Part One: Understanding cyber security in accountancy

In June 2018, the UK’s technology sector was valued at over £180bn, making it one of the fastest growing industries in recent years.

According to Consultancy.UK, this “explosive growth outpaced the sluggish UK economy as a whole and will undoubtedly add to the emphasis placed on the tech sector when looking to achieve a successful Brexit.”

In October 2018, Philip Hammond announced that a Digital Services Tax will be introduced on UK tech businesses, recognition from the government of the lucrative source of revenue this new industry will be able to contribute to the economy.

“One thing to remember is that it is not always obvious that someone has come in and taken something or installed ransomware. They could be inside your system for months taking details and data before you know something is going on.”

Technology has become a necessity to modern life—both personally and in business. The financial sector has embraced technological innovation, introducing the likes of open banking, Making Tax Digital (MTD) for VAT, and advanced internal systems.

This is all highly positive for the UK and the economy, for it proves that productivity and growth can still occur, even in the face of political turmoil and uncertainty.

With this increasing reliance on technology, however, comes mounting threats to a business’ cyber security.

There has been a lot of discussion in accountancy around how the introduction of technology could affect the availability of jobs in both industry and practice, but now debates around cyber security awareness are taking centre stage.

“Accountancy businesses often think they are too small or not of interest to cyber criminals,” says Michael (Mo) Stevens, CEO at Shearwater plc (Xcina). “However, they often don’t realise that they actually have a lot of data and information – personal and financial – that is clearly of importance to the customer, but also of interest to the cyber-criminal.”

Who is at risk?

It is easy to assume that the majority of cyber-criminals will direct their attacks at the big financial franchises, such as national banks.

Consumer bank accounts, contactless payments, and online transactions are all areas of potential vulnerability that these criminals try to exploit. Nonetheless, accountants have access to information that is just as vulnerable to cyber-attacks.

A common method in which cyber-criminals launch an attack is through lost or stolen devices. As Stevens explains: “Devices – often with weak passwords – contain sensitive information. This is sold on the dark web for small amounts, but, as this kind of information is in high demand, the cyber-criminal stands to make a reasonable sum.”

He warns: “One thing to remember is that it is not always obvious that someone has come in and taken something or installed ransomware. They could be inside your system for months taking details and data before you know something is going on.”

“Accountancy is a traditional industry and its businesses are often departmentalised, meaning accountants tend to focus on accountancy and the high level of new legislation and regulations that come in, and it is not their natural stance to think about security.”

Patrick DeRuvo from Accodex takes Accountancy Age through two other common methods used by  cyber-criminals.

“Social engineering involves a bad actor trying to obtain confidential information or access a system,” he says.

“These hackers typically use phishing techniques to obtain information via phone, SMS, or email. The hacker will send the victim to a website that appears legitimate, possibly to update their personal information or login credentials. The hacker will collect this information and then login to the system themselves—they will hold it to ransom, transfer funds, or extract data.

“The second risk is an insider threat—this involves someone with legitimate access to a system turning rogue and using their access to improperly access data or embezzle funds.”

Resisting the technology revolution

In a previous long-read, Accountancy Age debated the resistance to change in accountancy—one area of change that firms were proving to be more resistant to was that of technological innovation.

“The biggest threat accountancy businesses face is a lack of resilience in the move to a digital environment,” Stevens says. “Accountancy is a traditional industry and its businesses are often departmentalised, meaning accountants tend to focus on accountancy and the high level of new legislation and regulations that come in, and it is not their natural stance to think about security.”

The question must be asked: is it fair to expect accountancy firms to educate themselves and their clients on the minutiae of cyber security?

Steven Connors – partner in governance risk and compliance at Haines Watts – tells Accountancy Age: “My general observation is that […] accountants are on a journey of discovery themselves. Many have only just started to take the security of data seriously, due to the onset of GDPR regulations.”

“Culturally, we have become digitally trusting.”

The General Data Protection Regulation (GDPR) came into effect in the UK on the 25 May 2018, thus marking the importance the government has placed on the protection of one’s data. Although this is more a question of the ethics surrounding privacy, GDPR has prompted accountants to think beyond this—to consider the security of their clients’ data as well as their right to privacy. However, it is far from a simple fix.

There is added pressure placed on accountants and lawyers to deal with cyber-attacks that their clients may have experienced. Therefore, it is imperative that both learn how to recognise and understand how cyber-attacks can be avoided in the first place.

Connors continues: “If that client contacts a firm of accountants, and the accountants don’t understand the issue, they are not going to be able to give very good advice.”

“I do feel that, in the UK, [cyber security] is a topic that we are taking very seriously—certainly over the last five years or so.”

Nonetheless, steps are being taken by accountancy firms and practices when it comes to their cyber security.

Fraser Nicol – partner in business technology consulting at Scott-Moncrieff – points out that “one of the most impactful things [accountants] can do is to help organisations talk amongst themselves about information security—assess what they are trying to protect, and why. The accountant acts as the bridge between ‘leading practice’ and real life.”

The head of the IT faculty at ICAEW, Richard Anning, believes that things have improved in recent years. He says: “Generally, things are getting better with the likes of ISO27001 at the top—and now there is Cyber Essentials, which was launched back in 2014. There is also a lot more work going on at the European level, with the network information and security directive, which became law in 2018.”

The UK standard of cyber security

Stevens sums up: “Culturally, we have become digitally trusting.” This is the heart of the problem when it comes to the standard of cyber security in the UK.  

Chris Hooper, CEO at Accodex, emphasises to Accountancy Age that the level of risk to a country’s cyber security correlates with the available wealth of assets and data. “The bigger the prize, the higher the risk,” he points out.

