Accountancy firms are undeniably attractive targets for cyber criminals. They are known to hold reams of sensitive personal data, and their clients are frequently other businesses; a single attack could yield a vast resource of data across many companies.
While larger firms may appear as a higher value target, smaller companies can often be seen as an easier option due to an assumed lack of security investment. However, without all the basic cybersecurity controls in place, accounting firms, both large and small, can be vulnerable to some of the most common attacks. Only about 5% of all cybercrime is targeted, the rest is indiscriminate and opportunist.
Common cyberattacks use freely available tools which are simple to use but can affect many thousands of businesses or individuals in one go. 90% of cyberattacks start with an email commonly known as a phishing email.
These untargeted attacks exploit basic weaknesses that can be found in many organisations such as poorly configured systems, software that hasn't been updated and old computer systems that are no longer supported by their suppliers.
Even if a firm has the basics in place, cybercriminals can find their way in by using an insecure but trusted supplier. Some of the most publicised attacks have been as a result of a breach in the business's supply chain. Businesses must remember that they are only as strong as their weakest link and so need to also take an interest in the security of their suppliers.
Besides the obvious financial loss for both clients and practice, the impact of a breach causes huge stress and damage to client relationships, increased insurance premiums and many indirect financial costs.
What is Cyber Essentials and how can it help?
In 2014, the National Cybersecurity Centre (part of GCHQ) introduced the Cyber Essentials scheme as part of its mission to make the UK the safest place to do business online, and to offer businesses a simple and affordable way to tackle cybersecurity.
The government-approved scheme includes five technical controls that will reduce the impact of common cyberattack approaches by up to 80%.
A team of experts review the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape. Having received a major overhaul just this year, the evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cybersecurity; it is now widely considered the minimum level of cybersecurity for all businesses.
Cyber Essentials works in the format of a verified self-assessment questionnaire. Organisations log onto a secure portal to answer a series of questions that address the scope of the assessment, their employees, devices and work location. They will also answer questions that address the five core controls, which include user access control, secure configuration, security update management, firewalls and routers, and malware protection.
A senior member of the board will sign a document to verify that all the answers are true and then a qualified external assessor will mark the answers.
A Cyber Essentials assessment costs £300 plus VAT for a micro-organisation (0-9 employees). Small, medium and large organisations will pay a little more, on a sliding scale that reflects the complexity involved in assessing larger organisations.
The preparation and process of getting certified to Cyber Essentials will give an organisation a clear picture of their cybersecurity and an opportunity to improve. For organisations that require a higher level of assurance, Cyber Essentials Plus starts with the Cyber Essentials questionnaire but the technical controls are then physically audited to verify that they are in place.
The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the government-approved minimum level of cybersecurity in place and can be trusted with their data and business. Many contracts stipulate Cyber Essentials as a prerequisite.
Cyber Essentials will:
Help you to take control of your cyber risk
Although many accounting firms outsource their IT support to third party providers and think that will take care of the problem, it must be emphasised that cybersecurity is not the same as IT and is not an IT problem. No matter who is looking after your technology, cybersecurity remains the risk and the responsibility of the senior management within your company and should always be a high priority.
Demonstrate your commitment to keeping client data safe
Reputation is a valuable asset and customers are demanding evidence of a trusted, secure service provider for their sensitive data. They are increasingly aware of the threats from cybe-crime and they do not want their username/passwords compromised or their data stolen or their account hacked. Accountants need to show that they are taking cybersecurity seriously.
Provide a level of cyber liability insurance
If your firm is UK-domiciled with a turnover under £20m and you achieve Cyber Essentials certification covering your entire organisation, you will be able to opt into the included cyber liability insurance. This does not involve any additional cost or forms and the insurance cover includes a 24hr technical and legal incident response service. Professional indemnity polices that used to protect accounting firms if they suffered a cyber breach are now changing their terms to restrict or exclude cover due to the high number of claims.
Help and support
The Cyber Essentials Readiness Tool is an online tool with basic level guidance on the five key technical controls and related topics written in 'plain English'. This tool is free of charge and accessible in the form of a set of questions on the IASME website.
The process of working through the questions will inform an organisation about their own level of understanding and what aspects they need to focus on. They will be directed towards appropriate guidance and, based on their answers, be presented with a tailored action plan and detailed guidance for their next steps towards certification.
IASME is the Government's Cyber Essentials partner, and responsible for delivering the scheme, with a network of nearly 300 certification bodies who are located all around the UK and Crown Dependencies. For in-depth and bespoke support, contact one of the certification bodies who are trained and licensed to certify against Cyber Essentials and are available to offer consulting services to help you achieve your certification.
More information
Find out more about the requirements for infrastructure and question set.
Apply for Cyber Essentials.