Accountancy practices ‘not prepared’ for cyber risks – new research


Find out how your firm can take action to protect against cyber risks and avoid data breaches which can be costly


Nearly half of practices in the accounting, banking and finance sector are still confused by and unaware of GDPR rules.

And only one in ten see cyber-attacks as a leading risk to their business.

The figures were revealed in a survey by Aon, a professional services firm specialising in risk, which polled 1,000 SMEs across different sectors.

It follows a survey earlier this year from the National Cyber Security Programme that revealed that nearly half of UK businesses experienced at least one cyber security breach or attack in 2017.

A target

Chris Mallett, Aon’s broking manager, said financial companies are too often “the weakest link” in the chain when criminals are trying to access sensitive data.

“Financial institutions are a key target for cyber criminals for two reasons,” said Mark Taylor. He is responsible for helping members understand the impact of technology at the Institute of Chartered Accountants in England and Wales (ICAEW).

“Firstly they hold a lot of personal information and they are also part of the supply chain for those wanting to target other companies.”

The growth of flexible working, with staff accessing data on the go, and an increasing reliance on third-party software have both increased the risk, according to Aon.

The Bring Your Own Device culture can expose companies to increased risk of a cyber-attack if data is not properly encrypted or controlled. Yet the poll shows more than one in four practices in the accounting, banking and finance sector allow this.

Small companies at risk

The Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018, released earlier this year, highlighted that the problem is particularly acute for smaller practices.

Mark Taylor said: “A third of small businesses and 68 percent of charities spend nothing on cyber security. This figure is far too high.”

But why do they consistently fail to address the issue, despite the abundance of awareness campaigns about it?

One reason is that bigger firms have more resources to dedicate to cyber security.

“Larger companies have the resources, skills and budget to implement complex and sophisticated cyber security, whereas smaller businesses lack the resource to invest in the necessary precautions,” he said.

Some smaller practices believe as a small partnership that they won’t be targeted. “Of course, it doesn’t work this way,” Taylor said.

Taylor said the ICAEW promotes data protection, cyber security and good practice across the accounting sector, knowing that cyber criminals carry out bulk attacks targeting thousands of companies in one go and then follow up on their most successful hits. Those hits are often the targets with the least protection, such as email accounts.

“The information they get is substantial and the money they can steal on the spot, for example via mandate fraud, can be substantial,” Taylor said.

Nick Gregory, chief marketing officer at IRIS Software Group, agreed that smaller companies, which lack the dedicated IT teams bigger firms have, tend to neglect what needs to be done to protect themselves.

Firms like IRIS can offer hosting on secure servers, which reduces the risk. They have also developed specific, secure communications portals for communication between firms and their clients.

That means sensitive information such as tax returns and final accounts can be sent without the use of email.

“The usage for these types of tools is growing; IRIS OpenSpace is currently used by 3,000 practices and 500,000 SMEs,” he said.

A data breach

The Aon poll also found that four in ten of those surveyed are not aware that loss of personal information as a result of a cyber-attack or fraud is a data breach.

Many are not aware of the need to notify authorities about a breach that has an impact on individuals. Around one in three of those surveyed are not clear on the time limit for reporting. This can expose their companies to the risk of incurring huge fines.

Mark Taylor stressed that companies could lose clients if such a breach is seen to take place.

The EU rules known as GDPR came into force in May. They drastically increased potential penalties on companies found to have misused or mismanaged clients’ personal data.

Dr Emma Philpott is managing director of the UK Cyber Security Forum and CEO of the IASME Consortium, an accreditation body for assessing and certifying against the Government’s Cyber Essentials scheme.

She said that companies have focused on GDPR in order to get ready for that deadline, but the effect was all too short-lived.

“As soon as the deadline for GDPR passed too many thought that was job done and that’s where their responsibility ended,” she said.

And while big data breaches which garner media attention help raise awareness, they can lead to a kind of fatigue.

“[There’s a] sense that the time, cost and high-end security to tackle this is complicated and overwhelming, when in fact the basics don’t cost much.

“Educating staff doesn’t cost anything other than time.”

What professional indemnity doesn’t cover

Many companies do have professional indemnity insurance (PII) to cover such eventualities.

But there are some costs it does not cover. Specialist policies for cyber risks will also cover any damages you are liable to pay in the event of a data breach or security failure.

Specialist policies can also cover your legal costs.

What you can do right now – a checklist

Aon has prepared a checklist of easy ways you can protect yourself from cyber-attacks. These are:

  • Install anti-virus software or check existing software is up-to-date on all devices used for work
  • Check how your suppliers handle data and if they are GDPR compliant
  • Have simple, clear policies in place to create a cyber-conscious culture in the workplace
  • Be aware of what your obligations are if a breach does happen
  • Check what your PII or business insurance covers, and consider a specific cyber insurance if relevant

The ICAEW has also compiled a report into cyber security which includes a number of recommendations. Among its insights is the necessity of accepting that “some level of compromise is inevitable” and preparing for detection and response as much as prevention.