When speaking with industry, it became clear that the UK is viewed as one of the global leaders in cyber security—because the country is one of the financial hearts of the world, this is an unsurprising consensus.

“We are definitely in the top three of four globally, but I think global standards need to improve quite a bit. There is no room at all for complacency.”

Partner and UK head of cyber security at KPMG, Paul Taylor, highlights that he thinks “the UK is actually leading the way worldwide in many ways.”

“I think the leaders in the cyber security space seem to come from the US and the larger markets—enterprises like Russia [and] Asia,” partner and IT risk, security, and control specialist at RSM UK, Sheila Pancholi, says. “I do feel that, in the UK, [cyber security] is a topic that we are taking very seriously—certainly over the last five years or so.”

The Xcina CEO, Mo Stevens, adds: “Coming from a security environment, I can tell you the government is doing a lot to protect its own digital environment—they are putting the emphasis in the right place.”

The government is investing a great deal of money and time into making sure UK businesses can learn how to protect themselves from future cyber threats.

“We have the National Cyber Security Centre (NCSC) and the UK is investing a lot of money in cyber security,” Taylor says. “The important things that are being invested in are skills and training—so the NCSC and industries working with NCSC are raising awareness to help people defend themselves.”

“GCHQ has spent an awful lot of money on developing cyber defences for the country,” Nicol adds.

“Although the government are spending a huge amount of money to help people, I think there is still a long way to go, and there is still a huge amount of risk.”

Despite all this investment by the government, and the efforts made to circulate awareness amongst businesses, as of October 2018, Hiscox revealed that there was an average of 65,000 attempted cyber attacks in the UK every day.

“I think that the global standard [of cyber security] is not that high,” Taylor admits. “We are definitely in the top three of four globally, but I think global standards need to improve quite a bit. There is no room at all for complacency.”

Your ability to protect your business against cyber-attacks effectively depends on the available resources at your disposal. For a Big Four firm like KPMG, for example, they naturally have more options.

The uneven spread of resources

According to Paul Taylor, KPMG UK has a team of around 300 trained individuals dedicated to making sure that they are protected against any incoming cyber-threats. The firm is therefore able to cover “all aspects of cyber security”: identity enactment management, cyber transformation systems, penetration testing, and crisis management and response.

Taylor reveals: “We run a benchmark exercise on behalf of one of the big retail banks in the UK. In that exercise we look at the cyber security approach and health of 11 retail banks, five international banks, and then eight insurance companies.”

“People that are qualified as cyber-specialists are rare and expensive. So, for smaller firms, there is the issue of who to turn to: who do you trust?”

Unfortunately for SMEs, they most likely do not have the resources to so efficiently analyse their own standard of cyber security, let alone the ability to assess the level of security of their third-party contingents along the supply chain.

“Although the government are spending a huge amount of money to help people, I think there is still a long way to go, and there is still a huge amount of risk,” says Scott-Moncrieff partner, Fraser Nicol.

The cyber threat to SMEs

“At the end of the day, there is only so much that any government can do to protect businesses,” Hooper tells Accountancy Age.

Although this is indeed the case, what can businesses do to combat this modern-day issue?

Ascertaining that cyber security specialism is a necessary qualification for the workforce coming into the accountancy field is one long-term and cost-effective method of addressing the issue.

Hooper agrees, for he says: “I think education plays a big role in all of this, and I think that’s where governments can add a lot of value, especially when it comes to businesses interacting with government systems online.”

By hiring the right people, an SME can begin to reform their internal infrastructure to best evolve alongside the changing landscape. The problem that arises through this method, though, is the fact that there are currently not enough skilled workers in this area.

ICAEW’s head of technology, says: “People that are qualified as cyber-specialists are rare and expensive. So, for smaller firms, there is the issue of who to turn to: who do you trust?”

“80% of breaches happen because of human error.”

Pancholi tells Accountancy Age that the size and reach of an organisation does not need to be an obstacle.

She says: “There are good practice controls that we would expect everybody to have in place: underlying robust security controls around your core business systems and making sure that your employees are educated in what the risks and threats are.

“How do you prevent a data breach or a cyber-attack? It is important to have controls and processes in place when you are subject to a data breach—making sure that you have got a culture whereby it is reported in a timely manner.”

For SMEs, it is more a matter of prioritising. It is vital that smaller businesses look at the entirety of their data and identify “the crown jewels” – the critical data.

Furthermore, a simple starting point for SMEs that are not of a size where they can comfortably maintain an effective internal security system would be to move their systems onto the cloud.

It is important to note that this will not absolve the business of any responsibility for the security of customer data, but it certainly allows for a stronger foundation when building up the company cyber security standards.

Is it all down to human error?

The responsibility of cyber security does not just fall upon the IT department of any given business. There is a danger in modern day society of assuming that technology will not fail us, and that people do not need to be held accountable if that installed technology fails to keep hackers from breaking into the system.

“You can have all the technology in the world but, if someone makes a mistake, it doesn’t matter.”

According to Stevens, “the misconception that cyber security is predominantly an IT issue presents a weakness that cyber criminals can exploit. 80% of breaches happen because of human error. For example, staff unwittingly allowing viruses or hackers into the system.”

The issue once again boils down to a lack of people in industry truly understanding how threats present themselves in cyberspace and how it is best to deal with them. As Connors from Haines Watts points out, it is the result of  “a mix between poor awareness and carelessness.”

“I think the human factor is the most important factor,” Taylor from KPMG concludes. “You can have all the technology in the world but, if someone makes a mistake, it doesn’t matter.”

Read Part Two: The future is online here.