Our Tech Essentials guides are designed to update members on the latest technology issues affecting and transforming the accountancy profession. This cyber security guide and checklist explains how to best protect yourself, your business and your clients from cyber risks and threats. You can also find additional information in our dedicated cyber security resource centre.
Using the guide
In addition to these 10 steps, we recommend using our cyber security checklist (found at the bottom of each step) to help track your business progress. Using both the guide and the checklist can help you reduce the likelihood of your business falling victim to a cyber attack and protect your organisation from the impacts of cyber crime.
By following the steps in this guide and checklist, organisations will be well placed to adopt the Cyber Essentials certification, launched in 2014 at Chartered Accountants’ Hall and backed by the National Cyber Security Centre and IASME Consortium. The Cyber Essentials (CE) scheme provides a robust framework for good cyber hygiene and is now a feature of many procurement processes, including being a requirement for many central government and public sector contracts.
1. Allocate responsibility
As with any business activity, in computer security it’s crucial to identify what must be done and who will do it. Overall responsibility should rest with a senior manager who has a broad view of all the risks and how to tackle them. Other individuals can handle particular aspects – for instance, installing security software.
Management should identify the information and technology that’s really vital to the business, where the big risks lie. For example, damage to your financial system or the loss of your customer list could lead to the failure of the business. Other information may be less important. Equally, some computers are probably more critical or more vulnerable than others. Identifying the risks, establishing what security measures already exist and whether they work – and finding out what extra ones are required – will help you to target your security efforts where they are most needed.
2. Protect your computers and network
Malicious activity could come from outside or inside your business. Attacks from outside, for example by troublemaking hackers or competitors, can be defended against by installing a firewall. This is software or hardware that examines all the computer communications flowing in and out of the business and decides whether it’s safe to let them through.
It can also be used to manage your staff’s internet activity, for instance by blocking access to chat sites where employees might encounter security risks. You can configure the firewall to allow or prevent certain kinds of activity.
There are several different kinds of firewall. The router supplied by your internet service provider (ISP) may already have one built in, or you can buy a software firewall solution.
Protecting against illicit activity from inside the business requires other precautions, but we’ll look at those later in the guide.
Also consider implementing email scanning to identify, flag and quarantine potential ‘phishing’ emails – this is now one of the more common routes for attackers to infiltrate systems and it is generally best not to rely solely on the vigilance of employees in this space.
3. Keep your computers up to date
Suppliers of PCs, software and operating systems such as Windows frequently issue software updates (patches) to fix minor problems (bugs) or improve security. It’s essential to keep all your computers and devices up to date with the latest patches. They can usually be downloaded and installed automatically. Remember that just one vulnerable computer puts all the others at risk – so it’s important to ensure that all available patches are applied to all machines.
4. Control employee access to computers and documents
Although your computers should be guarded by a firewall, you should still protect user accounts (each person’s identity with which they log on to a computer) and sensitive documents with passwords/passphrases.
Because each individual should have a unique username and a password, access to different parts of your IT can be limited to certain people (though some individuals may have more than one username and password, perhaps if they have multiple roles). This not only protects against accidental or intentional damage by staff to systems and information, it also provides further security against outside intrusions.
Operating systems and most directory management solutions (such as Microsoft Active Directory) have built-in security options that can protect computers, folders and files. Having identified your biggest security risks and most vital information in step 1, you can decide whether password control for a given item should be basic (for instance, one password authorising access to an entire computer) or stronger (each document or application requiring a separate password).
Online, cloud-based file management solutions like Microsoft SharePoint or Google Drive can provide very granular control, with access management integrated with the wider user account. These tools can also give individuals the ability to manage file and folder access themselves, which can empower individuals, but does also need careful management at an enterprise level to ensure that appropriate overarching access controls are in place.
Some individuals designated as computer administrators (admins) may be given access to nearly everything, in order to perform technical work. You should keep the number of admins to a minimum and, where possible, ensure activity in administrator accounts is monitored.
Security software will usually generate records showing which employees have used particular computers or documents at different times. This can be useful for pinpointing problems, but access to these records should, of course, be tightly limited – otherwise people misusing the system could alter them to cover their tracks.
5. Protect against viruses
Malicious software or malware (a category that includes viruses, Trojans and spyware) may not always be as devastating as the headlines suggest. However, it can still dramatically slow down your systems, and passing it on to customers will win you no friends.
Fortunately, there is plenty of protection available. Your computers may have been sold with anti-virus software (the generic term, although most products also protect against other kinds of malware). If not, you can easily buy it. Anti-virus software regularly scans a computer in search of malware, deleting any that is found.
Regular updates to head off new threats are key to anti-virus software. So this is one area where it does pay to stick to the big brand names and to ensure that the software is set to receive updates as regularly as possible (ideally daily).
The use of ransomware continues to be popular amongst cyber criminals. It is a very specific type of malicious software that encrypts data and instructs users to pay a ransom – usually in cryptocurrency that is notoriously difficult to trace – or risk their files being permanently deleted, or sensitive information being posted to the internet. Cyber attacks like this are widespread; Royal Mail’s international mail operations were severely impacted by a ransomware attack in January 2023, and an attack on Travelex in 2019 was cited as a key reason for the company entering administration just a few months later.
Public sector organisations are particularly vulnerable. In 2022, NHS services across England were significantly disrupted after one of its suppliers was attacked using the ‘LockBit’ malware. This left many hospitals without digital record-keeping systems for a number of weeks. The vulnerability of public sector organisations may, in part, be related to their tendency to rely heavily on older, less secure software and systems, making them easier to target.
Fortunately, the steps in this guide can help to mitigate the risks, and most anti-virus software will now scan for and quarantine any suspected ransomware activity.
6. Extend security beyond the office
Today’s employees often work from home or on the road using their own laptops, phones and tablets. It is difficult to extend the same level of security you can apply to office computers to these devices. But you can reduce risk by requiring approval of any personal equipment used for work. It should have the minimum of anti-virus software, password protection and (where applicable) a firewall.
To protect against unauthorised access to information when a device is mislaid or stolen, it is possible to remotely lock or wipe the device (deleting all the information on it), even when you don’t have it in your possession. This capability is built into most mobile devices using iOS or Android; software can also be bought to perform remote wiping, but this must be installed before the device is lost.
Ensuring that sensitive data is kept in an encrypted area of the computer or device will stop most attempts to access it. This is easy to set up using off-the-shelf software, and indeed Windows 10 and 11 have built-in encryption capabilities which ensure the entire disk is encrypted when the computer is off (which, notably, includes hibernation mode, but not sleep mode) – this does, however, need to be enabled, as by default it is not.
Beware of the dangers when connecting to unencrypted public Wi-Fi, as hackers can intercept data. Check the hotspot is genuine and make sure file sharing is off and the firewall is on. If public Wi-Fi has to be used, best practice is to use a VPN service which encrypts the data transmission.
7. Remember to secure files stored on external or cloud devices
Removable disks and drives such as DVDs and USB sticks pose security risks in two ways – especially when containing sensitive information. They can introduce malware into your computers, and they can easily be mislaid.
For this reason, many organisations now block the use of external storage devices, or as a minimum limit their read/write capabilities and track who has possession of them. Ensure that, as far as possible, only disks and drives owned by your business are used with your computers, and that any external storage devices are encrypted. Discourage employees from using them in third parties’ computers (in internet cafés, for example) and set up anti-malware software to scan them whenever they are used in the office. Establish a routine to track who has possession of each disk or drive at any given time, and check that all documents are erased from them after use.
Additionally, where clients or customers need to share files with your organisation, they should be encouraged to do this by approved, agreed mechanisms, which typically would involve secure online file transfer rather than the exchange of physical media. Again, encryption should be employed where possible; there are freely available encryption tools that can be used to support this such as Gpg4win.
As touched on in step 4, cloud-based file management solutions can provide flexibility and agility to organisations, particularly supporting individuals in hybrid working, self-management of file and folder access, and the ability to access files on both mobile and laptop/desktop devices. With the right controls in place they can also be highly secure, including the ability to restrict individuals from copying or printing specific files. However, there are risks involved too, as in some cases it can be very easy to set permissions on files to ‘open’, which gives anyone with the link to the file access to it. There are tools available that hackers use to scan the web for such files, to locate and steal sensitive information. Therefore, such solutions require a level of IT administration to govern what individuals can and cannot do, such as preventing the sharing of files outside the organisation.
Also be aware of the plethora of cloud-based file sharing platforms, and discourage/block employees from using any platforms which are not approved by the organisation.
8. Plan for the worst
Following the measures in this guide will help you protect against a major security breach. But no system is 100% secure, so it’s worth planning what to do if things go badly wrong.
First, define what is major for you. Something that puts a non-critical department of the business offline for a couple of hours probably isn’t. But something that prevents you serving customers or performing vital functions such as payroll will be.
Establish how you will know that there’s a problem. You shouldn’t have to wait for computers to go down; your firewall or anti-virus software, for example, may provide advance warning that something unusual is going on.
Plan your next steps. What help should you call in? A specialist computer company perhaps? Do you need to contact key customers or suppliers to explain that there is a problem? Can some functions be continued using other computers, or pen and paper, while your systems are repaired? Who else do you need to inform (such as NCSC or ICO)? Be aware of any legal obligations you have in this regard.
Ensure that it’s clear who is responsible for doing what in an emergency. Your plan can be laid out in a document and delivered in training sessions. It may incorporate elements of your plans for other disasters, such as a fire on your premises, and cut-down versions can be applied to less damaging computer incidents.
Finally, consider whether insurance is required to cover for cyber risks, and if so, what it does and does not need to cover. Bear in mind that cyber insurance does not prevent a breach or attack, but can provide practical and financial support if the worst does happen.
9. Educate your team
Tell everyone in the business why security matters and how they can help, using training sessions and written policy documents. This will encourage them to follow practices such as regular password changes.
Most will not have to actively work at security; they’ll simply need to be aware of risks – for example, knowing that they should never click on a web link or attachment in an email from an unfamiliar source. That being said, with increasing use of cloud-based file management solutions, it is incumbent on employees to be aware of their own personal responsibilities in setting appropriate file access permissions.
There are non-technical risks, too. One is social engineering, where hackers try to trick employees into revealing technical details that make your computers vulnerable. For example, a hacker might pretend to work for your computer supplier and claim they need passwords to perform maintenance. The casual atmosphere of social media sites such as Facebook could be conducive to such deceptions, so employees should be especially wary of discussing your systems and practices on social media.
10. Keep records and test your security
Security is an ongoing process, not a one-off fix, so it’s important to keep clear records. For example, the decision-making in step 1 of this guide could help you produce a list of all your hardware and software, along with an indication of how secure each item needs to be. Similarly, records of software patches and lists of authorised personal devices will help build up a picture of your business’s security status, spot potential weak points and figure out how any problems arose.
Keeping good records will also help you regularly test all your security measures, and ensure that you have functioning, up-to-date software. Any business is only as secure as its weakest link, and testing will make sure that no weaknesses are overlooked. Testing should also include regular phishing simulations, where emails are sent to employees that replicate the behaviour of typical phishing emails. This can then allow a more targeted education campaign to those employees who repeatedly engage with the simulated emails.
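As an added example (not part of this guide), the following PowerShell script performs a read-only check of one Windows 10/11 PC against steps 2, 3, 5 and 6 (firewall enabled, patches applied, anti-virus signatures fresh, built-in disk encryption turned on, which on Windows is BitLocker) and writes a dated record of the result for the step 10 file. It assumes Microsoft Defender and BitLocker are in use, an elevated session, and thresholds (one day for signatures, 30 days for patches) that you should tune to your own patch cycle.

```powershell
# Added example, not ICAEW's own tooling. Run as Administrator on Windows 10/11 (Pro/Enterprise for BitLocker).
$MaxSignatureAgeDays = 1    # step 5: the guide recommends daily anti-virus updates
$MaxPatchAgeDays     = 30   # step 3: assumed threshold, tune to your own patch cycle

$findings = [System.Collections.Generic.List[string]]::new()

# Step 6: disk encryption is off by default; every volume should report protection 'On'.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Drive $($vol.MountPoint): BitLocker protection is $($vol.ProtectionStatus)")
    }
}

# Step 2: all three Windows Firewall profiles (Domain, Private, Public) must be enabled.
foreach ($fw in Get-NetFirewallProfile) {
    if (-not $fw.Enabled) {
        $findings.Add("Firewall profile '$($fw.Name)' is disabled")
    }
}

# Step 5: Defender must be running with real-time protection and fresh signatures.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Defender real-time protection is off')
}
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add("Anti-virus signatures are $($mp.AntivirusSignatureAge) day(s) old")
}

# Step 3: the most recently installed update should be within the patch window.
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastPatch -or ((Get-Date) - $lastPatch).Days -gt $MaxPatchAgeDays) {
    $findings.Add("No update installed in the last $MaxPatchAgeDays days (last seen: $lastPatch)")
}

# Step 10: keep a dated record per machine alongside your hardware/software list.
$record = [pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    CheckedAt = (Get-Date).ToString('s')
    Status    = if ($findings.Count -eq 0) { 'PASS' } else { 'ACTION REQUIRED' }
    Findings  = $findings.ToArray()
}
$record | ConvertTo-Json -Depth 3 | Out-File -FilePath "security-check-$($env:COMPUTERNAME).json"
$record
```

Running it on a schedule and filing the JSON output gives you the per-machine history the step above describes, and a non-empty Findings list is the weak point to act on first.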