Thursday, 12 April 2018

5 Practical Steps to Secure your Accountancy Firm’s Data for GDPR


With the clock rapidly ticking down towards GDPR go-live, this week I was reading the newly published government survey, “Cyber Security Breaches Survey 2018: Preparations for the new Data Protection Act”, and I have to say I was amazed by some of the findings. The survey looked at how aware businesses and charities are of the incoming GDPR legislation and how they are actively preparing for the change. Having been immersed in GDPR, both for my own organisation and for our clients, for well over a year now, I was particularly surprised to learn that overall only 38% of businesses had even heard of GDPR! And among those aware of GDPR, only just over a quarter of businesses had made changes to their operations in response to GDPR’s introduction.

However, of those who had made changes to how they operate, 49% said that some of the changes made related to cyber security practices. This doesn’t come as a surprise to me as we are currently in the throes of conducting an independent cyber security vulnerability scan, or a more in-depth cyber security check-up, to many organisations as part of their GDPR preparations, and we are finding, almost invariably, that cyber security is an area where there are some deficiencies that need to be corrected.

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

Article 32 of the GDPR states that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

It goes on to list some more specific measures which you may wish to consider, amongst others:-

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

By the nature of data security, it is impossible for the legislation to be prescriptive, because the security threat landscape is constantly evolving, and as such, what constitutes a secure network today almost certainly will not constitute a secure network tomorrow.

Whilst the ICO (the data protection regulatory body in the UK) has produced guidance documents on many sections of the GDPR, there is not yet updated guidance around IT security for small and medium sized businesses, so I thought it would be useful today to try and explain some practical steps for securing your data, in line with IT industry best practice:-

1. Cyber Security Defences

It is important to realise that there is no single product that will provide a complete guarantee of security for your firm. The recommended approach is to use a set of security controls that complement each other, but these will require ongoing support in order to maintain an appropriate level of security. The type of products you should be considering are likely to include:-
  • Virus protection
  • Malware protection
  • Ransomware protection
  • Email filtering
  • Web filtering
  • Constantly updated firewall protection
  • Encryption of data in transit
  • Encryption of data at rest
  • Mobile working policies
  • Data loss/leakage prevention technology
  • Strong passwords
  • Two factor authentication
  • The ability to remotely wipe data from any user device that is lost or stolen
  • A system for securely wiping old servers and PCs prior to disposal
  • Regular or continuous vulnerability scanning
  • 24/7 monitoring against threats

2. Implement an Effective Security Patching Regime

I recently wrote a detailed article on this subject, so I won’t repeat myself here, but the full article can be found at https://accountancyit.blogspot.co.uk/2018/03/preparing-for-gdpr-key-considerations.html

3. Protect Data from Insider Threats
  • Access control procedures (staff and third parties)
  • Starters and leavers procedures
  • Mobile working policies
  • Data leakage prevention
  • Ongoing staff education on cyber threats

4. Implement Effective Data Backup Procedures
  • A multi-layered approach to data backup to protect against different types of threats
  • Actively monitored backups
  • Backups tested regularly to ensure they are recoverable

5. Review and Test your Disaster Recovery Procedures
  • Up to date plans
  • Regularly tested
  • Deliver proven recovery times
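The two points above that most often go unchecked are “actively monitored backups” and “backups tested regularly to ensure they are recoverable”. The script below is an added example (not Connexion’s tooling, and not from the original article) of how both can be automated: it records a SHA-256 manifest of the live data at backup time, verifies a test restore file-by-file against that manifest so that silent corruption or a missing file is reported rather than discovered during a real recovery, and flags a backup whose last successful run is older than the agreed policy window. The file names, the 26-hour freshness window and the sample data are all constructed for the example.

```python
"""Backup verification and freshness monitoring (added example, not the
article's or Connexion's own code).

Assumptions (all hypothetical): the backup job writes a manifest of
SHA-256 hashes when it runs, a test restore lands in a scratch directory,
and the backup policy is one successful run per day with a 26-hour grace.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

FRESHNESS_WINDOW = timedelta(hours=26)  # constructed policy value


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its hash at backup time."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Compare a test restore against the manifest.

    Returns sorted lists of files that restored correctly, files whose content
    no longer matches (corruption or tampering), and files absent entirely.
    """
    ok, corrupt, missing = [], [], []
    for rel, expected in manifest.items():
        candidate = restore_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_file(candidate) != expected:
            corrupt.append(rel)
        else:
            ok.append(rel)
    return {"ok": sorted(ok), "corrupt": sorted(corrupt), "missing": sorted(missing)}


def backup_is_fresh(last_success: datetime, now: datetime,
                    window: timedelta = FRESHNESS_WINDOW) -> bool:
    """Active monitoring: a backup that has not succeeded within the window
    should raise an alert rather than be assumed to be running."""
    return now - last_success <= window


def demo() -> dict:
    """Run the whole flow on constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "payroll").mkdir(parents=True)
        (live / "clients.csv").write_text("id,name\n1,Example Client\n")
        (live / "ledger.csv").write_text("date,amount\n2018-04-01,100.00\n")
        (live / "payroll" / "april.csv").write_text("employee,gross\nA,2000\n")

        manifest = build_manifest(live)          # taken at backup time
        restore = Path(tmp) / "restore"
        shutil.copytree(live, restore)            # the test restore

        # Simulate two failure modes a real test restore should catch:
        (restore / "clients.csv").write_text("id,name\n1,Corrupted\n")  # bad content
        (restore / "ledger.csv").unlink()                                # lost file

        return verify_restore(restore, manifest)


if __name__ == "__main__":
    result = demo()
    print("restore check:", result)
    now = datetime(2018, 4, 12, 9, 0, tzinfo=timezone.utc)   # constructed clock
    last_ok = now - timedelta(hours=30)                       # constructed history
    print("backup fresh:", backup_is_fresh(last_ok, now))
```

The point of hashing at backup time rather than at restore time is that the manifest is independent of the backup medium: if the copy on the backup target is later corrupted, a restore from it will still differ from the recorded hash. Storing the manifest with the backup set (and a second copy elsewhere) is what turns “we have backups” into “we have backups we know we can recover”.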
I hope this provides you with some useful practical insight into how to secure your data in readiness for GDPR. If you are unsure whether or not your current data security practices are adequate for GDPR, then the best thing to do is to contact me to discuss getting an independent vulnerability scan or full cyber security audit. This will give you a good benchmark as to whether or not you are doing the right things around cyber security management, and if you are not, give you practical steps to remediate any vulnerabilities prior to the GDPR go live date on 25th May. If this article has raised questions or concerns over your firm’s cyber security strategy or you would like more information on Connexion’s services, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.

 _________________________________________________________________________________  
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size accountancy practices throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for accountancy practices please visit our website http://www.connexion.co.uk/accountancy

Thursday, 8 March 2018

Preparing for GDPR: Key Considerations for an Effective Security Patching Regime



In recent weeks most of you will have heard media coverage around the discovery of serious security flaws, known as Meltdown and Spectre, which affect almost every modern computer, and could potentially allow hackers to steal sensitive personal data. The three connected vulnerabilities have been found in processors designed by Intel, AMD and ARM.

I therefore thought today that it would be well worth sharing some information on not just these particular threats, but the wider issue of patching computer systems in order to protect confidential and/or personal data against the latest security threats.

Patches, also known as software fixes or updates, are released by software vendors on a regular basis and are designed to fix bugs within the software and put in place measures to mitigate newly discovered security threats. Patches are released regularly for operating systems (like Microsoft Windows) and for most business software applications, as well as for technical software such as anti-virus and backup programmes.

Applying these patches is very important for a number of reasons:-
  • It helps to reduce your risk of falling victim to ransomware attacks, which, as the Wannacry attack in the NHS demonstrated last year, are extremely disruptive and can cause major business problems through downtime and loss of data, not to mention reputational damage and regulatory consequences.
  • Exploiting known vulnerabilities is one of the commonest ways that cyber criminals may hack into or compromise your network. Known as “commodity attacks”, they often lead to data breaches and ensuing reputational damage to the business, commercial impact with customers and again, potentially serious regulatory consequences.

Which brings me nicely on to GDPR.

Those of you who read my recent blog “Preparing your Accountancy Practice for GDPR – 6 Key Steps to Take” will know that I touched on the importance of identifying threats to your data and investing in the right technologies and business processes to deal with those threats. And effective patch management forms one important part of the overall solution.

In fact I was recently reading a blog by the Information Commissioner’s Office (the data protection regulator in the UK), which defines their stance around patching in relation to GDPR, and I quote:-

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.” 

This statement brings clarity to the importance of applying security patches to your systems in a timely fashion. However, this may not be as straightforward as it first sounds. Firstly for larger businesses with remote workers or staff who use their own laptop or device for work, there is the logistical issue of how to ensure updates (which are coming out constantly) get deployed to all these end-user devices.

There are also servers to be updated which requires a structured process to ensure technical expertise is made available, suitable testing is carried out and the updates are organised in such a way as to minimise disruption to the business, such as arranging business-friendly downtime slots should the servers need to be rebooted in order to apply the patches.

Timeliness is also an issue, since cyber criminals are now actively “reverse engineering” fixes from software companies like Microsoft, so that they work out what vulnerability the update addressed, and then exploit that vulnerability in organisations who have not yet installed the appropriate patch.

There’s then the issue of testing patches to ensure they are not going to cause a problem with other software you are using on your PCs or servers, or cause your IT system to grind to a halt. There has already been much speculation around how much the updates for Spectre and Meltdown may slow down computers, and over the years I have seen several updates that have caused problems on customers’ networks. Having a roll-back plan that will work is vital to mitigate the risks when deploying any widespread PC update.

Finally, your cyber defences are only ever as good as your weakest link on any given day, so when it comes to patching, getting 99% of your devices updated is just not enough. With many cyber threats set to seek out the one device that isn’t patched, and enter your network via that device, it is vital that organisations have in place systems that give clear visibility over all devices on the network and their current patch status, and raise an alert for any device which has not been patched or where a patch has failed to deploy for any reason. It is all too easy for one computer to slip through the net if your systems for deploying updates are not highly structured – perhaps the device was turned off, the user rejected or postponed the update or there was a technical problem such as the computer running short of disk space.
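The paragraph above describes the visibility a patching regime needs: every device on the network, its current patch status, and an alert for any device that is missing a patch or where deployment failed, including the quiet cases where a laptop was simply switched off. The script below is an added example (not from the original article, and not Connexion’s own tooling) of that compliance check written against the kind of per-device records a patch management system exports. The patch identifiers, the three-day check-in threshold and the four sample devices are constructed for the example; a real run would read the export rather than the inline list.

```python
"""Patch-status visibility report (added example, not the article's or
Connexion's own code).

Assumptions (all hypothetical): the patch management system exports one
record per managed device with its hostname, the time it last checked in,
and the per-patch state ("installed", "failed" or "pending"). A device that
has not checked in recently, or that lacks any required patch, is reported.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed identifiers: stand-ins for the patches currently in scope.
REQUIRED_PATCHES = {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}
# A device silent for longer than this may be switched off, off-network,
# or broken; either way its patch state is unknown and must be chased.
STALE_AFTER = timedelta(days=3)


@dataclass
class Device:
    hostname: str
    last_seen: datetime
    patches: dict  # patch id -> "installed" | "failed" | "pending"


def classify(device: Device, now: datetime,
             required=REQUIRED_PATCHES, stale_after=STALE_AFTER):
    """Return ("compliant" | "non-compliant", [reasons]) for one device."""
    reasons = []
    silence = now - device.last_seen
    if silence > stale_after:
        reasons.append(f"not seen for {silence.days} days")
    for patch_id in sorted(required):
        state = device.patches.get(patch_id, "missing")
        if state != "installed":
            reasons.append(f"{patch_id}: {state}")
    return ("compliant" if not reasons else "non-compliant"), reasons


def report(devices, now):
    """Per-device status, so an operator can see why each one is flagged."""
    return {d.hostname: classify(d, now) for d in devices}


def alerts(devices, now):
    """Hostnames needing attention, sorted for stable ticketing."""
    return sorted(h for h, (status, _) in report(devices, now).items()
                  if status != "compliant")


def coverage(devices, now):
    """(compliant, total): the figure the article says must reach 100%."""
    total = len(devices)
    done = sum(1 for d in devices if classify(d, now)[0] == "compliant")
    return done, total


# Constructed sample export. The clock is fixed so the output is repeatable.
NOW = datetime(2018, 3, 8, 9, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    Device("ws-01", NOW - timedelta(hours=1),
           {"KB-EXAMPLE-001": "installed", "KB-EXAMPLE-002": "installed"}),
    Device("ws-02", NOW - timedelta(hours=2),                # install failed
           {"KB-EXAMPLE-001": "installed", "KB-EXAMPLE-002": "failed"}),
    Device("lt-03", NOW - timedelta(days=10),                # laptop switched off
           {"KB-EXAMPLE-001": "installed"}),
    Device("srv-01", NOW - timedelta(minutes=30),            # awaiting reboot slot
           {"KB-EXAMPLE-001": "installed", "KB-EXAMPLE-002": "pending"}),
]


if __name__ == "__main__":
    for host, (status, reasons) in report(SAMPLE_DEVICES, NOW).items():
        print(f"{host:8} {status:14} {'; '.join(reasons)}")
    done, total = coverage(SAMPLE_DEVICES, NOW)
    print(f"coverage: {done}/{total}; alerts: {alerts(SAMPLE_DEVICES, NOW)}")
```

Note that a device absent from the export entirely would never appear in this report, which is the blind spot the article warns about. Pairing the patch system’s export with an independent asset inventory (for instance the DHCP lease table or the directory’s computer list) and reporting any device in one but not the other closes that gap.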

I hope this article has provided a useful insight into both the importance of, and the potential complications around, patching your computer systems. Here at Connexion we have highly structured processes and methodologies to deliver patch management to our customers, which include providing timely deployment of patches to all devices, clear visibility and alerting of any device that is missing a patch, and structured change control and rollback plans to minimise the risks around patch deployment. If you would like to find out more, please do not hesitate to contact me for a no obligation conference call on 0118 920 9600 or email james.stratton@connexion.co.uk.


Wednesday, 10 January 2018

GDPR Compliance for Accountancy Practices: Just Where is your Confidential Data?



This may sound like an odd question, as I’m sure many of you will be certain you know just where all your confidential and personal data is held. But do you really? And does it matter?

Accountants hold much personal data, such as tax information and payroll data, which identifies individuals by name or reference number, and as such falls under the scope of the GDPR. In my previous article I talked about 6 key steps to take in preparing your practice for GDPR, the first of which was about understanding your data. This is a fundamental pre-requisite as until you understand what data you hold, and where it is stored, it is nigh on impossible to protect it adequately, as the GDPR demands.

And, the reality is, that in the globalised world in which we now operate, with increasing demands for remote working, there is a real danger that your precious business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails?

And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through to private cloud environments and individual cloud-based software applications. Understanding which of these your firm is using and where your data is actually being stored as a consequence is paramount, if you are to meet your obligations under GDPR, which include ensuring that you do not store data in or transfer data to countries outside the European Economic Area that do not have equivalently strong data protection standards.

There are also copies of data taken for backup purposes to consider. And do bear in mind this is not just your scheduled backups of your in-house servers, but can be backups that you may not even be aware of, such as automatic cloud backup software which may be installed on employee owned devices, which could be copying confidential company data to an unknown provider’s cloud storage, in an unknown location, unbeknown to anyone.

In general terms, the more widespread and less controlled your data is, the more vulnerable you leave your accountancy practice to a security breach. So understanding what data you hold, where it is stored and who has access to it, is absolutely critical. This in turn needs to be documented, both so that the Partners/Directors have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts firms back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for accountancy practices. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help. We are currently working with accountancy practices on a wide range of GDPR readiness solutions, including carrying out GDPR cyber readiness audits, benchmarking current cyber security with an independent vulnerability scan, and implementing technologies and business processes to address vulnerabilities in cyber security defences, data backup strategy and disaster recovery provision.

If you would like to read other articles in our series of informational resources for Partners and Directors at Accountancy practices, please visit our blog at https://accountancyit.blogspot.co.uk/


Thursday, 4 January 2018

Preparing your Accountancy Practice for GDPR – 6 Key Steps to Take



With Making Tax Digital having been at the forefront of most accountants’ minds in 2017, and then the tax return season being upon us once again, many accountants have found little time to think about GDPR yet. However GDPR comes into force in May 2018, and as such time is fast running out to get your practice prepared.

I therefore thought it would be useful to put together some information on this topic, including 6 key steps I would recommend taking to prepare your practice for GDPR.

By way of background, the new EU general data protection regulation (GDPR) represents the most radical change in data protection legislation in the last 20 years. It has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

The regulator (in the UK this is the Information Commissioner’s Office) has the power to levy substantial fines of up to €20 million or 4% of your annual turnover, whichever is the higher, on organisations that do not comply. In addition, if you experience a data breach, there is an obligation to notify the data protection authority, and in some cases the consumers affected, within 72 hours. This leaves the firm concerned highly exposed to brand damage and potential customer payouts.

So what do accountancy firms need to be doing to prepare for GDPR?

Well this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.

2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if firms are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and the resulting fines and reputational damage that would be caused.

4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.

5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection.

6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your firm.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for accountancy firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that we can help. We are currently working with accountancy practices on a wide range of GDPR readiness solutions, including providing GDPR cyber readiness audits, benchmarking firms’ current cyber security with an independent vulnerability scan, and implementing technologies and business processes to address vulnerabilities in cyber security defences, data backup strategy and disaster recovery provision.


Thursday, 21 December 2017

Effective Cyber Security for Accountancy Practices – Why a Structured Approach is Paramount to Managing Risk



With cyber attacks and data breaches hitting the news headlines seemingly daily, it cannot have escaped anyone’s notice that risk management around cyber crime is now a massive issue for all businesses. Accountancy firms are not immune, as the data breach at Deloitte earlier this year illustrated, when hackers breached the firm’s email system and accessed client information. Indeed accountancy firms can be particularly at risk given they are dealing with much confidential client material, such as individuals’ tax affairs.

As such, I frequently get asked by my accountancy sector clients for advice on the best ways to manage the risk around cyber security, so today I thought it would be useful to share some information on this important subject.

Cyber security breaches are now a widespread issue, with the government’s Cyber Security Breaches Survey 2017 revealing that 52% of small firms and 66% of medium sized firms had identified a cyber security breach or attack in the last 12 months.

The types of attacks experienced are diverse, ranging from fraudulent emails such as "phishing" attacks, where criminals attempt to obtain access to confidential information or passwords, through to "ransomware" attacks, such as the recent WannaCry attack on the NHS and many other organisations, where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams, through to much more sophisticated espionage.

Protecting confidential client information is vital to any accountancy practice and as such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Partner/Director involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

And this is where a structured approach to IT management becomes critical. With many in-house IT Managers understandably being pulled from pillar to post delivering day-to-day support, it is easy to lose sight of the systemised approach and relentless attention to detail that is needed to manage an accountancy practice’s risk around cyber security. There is so much more to cyber security management than technology. Yes a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security. For example:
  • How promptly do security updates get applied to your servers and PCs? How are they tested to ensure they won’t cause a problem with your systems?
  • What procedures do you have around leavers and removing their access, including remote access?
  • How do you separate and secure data that is held on personal devices such as emails on smart phones?
  • What policies do you have to prevent data leakage from stolen mobile devices or copies of files made to portable media like USB sticks?
  • How do your staff know which emails are genuine and safe to open, and more importantly, which they shouldn’t open?
  • How do your processes and procedures ensure new starters or temporary resources are educated in cyber safety procedures?
  • How is your system backed up and how long would it take to recover it in the event of something like a ransomware attack? How often is it tested to ensure it would be successful? How would your firm operate in the interim?
  • And in the worst case scenario, how would you handle communication of a cyber attack in order to minimise the reputational damage?

To compound matters, cyber crime is a constantly changing landscape, with new threats emerging continuously and a constant need for accountancy firms to re-evaluate and update their risk management plans in order to remain one step ahead of cyber criminals.

And in my experience, the key to successful risk management around cyber security is having a highly structured approach, encompassing effective procedures and policies that are constantly reviewed and updated, along with a suite of supporting technologies. Such policies will involve a multifaceted approach, incorporating user training to help people at all levels in the firm understand how to reduce the likelihood of attack, a suite of technological solutions to help guard against threats, day-to-day operating procedures that are rigorously adhered to, as well as contingency plans to fall back on should the worst happen. Such a structured approach towards management of IT systems not only addresses the challenges of cyber security but also brings with it the ability to successfully and safely harness technology to deliver real value to accountancy firms.

Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in accountancy practices, including both leveraging IT to make time and efficiency improvements as well as managing risk around digital threats and ensuring compliance with key legislation such as the GDPR. In the meantime, if you are concerned about your firm’s vulnerability to cyber threats, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.
