The transcript for ICAEW Insights In Focus podcast episode 37: 'Insights In Focus: Protecting SMEs against cyber criminals'.

Did you know that accountancy practices are one of the top three sectors most likely to be targeted by cyber criminals? Larger practices devote big budgets and sizeable teams to protecting their systems, but what about smaller firms? How can they protect themselves and limit the fallout if they do come under attack?

It’s not hard to see why accountants are particularly vulnerable. Databases full of sensitive client information are a huge temptation to criminals and they know all about the yearly rhythm of an accountant’s work too. Attacks are most common during busy seasons such as financial year end, where mistakes are most likely to be made. The cost of a breach? Well, that can be huge, both financially and emotionally. Defending a business takes vigilance from everyone working for and with the business. But how do you make that a reality? To discuss that we’re joined by a professional who knows just how it feels to experience a breach – Jessica Pillow, director of Pillow May Accountancy – and also by Richard Jackson, partnerships manager at privacy and security experts Moore ClearComm.

Jessica, tell us a bit about your practice and what happened.

Jessica Pillow: We’re a practice of working mums based near Chippenham, and our cyber attack happened in August, when I was actually away in Vienna and a lot of my team were obviously rushing to get on holiday with their children, too. How it happened is that one of our clients had their email hacked, and then we had a request to pay out a large payment to a supplier. And rather than following what should have been standard bookkeeping procedures, because one of my colleagues was rushing on holiday that didn’t happen. What happened in this case was that money was paid out that shouldn’t have been. Because it was a bookkeeping systems fault, as well as obviously a cyber issue, we did manage to claim on the PI insurance, which was really helpful.

PL: And this was £45,000, I think, the loss?

JP: Yes, £45,000 was the requested money that got sent out. The insurers covered about £30,000, and the client said they wanted £40,000 to settle. Obviously it was an important client relationship so for me, it was very important that we did settle. I therefore paid £11,000, which was the £10,000 plus the excess on the insurance, and we have a turnover of about £300,000. So that’s quite a significant proportion of our business.

PL: Can I just ask, you’re on holiday? How did you feel when suddenly you saw the email, and you realised what was going on? What was your emotional response?

JP: It was a phone call from that client, actually, who alerted me to it and said: “All this money’s gone out.” And I was just – oh my god, what’s going on. So obviously I phoned my team, and I was literally about to get on a boat and go somewhere, which meant I was going to lose reception for about three hours – really not ideal. So I just had to explain what was going on quickly, instruct my IT firm to have a look and see what was going on. Then I remember just rushing as quickly as we could to get back onto wifi so I could find out what else was going on, speak to the insurers and do everything else. I’ve taken it really positively now, because we learned a lot about how we needed to define our bookkeeping better. Also, we now do a lot of cyber and phishing training, and obviously my team take it very seriously, because they know how it can happen.

PL: Richard, we know accountants are a key target. When are attacks most likely for that sector?

Richard Jackson: As with all sectors, really, you know there’s always going to be some seasonality within the work that’s undertaken. For accountants, there will be periods of time when they’re particularly under pressure and, as in any sort of human science really, you know that when we’re under pressure we’re less likely to be diligent, we’re more likely to make mistakes. And these are well-funded organisations. Cybercrime is now more profitable as an activity than the entire global drug trade. So that’s the context we’re looking at – there’s huge value. There is an element that is designed to be damaging in other ways than financial, but in the main, it’s financial gain that is the motivation for this.

PL: What sort of attacks do you see most often?

RJ: Depending on the research that you read, 80-90% of attacks on any organisation will be facilitated by people. So there will be a member of staff – an employee – that does something they probably shouldn’t do; for the most part this is by accident, in some instances with malicious intent. But it tends to be the phishing email; we have voice attacks now which are much more prevalent and also the use of text SMS, which is referred to as smishing and is coming into play as well. But for the most part, the kind of Hollywood cyber-attack movies where there’s a server being attacked are not as common as the others, the more subtle use of email as an entry point into organisations.

PL: In terms of target organisations, is size an issue? Because I think that perhaps there has been a perception that bigger firms are more at risk. But it doesn’t sound like that’s actually the case now?

RJ: No, I think smaller accountancy firms have taken the view that, why would they be an attractive target? Now, at the end of the day, this is a sector that has been hugely progressive about adopting technology. All accountants will use a variety of third-party suppliers for software or practice management, payroll, etc, which means that they then become exposed potentially to attacks through their supply chain. So they might not be directly attacked – we talk, for instance, about a 10-person accountancy firm and they might not perceive themselves as an attractive target in any way to a malicious cyber criminal, but the services that they use might be.

