IE_YPrac_CyberOutsource_CPD_2

Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.

This article was first published in the April 2019 Ireland edition of Accounting and Business magazine.

The statistics reveal a worrying trend. The Irish Computer Society’s national data protection survey reports that over 50% of Irish businesses have experienced a cybersecurity breach or attack over the past 12 months, while government figures put the figure in the UK at 40%; and research from Accenture suggests that the number of targeted cyber attacks has more than doubled in Ireland over the past year.

Accountancy firms hold an immense amount of private data, and cyber attackers are well aware of this fact. Tax documents, direct-deposit information and national insurance numbers are just some of the sensitive data held by firms – data that can often stretch back years for long-standing clients.

Key target

Accountancy firms are accordingly a key target for hackers intent on capturing documents containing confidential information held on servers and on employees’ personal devices. Phishing is a common method used to entice email readers to click on a message that appears legitimate but is in fact fraudulent, opening the door for hackers to steal data or infect firms’ systems. Malware, a malicious type of software, is often unknowingly installed by accountants through visiting a website or downloading an attachment that infects their computer. Once downloaded, malware can often be benign before it starts stealing passwords, pilfering sensitive data or taking over systems.

Even though the financial and reputational risks – not to mention the potential for hefty data protection fines – are great, many firms still lack the IT manpower and expertise to monitor, detect and combat security threats effectively and consistently. IT departments at many firms still rely just on perimeter security such as firewalls or antivirus software, but these rudimentary systems will not repel more complex cyber attacks. What is needed are integrated, advanced security ecosystems to detect threats before they become a significant problem.

Building such capabilities in-house, within a firm’s IT department, can be a tall order, especially for smaller firms. One solution is to partner with a managed security service provider (MSSP). While handing over responsibility to a third party may seem worrying, with careful analysis of the firm’s requirements, coupled with a robust procurement process and appropriate due diligence, this option can reduce cost and risk as well as providing peace of mind.

MSSPs are better equipped than accountancy firms to combat cyber threats and can act as a valuable expert partner for firms’ IT directors. Leading MSSPs have an arsenal of detection and response tools and are trained to handle time-consuming and dedicated 24/7 security monitoring, detection and incident response.

Trust

Of course, leaving most of your cybersecurity protection to a third party requires a massive degree of trust and faith. That is why accountancy firms should not rush the process of selecting and vetting MSSPs.

To work effectively in a partnership, an MSSP must act as a natural extension of your internal IT team. If this is achieved, then a practice’s IT department benefits from the additional capacity and can direct more internal resources into programmes that generate revenue for the business.

However big or small your practice, an ad hoc approach to cybersecurity should be avoided. A firm’s relationship with its MSSP must be one that is long term – your MSSP partner needs to have deep insights into the unique threats you face if it is to deploy the most effective protection. By becoming an extension of your business’s IT department, an MSSP can be embedded within your firm’s practices and processes.

Firms who consider this option need to be completely transparent with their chosen security service provider, so the supplier can develop a comprehensive understanding of the challenges they are facing in the cybersecurity context. Using these insights, an MSSP will be able to deploy a security programme that is closely aligned with the firm’s needs.

Mutual interests

Managing complexity, reducing risk and optimising costs are the key benefits that MSSPs can bring to accountancy firms. An MSSP must have these objectives in mind when it is working with your practice, as this is the most effective way to build a trusted relationship.

With such a wide selection of security suppliers to pick from during the selection stage, much of the discussion with potential MSSPs can easily veer into technology-based dialogue. However, firms should take a comprehensive approach and discuss implementation timelines, incident response and ticketing processes, regular reporting and security metrics for greatest  effectiveness.

By engaging with an MSSP, an accountancy firm is investing in a long-term service partnership to improve security outcomes. By taking the time to ensure that your managed services provider understands your needs and offers your firm the right solution, you will ensure that your IT systems – and, by extension, your clients’ information and your firm’s reputation – are in safe hands.

Pat Sweet, AB editor