How are accountants managing evolving cyber security risks?
Clients are relying too heavily on third party software providers
Accountancy firms need to be aware of the hackers’ high success rate
We work with clients to explain risks and set up robust systems
Internal security is the foundation of external security
Accountancy systems are under constant, increasingly sophisticated, attack. Beware misplaced confidence – investment in cyber security should be a top priority.
Cyber-attacks that damage businesses and breach privacy regularly make the news. High profile hacks, such as those on M&S and Jaguar Land Rover, are reputationally harmful, as well as having a negative impact on the bottom line.
But it’s not just household names that are feeling the effects of shadowy cyber criminals. Any company with a digital presence is at risk of a hack.
So, how are accountants dealing with these new and evolving threats and are their clients paying more attention to the risks? We asked accountants what practical steps they are taking and if clients are requesting more input from them on cyber security measures.
Clients are relying too heavily on third party software providers
Rosie Armstrong, Senior Accounts Manager, LimeGreen Accountancy
Despite so many recent high-profile cases, we haven’t seen a noticeable increase in anxiety amongst our SME clients regarding their own cyber security. Given the size of the organisations which have suffered at the hands of hackers there could be a certain amount of misplaced confidence that, as smaller businesses, they’re not likely to be a viable target.
In the past, as the technology and legislation were new, we saw a natural wariness amongst clients. This meant that cyber security was a high priority for most businesses, and spending reflected that. With the proliferation of cloud accounting, and browser-based software generally, responsibility for the safety of information has moved from stand-alone computers and on-site servers to external data centres owned and operated by others.
The trend over time appears to have been a move away from the traditional spend on formal anti-virus software, perhaps in favour of reliance on what feel like robust security features such as biometric or two-factor authentication already built into the software that clients use. To a certain extent there’s a perception that a greater share of the responsibility for protecting data has been shifted onto the software providers.
A lot of work and money has been invested by clients in the past to get their cyber security up to scratch. Many clients feel that they already have the right systems in place, and in an economic climate where profit margins are squeezed, investment in cyber security appears not to be as high a priority as it may have been in the past. This means that clients may be missing important opportunities to review and update their systems in light of new threats.
Verdict: Be wary of misplaced confidence – small businesses are a big target for cyber criminals.
Accountancy firms need to be aware of the hackers’ high success rate
Kai Kashefi, Owner, Volobyte
Accountancy firms hold clients’ financial records, payroll data and direct access to HMRC systems. Making Tax Digital has pushed even more of this workflow online, and it now means your clients need to take security seriously. Most breaches don’t come from sophisticated attacks; they come from reused passwords, social engineering and unmanaged devices.
The scenario is depressingly familiar – LinkedIn got breached in 2012 and again in 2021. We all use LinkedIn. Millions of credentials were circulated online. Someone at your firm might have used the same password for LinkedIn as they did for Xero, their email or the HMRC portal. Criminals run automated tools that test those combinations against everything.
The success rate is higher than you’d expect. A security researcher walked straight into Trump’s campaign Twitter account with nothing but a leaked password. If a presidential campaign falls to password reuse, a small accountancy firm doesn’t stand a chance.
Compliance requirements like Cyber Essentials and GDPR matter – insurers check, clients ask about them in tenders – but passing an audit isn’t the same as being secure. I’ve watched firms tick boxes with spreadsheets and manual processes while running on-premises systems constantly targeted by attackers that require dedicated expertise most small firms don’t have.
Absolute security means cloud infrastructure built for modern threats, not legacy systems requiring constant patching, or worse – nothing at all dressed up with paperwork.
Verdict: Passing audit isn’t enough; companies must actively maintain their systems to stand firm against modern threats.
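The password-reuse scenario described above has a recognisable footprint in a firm's own authentication logs: one source address trying many different usernames in quick succession, most of them failing, with the occasional success where a leaked password happened to match. The following is an added example, not code from the article or from any of the firms quoted; it uses a constructed log format and constructed sample lines, and the thresholds (five distinct usernames, 80% failure ratio) are assumptions to be tuned against a firm's real sign-in volume.

```python
"""Spot credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from the article). Assumed line format:
# "<timestamp> <OK|FAIL> user=<name> ip=<address>"
# 203.0.113.5 sprays ten different usernames, one of which succeeds.
# 198.51.100.7 is an ordinary user mistyping a password twice.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice ip=203.0.113.5
2024-05-01T09:00:02 FAIL user=bob ip=203.0.113.5
2024-05-01T09:00:02 FAIL user=carol ip=203.0.113.5
2024-05-01T09:00:03 FAIL user=dave ip=203.0.113.5
2024-05-01T09:00:03 OK user=erin ip=203.0.113.5
2024-05-01T09:00:04 FAIL user=frank ip=203.0.113.5
2024-05-01T09:00:05 FAIL user=grace ip=203.0.113.5
2024-05-01T09:00:05 FAIL user=heidi ip=203.0.113.5
2024-05-01T09:00:06 FAIL user=ivan ip=203.0.113.5
2024-05-01T09:00:06 FAIL user=judy ip=203.0.113.5
2024-05-01T09:01:10 FAIL user=alice ip=198.51.100.7
2024-05-01T09:01:20 FAIL user=alice ip=198.51.100.7
2024-05-01T09:01:40 OK user=alice ip=198.51.100.7
2024-05-01T09:02:00 OK user=bob ip=192.0.2.9
"""


@dataclass
class SourceProfile:
    """Per-source-address counters built from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)            # distinct usernames tried
    succeeded_users: set = field(default_factory=set)  # usernames that logged in

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_auth_log(text: str) -> list:
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        timestamp, result = parts[0], parts[1]
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({"ts": timestamp, "ok": result == "OK",
                       "user": fields["user"], "ip": fields["ip"]})
    return events


def profile_sources(events: list) -> dict:
    """Group events by source address and count attempts, failures and usernames."""
    profiles = defaultdict(SourceProfile)
    for ev in events:
        p = profiles[ev["ip"]]
        p.attempts += 1
        p.users.add(ev["user"])
        if ev["ok"]:
            p.succeeded_users.add(ev["user"])
        else:
            p.failures += 1
    return dict(profiles)


def detect_credential_stuffing(events: list, min_distinct_users: int = 5,
                               min_failure_ratio: float = 0.8) -> dict:
    """Flag sources that tried many distinct accounts with mostly failures.

    A single user fumbling their own password hits one account, so the
    distinct-username threshold keeps ordinary typos out of the alert.
    """
    return {ip: p for ip, p in profile_sources(events).items()
            if len(p.users) >= min_distinct_users
            and p.failure_ratio >= min_failure_ratio}


def accounts_at_risk(flagged: dict) -> set:
    """Accounts that authenticated successfully from a flagged source.

    These are the likely reused passwords: the response is a forced reset
    and a check that MFA is enforced, not just a blocked address.
    """
    at_risk = set()
    for profile in flagged.values():
        at_risk |= profile.succeeded_users
    return at_risk


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    for ip, prof in hits.items():
        print(f"{ip}: {prof.attempts} attempts, {len(prof.users)} usernames, "
              f"failure ratio {prof.failure_ratio:.2f}")
    print("accounts to reset:", sorted(accounts_at_risk(hits)))
```

On the sample data only 203.0.113.5 is flagged, and `erin` is reported as the account to reset, because a successful login in the middle of a spray of failures is the signature of a password that was already in a leaked list.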
We work with clients to explain risks and set up robust systems
Mark Johnson, CFO, Gunpowder Limited
Our clients are predominantly Software as a Service (SaaS), so their own client-facing systems, internal systems and processes are continually under attack. And the attacks, such as phishing, are becoming more sophisticated.
Those with cloud products have to continually monitor the guardrails in place to prevent hacks and data leaks. We encourage them to have:
training;
clear policies, especially around work-from-home set-ups;
relevant insurance;
incident monitoring and response tracking;
robust data storage; and
back-up policies and procedures.
All my internal systems are ringfenced for clients with multiple multi-factor authentication set-ups and segregated logins. Plus data is held securely. To improve security, firstly, it’s important to keep humans in the loop. This requires training, ongoing and continuous reminders, and updates on all relevant policies and practices.
Insurances are usually the last thing to review as that is sometimes seen as admin and often forgotten until annual review. It is important to drive clients to understand that the risks are not just something for the IT department to worry about. We also advise penetration testing – a simulated cyber-attack against a computer system to find and exploit vulnerabilities before real attackers can get there.
Verdict: There are practical steps clients can take to protect themselves, but they must continually monitor the guardrails.
Internal security is the foundation of external security
Craig Dyer, Managing Director and Lead Accountant, C A Dyer Accounts
In terms of security at our firm, we understand that internal security is the foundation of external security, and we treat every employee, every partner and every system as a potential vector for attack.
To increase the standard of our cyber security, and in turn protect our clients, we have a three-part system. First, regarding technology, we ensure all points of data security for all team members and all software use two-factor authentication as a bare minimum.
Secondly, with our people, we ensure team members and partners are not only trained, but are actively engaging with the security measures.
And thirdly, process is important. We have a clear methodology that is introduced as part of any new team member or partner induction.
Verdict: Social engineering is a key threat, so all team members are actively engaged with cyber security.