ICAEW.com works better with JavaScript enabled.

Cybersecurity in the accountancy sector

27 October 2020: How well prepared is the accountancy sector for cybersecurity attacks? What kind of attacks are being experienced by firms? And what impact have major breaches had?

Accountancy sector survey

A new survey commissioned by the National Cyber Security Centre (NCSC) aims to find out the answers to these questions. Focusing specifically on the experience of the accountancy sector, the survey results should help firms benchmark themselves against wider industry experience and also help organisations such as ICAEW provide support on cybersecurity which is more targeted and useful. 

Taking part is completely voluntary, but it is a good chance to input on this important topic. Any responses you give will be completely confidential and cannot be traced back to you or your organisation. It should just take five minutes and you can respond at this link. More information about how your data will be used can be found online here.

Recent research on cyber-related costs and regulation

This latest survey comes on the back of a variety of research published by the UK Department of Culture, Media and Sport (DCMS) on cybersecurity. One clear message from this research is that organisations usually have difficulty quantifying the costs and benefits around cybersecurity, which leads to a lack of commercial incentives to implement good practices. 

For example, one project specifically looked at the costs of cybersecurity breaches. The researchers developed a cost tool to capture and categorise the wide range of impacts of breaches, which was then piloted in 15 organisations. 

The research highlighted some of the key challenges in doing this effectively. The number and range of potential costs were large, resulting in a long and complex tool. It required expertise from across the organisation to fill it in, including IT, finance, senior management and business operations. 

Businesses also struggled to identify some areas of cost, such as staff time and the opportunity costs of spending time dealing with breaches. To make progress here, the research suggests that the tool would need to be simplified, and more guidance or help from experts such as accountants would be useful to enable businesses to complete it correctly.

The impact of GDPR

These kinds of difficulties are leading the UK government to look more closely at regulatory or corporate governance solutions, rather than relying on economic drivers for improving security. The positive impact of regulation was reinforced in another piece of research published by the UK government, which looked at the impact of GDPR on cybersecurity practices.

This research found that most organisations had improved their cybersecurity over the previous three years, including board-level prioritisation and increased spend. While there was a range of drivers for this, GDPR was the most important. These changes were also being sustained in most organisations.

However, there was still plenty of scope for improvement. Most changes had concerned cyber-risk management and governance, data security and systems security. There were fewer improvements in procurement and supply chain management. Improvements were also focused on data protection rather than wider aspects of cybersecurity. This, therefore, highlights some of the risks of regulation, which can focus activities on compliance with regulation rather than broader thinking about the risks.

You can take the National Cyber Security Centre survey by clicking here.