Cybersecurity

Businesses must guard against security breaches

Everyone is talking about cybersecurity and ACCA is one of several organisations to have issued reports on this area.

What does it mean for businesses? 81% of large companies have reported some form of security breach, costing each large organisation on average between £600,000 and £1.5m, and attacks on SMEs are increasing dramatically. 

Reported cases (most cases will not be reported) show 2,460,000 instances of computer misuse, 404,000 of unauthorised access to personal information and the cost of fraud for UK businesses is around 3% of total business expenditure.

For many businesses there are obvious risks such as disruption of supplies, sales and the loss of cash, but two other areas stand out:

  • potential legal action from individuals and companies for loss of their data by a business
  • reputational damage, which can spell the end of a business.

What can be done? Lockton, in a recent article for practitioners, advised:

'Make sure you and your colleagues are aware of the risks and how to protect against them.

Simple steps you can take now to help protect your business include: 

  1. Keep cybersecurity front of mind - regular training and visual reminders around the office.
  2. Never reveal your bank account security information on a website or over the phone.
  3. Require two people to set up or authorise any high-value payments.
  4. Ensure your systems are up to date. At a minimum: do not use Windows XP; Internet Explorer v8 or run your systems on Microsoft Server 2003.
  5. Ideally do not use a free email account such as Gmail, Hotmail or Yahoo mail, or share documents with Dropbox (unless you encrypt the document first).
  6. Do not access confidential information on an insecure (un-password protected) Wi-Fi network.'

Clearly, education and being able to demonstrate that appropriate steps have been taken are essential requirements for both boards and practitioners.

Useful educational starting points are: 

  • Cyber Essentials
  • The Centre for the Protection of National Infrastructure, which provides a range of guidance documents and technical notes. It states that 'almost every business relies on the confidentiality, integrity and availability of its data. Protecting information, whether it is held electronically or by other means, should be at the heart of the organisation’s security planning.

The key questions to keep under constant review are:

  • Who would want access to our information and how could they acquire it?
  • How could they benefit from its use?
  • Can they sell it, amend it or even prevent staff or customers from accessing it?
  • How damaging would the loss of data be? What would be the effect on its operations?'

Useful guidance is provided by HMRC. It highlights the following as bogus email addresses:

  • services@hmrc.co.uk
  • service@hmrc.gov.uk
  • service.refund@hmrc.gov
  • taxes@hmrc.co.uk
  • taxrefund-notice@hmrc.gov.uk 
  • taxrefund@hmrc.gov.uk
  • refund-help@hmrc.gov.uk

HMRC also provides examples of emails, letters, text messages and bogus calls used by scammers and fraudsters to get your personal information.