Businesses have long been aware of the dangers they face from fraudulent activity, but until recently many have been guilty of underestimating the threat posed from cyber-attacks.
But the Bank of England’s recent systemic risk survey suggest this may be changing; 62 per cent of firms in the financial services sector now perceive this as a threat, making it the second most common concern, behind UK political risk, and level with geopolitical concerns.
Cyber attacks in the accounting sector
The hack on Deloitte, which came to light in September 2017 and exposed emails from hundreds of clients including the United Nations and four US government departments, as well as a similar incident with financial services firm Equifax, has illustrated just how dangerous this can be.
The problem is not confined to large players, though. Research by Beaming suggests 62 per cent of UK accountancy practices fell victim to some form of cybercrime in 2017, with the total cost to the sector more than £300 million.
Accountancy firms face a number of risks which can could have serious implications, either financial or reputational, or both. “The greatest threat to any modern business using the internet and email is that the personal or sensitive data it holds is corrupted, held to ransom or stolen,” says Sarah Adams, a cyber insurance expert at PolicyBee. “An accountancy firm is an attractive target because the returns are potentially greater. The chance to access innumerable accounts and harvest personal details from just one place is too great a temptation to ignore.”
Hacking is a major risk
One of the major risks comes from hacking, says Harry Chenevix-Trench, operations manager at Blackstone Consultancy. “Those parts of network security that require the most human intervention tend to be the weakest points,” he says. “This does not merely mean a weak password; it can also mean an employee clicking on a malware-infected link in an email or accidentally using a USB stick containing malicious code that creates a ‘back door’ into the company network.”
This is a particular threat in the accountancy space, says Liviu Arsene, senior e-threat analyst at Bitdefender. “Accountants that work with a lot of companies often receive emails with attachments pertaining to various documents, each email stressing its urgency,” he says. “It’s precisely that sense of urgency and routine that cybercriminals usually exploit to get victims to execute attachments or click on malicious URLs.”
Phishing attacks, where employees are duped into handing over passwords or other important information, are also becoming more common, and sophisticated. “Cybercriminals have realised that by targeting one financial account with lots of money in it they can make more money more quickly, so they have developed what is known as the business email compromise attack,” says Daniel Brody, product leader, fraud protection, at Cyxtera. “In this kind of attack, the cybercriminal pretends to be an executive or financial professional within an organisation to trick another employee into handing over money or sensitive information.”
Tips to protect your business
There are a number of steps firms can take to reduce the chances of being caught up in a hacking, ransom or denial-of-service attack. Sean Newman, director at Corero Network Security, says the best starting point is to ensure that all software, from computer operating systems to specific accounting packages, is checked regularly for new patches, and that these are applied when available. “If accounting practices offer their services directly online, then there is also the risk of falling foul of DDoS [distributed denial of service] attacks, including those increasingly used for extortion purposes,” he adds. “Ensuring that real-time DDoS protection is employed, either directly or by using a service provider which can offer protection as an additional service, can prevent the likelihood of this.”
A robust password policy is also essential. “As a minimum, passwords should be complex and changed on a regular basis,” warns Mitesh Patel, managing director of Fifosys. “It is often easily possible for an attacker to find the first part of a user’s details from a company website or LinkedIn, and then concentrate on hacking the password.” Companies should also consider multi-factor authentication, he adds, to cut off any transactions should passwords be compromised.
Steps also need to be taken to target phishing attacks. Staff education is a good starting point, but cannot be entirely relied on, says Fraser Kyne, EMEA chief technology officer at Bromium. “Asking people to be careful is like asking people not to drink alcohol and to get regular exercise,” he says. “Everyone knows that they should do it, but that doesn’t mean that they always will. And, unfortunately, it only takes a single mistake by a single user, and all the good work can be undone.”
Alongside this, it’s important to have a monitoring system in place to highlight phishing emails that come from similar domains, perhaps with just one letter or number different to the real address, says Brody. “This way, they are found before anyone can be tricked into clicking on them and handing over information,” he says.
Simon Heath, director at The Final Step, says effective backup is also important – something he does through Datto – as this can avoid the need to pay a ransom even if the business succumbs to a ransomware attack. “Ideally you want a solution that can recover from a range of different scenarios,” he says. “It might be the MD deleting a folder accidentally just before a meeting, all the way up to head office burning down.”
As well as ensuring their own systems are secure, accountants also have a role to play in advising clients. “As auditors, accountants are often keenly aware of how technology can affect the reporting of financial information, and cybercrime is no exception,” says Brody. “Additionally, the scrutiny that accountants place on clients during audits can also reveal previously undiscovered cyber-attacks. Indeed, some accountants have already expanded their service offerings to include cybersecurity consulting because it is so aligned with making sure financial information is properly recorded.”
Recent developments in finance and accounting also have the potential to make cybersecurity even more of an issue. John Gordineer, director of product at SonicWall, points to the growing use of the cloud; something that was also highlighted by the Bank of England. “As more applications move to the cloud, security must also transform to provide modern protection,” he says. “Simply identifying which cloud apps are being used is step one, and it’s then a case of establishing policies to eliminate insecure shadow IT apps from the organisation.” Open banking is also likely to lead to more reliance on the cloud, with financial information being shared by third parties.
The introduction of GDPR, which can see firms caught up in data breaches fined as much as 4 per cent of their global turnover or €20 million, will also force accountancy firms to take this more seriously, if they are not doing so already. “For accountants, the responsibilities go way beyond compliance,” says Sonia Blizzard, managing director of Beaming. “The most significant risk is that those who can’t be trusted to keep their clients’ data safe will soon find they don’t have any clients to protect.”
Nick Martindale is a freelance journalist, editor and copywriter. He regularly contributes to a wide range of national and business media, including The Telegraph, Raconteur supplements in The Times and HR magazine.