We’ve seen that over the last two or three years, with various practice management software providers that have suffered cyber attack, and the impact is directly upon their clients, and the clients of their clients, if you like. So when we’re talking supply chain, the ripples flow in every direction. And then there’s also the fact that not all attacks are targeted. We refer to drive-by attacks, literally testing defences, indirectly, to find chinks in the armour. But it’s a really interesting theme, that the pain of the consequences sometimes can be a trigger for understanding, and an acknowledgement that we will all be attacked. And then it’s a case of: how would we recover in that instance?

PL: So is that what it’s about? Obviously, there’s the ‘defence’ element, and then there’s tackling it when it happens and the ‘recovering after’ element, but is it largely about reducing risk now? And if so, what do people need to be doing?

RJ: If you think about risk, and impact, they are two different things. You can reduce the risk of anything happening by putting the right measures in place. But you can also reduce the impact by having a good recovery plan and accepting that it will happen, and therefore you need to have those plans in place. Because if any organisation believes that something isn’t going to happen to them, there’s a good chance that they also won’t have invested any effort and time in thinking about how to deal with it when it happens. If you adopt the stance that we will all be attacked, or we will all suffer the impact of an attack, then we naturally need to start thinking about how to manage that recovery. So in terms of defence, every size of organisation and accountancy firm should have measures in place to reduce it.

JP: Can I just say, it’s not too expensive, either. Because we’ve got a lot of IT, we’re outsourcing it all because we’re a small firm. But actually, it’s not that ridiculously expensive. I think it might be £100 a month, if it’s even as much as that. It’s not silly money at all. I speak to lots of accountants who have no IT support. And to me, that’s just ridiculous.

RJ: I think that it’s fair to say that we’re not talking about just accountants, but rather many organisations that don’t have contracted formal IT support. It can be a relative or a friend who looks after the IT for them – I see that quite regularly, that’s quite common. And as Jessica says, the actual investment is far less than the impact of something going wrong.

PL: We’ve talked about systems, the sort of thing you’ve been discussing, but obviously this is a people question, isn’t it, because as Jessica experienced, the breach came about because someone clicked on something they shouldn’t have clicked on, or did something they shouldn’t have done. So in terms of the human science end of this, and the cultural issues – what are your thoughts about that, Richard?

RJ: It’s a subject I have a huge passion for because it does relate to human science. If we start to understand people, and how we form trust, and how we trust implicitly from a young age, and the sorts of factors that come into play to help us form a decision about whether we should trust something, then we get a much better understanding of how social engineering works, which is essentially what phishing is.

For instance, everyone’s received HMRC fake emails, or from the Royal Mail. When they work, it’s because they look genuine. That is through powerful branding, a consistent message – the sorts of things that we would expect to see in there will help us to piece together factors so that we will then form a decision about whether we can trust something or not. It’s the same, for instance, as when we’re children, we form opinions about who we can trust based on their visual look in terms of what they’re wearing. You might be statistically more likely to trust someone who’s dressed in a suit than if they’re more informally dressed – that’s the kind of trust filters we’ve all got built in.

But awareness of the threat and awareness of what a phishing email looks like, an awareness of the impact, should be rolled out across every accountancy practice from top to bottom. And every person – particularly those who have access to email and are acting on behalf of the business – should be given some cyber security awareness and training, particularly about phishing emails, on a regular basis. Really, what we’re talking about there is building a human firewall, so it’s that first line of defence. If we acknowledge that the research suggests that 80-90% of attacks are facilitated by people, then that would naturally be our starting point. To get the most return on investment quickly, if you like, is to make sure that our people know what a phishing email looks like. Also, to have that flat structure where even the most junior person in an accountancy practice is confident and comfortable to maybe challenge a managing partner or a partner to check that something they’ve received is genuine – because authority plays a big part. Fraudulent emails, impersonating a CEO or managing partner, for instance, are more likely to be successful because people are less likely to challenge them.

It’s a fascinating subject, human sciences, and probably this is way too much for today’s podcast. But if we understand ourselves, then we can understand the mistakes we can make.

PL: So Jessica, what do you do under your roof now about training people about cyber risk?

JP: We have a programme with our IT company. Every two weeks, we have a little snippet of something else about phishing, or smishing, or all sorts of things on cyber, and it’s different for every person. It means that everyone’s being trained on different things all the time, and so the discussions are more wide-ranging when people talk about it. [The IT company is] also in the background sending phishing emails regularly, and I get the results of that every month as well, so I can see who the likely risks are. And actually, to be fair, my team are pretty aware at the moment.

