It is a common misconception that cyber risk only affects big businesses, as the headlines focus on significant security breaches encountered by major companies. However, in its Cyber Security Breaches survey, the government stated that 38% of micro and small businesses suffered cyber incidents in 2022. By the nature of their business, accountancy firms depend on electronic systems, making them particularly vulnerable to cyber-attacks. With many switching to hybrid working patterns, managing employees' security habits is a more significant challenge than ever.
The Federation for Small Businesses estimates that small firms face upwards of 10,000 attacks daily. Although the rewards may be less, cyber-criminals see smaller businesses as low-hanging fruit as they typically invest less in IT security and don't regularly train staff on cyber security risks. In their Cyber Security Breaches Survey 2022, the government reported that the average cost of a cyber-incident in the UK was £4,200. So regardless of the size of your business, it's critical to have measures in place to mitigate the risks associated with these attacks.
Applying the correct procedures from an internal compliance perspective, will ensure your business protects sensitive data for the safety of your clients. But what types of cyber risks does your accountancy business face, and how can you protect against them? This guide will explain the common types of cyber-attacks and practical steps you can take to reduce the risks and protect your business and clients.
Common cyber security risks and attacks
The amount of sensitive information your business holds on your clients: names, addresses, personal identification documents, financial information and bank account details, makes it an attractive target for cyber-criminals.
The rise of cloud accounting services and the shift to remote working since the Covid-19 pandemic presents opportunities for attackers due to poor security measures when using cloud based systems. So it is vital you are aware of the potential risks, and more importantly, how to prevent them.
A cyber-breach can happen as a result of many factors including, but not limited to:
- Online scams and phishing – an employee opening a suspicious attachment in an email or responding to a phishing attack with passwords or other security information.
- Malicious domains – the introduction of malware through a third-party system.
- Remote working – without the security protections that office systems provide – such as firewalls and blacklisted IP addresses – we are far more vulnerable to cyber-attacks.
- Out-of-date software – leaving the system vulnerable to attacks.
Since the first documented ransomware attack targeting the healthcare industry in 1989, which was spread by a floppy disc, cyber-attacks have evolved and become much more sophisticated as technology has advanced. In fact US-based company Aura, reported that there are now 17 different types of cyber-attacks that are commonly used. The two most common types of attack are:
Ransomware
Cyber-criminals use ransomware to encrypt an organisation's files. They'll do this by infiltrating an organisation’s network, through sending phishing emails with malicious attachments or links, or exploiting known weaknesses in software and operating systems to gain direct access. The attacker will then demand money to provide access to the files. These attacks are becoming more sophisticated and damaging to businesses because of the large amounts of money and resource needed to react, respond and recover.
Phishing emails, fake advertisements, fake websites and fake texts are common methods designed to tempt or trick victims into downloading malware.
Around one in five (21%) of the UK businesses who reported an attack in the government’s 2022 Cyber Security Breaches survey, stated they were victim to a more sophisticated attack such as ransomware or malware.
An attack of this nature can be incredibly damaging for your business, particularly if it prevents you from accessing critical data needed to service clients.
Phishing
This type of scam is when an attacker sends an email or message claiming to be from a trusted source. The recipient is tricked into revealing secure information, for example, passwords or account numbers.
When someone clicks on a phishing email, they could be unknowingly giving away login details, allowing an attacker the opportunity to defraud the organisation. The attacker may also install malware on their computer or gain access to sensitive data.
The risks of remote working
Since the pandemic, many accountancy firms have adopted remote working with employees based at home. Recent research from Infosecurity Magazine, shows that 86% of UK cyber security professionals said attacks increased due to employees working remotely. While remote working offers many benefits, it also creates greater cyber security risks including:
- negligent employees sending incorrect data;
- employees losing hardware containing sensitive data;
- increased risk from poor IT controls – employees using insecure Wi-Fi networks to connect to work systems and access sensitive data;
- data breaches from outside providers with inadequate security;
- using personal devices for work purposes – often unsecured, which can present serious security risks; and
- backdoor intrusion into the business through employees' social network accounts or by family members using the same device.
What practical steps can you take to protect your business?
When securing your accountancy firm's data, prevention is always better than cure. Implementing a robust cyber security strategy may seem overwhelming, complicated and expensive, but taking care of this now will protect your client's data and your company's reputation. It may also save you thousands in potential downtime and data compliance fines.
In its annual Global Risks Report, The World Economic Forum found that businesses operate in a world where 95% of cyber security issues can be traced to human error. Despite advanced IT security, human factors such as workload, stress, lack of skills and cyber security awareness, and the increased use of the hybrid working model can all lead to issues.
