Thursday, 21 December 2017

Effective Cyber Security for Accountancy Practices – Why a Structured Approach is Paramount to Managing Risk



With cyber attacks and data breaches hitting the news headlines seemingly daily, it cannot have escaped anyone’s notice that risk management around cyber crime is now a massive issue for all businesses. Accountancy firms are not immune, as the data breach at Deloitte earlier this year illustrated, when hackers breached the firm’s email system and accessed client information. Indeed, accountancy firms can be particularly at risk, given that they handle a great deal of confidential client material, such as individuals’ tax affairs.

As such, I frequently get asked by my accountancy sector clients for advice on the best ways to manage the risk around cyber security, so today I thought it would be useful to share some information on this important subject.

Cyber security breaches are now a widespread issue, with the government’s Cyber Security Breaches Survey 2017 revealing that 52% of small firms and 66% of medium-sized firms had identified a cyber security breach or attack in the last 12 months.

The types of attacks experienced are diverse, ranging from fraudulent emails such as "phishing" attacks, where criminals attempt to obtain access to confidential information or passwords, through to "ransomware" attacks, such as the recent WannaCry attack on the NHS and many other organisations, where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams, through to much more sophisticated espionage.

Protecting confidential client information is vital to any accountancy practice. As such, it is critical that cyber security is not treated as just an IT issue, and that there is ongoing Partner/Director involvement in establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

And this is where a structured approach to IT management becomes critical. With many in-house IT Managers understandably being pulled from pillar to post delivering day-to-day support, it is easy to lose sight of the systemised approach and relentless attention to detail that is needed to manage an accountancy practice’s risk around cyber security. There is so much more to cyber security management than technology. Yes, a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security.

For example: How promptly do security updates get applied to your servers and PCs? How are they tested to ensure they won’t cause a problem with your systems? What procedures do you have around leavers and removing their access, including remote access? How do you separate and secure data that is held on personal devices, such as emails on smartphones? What policies do you have to prevent data leakage from stolen mobile devices or from copies of files made to portable media like USB sticks? How do your staff know which emails are genuine and safe to open and, more importantly, which they shouldn’t open? How do your processes and procedures ensure new starters or temporary resources are educated in cyber safety procedures? How is your system backed up, and how long would it take to recover it in the event of something like a ransomware attack? How often is it tested to ensure it would be successful? How would your firm operate in the interim? And in the worst-case scenario, how would you handle communication of a cyber attack in order to minimise the reputational damage?

To compound matters, cyber crime is a constantly changing landscape, with new threats emerging continuously and a constant need for accountancy firms to re-evaluate and update their risk management plans in order to remain one step ahead of cyber criminals.

And in my experience, the key to successful risk management around cyber security is having a highly structured approach, encompassing effective procedures and policies that are constantly reviewed and updated, along with a suite of supporting technologies. Such policies will involve a multifaceted approach, incorporating user training to help people at all levels in the firm understand how to reduce the likelihood of attack, a suite of technological solutions to help guard against threats, day-to-day operating procedures that are rigorously adhered to, as well as contingency plans to fall back on should the worst happen. Such a structured approach towards management of IT systems not only addresses the challenges of cyber security but also brings with it the ability to successfully and safely harness technology to deliver real value to accountancy firms.

Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in accountancy practices, including both leveraging IT to make time and efficiency improvements as well as managing risk around digital threats and ensuring compliance with key legislation such as the GDPR. In the meantime, if you are concerned about your firm’s vulnerability to cyber threats, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no-obligation conference call to discuss ways that Connexion can help.

If you would like to read other articles in our series of informational resources for Partners and Directors at Accountancy practices, please visit our blog at https://accountancyit.blogspot.co.uk/

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size accountancy practices throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for accountancy practices please visit our website http://www.connexion.co.uk/laccountancy
