Stephen Franklyn of Lithium Systems discusses why accountancy firms should prioritise cyber security and how they can take steps to protect both data and their reputation.
As we now live in a world of information technology, the risk to our business critical data continues to increase at an alarming rate, yet many business have only the vaguest concept of what cyber security is and what it means for them. The harsh reality is that all businesses are faced with threats on a daily basis. Any device that is capable of establishing an internet connection creates a potential opportunity for a cyber attacker to get inside your business and cause massive disruption to your data, your clients’ data and your reputation. So, PCs, laptops, tablets, smartphones and servers, including email, web and server applications, are all possible points of vulnerability and entry. Protection is similar to dealing with home security: you need to make sure that you have not only locked the front door, but that all windows, other entrances and all outbuildings are locked and secure too. The consequences of not doing so can be devastating.
Imagine, for a moment, losing all your firm’s information: accounts records that detail all your sales, billings, and all your customer and client data. The fact is that a third of all small businesses and 65% of large businesses have reported a cyber breach or cyber attack in the past 12 months, according to the government. In general terms, 1 in 4 businesses experienced a cyber attack or breach in the past year, a figure that translates into huge financial costs and disruption to everyday operations – to say nothing of reputational costs, which can be catastrophic for you, your business and your firm’s brand. Having your data stolen or compromised can mean that clients lose confidence in you and your operations. The question they will have in their mind is a simple one: can I trust this firm with some of my most important and sensitive information? Additional questions include: how is my data being stored and is it being kept confidential? And if I cannot trust their IT security, what else is there that they are not doing properly?
There is another factor to consider in all this too. Many clients are well ahead of their accountant in terms of embracing technology, mobile and cloud working. As an accountancy firm, you need to be ahead of your clients with tools and technology – not the other way around. You need to keep up with the rapid pace of change and be seen as a leader, making processes better and more secure. It is all about being able to evaluate new technologies and train staff in them – and anticipating and managing all cyber security issues as part of this. Going down this route makes good business sense and will serve to underpin your firm’s credentials as a trusted business adviser. Firms need to keep up with the pace of change, including changes relating to security, so they are perceived by clients as being ahead of the competition and “fleet of foot” in a rapidly changing environment. Your firm also needs to be several steps ahead of cyber security criminals.
Cyber Essentials initiative
It is to deal with precisely these kinds of issues that the UK government has launched a new initiative called Cyber Essentials, to help businesses of all shapes and sizes protect themselves against the very real risks that come from cyber attacks. Cyber Essentials was developed in partnership with industry, and deals with cyber security in two ways. Firstly, it outlines all the basic “controls” or actions that organisations need to address in order to mitigate the risks from common internet threats. Secondly, it provides an Accreditation Framework that allows organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions. It is intended as something that organisations and businesses can build on as they progress to deal with more sophisticated and targeted attacks as part of their security strategy. Designed to be low-cost, Cyber Essentials and the more advanced Cyber Essentials Plus certificates are achieved through working with practitioners and accreditation organisations.
However, even if a business has a basic understanding of cyber security, we need to ask if it understands the controls that must be put in place. That is why the first port of call for any business should be an accredited Cyber Essentials Practitioner. They can help your business work through the audit process and get the controls in place to help you achieve the standard – and keep your systems under constant security review.
Which broad areas need to be addressed?
In general terms, a Cyber Essentials Practitioner will manage the following controls to raise your cyber security level.
Firewall rules should be applied to restrict network traffic to authorised connections. Firewalls need to be reviewed on an ongoing basis and no one should be able to access your administrative interface to your firewall from the internet, other than via carefully constructed protocols (in the case of a remote administrator or external service provider). Areas to be examined here include default administrative passwords and their robustness; rules that allow network traffic to pass through should require approval – old rules that are no longer required should be removed or disabled.
Computers and devices across your network need to be configured to reduce any inherent vulnerabilities and provide only the services that your business needs. Default installations are not good enough here as they often include an administrative account that has a predetermined, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications (or services). Auto-run installation features should be disabled, and personal firewalls also need to be looked at to block any unapproved connections.
User access control
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. That’s why the principle of least privilege should be applied to user accounts. A good IT support company will ask questions about who has access to information, why do they need that access and what are they using it for. Access privileges should be constantly reviewed to take account of events, such as people leaving or changing roles. Failing to do this runs the risk of real misuse of special access privileges and can allow a hacker to get right into the heart of an organisation and its business processes.
Malware, which includes viruses, ransomware, “worms” and spyware, is a major risk and can find its way onto your network through a user simply opening an infected email, browsing a compromised website or accessing an unknown file on a storage device. Malware protection software and configuration are vital weapons in a business’s armoury against such threats. Vigilance is key here, keeping everything up to date and covering all points of contact at which an organisation might be exposed to malware.
The latest security patches should be applied to deal as quickly as possible with vulnerabilities identified by software vendors. There are plenty of cyber criminals out there looking for such vulnerabilities – don’t let your organisation be one of their victims. Once known, vulnerabilities can be exploited by malicious individuals and groups to attack your firm. It is just as important to remove out-of-date software from computers and internet-connected devices as they offer another potential gateway for cyber attack.
Taking cyber security seriously and adopting processes and procedures that promote and uphold it across your firm can be the difference between commercial success and failure. Make no mistake – there are people out there who are dedicated to exploiting your vulnerabilities; these are people who, once they have secured your business data, will quite literally hold your business to ransom using ransomware. That’s why you should be involved in a continual review of all your IT policies, working with a reputable IT support company that can respond to your requirements, foresee problems before they impact on you and devise strategies to keep your business out of the clutches of those who would seek to harm it.
Stephen Franklyn is a director of Lithium Systems, and an outsourcing IT support and technology specialist.
Gavin Disney-May, chairman of MyFirmsApp, compares technological developments and their take up by accountants in the UK and in America
Justin Dolly of Malwarebytes looks at what accountants can do to protect their data and minimise cybersecurity risks
MTD cost estimates are not based on 'facts', and are 'disbelieved' by most small businesses and sole traders, says Lords committee chairman
Driving opportunity for all and empowering businesses for success are the key themes for the Sage Summit UK this year, which takes place on 5-6 April