What bookkeepers need to know about cybersecurity for their businesses

By Lauren Razavi, 18 Jan 2017

In Hut 11 of Bletchley Park, a giant metal bookcase houses neat rows of mechanical wheels as they tick around. During the Second World War, this primitive computer was used by codebreakers to decipher secret German military communications and turn the tide of the conflict. Now, having been home to the world’s first ever computer hackers, Bletchley Park is opening a school for the next generation of codebreakers.

Cybersecurity has become essential for professionals in any industry, but for bookkeepers and accountants, the risk of data theft or fraud is particularly high. Financial information and corporate accounts are especially attractive to cybercriminals looking to profit from digital carelessness. For smaller firms and independent bookkeepers, there can be a temptation to believe that they’re flying under the radar.

“There’s a huge misconception that fraud and cybercrime only affects large organisations, but that’s because only those big businesses report it and get media coverage,” says Edward Whittingham, managing director of the Business Fraud Prevention Partnership. “Smaller companies, in particular bookkeepers and accountants, are typically less inclined to advertise the fact that they’ve been a victim, meaning you rarely hear about them being targeted.”

Keep your software up to date, install anti-virus software and be sure to back up your data – most bookkeepers will be familiar with standard online safety advice. But as cybersecurity risks grow in sophistication, it now takes more than software tricks to keep digital fraudsters at bay.

“The majority of cyber breaches are caused by employees within a business, so it’s really important that procedures, as well as the training and awareness, are in place,” Whittingham explains. “How you deal with an attack when it happens is as important as trying to stop it in the first place. Businesses must put in place incident response plans and know what steps to take in the event of an attack or emergency.”

Incident response plans, sometimes known as disaster recovery plans, are procedures to be followed if companies become aware that sensitive information has been compromised. Government-accredited schemes such as Cyber Essentials assist SMEs and sole traders in establishing plans for mitigating the risk of cyberattacks. Seeking advice from trained professionals is the best way to develop incident recovery plans and learn how to securely back up sensitive information. But, no matter how prepared a company or organisation believes it is, the boldness, perceptiveness and ingenuity of attackers can still come as a surprise.

If you’ve had an email address since the 1990s, chances are you’ve at some point received an intriguing email from an imprisoned Nigerian prince hoping to transfer his enormous wealth overseas. Known as phishing scams, such emails are designed to entice people into offering up valuable data such as bank account numbers and sort codes. But, over the years, these ploys have become a lot more nuanced.

“Fraudsters are now using information made available on social media to identify potential victims,” says Whittingham. “We’re seeing more and more of what’s called CEO fraud, or ‘Bogus Boss’ emails. This is where the fraudster will impersonate someone senior who can be seen on social media as on holiday. They’ll use this information to contact junior staff and say ‘I’m not available on the phone at the moment, but I’d like you to send this money to this sort code and account number right now.’”

It only takes a moment’s carelessness for fraud of this kind to succeed, and with attackers able to spoof email addresses seamlessly, it’s easy to understand how junior staff could be pressured into making costly mistakes.

But perhaps more frightening than having data stolen or money fraudulently transferred is the possibility that hackers could lock companies out of their own data and hold it for ransom.

“Ransomware is a type of malicious software which systematically encrypts the files on your computer so you can’t access them,” Whittingham explains. “For bookkeepers who have their client’s information hijacked in this way, it can be devastating. Unless they have that data backed up somewhere, there is no way to decrypt that information and they could be forced to pay extortionate sums to retrieve it.”

In addition to regularly backing up important data, small firms must ensure that staff are knowledgeable about these types of attacks and are trained to verify the authenticity of suspicious requests.

Today, kids grow up surrounded by the Internet, social media and digital interfaces. They learn to swipe their hands across smartphones before they can even speak, and by the time they reach school age, they begin learning how to code. Accounting professionals and bookkeepers may find it daunting to keep up with the ever-changing landscape of cybersecurity, but with the stakes so high and the next generation fast becoming experts, there’s no excuse not to take precautions.

Lauren Razavi is an award-winning writer and content strategist, and managing director of communications consultancy Flibl. She has worked on projects for leading global brands such as NatWest, Google and Facebook, and her writing focuses on technology, finance, entrepreneurship and innovation. Follow her on Twitter @LaurenRazavi.