Here’s how to protect your business from cybersecurity breaches


One of the most significant emerging risks for accountants is the rise in cyberattacks, from hacking to phishing scams. This is how accountants and IT support specialists are taking precautions.

There are many types of cybersecurity risks. Unfortunately, phishing scams in particular are growing more sophisticated.

These are attempts to extract financial or personal information and credentials, or to break into systems and networks. Phishing relies on social engineering, a psychological manipulation technique, to trick its targets into divulging sensitive information or installing viruses and malware.

In the past, it was relatively easy to spot phishing communications due to incorrect spellings and far-fetched stories. But these days, social engineering has become far more sophisticated, often cloning reputable websites and, even more sinister, using deepfake AI technology. Deepfake technology uses AI-generated images, videos or audio to convincingly mimic a real person, either famous or known to the individual.

There are well-known examples where businesses have fallen for these scams. One was British engineering firm Arup, where a finance employee was tricked into sending over £20m during a video call that used deepfake technology to pose as the company’s senior management.

Cyber threats are real and growing. According to official government statistics, 50% of UK businesses and a third of charities have experienced some form of cyber attack in the last twelve months. Of these:

  • 84% of businesses and 83% of charities were targeted by phishing scams
  • 35% of businesses and 37% of charities were targeted by hackers impersonating organisations via email or online
  • 17% of businesses and 14% of charities were victims of virus or malware attacks

And research by ISMS.online recently revealed that malicious deepfake technology has become the second-most common business security threat in the UK.

So how are accountants addressing this increasing threat? We spoke to AAT members and an IT support specialist to find out their best practice approach.

We use zero-trust principles to verify users, multi-factor authentication and application allowlisting

Liz Smith, Business Development Director and IT Director, Lugo

Lugo provides IT support for accountants. We’re most concerned about phishing, ransomware and data breaches. Phishing can trick users into sharing sensitive information, while ransomware locks your data until a ransom is paid. Data breaches can result in exposing confidential information.

We use zero-trust principles to verify users and devices, and ensure all unnecessary software is removed to prevent vulnerabilities. We also recommend working towards Cyber Essentials to strengthen defences.

Accountants should be aware of the risks associated with financial data, such as invoice fraud and phishing attempts that target client information. Unapproved software increases the risk of security weaknesses. Regular updates to devices and limiting access to only necessary software help minimise these risks. We suggest making use of free tools like the NCSC’s Basic Cyber Security Check to identify gaps in your protection. Remember, you don’t need to outrun the bear, just the person next to you!

We apply multi-factor authentication and use application allowlisting to control which programs can run on our systems. All devices are regularly restarted to ensure security updates are applied, and we ensure everyone uses only one device, such as a business-grade laptop, to minimise the attack surface. User education on spotting threats, along with continuous monitoring, keeps us prepared for potential cyber attacks.

Verdict: We use zero-trust principles to verify users, multi-factor authentication and application allowlisting to control which programs can run on our systems.

I never ignore software update reminders – it’s the easiest way to prevent cyberattacks

Anita Rasheva MAAT, Founder, AD Accounting and Business Solutions

One of the biggest threats I worry about is phishing scams. Nowadays, scammers can impersonate clients, suppliers or colleagues. It’s alarmingly easy to accidentally click a link or download an attachment that appears legitimate but ends up infecting your computer with malware.

Another risk is ransomware attacks. I’ve heard several stories of businesses, even smaller ones, whose systems have been locked down by hackers demanding payment to release the data.

Accountants and bookkeepers need to carefully consider the vulnerabilities in their systems. Smaller businesses are often seen as easier targets because they might not have the same security measures as larger firms.

Measures I’ve put in for my business include:

  • Staff training: Staff need to be well-versed in the basics of cybersecurity (e.g. how to identify phishing emails, creating strong passwords).
  • Regular software updates: Outdated software often has security vulnerabilities that hackers can exploit. I never ignore update reminders – keeping everything up to date is one of the easiest ways to prevent attacks.
  • Use of strong, unique passwords for all my accounts and platforms.
  • Enabling two-factor authentication (2FA) whenever possible, which adds an extra layer of security.
  • Regular data backups, both cloud-based and physical on external drives.
  • Firewalls and antivirus and anti-malware software.
  • Cybersecurity business policy. This outlines the steps for data protection and how to respond in case of an incident.

Staying proactive is key. Cybersecurity is constantly evolving, and it’s crucial to stay ahead of emerging threats. I attend workshops and seminars and subscribe to regular updates.

Cybersecurity is an area that accountants can’t afford to ignore. We’re handling some of the most sensitive information out there, and cybercriminals are always looking for opportunities to exploit any weaknesses. Any breach could have serious financial and reputational consequences for both us and our clients.

Verdict: Outdated software has security vulnerabilities so I never ignore update reminders. It’s one of the easiest ways to prevent cyber attacks.

Staff undergo cybersecurity training to identify red flags

Sarah Hedley, MAAT, Brickbooks and Payroll

Accountants must be vigilant against cyberattacks as they handle sensitive financial data, making them especially attractive targets for hackers. The main risks include data breaches, identity theft and financial fraud, which can severely impact both the business and its clients. Cybercriminals can use phishing, malware and ransomware to exploit weaknesses, so it’s crucial for accountants to stay informed about emerging threats.

To protect our business, we undergo cybersecurity training to identify phishing attempts, suspicious links, and other red flags. We have a clear reporting procedure for any potential cyber threats, ensuring immediate action is taken. Our software systems are kept updated, and we use two-factor authentication to secure access to sensitive information.

We use cybersecurity software that includes firewalls, antivirus protection, and encryption for client data and accounting platforms. Passwords are securely stored using management tools, and regular data backups are performed to safeguard against ransomware. By staying aware of risks, we aim to minimise the potential impacts of cyberattacks on our business and clients.

Verdict: Staff undergo cybersecurity training to identify red flags.

Would you like to contribute to future articles like this one? If so, please get in touch with Annie Makoff-Clark at [email protected].

Cat Hall is AAT Content Editor, members and technical.