
DIY not a cyber security solution

Croydon President Andrew McKenzie-Smart explains why he invested in external IT security, and it was not just to comply with GDPR.

Andrew McKenzie-Smart

June 2018

I have always taken my client data security seriously, although dealing with it in a growing practice makes the challenge grow exponentially, with new staff to be trained, new clients to be taken on with their data obtained, as well as dealing with the clients who sadly leave.

Early on in my practice I decided that it would be far more secure if I operated the business through a remote hosted desktop operating in the cloud, rather than relying on my home computer. This operated successfully for a few years, maintained by ourselves, until we received a cyber attack.

Despite the attack being successfully repelled with no loss of data integrity, I decided to engage a specialist IT firm to provide the cloud-based service we needed. I realised that if I relied on my own in-house IT capabilities, then we were likely to be behind the times with the IT security needed to operate in an increasingly interconnected world.

Engaging a specialist third party experienced in this sector provided me with IT support when needed at no additional cost, with flexibility of location for our activities, and more importantly a far more secure operating environment for our activities.

But then the IT firm itself has been the target of a cyber attack. The firm confirmed the data it held was not compromised by the attack, and that the servers had been recovered from backups successfully. However, this has led me to review the operations we have and how I can continue to best protect my firm and my client data.

We have introduced physical security measures to ensure that the client data we hold is disposed of securely, as well as monitoring the physical data coming into and out of our office.

I am mindful, though, that when I attended a cybersecurity event that we ran in Croydon last year, Michael Stout, a cyber security expert, set out the following as the best practice in this area:

  1. Strong training on cyber security so that all staff are aware of the issues and the need to be vigilant regarding data security.
  2. Strong and reliable IT policies and procedures that include regularly changing passwords and access codes.
  3. Robust physical and virtual access security, so that data doesn’t just walk out of the offices.
  4. A variety of back-up systems to prevent system failure. 
  5. Insurance cover so that if the worst happens a catastrophic data breach is not fatal to your business.

GDPR doesn’t change our obligations, or any of the above practices to minimise the risk of data loss, but it does considerably increase the financial cost (up to 4% of turnover or €20m, whichever is the greater) of such data breaches.

Andrew McKenzie-Smart is President of ICAEW Chartered Accountants Croydon
