The scale of the cyber security challenge faced by accountants was highlighted in research published by telecoms firm Beaming earlier this year. The Digital Transformation in Accounting report, based on interviews with senior figures from 50 accounting firms in the UK, found that almost two thirds (62%) had fallen victim to some form of cybercrime in 2017, with the total cost of recovering from incidents estimated at £341m.
Data breaches and malware were the most commonly cited threats, affecting 34% and 18% of respondents respectively. More than half of the firms surveyed planned to increase their investment in cyber security.
Securely and confidentially
Recognising that cyber security is as much about organisational culture as it is about implementing effective defences, ICAEW launched an online “safe space” in June where members can disclose cyber attacks and discuss cyber security issues securely and confidentially. It was developed in conjunction with the National Cyber Security Centre (NCSC).
Mark Taylor, technical innovation manager at ICAEW’s IT Faculty, says accounting firms are particularly vulnerable to financial director-type fraud. This is where a criminal pretends to be someone senior within the firm and contacts (typically by email) an employee – often an assistant to a senior manager – requesting a money transfer based on some credible reason it needs to be done promptly.
There are a couple of steps firms can take to reduce their exposure, he says. “Firstly, they need to ensure that everyone within the organisation is aware of how these attacks occur and the types of attack they might be subject to.” Once they are prepared, the firm can start thinking about defensive measures. These could include something as simple as taking additional steps once a money transfer request is received, such as asking whether the transfer needs to be done so quickly or calling the person who appears to have initiated the request.
Mailboxes are another common target, says Jamie Beresford, CEO of software firm Practice Protect. “With all the focus on financial apps, accountants are taking a less diligent approach to securing their mailbox, which typically has years of data and a significant digital footprint to allow a scammer to impersonate the accountant for fraudulent purposes.”
Because accountants have access to data such as personal information and bank details, they should consider themselves at high risk of scam email attacks or similar “fake support” attacks that start with a phone call, explains Bruce Penson, managing director of IT support firm Pro Drive.
As long as the basic preventative measures (such as antivirus, firewalls and software updates) are in place, by far the most effective way of protecting the business is regular training of staff, he adds. “Some firms see this as a one-off exercise but to have an impact it needs to be regular and delivered through different mediums to ensure it is reinforced.”
Preparation is essential, says KPMG partner and UK head of cyber security, Paul Taylor. “Well known forms of defence such as firewalls are not enough to rely on, but they will help improve resilience. Every firm needs a response plan for risks, so it knows who to contact and how to contact them.”
Knowing what data you hold, where it is and how sensitive it is is vital, since you can then take steps to protect it. Basic IT hygiene will also stop the majority of attacks: patching, network design and basic configuration of devices are important, says James Hampshire, cyber security senior manager at PwC, who also stresses the importance of a well-rehearsed plan that can kick into action when a breach occurs.
He agrees that business email compromise is a likely form of attack. “Given the amount of business done by email, accounting companies should always be on the lookout for compromised accounts within the firm or spoofed email addresses being used to disrupt payment processes, for example by asking to change the bank details for a fund transfer.”
Firms are also vulnerable to ransomware. These attacks often don’t discriminate by business type, size or sector and have the potential to be extremely damaging.
According to the Beaming report, 62% of accounting firms are planning to invest in cloud-based infrastructure this year. Firms that use the cloud need to apply the same risk assessment and controls as they would for any other outsourced arrangement, suggests Philippa Kelly, head of ICAEW’s Financial Services Faculty.
This is particularly important if you are undertaking regulated business as your cloud provider won’t be regulated in the same way, she adds. “Given there is high concentration in the cloud market, it is important to understand where you fall in any sort of recovery plan the provider has in place should things go wrong, which should be set out in your service level agreement.”
Employees should be trained on best practice, and robust systems and permission policies must be in place, according to Sonia Blizzard, managing director at Beaming. “Accountants need to work out the rules around the data they have access to and if they are going to use cloud applications they need to fully understand where that data is stored and how it is backed up and managed.”
Robust cyber security comes down to knowing your people and ensuring they know how to work safely, securing devices and locations and using technology to enforce security across both in-house systems and the cloud environments your data touches.
“As the use of cloud systems potentially allows access to anyone with the correct login details, accountants and their clients need to ensure their people are trained and use the right kinds of passwords and techniques such as two-factor authentication,” adds Blizzard.
Help clients stay secure
There is a role for accountants in offering advice to clients about how they can secure their own systems, suggests ICAEW’s Taylor. “Accountants understand concepts such as confidentiality and privacy and can take the lessons they have learned from protecting client data and pass this onto their clients,” he says.
Accountants have the option of obtaining certification to demonstrate their compliance with good cyber security practice. Cyber Essentials is a government-backed standard and it is estimated that putting in place the controls specified by this standard could reduce the risk of cyber attack by up to 80%.
“I would not be surprised to see the accreditation bodies in the accountancy sector follow those in the legal sector such as the Law Society, which has made Cyber Essentials a requirement in the latest release of its Lexcel practice management quality mark,” says Penson.
Ask for advice
Beresford says clients who have been the target of cybercrime regularly ask firms he works with for advice. “With the majority of breaches being due to human error it is no longer an IT issue and clients are going to accountants for guidance,” he says.
Assuring clients that their financial data is secure often involves explaining data protection systems and processes to clients at the start of an engagement, adds KPMG’s Taylor. Accountants can also invite clients to visit their offices to demonstrate staff appreciation of data security.
“Clients should be able to see some obvious signs that the firm takes data protection seriously, for example locked computers and secure areas,” he continues. “Data protection goes a lot deeper than that, but a physical tour can form an important part of building trust.”
Independent assurance undertaken by internal audit or a third party firm will further boost client confidence, adds Hampshire. “Proactive communication to clients about the security of their data and GDPR compliance will stand you in good stead,” he says. “Don’t wait for them to ask.”
Effective cyber security comes down to communication, ensuring you choose the right technology partners and demonstrating that you take the issue seriously, says Blizzard. “Just as accountants will take great care to make sure the cloud software providers they recommend to clients do the right things to remain resilient to attack, clients expect their accountant to follow best practice, have policies in place and be willing to explain those policies if asked.”
To join the Cyber Security Information Sharing Partnership, visit icaew.com/cisp