Hybrid working is proving a hit with accountants, but many are not aware of the cyber security risks to them and their clients when sensitive information leaves the office.
Research from Forrester Consulting has put the dangers into perspective.
- Remote working will become permanent for 92% of businesses in the next two years.
- 67% of business-impacting cyber attacks target home workers.
- The average home network has eight devices to manage.
- 98% of homeworkers use a personal device for business every day.
Cyber criminals have many types of information in their cross-hairs, from personally identifiable data to financial information such as tax returns, asset investments, intellectual property or corporate strategy documents that are accessed by teams remotely.
Bharat Mistry, Technical Director at online business security experts Trend Micro, says that as the financial services sector embraces more flexible and remote working, employers must be aware of the potential cyber dangers if they continue to allow people to work from home.
“For accounting firms with a large cloud footprint there are simply more workloads for hackers to target and more accounts and services to potentially misconfigure,” he said. “Many accountants have confidence in their security strategy, but for others, cyber concerns remain a barrier to fully adopting cloud technology. Accountants must invest in the tools to manage vulnerabilities.”
Indeed, as accountants shift to hybrid working, divert more of their operations to the cloud and adopt SaaS (software as a service), it will become harder to defend their online network.
Sean Deuby, Director of Services at cyber security consultants Semperis, says accountants need to remember that when identities are stored in the cloud they can be exploited by anyone online. His advice includes assigning access permissions to sensitive information and apps depending on someone’s specific job role.
“Organisations should strongly consider restricting who can approve applications or, at the very least, have clear guidance on what permissions should be considered appropriate,” said Deuby. “Taking a hybrid approach requires dealing with a much broader permission model. To do so effectively, financial organisations must establish strong governance of what apps are going to be turned on and what access rights individuals will get.”
With business operations hosted directly on the internet, cyber criminals have more opportunities to bypass network security because there are more entry points and exposed vulnerabilities. It means accountants need a clear strategy for how they will defend their business and the sensitive data they hold before, during and after an attack by cyber criminals.
“For accountancy firms, guarding this boundless perimeter is a significant shift, but it is one that is necessary within a hybrid model. They must prepare for – and guard against – a much wider array of threats,” said Deuby.
Rise of Ransomware
One of the biggest threats to financial organisations is ransomware.
This is a type of malware that enables hackers to encrypt key files, which accountants then cannot access unless they pay the criminals to release them.
Robert Graf, the founder of data integrity software company ProLion, urges accountants to invest more in security management to avoid becoming another ransomware victim.
He suggests a five-point plan for firms to reduce the risk of an attack:
- Don’t store proprietary data on personal laptops because this makes any remote worker a target
- Be stricter regarding employees’ digital profiles and what they post on social media about where they work and what they do
- Ensure passwords are as tough as possible to crack – and that employees change them regularly
- If someone is using a work laptop, invest in security tools that block access to certain websites to avoid being hit by a malware infection if someone visits a dodgy site
- Tell employees not to engage in online conversations with people they do not know and who might be trying to obtain personal or employer data
“Cyber criminals are like bank robbers. They go where the money is accessible and where it is easy for them to reap the benefits from extortion,” said Graf. “Now is the time for accountants that are adopting hybrid working to ensure their leaders, IT departments and human resources teams work together to reduce exposure to a potential hack.”
Four top tips to beat the cybercriminals
1. Invest in Virtual Private Networks (VPN)
This is arguably the most secure way to protect your business when the team are working remotely. These private networks allow end-to-end encryption so nasty third parties cannot access private data. The information is also securely transferred directly from the business to an employee. Data can be stored and easily accessed from the cloud.
2. Introduce multi-factor authentication
The experts say accountants need to act as if a data breach is unavoidable. Using two-factor authentication is a good way to manage who within the company can access certain information. The company decides who are the administrators and the users. Also, insist on strong passwords.
3. Set up firewalls and improve traffic management
Firewalls make perfect sense, and local firewalls mean that if someone is trying to access an accountant’s system from outside a designated location they will be blocked. Many accountants do not track where computer traffic is coming from. Is it actually coming from your employees? It is possible to track IP addresses to see if there has been a sudden surge in traffic from unrecognised addresses.
4. Ensure employees’ laptops have the latest antivirus software installed
It might sound obvious, but to protect against cyberattacks it is important to have the best and most up-to-date antivirus software on every employee device. The more secure they are, the more secure the business is.
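An added example, not part of the original article: one way to run the check described in tip 3, flagging any hour in which sign-ins from addresses outside the firm's known networks jump well above the earlier hourly norm. The network ranges, log format and thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumption: the firm's office and VPN egress ranges (documentation address space).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/28")]

# Constructed sample sign-in log, one event per line: "<ISO time> <user> <source IP>".
SAMPLE_LOG = "\n".join(
    ["2024-03-04T09:05:11 alice 192.0.2.10",
     "2024-03-04T09:40:02 bob 203.0.113.7",
     "2024-03-04T10:30:00 carol 203.0.113.9",
     "2024-03-04T11:01:00 bob 198.51.100.3",
     "2024-03-04T12:30:00 truncated-line"]
    + [f"2024-03-04T12:{m:02d}:00 alice 203.0.113.200" for m in range(8)])

def is_recognised(ip):
    """True if the address falls inside one of the known networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)

def unrecognised_per_hour(log_text):
    """Map each hour seen in the log to a Counter of unrecognised source IPs."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        try:
            hour = datetime.fromisoformat(parts[0]).replace(minute=0, second=0)
            hits = buckets[hour]  # record the hour even when all traffic is known
            if not is_recognised(parts[2]):
                hits[parts[2]] += 1
        except ValueError:
            continue  # unparseable timestamp or address
    return buckets

def find_surges(log_text, factor=3, floor=5):
    """Return (hour, hits, busiest IP) where unrecognised traffic reaches
    `floor` and is more than `factor` times the median of the preceding hours."""
    buckets = unrecognised_per_hour(log_text)
    hours, alerts = sorted(buckets), []
    for i, hour in enumerate(hours):
        total = sum(buckets[hour].values())
        baseline = median([sum(buckets[h].values()) for h in hours[:i]] or [0])
        if total >= floor and total > factor * baseline:
            alerts.append((hour.isoformat(), total, buckets[hour].most_common(1)[0][0]))
    return alerts
```

On the sample log, the single home-broadband sign-ins at 09:00 and 10:00 stay below the floor, while the burst of eight from one unrecognised address at 12:00 is flagged.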
One Accountant’s Security Strategy
One accountancy business following the experts’ advice when it comes to cyber security is Cubic Accountants in Berkshire.
Founder Gary Robinson said the company uses cloud software wherever possible and protects itself with two-factor authentication. It means that whenever an employee logs on – in the office or at home – they need to confirm using an app or text message code.
“We also use a desktop system which is hosted externally. The third party looks after the security maintenance and ensures the software is updated,” said Robinson. “When it comes to using Microsoft 365, we have bought the higher-level product which has bank-like security on it. This approach also means that no client or company information is held on any of the local drives.”
Cubic Accountants has installed anti-virus software on each machine and is planning to introduce a system where unwanted files are cleared at least once a year. The company also discourages the use of USB drives because they could be compromised if they are left in a computer.
Steve Hemsley is a journalist, media trainer, and podcast presenter.