The attitude of accountancy firms to cyber security is worrying, according to an Aon survey of 1,000 business owners. The survey found that nearly half of practices in the accounting, banking and finance sector are still confused or even unaware of GDPR rules, and only around one in 10 see cyber attacks as a leading risk to their business.
In fact, the cyber risks facing accountancy firms, such as a data breach, are ever increasing.
Cyber criminals are switching their focus to smaller companies, in recognition of the fact that accountancy firms hold significant amounts of data that may not be protected by multimillion-euro security budgets.
Even where the firm itself isn’t the ultimate target, criminals can view accountancy practices as the ‘weakest link in the chain’ when seeking access to sensitive data.
The growth of flexible working and the accompanying need to access data on the go creates additional vulnerabilities – particularly within small businesses, where ensuring data security awareness isn’t always a high priority.
The European rules known as GDPR, which have applied in Ireland and across the EU since 25 May 2018, drastically increased the potential penalties for companies found to have misused or mismanaged personal data.
A personal data breach must, for example, be notified to the supervisory authority (in Ireland, the Data Protection Commission) within 72 hours of the firm becoming aware of it, unless the breach is unlikely to pose a risk to the people affected; failing to notify is itself a breach of the regulation and can attract a fine. Although fines are expected to be issued as a last resort, the maximum is €20m or 4% of annual worldwide turnover, whichever is higher.
This means the risk presented by non-compliance with GDPR has the potential to bring a small business to its knees.
While many companies have professional indemnity insurance in place, there are often significant costs that professional indemnity won’t pick up. In the event of a data breach, firms will still need to cover the cost of responding to a breach themselves.
This can leave a business liable for hefty fees for notification services, forensic expert investigations, public relations consultants and the use of credit monitoring agencies to rectify problems and get them back up and running should the worst happen.
Protecting yourself against a data breach
With an ever-growing number of cyber security threats to consider, added to the sheer volume of data that accountancy firms deal with, it can be challenging to know where to start when it comes to protecting your practice.
However, there are a few key steps you can take to protect your firm – and the good news is, none of them require significant investment.
1. Protect your accountancy practice with IT tools
Cyber attacks can come in many guises, and malware alone takes many forms: viruses, ransomware, keyloggers and rootkits among them. Installing antivirus software that regularly scans your systems and blocks known malware before employees can run it is one simple way to reduce your risk. Bear in mind that antivirus recognises known threats; it is a safety net, not a substitute for the other steps below.
A firewall restricts network traffic to and from your systems to what the business actually needs, closing off points of entry that criminals would otherwise probe and blocking connections to and from known-malicious IP addresses.
If you don’t already have one in place, ask your IT team or consultants to recommend the best solution for your business.
Another tip is to install vendor patches as soon as they become available.
Patches are issued by software vendors to close known weaknesses and vulnerabilities, and publicly known vulnerabilities are exactly what attackers scan for, so unpatched systems are the easiest targets. Turn on automatic updates wherever the software supports it, and keep an inventory of what you run so nothing is forgotten. Once again, if in doubt, ask your IT team for advice.
2. Vet your suppliers
To ensure GDPR compliance, accountancy firms must understand and document not only their own data handling procedures, but how and where their suppliers handle personal data, including having a written contract in place with any supplier that processes personal data on the firm's behalf.
And, to meet the standards set out in the regulation, those processes must be well documented, consistent and kept up to date.
The best way to achieve this is through a structured supplier assessment process.
By formally surveying and capturing data on your suppliers – including any software suppliers – you can quickly identify any risks in your supply chain and put plans in place to address any gaps.
Perhaps most importantly, by documenting the process and results, you’ll always be prepared should questions come your way in the event of a breach.
3. Develop a cyber-conscious culture
Our recent poll of 1,000 SMEs, carried out through OnePoll, indicates that around three in 10 accountancy practices allow staff to use their own devices for work.
What's more, it revealed that four in 10 do not regard personal information stolen through a cyber attack or fraud as a data breach, and one in three admitted they were unaware of the time limit for reporting such a loss, exposing their firms to the risk of huge fines.
This demonstrates the importance of building a culture of cyber risk awareness.
The first step to creating a cyber-conscious culture is having simple, clear policies in place that address potential breaches.
These policies should include rules for keeping a clean machine (including which programs, apps and data employees may install and keep on their work computers, and how data should be organised and stored).
Such policies should also cover best practice for passwords, backing up work, clear procedures for notifying a named member of staff if anything strange is noticed on a computer, and instructions not to open suspicious links or attachments in email, tweets or messages, even when the sender appears to be someone the employee knows, since sender names and addresses are easily forged.
One of the most significant causes of data breaches is phishing of employee email accounts. Specific policies need to be created for maintaining email security, such as requiring a second authentication factor for mailbox logins and a simple route for staff to report suspicious messages.
Encryption is also a must. Full-device encryption should be enabled on all company laptops and mobile devices, and on employees' personal devices where they use these to access firm data, so that a lost or stolen device does not become a reportable breach.
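To make the "even if you know the source" point concrete, here is an added example (not code from the original article) that runs a few of the structural checks a mail filter or a trained reader applies to a suspicious message: a display name that borrows a trusted supplier's domain while the real sender address is elsewhere, a Reply-To that goes to a different domain than the From, a link whose visible text shows one host while the href points to another, and a look-alike host that embeds a trusted name. The trusted-domain list and both sample messages are constructed for illustration.

```python
"""Heuristic phishing indicators over constructed sample e-mails.

Added example, not code from the original article. TRUSTED_DOMAINS and both
sample messages below are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the practice's own domain plus suppliers it expects mail from.
TRUSTED_DOMAINS = {"example-accountants.ie", "payroll-supplier.example"}

# Matches text that looks like a bare domain or URL (used for anchor text).
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.\w+(/\S*)?")


class _LinkExtractor(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (text, href)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare domains without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True only for a trusted domain itself or one of its real subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike_host(host: str) -> bool:
    """A trusted name embedded in some other host, e.g. trusted.example.evil.example."""
    if not host or is_trusted_host(host):
        return False
    return any(d in host or d.split(".")[0] in host for d in TRUSTED_DOMAINS)


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable indicators; an empty list means none fired."""
    msg = message_from_string(raw_message)
    found = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name borrows a trusted name, but the real address is elsewhere.
    if not is_trusted_host(from_domain) and is_lookalike_host(display_name.lower()):
        found.append(f"display name mentions a trusted domain but sender is {from_domain}")

    # 2. Replies would go to a different domain than the apparent sender.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Link checks on HTML bodies: look-alike hosts and text/href host mismatch.
    if msg.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(msg.get_payload())
        for text, href in parser.links:
            href_host = host_of(href)
            if is_lookalike_host(href_host):
                found.append(f"look-alike link host {href_host}")
            if _URL_LIKE.fullmatch(text) and host_of(text) != href_host:
                found.append(f"link text shows {host_of(text)} but points to {href_host}")
    return found


# Constructed sample: a genuine notice from the payroll supplier.
LEGITIMATE_SAMPLE = """\
From: Payroll Supplier <notices@payroll-supplier.example>
To: accounts@example-accountants.ie
Subject: April payroll report ready
Content-Type: text/html; charset=utf-8

<p>The April report is ready in <a href="https://portal.payroll-supplier.example/reports">your portal</a>.</p>
"""

# Constructed sample: a phish impersonating the same supplier.
PHISHING_SAMPLE = """\
From: "Payroll Supplier via payroll-supplier.example" <notices@mail-secure-update.example>
Reply-To: helpdesk@collect-replies.example
To: accounts@example-accountants.ie
Subject: Urgent: confirm your portal password
Content-Type: text/html; charset=utf-8

<p>Please sign in at <a href="http://payroll-supplier.example.verify-account.example/x">https://portal.payroll-supplier.example</a> within 24 hours.</p>
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE_SAMPLE), ("phishing", PHISHING_SAMPLE)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

None of these checks is conclusive on its own (legitimate mailing services sometimes set a different Reply-To, for example), which is why the policy should tell staff to report anything that trips them rather than decide for themselves, and why the firm should treat a known sender's name as no guarantee at all.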
Once you have your cyber security policies in place, it’s important to communicate them clearly to your staff. The key to firmly embedding a culture of cyber security in your firm is through engaging with your staff.
Communicate why it matters and give them the tools to keep your data safe.
Regular training can help with this, as can including cyber security in inductions for all new staff members. Also, make sure your senior people are leading by example.
4. Check your insurance policy
Even the most sophisticated cyber security doesn’t guarantee complete protection. Data breaches are, by their nature, unpredictable and so it is difficult to be fully prepared for every possible scenario.
If a breach does happen, your business is responsible for investigating its cause and, unless the breach is unlikely to pose a risk to the individuals concerned, notifying the supervisory authority within 72 hours of becoming aware of it. Where the breach is likely to pose a high risk to those individuals, you must also tell them without undue delay, and in practice firms often provide ongoing help such as support helplines and credit monitoring.
Responding to a breach in a way that is compliant with GDPR comes at a price; costs can quickly spiral when you take into account the specialist, and often short-notice, support you may need from cyber security experts, lawyers, call centres, IT and PR consultants.
For peace of mind, consider purchasing a cyber insurance policy. These policies can be surprisingly affordable and, depending on the cover chosen, can pay not only the cost of responding to a breach but also the damages and claims expenses you are legally liable for in the event of a breach or security failure.
When arranging your policy, ask your broker to ensure it comes with a pre-approved panel of providers who can help you take immediate action in the event of a breach, meet the 72-hour deadline for notifying the supervisory authority and notify affected individuals promptly.
You should also check whether your policy covers any financial losses as a result of cyber crime, including ransomware claims.
A specialist cyber insurance policy will buy you peace of mind that, should the worst happen, you will be able to meet regulatory requirements as well as keep your business running.
By taking the steps outlined above, accountancy firms can protect against the ever-increasing risk of a cyber breach without having to break the bank.