
Set ‘human firewalls’ to be cyber safe

Author: ICAEW Insights

Published: 17 Jun 2021

Good cybersecurity succeeds and fails on people, so it's essential for chartered accountants to create and foster a strong security-aware culture in their organisations.

Accountants hold the keys to the crown jewels when it comes to highly sensitive data, says Lockdown Cyber Security CEO Karen Morrall. A chartered accountant, Morrall started her career in audit and moved into business, working as a finance director before running her own business. 

Technology and data became an interest as time went on – particularly when it came to cybersecurity and risk management. Morrall and William Taaffe, the company’s COO, co-founded Lockdown Cyber Security in February last year. 

“I wanted to set up a business with Will as our skill sets are very much aligned. We look at cybersecurity through the lens of a finance or business professional, which is a different view to the norm. We saw a gap to train organisations and business leaders to understand cyber risk. It’s often assumed people know what cybersecurity is, but often they don’t.”

Risk level is ‘higher than ever’

Cybersecurity has never been more important, says Morrall. Businesses are under constant threat of attack and many are suffering from previous cyber incidents. Many business leaders are still unaware of the scale of the problem or even choose to bury their heads in the sand when it comes to cybersecurity. But this problem is real and is not going away. 

According to the latest figures from the Department for Digital, Culture, Media and Sport, four in 10 businesses (39%) and a quarter of charities (26%) reported having cyber breaches or attacks over the previous 12 months. That number is higher among larger entities, such as medium businesses (65%), large corporations (64%) and high-income charities (51%). Organisations need to understand what cybersecurity is and how to build their cyber defences and make the right decisions.

The risk level is potentially higher than ever, according to the report. Businesses are finding it harder to administer cybersecurity measures during the pandemic. Fewer businesses are deploying security monitoring tools or undertaking any form of user monitoring. Of those that have experienced attacks, 27% of businesses and 23% of charities experience them once a week. 

“Criminals don't care who they attack – nurseries, educational colleges, charities, hospitals – it happens to everyone, not just the big guys. And even the big guys haven't always got it covered.”

The most common attacks by far, according to the report, are phishing (reported by 83% of businesses and 79% of charities), followed by impersonation (27% and 23%). Notably, both are attacks that rely on human error in order to succeed.

‘We focus on the biggest cyber risk: people’

“You're only as good as your weakest link,” says Morrall. “Cybersecurity is technology, but it's also process and people. We focus on the biggest cyber risk: people. More than 80% of attacks are people-related; it's essential to create a strong security-aware culture through continuous training, simulations and setting the right tone and behaviours. A strong ‘human firewall’ is equally as important as your technology defences. Not all companies get that.” 

Lockdown Cyber Security provides training services, combining SaaS solutions sourced from third-party providers with classroom training developed in-house. The company is working with ICAEW to provide cybersecurity training, and Morrall spoke at ICAEW’s recent Virtually Live summit.

One of the statistics that really shocked Morrall during her career as an accountant was that cybercriminals will often hide in a business’s system for an average of 207 days before being detected. 

“A CFO is in charge of financial governance within an organisation, along with the board of directors,” said Morrall. “With the increased frequency and sophistication of cybersecurity attacks and threats at play, this means that without the right cyber defences, potentially you may not be able to rely on the data integrity of the information in your accounting systems. How can we tell our board and our stakeholders that our accounts may not actually be true and fair? That the risk of a criminal’s software sitting in our systems for on average 207 days, potentially manipulating or corrupting our data is fair? This is truly scary. So we need to be proactive when it comes to cybersecurity, not reactive.”

Challenges and fixes

One of the biggest challenges that businesses have is how theoretical a lot of security protocols are, explains Taaffe, and many are out of date. “It’s great on paper, but the moment it becomes a real-life scenario with all of the implications and emotions involved it becomes a different story. A cyber-attack stimulates an emotional response – usually panic. When people panic, they tend to make bad decisions or fail to follow protocol. You need to do more than think about cybersecurity. Have you tested the incident response plans that you've put in place to ensure that they work and are robust?”

The adoption of cloud technology for various business applications, from communication to storing data, creates additional security issues. As the number of applications requiring security broadens and many move off-premise, the number of potential points of vulnerability that cybercriminals can exploit increases.

One area for security consideration is password protocols. Lots of people, for example, ‘daisy chain’ their passwords, using the same username and password across multiple applications or systems. It only takes one of those systems to be exposed for a business to become extremely vulnerable, says Taaffe.

“When a business has IP on the cloud and they haven't necessarily looked at password privileges, what essentially you're doing is putting all of your information on really secluded spots of the internet. You only need one revision of a user’s access for attackers to potentially steal more than they may have had access to otherwise. It's such a broad and difficult problem to nail down.”

What easy fixes can businesses use to improve their cybersecurity? Training is essential, as are regular software patches and updates, which are often required to fix known weaknesses, Morrall explains. But one of the biggest improvements you can make is to introduce multi-factor authentication (MFA), which makes it much harder for cyber attackers to access your data even if a password has been exposed.

“Make sure your people change passwords frequently, make them more complicated, and make sure passwords are different on each platform they use. No passwords used for personal use should be carried over for business use. Don’t make it easy for cybercriminals, make it difficult. Use passwords that are unconnected; a combination of letters, numbers, cases, signs etcetera. And make sure your security has layers across people, process and technology.”

Lockdown Cyber Security’s first classroom training session takes place on 26th July. This course will help provide finance professionals with insight and help their understanding of this complex subject matter.

Watch Karen Morrall’s Virtually Live keynote: Don’t bury your head in the sand when it comes to cybersecurity.