Insurers are taking a more cautious approach to cyber related claims, tightening underwriting terms and asking more questions about a business's cyber operating environment. Adopting specific risk controls has become a minimum requirement of insurers, with businesses' potential insurability on the line.
Here are five cyber security approaches and procedures to consider that may impact your business insurability and mitigate risks:
Multi-factor authentication (MFA)
MFA is a way of proving to the service you are accessing, that you are who you say you are. Where a username and password alone used to be adequate, MFA adds an extra level of authentication such as a PIN number, verification code sent to your device, biometric identification or tracking of physical hardware. This makes it more difficult for attackers to gain unauthorised access.
Email and website filtering
Email filtering software can scan inbound or outbound email traffic for undesired content—spam emails or more serious phishing emails. The software detects an email (plus any attachments) and automatically filters it out, so they don't reach the user, or flags the email so the user is alerted to potentially malicious or unwanted content. Web content filtering can block and screen access to websites that users are not supposed to enter.
Secured backups
Encrypted backups are an extra security measure used to protect stolen, misplaced, or compromised data. Best practice backups are secured by isolating them from the network or implementing multi-factor controlled access and encryption.
As accountancy firms increasingly move to cloud-based backup solutions, secured backups can reduce recovery time in the event of a cyber-attack. A lack of available backups also increases the likelihood of a victim paying a ransom to recover systems and data, as they have no other options.
Incident response plans
The Computer Security Resource Center (CSRC) defines incident response plans as a "predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber-attack against a business's information systems". They need to be in line with other plans, such as:
- an IT disaster recovery plan (DRP) that describes how a business recovers data during and after a crisis or disaster; and
- a business continuity plan (BCP) that sets out how a business ensures essential business processes are available during and after a crisis or disaster.
Incident response plans are an integral part of increasing your cyber resiliency. An up-to-date plan provides efficiency, speed, and quality in response to cyber incidents.
Cyber security awareness training
This is an effective way to educate employees and IT users on cyber risks and threats, and is strongly recommended by the UK’s ICO. It helps individuals:
- Identify and recognise various attacks.
- Protect themselves and their business by preventing events in the first place.
- Do the right thing after an attack or attempted breach.
Top tips for businesses
Keep information safe
- Back up all your important files and store them independently from the live system.
- Always verify you are on a company's legitimate website before entering login details or sensitive information.
- If employees have to share sensitive information, ensure they only do so using secure means, such as encrypted or password protected emails and attachments, or approved file transfer platforms.
Check your software and systems
- Have the latest anti-virus software installed on devices used by your organisation, and ensure security patches are installed regularly.
- Secure email gateways to thwart threats via spam.
- Support employees in strengthening their home networks.
- Disable third-party or outdated components that could be used as entry points.
Be vigilant
- Update passwords and ensure they are strong – enforce robust policies where possible.
- Do not click on links or open attachments in emails you are not expecting to receive.
Protect your business with cyber insurance
A stand-alone professional indemnity (PI) policy will not usually cover losses such as the cost of identifying and fixing the security issue.
Fortunately, cyber insurance can help your business recover losses and associated costs resulting from large-scale breaches, business interruption, ransomware, and other cyber-attacks. Cover includes:
- loss of income as a result of a network interruption;
- costs to respond to cyber extortion events;
- loss of your money from phishing;
- investigation costs and specialist assistance to trace and fix cyber intrusions;
- payment card industry fines and expenses;
- costs relating to breach responses; and
- PR assistance to manage messaging following a cyber-incident – essential to protect the reputation of your business.
The risks of not proactively addressing accounting cyber security vulnerabilities are significant. Without robust protections, accounting firms risk the loss of revenue, clients, and reputation.
If you need further help with getting to grips with cyber security, a free initial discussion with an ICAEW Chartered Accountant is a good place to start. Visit businessadviceservice.com
For advice about cyber insurance or to get a quote contact Marsh Commercial, our Member Reward Partner on 0345 894 4684, or visit their website; The Institute of Chartered Accountants in England and Wales is an Introducer Appointed Representative of Marsh Commercial, a trading name of Marsh Ltd. Marsh Ltd is authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 307511). Not all products and services are regulated by the FCA. Copyright © 2023 Marsh Ltd. Registered in England and Wales Number: 1507274, Registered office: 1 Tower Place West, Tower Place, London EC3R 5BU. All rights reserved.