about the cost to you, your reputation and your clients if you don’t stay up to date. Can you afford not to do it? If you are using an unsupported operating system, you shouldn’t be connecting your terminals to the internet.
The importance of educating your staff
Training can alert employees to new threats, policies and procedures, and help staff build up the knowledge they need to deal with attacks such as phishing.
“Your own people are often your biggest threat, in the form of accidental breaches, likely the result of insufficient training or awareness,” says Nigel Davies, director and founder of Claromentis.
“To ensure staff handle data sensitively, browse intelligently and work securely, security measures need to be part of day-to-day operations, from training people to never ignore auto-updates offered by ‘out of the box’ software to training for correct procedures when staff spot potentially compromised data.”
Marianne Curphey is an award-winning financial writer and columnist, and author of the book How Money Works. She worked as City Editor at The Guardian, deputy editor of Guardian online, and has worked for The Times, Telegraph and BBC.