Personal data is one of the most sought-after and lucrative assets in the modern world. And like gold and silver in times gone by, that value draws criminals like a beacon. Cybercrime is now estimated to cost the global economy in the region of $10 trillion a year. And accountants are right in the eye of the storm.
According to the UK’s Information Commissioner’s Office (ICO), it receives reports of data breaches from 100 accountancy firms every quarter. Not every one of those breaches is the result of a cyber attack. But each one demonstrates a weakness and, more importantly, places highly sensitive data – client financial records, payroll data, tax details – at immediate risk of exposure.
That vulnerability is a magnet to hackers. Two-thirds of UK accountancy firms report being targeted by a cyber attack every year, and 40% fall victim to multiple attacks.
The intersection between less-than-watertight data protections and unwanted attention from cyber criminals creates significant risks for accountants. Penalties for breaching data protection law – which includes a duty to protect personal and financial data against theft – can under UK GDPR reach £17.5m or 4% of annual global turnover, whichever is higher. Cyber attacks can cause massive disruption to operations; ransomware in particular can freeze a firm out of its own IT systems and data, making it impossible to function. And then there is the reputational damage that data breaches cause. Accountants have to be trusted as guardians of their clients’ data.
For all of these reasons, robust cybersecurity and data protection measures have to be an absolute priority for every accountancy firm. Here are three areas to focus on to tighten up your defences.
Training your staff
The biggest difference-maker in cybersecurity and data protection isn’t investing in sophisticated technical protections (although that matters, too). It’s raising awareness among your staff, and empowering them with the knowledge and skills to reduce vulnerabilities and identify risks.
Commonly cited industry figures link around 95% of data breaches in one form or another to human error, and put phishing or other forms of social engineering at the start of around 91% of cyber attacks. Those who wish to exploit security weaknesses prey on people ruthlessly. Social engineering covers fake emails (phishing), fake phone calls (‘vishing’), fake text messages (‘smishing’) and other tactics designed to trick people into handing over sensitive information or taking an action the attacker wants.
The best way to tackle this is to educate people about the risks of phishing, the common tell-tale signs of a scam to look out for, and what to do if they spot one. An approach to consider here is running phishing simulation exercises, where you send out fake emails to team members unannounced, monitor the responses, and use the findings as a learning opportunity rather than a disciplinary one. A simple but important form of phishing to simulate is business email compromise (BEC), where an email impersonates a trusted, often senior, internal source – usually a partner or the finance lead – and asks the recipient to share passwords or client information, or to make an urgent payment to a bank account the attacker controls. The tell-tales worth teaching are a familiar display name sitting on an external or lookalike sender address, a Reply-To address that differs from the sender, pressure to act immediately and quietly, and any request to change payment details. Any change to bank details or an unexpected payment request should be confirmed by phone on a number already on file, never on one given in the email.
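The tell-tale signs above can be turned into a simple screening check. The following is an added example, not part of the original article or any vendor product: it parses a raw email and flags the BEC signals described (executive display name on an external address, lookalike sender domain, Reply-To mismatch, urgent payment language). The firm domain, the executive name list and the two sample messages are constructed for the demonstration.

```python
"""Screen an inbound email for common business email compromise (BEC) signals.

Added illustration; the firm domain, executive names and sample messages are
constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-accountants.co.uk"   # assumed firm domain
EXECUTIVES = {"jane smith"}                     # assumed display names staff trust
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(bank details|transfer|wire|payment|invoice|iban|sort code)\b", re.I)

# Character substitutions commonly used to register lookalike domains.
_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _normalise(domain: str) -> str:
    d = domain.lower()
    for fake, real in _SUBS:
        d = d.replace(fake, real)
    return d


def _within_one_edit(a: str, b: str) -> bool:
    """True if a becomes b with at most one insert, delete or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1            # extra character in a
        elif len(a) < len(b):
            j += 1            # missing character in a
        else:
            i += 1            # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)
    return edits <= 1


def is_lookalike(domain: str) -> bool:
    """Flag domains that imitate the firm's domain by homoglyphs or a single typo."""
    d = domain.lower()
    if d == INTERNAL_DOMAIN:
        return False
    return _normalise(d) == INTERNAL_DOMAIN or _within_one_edit(d, INTERNAL_DOMAIN)


def bec_signals(raw_email: str) -> list[str]:
    """Return a list of human-readable BEC findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"

    findings = []
    if name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' is an executive but the address is external ({from_domain})")
    if is_lookalike(from_domain):
        findings.append(f"sender domain '{from_domain}' imitates {INTERNAL_DOMAIN}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from the sender domain")
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent language combined with a payment or bank-details request")
    return findings


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Jane Smith <jane.smith@example-acc0untants.co.uk>
Reply-To: jane.smith.ceo@webmail-example.com
To: payroll@example-accountants.co.uk
Subject: Urgent - supplier payment today

Can you action a transfer to the new bank details below before 3pm? I'm in a meeting, don't call.
"""

LEGIT_SAMPLE = """\
From: Jane Smith <jane.smith@example-accountants.co.uk>
To: payroll@example-accountants.co.uk
Subject: Q3 payroll timetable

Please see the attached timetable for the Q3 payroll runs.
"""

if __name__ == "__main__":
    for label, sample in [("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        print(label, bec_signals(sample))
```

A check like this is a teaching aid and a cheap first filter, not a substitute for a mail gateway: attackers who have compromised a genuine internal mailbox will trigger none of the address-based signals, which is exactly why the out-of-band phone confirmation for payment changes matters.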
Cybersecurity and data protection training should also cover other common risk areas like leaving devices unlocked, use of personal devices for work purposes, use of insecure public wi-fi and poor password hygiene. Password guidance should follow current NCSC advice: passwords should be long (three random words is a good pattern) and unique to each system, ideally generated and stored by a password manager so that nobody has to remember them. Forced regular password changes are no longer recommended, because they push people towards weak, predictable variations; passwords should instead be changed when there is any suspicion they have been exposed, and new passwords should be screened against lists of passwords known to have appeared in breaches. Back this up with a written, company-wide password policy and password management software.
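The screening step is worth seeing in code, because it can be done without ever sending the password, or even its full hash, to anyone. The block below is an added example, not from the article: it enforces a minimum length, rejects passwords containing the user's own username, and checks the candidate against a breached-password corpus using the k-anonymity scheme popularised by the Pwned Passwords range API (only the first five hex characters of the SHA-1 leave the client; suffixes are compared locally). The corpus and the `range_query` function stand in for the remote service and are constructed for the example.

```python
"""Password policy check with breached-password screening via k-anonymity.

Added example. `_BREACHED` and `range_query` are a constructed stand-in for a
real breached-password range service.
"""
import hashlib

MIN_LENGTH = 12   # assumed policy minimum; favour length over forced complexity

# Constructed stand-in for a breached-password corpus, held as SHA-1 hashes
# (upper-case hex) mapped to the number of times each was seen in breaches.
_BREACHED = {
    hashlib.sha1(p.encode()).hexdigest().upper(): n
    for p, n in [("Password123!", 400000), ("Welcome2024", 12000), ("accountant1", 3000)]
}


def range_query(prefix5: str) -> list[str]:
    """Stand-in for the remote range lookup.

    Given the first five hex characters of a SHA-1, return 'SUFFIX:COUNT' lines
    for every breached hash sharing that prefix. The caller never discloses the
    full hash, so the service cannot learn which password was checked.
    """
    return [f"{h[5:]}:{n}" for h, n in _BREACHED.items() if h.startswith(prefix5)]


def breach_count(password: str) -> int:
    """Number of times the password appears in the breached corpus (0 if absent)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix):
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def check_password(password: str, username: str) -> list[str]:
    """Return the list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears {seen} times in breached-password data")
    return problems


if __name__ == "__main__":
    for pw in ["Password123!", "asmith2024", "correct horse battery staple"]:
        print(repr(pw), check_password(pw, "asmith") or "ok")
```

The same shape works against the real service: replace `range_query` with an HTTPS GET of the five-character prefix and parse the response lines as above. Note the check is on SHA-1 only because that is what the range API keys on; it is a lookup key here, not a password-storage hash.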
Managing access
Although a strong password policy (and all team members following it) is essential to protecting internal systems, most cybersecurity experts agree that it’s not enough on its own. Even the strongest password can be stolen rather than guessed: determined attackers phish for credentials using so-called spoofing attacks, where they create fake webpages that look like the log-in for a genuine app and trick people into typing in their log-in details; they reuse passwords leaked in breaches of other sites (credential stuffing); and they capture passwords with malware on an infected device.
That’s why multi-factor authentication (MFA) is now recommended for all internal accounting systems, from email to financial software. MFA requires a minimum of two steps to authenticate a user and gain access – a password plus a second form of verification, such as a code from an authenticator app, an approval prompt on a registered phone, a hardware security key or, as the weakest option, a one-time code sent by SMS or email. This additional layer of security is highly effective at stopping unauthorised access, as even if criminals stole or phished a password, they would still need the person’s phone or key to complete the log-in. One caveat: a fake log-in page can ask for the one-time code as well and relay it to the real site within its validity window, so for the most sensitive systems prefer phishing-resistant MFA such as FIDO2 security keys or passkeys, which are tied to the genuine site and cannot be relayed in this way.
Even then, it’s also recommended that accountancy firms implement structured access control across all the apps and platforms in their digital estate – meaning you give people access to the systems and data their role needs and no more (the principle of least privilege), and review that access when people change role or leave. Access should follow role and need rather than seniority: partners and finance staff are the most attractive phishing targets, so their everyday accounts should not carry standing administrator rights either; administrative work belongs in separate, rarely used admin accounts. The idea is to create the digital equivalent of security doors should an intruder gain access to your system – hacking a junior team member’s email doesn’t give a direct path to clients’ financial records, because that person doesn’t have access themselves.
For the most sensitive apps – i.e. those that contain client financial records – you should also consider combining MFA and least-privilege access control under what is known as a zero trust model. Zero trust means that being on the office network or on a company laptop does not in itself earn access: every request is checked on its own merits against who the user is, whether their device is known and up to date, and whether the request looks normal for them, and sessions to the most sensitive systems are kept short so that a stolen session or a device left logged in does not give lasting access.
Securing your system
Finally, while behaviour and governance are key factors in tightening up cybersecurity, you can’t ignore the technical side either. Because firewalls and antivirus protections are baked into most operating systems these days, it’s all too easy to take them for granted. But given the sensitive nature of the data accountants hold and how often they are targeted by cyber criminals, it’s recommended to take additional steps.
Start by upgrading to business-grade endpoint protection. This should include Endpoint Detection and Response (EDR), which continuously monitors endpoints such as laptops for suspicious behaviour, alerts on it and can isolate an affected machine – essential for devices that are used outside the office. Make sure the firewall on your internet router or boundary device is enabled and configured to block all inbound connections that the business has not explicitly opened, and keep the router’s own firmware updated. Better firewalls offer stateful inspection, which tracks each connection and only admits traffic that belongs to a session a device inside the network started, rather than judging every packet in isolation as a simple packet filter does.
You also need to make sure that your data encryption is up to scratch, especially for sensitive client data. This includes encrypting data ‘at rest’, i.e. as it is stored in your systems – full-disk encryption on every laptop, and encrypted storage in the cloud services and applications you use – and ‘in transit’, i.e. when it moves between your apps and to clients, which in practice means TLS (HTTPS) everywhere and no sensitive documents sent as plain email attachments. Use an encrypted client portal or file-sharing service for all sensitive data. Finally, it’s critically important to keep up with updates and security patch management on all of your platforms. Cyber criminals are constantly looking for security vulnerabilities in software, and once a fix is published they race to exploit systems that have not yet applied it. Turn on automatic updates wherever possible, and prioritise anything reachable from the internet – remote access, email, the router itself – because those are what attackers probe first. If you don’t keep your apps updated, you expose your systems to heightened risk.