PL: Richard, what sort of advice would you offer in the area of embedding that culture so people feel they’re not going to be blamed, there won’t be terrible consequences for them if they realise they’ve made a mistake, they should come forward and say so quickly?

RJ: Yes, it’s all about culture. And that is something that can’t be forced. You have to create a trusted environment where people can feel they can be open, and they can report – and also that, if they report something that doesn’t actually turn out to be malicious, that that is also celebrated. Because it tells you that your team is prepared to put their hands up, and they’re prepared to come to you even if they have only a 5% concern that it might not be genuine. If you’ve got a workforce that is deciding for themselves that something doesn’t or does need to be reported, then it’s very difficult to monitor that threat and time is of the essence.

It’s a little bit like lean manufacturing – you only really hit that sweet spot when you see the real return on your investment, when you have 80% of people bought in and invested. And that’s very much the same with the human firewall. It’s not a group of five or six people in a team or in a business of 100, running around trying to get everybody to buy into it and putting posters up, etc. It really does need everyone in the organisation to understand the importance. It’s not just a periphery issue these days, it’s a core business fundamental. It’s not something to be embarrassed by – everyone will be attacked, or will suffer the impact of an attack. If you liken it to the context of a tradesman who has the tools stolen from a van overnight, I’m sure they locked their van, but it’s now something they accept is going to happen to them. It’s similar in a way – this is just something we live with now. We just have to do what we can to mitigate the impact as and when it happens.

PL: We talked about supply chain being a vulnerability earlier on; extending that culture into a supply chain can be more complex?

RJ: It can, yes, and I’ve been involved in recent webinars with ICAEW about supply chain and how to understand the risks within your supply chain, how to assess those risks with those who supply services to you, and all manner of steps that can be put in place to do that. But that’s, I think, especially prevalent with accountancy, because everyone is reliant on such a variety of services and provisions – such as, for instance, your CRM [customer relationship management], which contains so much personal information that may have been in there for years in some instances. Minimisation of data – that’s a great example of keeping only what you need.

But your supply chain – we’ve had issues earlier in the year when one of the well-known practice management software providers did suffer a malicious cyber attack. Even now, in September, October, their clients are still receiving phishing emails, I think, on the back of that. So the important thing there to be aware of is the UK GDPR [General Data Protection Regulation] requirements in respect of whether you’re a data controller or a data processor; just because you’re using third parties to perform activities on your behalf does not mean that removes your responsibility. That’s very important. If you’re an accountancy firm using five or six different software platforms for different elements of your business – they all potentially pose a risk. Something could happen and it could then ripple through to you and your clients and cause you financial or reputational damage which is very difficult to reverse once these things go wrong.

PL: Cyber criminals are the definition of agile, aren’t they, and in tricky economic times it’s a perfect moment – they’re always looking for new opportunities, new methodologies. What are you seeing lately that’s new, Richard? What’s in your eyeline right now?

RJ: It is ever-changing. I think if we look at, for instance, the last couple of years as more of a prolonged period, we’ve seen, I think 300% increase in attacks on CPA firms – on accountancy firms – that was reported by Accountancy Today. We know that accountancy is now a top three target sector. There’s definitely a correlation between the increase in malicious attacks and COVID with people working from home or working to a hybrid model. And I know that many firms will now have processes in place to mitigate and reduce the risks of that. As we go into Christmas, seasonality, we will most likely see a peak in attacks towards that third week in December – and for accountants January is definitely a high-risk period, when everyone will be incredibly busy rushing to deadlines. You only have to look at LinkedIn and see the accountants on there telling everybody how busy they are, and how much they’ve got to do. This will inevitably – because we’re talking about human beings – reduce their diligence in respect of what might hit their inboxes and organised cybercriminals know this, and they will ramp those attacks up.

PL: I’m going to wrap this up by asking for your best piece of advice?

RJ: Invest in your people definitely, and build that human firewall. As an organisation, we provide the right kinds of technical support and guidance as well. But I think in terms of an immediate focus, make sure that your people know what a phishing email looks like and try and develop that open, transparent culture.

JP: I think, for me, it’s probably about really, if you do get an issue, even if it’s a minor issue, just trying to learn from it and then trying to put in a sort of system or process or something to mitigate it.

PL: Jessica, thanks very much for sharing your personal experience. And Richard, thank you for your insights on what accountants can do to protect themselves. That is it for this episode. The next Insights podcast will be out in early November. We’ll be looking at developments in the energy sector with ICAEW Head of Business Simon Gray. The next In Focus podcast will air later that month.