Suffering a data breach at your practice can cause business disruption, professional embarrassment and loss of reputation.
It will also mean many wasted hours trying to sort out your computer system, and could land you with a heavy fine. We look at the steps accountants can take to reduce their risk of being the victims of a cyber-attack.
Awareness is key
A recent Verizon Data Breaches Investigations Report suggested that 90% of data breaches start with a phishing or social engineering attack.
Often these are designed to trick employees into clicking on a link in an email or text message, inadvertently downloading malware, spyware or a computer virus. Or they might receive a phone call or email request from their bank, important customer, or senior member of staff asking for a large invoice to be paid urgently, or a substantial cash transfer to be paid immediately.
“By making employees smarter about attacks, they can become a human firewall and a good anti-phishing education programme can reduce click rates on malicious links from 40-50% down to below 10%,” says Jonathan Whitley, director for Northern Europe at WatchGuard Technologies. However, it can be hard to spot a malicious email.
“Attackers are gathering more intelligence on their victims, friends and colleagues who interact with them,” he says. “There is also an increase in so-called CEO fraud where the attacker impersonates senior management. We need to change the culture in organisations around phishing. We need to move away from the blame culture, so it is OK to make a mistake and learn from it. It only takes one user to spot and report a phishing email to protect other users in the company and go from ‘zero to hero’!”
Oz Alashe, CEO of the cyber security awareness platform CybSafe, says that educational theory, behavioural psychology and cutting-edge technology should form the bedrock of how managers at accountancy practices train their staff to stay alert and help keep their systems secure.
“We know, for example, that training should be regular, and it’s well documented within educational psychology that people digest information better in smaller, regular bites,” he says. “Training should recognise that people learn in different ways.”
Ransomware such as WannaCry or CryptoLocker does more damage to SMEs, says Gianluca Bisceglie, founder and CEO of Visyond, which makes cloud-based automated spreadsheet and presentation software. He says ransomware typically locks users out of their system or personal files and demands a ransom payment to restore access. For SMEs this can be a major problem because they often lack both the security culture and the expensive security countermeasures that bigger enterprises tend to invest in.
“These types of attack are obviously more lucrative when targeting firms in financial services or accounting as they hold a lot of sensitive and valuable data – and the same types of attacks are carried out in both big and small companies,” he explains. “SMEs have to fill the technological and strategic gap and reach the same security levels of big companies although they may have limited budgets.”
Even assuming cyberattacks are taken care of, there are human errors and distractions to deal with, especially in accounting and financial services (or the finance and strategy functions in general), where handling sensitive information is the norm.
“The moment your sensitive spreadsheets or presentations are sent via email, you have no guarantee this is going to stay confidential,” he says. “You may have built a scenario for a client and accidentally share it with the wrong person or, simply, the role of that person may change over time.”
Another potential area of threat involves managing password security and closing down accounts when someone leaves.
Ian Kilpatrick, EVP Cyber Security for Nuvias Group, says that if staff don’t have good cyber hygiene at home and at work, then companies are more likely to experience fraud and hacking.
“There are many solutions available to provide testing and training – products which address phishing, for example, such as Knowbe4 and Phishline,” he says. “These regularly test users’ awareness of phishing and provide remediation training.”
Security patches are vital
Managers also need to ensure that security updates from vendors are applied to their computer systems.
“Running a business without up-to-date security software is the same as leaving the windows to your office open overnight,” says Rory Duncan, Head of Security at Dimension Data. “Not everyone is going to be interested, but those looking to break in have had the hard work done for them.”
He says patching and software updates are part of a small business’ armour against emerging threats because they fix the known vulnerabilities that hackers are looking to exploit.
“From mobile phones to business applications, any systems holding sensitive company data must be protected by secure passwords,” he explains. “The rise of social media and vast number of logins has meant hackers can build a profile of an employee of a target organisation on services they access personally and begin to guess passwords.”
If the hacker can work out your password on one site, they are in a much better position to gain access to your data or systems on other platforms.
“While they might not be interested in the end-user data directly, they can use your system as a route into the larger business network, opening the door to more valuable data on customers and suppliers.”
Protecting your data gives you a business advantage
Bruce Penson, managing director of the business IT support company Pro Drive IT, says it is a competitive advantage to be viewed as a ‘safe company’. Your business can benefit from identifying ways to protect your equipment, reputation and customer information.
