Something phishy about an email your business received? That's only the beginning. Here's why adopting the right strategies to prevent cybercrime is crucial for your accounting firm.
Accounting firms are increasingly aware of the serious impact cyber breaches can have on their operations, ranging from large fines to potentially fatal reputational damage.
Additionally, new regulations have put cyber safety in the spotlight, with the European Union’s General Data Protection Regulation and Australia’s new mandatory data breach reporting regime making cyberthreats a critical business issue.
Data indicates where the problems lie. According to the Privacy Rights Clearinghouse, the top causes of data loss in 2017 were hacking or malware and unintended disclosure, as well as portable devices and physical loss. These are the threats on which accountants need to focus to ensure their clients’ data, as well as their own, remains safe, when putting together a cybersecurity strategy.
One of the best ways accountants can protect their information is with an integrated IT security system, as opposed to layers of unintegrated software products, says Marty Ward, vice-president of product marketing at IT security firm Sophos. Ward suggests investing in advanced technology such as “deep learning neural networks”, an advanced form of artificial intelligence that can predictively detect and block new threats.
“To build a robust cybersecurity solution, accountants must examine how data may be able to leave the organisation, and limit opportunities,” Ward says. He also recommends having a plan for lost and stolen mobile phones, tablets and laptops. This includes device encryption to ensure data is safe while people work remotely.
It’s important for accountants to understand problems may arise if a firm assumes its cloud service provider includes IT security in its solution.
“Security for the cloud is a shared model – the cloud service provider protects the infrastructure it owns, but it doesn’t protect your data running on that infrastructure,” Ward says.
Cloud service providers expect their customers to secure their data, just as they would pro tect their data on-premises. In practice, most businesses have a hybrid security solution that includes both on-premises and cloud security.
The human element is also an essential part of cybersecurity. Andrew Aitken, senior solutions consultant, DWM Solutions, stresses cybersecurity starts with education.
“Make sure staff are educated on the basics of data security, such as how to use passwords and the internet properly,” Aitken says.
“Ensure they understand what a hack looks like to stop breaches before they happen. Firewalls, anti-virus software and all the security tools in the world are useless if someone gives up their credentials. Educate people on the right thing to do.”
CPA Q&A. Access a handpicked selection of resources each month and complete a short monthly assessment to earn CPD hours. Exclusively available to CPA Australia members.
Old, new or both?
Accountants have been among the early adopters of internet browser-based cloud technologies. While this has produced business benefits, it has been difficult for some practices to make strategic decisions about how to invest in new technologies, while also managing traditional server-focused IT service providers.
“Many firms have a foot in both camps, where they still have some apps on a server managed locally alongside core business applications based in the cloud,” says Jamie Beresford, CEO of IT security firm Practice Protect Online.
The best way to manage this is to apply a strategic planning process, thinking long term about the business’s data storage and safety requirements. Use a cost-benefit analysis to explore whether the business is comfortable moving the entirety of its data into the cloud, or whether a hybrid model involving traditional servers and some cloud storage is preferable.
Loads of logins
The average accounting firm staff member has more than 20 app logins to manage across their working and personal lives, according to Beresford.
“The biggest threat to keeping client privacy safe is ‘password sprawl’, whereby staff use the same password across their personal and work life,” Beresford says.
“A tool that consolidates these into a single login and allows a firm to maintain control over where, when and from what device data is accessed, is essential.
“This is important from a policy perspective, but also from a professional indemnity insurance or investigative perspective, in the event data is breached and the source of the breach or perpetrator needs to be pinpointed. Selecting a tool that is specific to the accounting industry with specialist on-boarding and support is paramount.”
Putting the right measures in place
The Australian Cyber Security Centre’s “Essential Eight” mitigation strategies are a good place to start figuring out how to measure cyber risk. They include strategies like patching and multi-factor authentication.
However, one of the most important measures is to understand the cost to the business if it experiences a cyber breach, Aitken says.
“Determine what it would cost to have your business information systems down for a day. That’s a very important number,” he says.
“If the firm could lose A$1 million if systems are down for a day, then spending A$100,000 to A$500,000 on security is a good investment because it’s less than the cost of the risk.”
Unfortunately, it’s a case of when, not if, a business will face a cyberattack, so IT security must be a top priority for every accounting practice. Without proper protection, a breach could be fatal to the firm.
Find out about the Australian Cyber Security Centre’s “Essential Eight” cyber risk mitigation strategies.
87 million reasons to protect your data