Are accountants responsible for data breaches?

SMEs are increasingly becoming the target of cyber criminals because of the amount of data they hold, and accountancy practices are no exception.

We look at whether accountants can be held responsible for security breaches of their systems.

If you thought only large organisations like TalkTalk, Equifax, or BA were the target of cyber criminals, think again. Increasingly, smaller firms and SMEs, including accountants, face an onslaught of phishing and cyber-attacks because they are seen as a “gateway” to information and likely to have fewer security barriers.

As a result, accountants need to review their current protection, and think about the sensitivity of the information they hold, and how to keep it safe.

No organisation is safe

Traditionally, it has been big banks and financial services companies who have spent tens of millions of pounds on complex and ever-changing security systems in order to try to keep ahead of the cyber criminals. Organised gangs of computer hackers are constantly trying to break through banking security in order to empty the accounts of customers.

Other organisations, such as the National Health Service, email providers, and retailers also face daily attacks from hackers. As big business works to improve security, the criminals are turning their attention to smaller companies.

Don’t think that because you don’t have large amounts of cash in the company accounts that you will be immune. It’s not just money that criminals are after money.

While stealing cash is their end game, finding and downloading personal information is a very valuable currency that enables them to pull off complex frauds at a later date. The more information they have, the better a picture they can build of the person whose bank account they intend to target.

When hackers broke into credit report agency Equifax and stole the details of 143 customers in the US, they didn’t take any money. Instead, they accessed data such as Social Security numbers, birth dates and addresses. All these are key pieces of information which are useful to a fraudster who wants to penetrate banking security.

Data protection is enshrined in law

In addition, data breaches are now punishable under EU law, and there are hefty fines for non-compliance of new GDPR rules (see below).

David Morrow, director and founder of Fraudfit, says some types of fraud are practised by scraping the internet and creaming off information to create a profile of an individual, which is then sold.

“The more detail you have, the better the profile that can be constructed.” Hacking into the databases of companies might provide additional data which could be used to construct a profile of the person who will be targeted.”

Social media also provides a rich mine of personal information – showing contacts, friends, addresses and birthdays. Make sure you have your privacy settings locked down, and be careful about the kinds of information you post.

SMEs are now a target

Chris Mallett, a cyber and data breach expert with AON, the global insurer, says the government’s most recent study into cyber security breaches showed nearly half of all SMEs have identified a cyber-attack or breach in the last year.

“The cyber risks that face accountancy firms are ever increasing,” he says. “Criminals are increasingly switching focus to SMEs. They recognise that accountancy firms hold significant amounts of data that may not be protected by network security frameworks with multi-million pound budgets.”

Even where the firm itself isn’t the target, criminals often understand that an accountancy firm may be the ‘weakest link in the chain’ when looking to get access to sensitive data.

Social engineering, invoices and CEO fraud

Now that so many of us use social media on a personal basis, our lifestyles and friendship networks are openly viewed across the web. Gaining information and trust by using public information is known as “social engineering” and is a widely-used method in cyber crime.

Interpol says that targeted frauds, which have a high level of sophistication and are aimed at specific companies, often find out details about the financial director, head of the company, and managers and employees who are authorised to handle cash transfers.

“The criminals use this data in order to impersonate the head of company and coerce employees into making an urgent and high-value cash transfer to a designated bank account,” it explains.

Fraud today is no longer exclusive to stealing details, with online criminals becoming increasingly more sophisticated. This includes using malware, affiliate fraud and page-jacking, which are more effective on smaller ecommerce platforms that do not have the same level of security systems as their corporate counterparts.

Brother UK’s senior business manager, Frazer Whitehead, warns that security threats are growing and becoming increasingly sophisticated. “Those firms that hold large volumes of data are especially likely to be at risk, such as accountancy firms and financial services companies,” he says.

“Given the sensitive information handled by many companies – especially in the financial services sector – quality encryption and security need to be of the highest standard and print devices are no exception.  Any cloud-based device is at risk, so endpoint security is essential – protecting every device on the network rather than focusing solely on smartphones, laptops and desktops.”

The problem of human error

Chris Mallett says that an increasing need for flexibility in working practices and a desire to access data ‘on-the-go’ creates additional vulnerabilities.

Human error regularly ranks as a major cause of data breaches, as does the reliance of firms on third party software suppliers presents yet another threat.

“The data breach that hit Sage in 2016 affected around 280 different businesses, with cyber criminals recognising the potential to maximise data stolen through a single cyber-attack,” he says.

Jason Howells, Barracuda MSP Business Director EMEA, says that although mass attacks are common, cyber criminals are increasingly investing more and more time in heavily researched, highly targeted phishing attacks.

“They work because they’re believable: cyber criminals spend a huge amount of time making them look as realistic as possible,” he says.

This might involve posing as a senior member of staff, or even the financial director or CEO of an organisation, and asking a junior member of staff to make an urgent cash transfer or send sensitive documents.

Tricking companies into sending invoice payments to the wrong people costs UK companies about £9 billion a year. Vocalink Analytics, the data insights business of VocaLink, a Mastercard company, says young entrepreneurs are particularly at risk. It found that 55% of business owners in the 18-25 age group have been victims of invoice, mandate or CEO Fraud.

Nearly half of all SMEs have identified a cyber-attack or breach in the last year.

Your data is valuable

Alex Williams, director of cyber security at Daisy Group, an independent provider of IT, communications and cloud to UK businesses and SMEs, warns against underestimates the value of your systems and data.

“It’s the customer data a small business holds which can be gold to cyber criminals,” he says. “Cyber criminals are unlikely to be interested in stealing a window cleaner’s equipment, but they would likely be interested in the security codes the cleaner uses to access a customer’s building.”

Small businesses should opt for IT and technology services that have security built in as standard and use a provider that will ensure updates are implemented promptly on their behalf.

“It would be impossible for a business with limited resource to manually update a firewall at the rate threat vectors change, but by working with the right provider, protection will be updated automatically as new threats emerge,” he says.

“SMEs who once believed they were not big enough to be targeted by cyber criminals have woken up to the real threats they face on a daily basis,” says Jonathan Whitley, director for Northern Europe at WatchGuard Technologies.

“As well as good firewall, every network needs a full arsenal of scanning engines to provide visibility, threat intelligence and protection against spyware and viruses, malicious applications and data leakage – all the way through to ransomware, botnets, advanced persistent threats and zero- day malware.”

The consequences of non-compliance

In addition to protecting your business interests and ensuring your customers trust you, it is essential that you protect your data in order to avoid facing hefty fines.

Tough new rules that govern the way companies collect, store and reuse customer data came into force in May this year.

The rules are known as the General Data Protection Regulation (GDPR) and govern the collection and processing of personal information of individuals within the European Union (EU).

Public bodies and organisations dealing with large amounts of sensitive data must appoint a Data Protection Officer (DPO) who is responsible for protecting data and reporting any breaches. If a company doesn’t follow the rules or doesn’t report a data breach in the allotted time, they will be fined. Fines for breaching GDPR are significant.

While not every processor of information will need to appoint a Data Protection Officer (DPO), it’s important to check whether you need one via the Information Commissioners Officer (ICO). 

The penalty is up to €20 million, or 4% annual global turnover for non-compliance, whichever is higher.

Marianne Curphey is an award-winning financial writer and columnist, and author of the book How Money Works. She worked as City Editor at The Guardian, deputy editor of Guardian online, and has worked for The Times, Telegraph and BBC.

Related articles