“Cyber attacks are costly,” he says. “Apart from direct thefts, there’s cost involved in cleaning up affected systems. Getting things running again is another headache. For online customers, the dreaded ‘website server can’t be reached’ message signals consumer panic. For businesses relying on trust in trade, there’s a direct loss.”
Deepak Prabhakara, CTO and founding engineer at data-driven cybersecurity platform Red Sift, says there are a number of technology solutions available to help SMEs and startups protect their networks as well as their customers’ data.
“There is no one magic answer, instead a layered approach to security is the best line of defence – think malware detection, email security, encryption and anti-phishing technologies,” he says.
Failing to protect data could land you with a heavy fine
Under the new General Data Protection Regulation (GDPR) rules, which came into force this May, public bodies or organisations dealing with large amounts of sensitive data or systematic monitoring must have a Data Protection Officer who is responsible for reporting any breaches.
GDPR governs the collection and processing of personal information of individuals within the European Union (EU). If a company doesn’t follow the rules or doesn’t report a data breach within the allotted time, it will be fined. Fines for breaching GDPR are significant: up to €20 million, or 4% of annual global turnover for non-compliance, whichever is higher. Even when we are no longer part of the EU in 2019, any company that trades with the EU or has customers or business interests with an EU company will be bound by these rules.
Know which parts of the business are at risk
Implementing an IT cyber security plan for your business can seem daunting, but it is really just a matter of getting expert advice, Bruce Penson says. Ask the experts what security controls and products you need to service your assets, information, and customer trading processes. Do you operate remote access to your servers and how should you secure that information? What regulatory compliance is necessary and in what part(s) of the world?
Ensure your system is reviewed regularly, or get an outside agency to monitor it and act on any threats, so that your cyber security is reviewed on an ongoing basis. Expertise becomes more important as your business expands, and it does require regular strategic reviews and an allocation of budget.
Alastair Johnson, CEO and Founder of Nuggets, says security is not a one-off procedure that can be ‘done’ and forgotten about.
“On the contrary, it’s a persistent and strategic understanding of systems and the various bugs, viruses and other attack vectors that can be gamed by malicious actors – remember that data held by businesses is incredibly valuable, so hackers are incentivised to get hold of it.”
Fraud is now the UK’s most common criminal offence. That’s the startling finding from the Annual Fraud Indicator 2017, which reveals that fraud is costing the UK economy £190 billion a year.
The study, compiled by Crowe Clark Whitehill, Experian and the Centre for Counter Fraud Studies at the University of Portsmouth, shows that private sector fraud costs the UK economy £140 billion, while fraud in the public sector is estimated to cost the country £40.4 billion in 2017.
Six steps to security
Chris Mallett, a cyber and data breach expert with AON, the global insurer, says the government’s most recent study into cyber security breaches showed nearly half of all SMEs have identified a cyber attack or breach in the last year.
He says there are a few key steps that firms can take to protect themselves that don’t require significant investment in cyber security systems:
- Protect against malware – be it in the form of viruses, ransomware, keyloggers or rootkits – by installing anti-virus software that regularly scans your system for threats and prevents your employees from downloading potentially harmful malware
- Have a firewall in place to control all points where cyber criminals could access your system, and prevent access to and from potentially malicious IP addresses
- Install manufacturer patches as soon as they become available – these patches are often issued by software manufacturers to protect against known weaknesses and vulnerabilities
- Vet your software suppliers to ensure that they put data security at the top of their agenda
- Develop a cyber-conscious culture – make sure all employees take data security seriously by avoiding easily decipherable passwords, correctly indexing data and double and triple-checking before they send data outside of your firm
- Consider purchasing a cyber insurance policy – even the most sophisticated cyber security doesn’t guarantee complete protection and if a breach does happen, cyber insurance provides access to a range of critical breach response services that help you meet regulatory requirements and keep your business running
“By taking the sensible steps above, accountancy firms can protect against ever-increasing cyber risk without having to break the bank,” he says.
Marianne Curphey is an award-winning financial writer and columnist, and author of the book How Money Works. She worked as City Editor at The Guardian, deputy editor of Guardian online, and has worked for The Times, Telegraph and BBC.