How you can mitigate the increasing risk posed by cyberattacks
Accountancy practices are a lucrative target for cyber-criminals due to the large amount of sensitive client information and monetary data they process and store. After all, why would a cyber-criminal attack an individual business when they can target one that holds the information of multiple businesses?
According to Accounting Today, ‘With the increase in the remote workforce and ongoing Covid-19 pandemic, there has been a 300% increase in cyberattacks on accounting practices of all sizes.’ Consequently, your practice needs to ensure it can withstand the attention of the cyber-criminal when, and not if, they come knocking.
In the past few years, accountancy practices have faced the growing risk of ransomware, which is a specific strain of malware that can gain entry into a organisation’s network through multiple entry points. It is typically deployed via a phishing email in which a malicious link or attachment is included for users to click or download, giving cyber criminals access to your practice’s complete IT infrastructure and the sensitive files and data contained within it.
Once deployed, ransomware encrypts data and systems, and these cannot be decrypted without a pre-set key which your practice would have to purchase from the cyber-criminals. The costs can range from hundreds to millions of pounds, and we are seeing more and more practices affected. The catch though, even if you do pay, you still may never receive a key to decrypt your data – cybercrime does not come with a guarantee. The risk of paying also means that the cyber-criminals are more likely to revisit: if you paid a ransom of £25,000 last year, what are the chances you would pay again this year?
In recent years ransomware has matured and as a result the level of damage it can cause to both your practice’s IT systems and the reputation of your business has massively increased.
So, what is the solution to this problem? Unfortunately, there is no silver bullet when it comes to protecting against cyber-criminals, but a number of steps can be taken to ensure that your practice is in the best position to defend itself against attack.
A cyber audit should include analysis of IT infrastructure, penetration testing, vulnerability scanning and governance and policy advice. It will identify risks and vulnerabilities within the business that could be exploited by criminals. These will be categorised, allowing you to develop a road map to improve your cyber security across the business. It could also link to the achievement of Cyber Essentials, Cyber Essentials Plus and IASME certification.
Ensuring you have the right governance and developing your incidence response and business continuity policies will enable you to work through the ‘what if’ scenarios and have the right procedures in place if an attack takes place. Undertaking Cyber Essentials, Cyber Essentials Plus or IASME accreditation is a great low-cost, first step on your cyber resilience journey.
Building a cyber-conscious culture across the business is essential. Improving your employees’ ability to be cyber aware should be a continuous exercise as hackers become more sophisticated - most cybercrime is focused on an employee’s inability to identify threat. Remote working has exacerbated the human element of a successful attack and effective ongoing training should be part of your cyber protection armour.
Your clients, third-party partners and suppliers can be used as a threat vector into your business. Improving awareness with clients and checking cyber credentials of both clients and suppliers should be mandatory in your onboarding procedures.
Ensure that your IT provider is looking after your IT systems correctly, that your systems are up-to-date and default settings altered. Your cyber audit – or undertaking Cyber Essentials, Cyber Essentials Plus or IASME accreditation – will identify issues and your cyber partner should work with your IT provider or internal team to update and patch as and when required.
Find more resources and information on governance and cyber essentials accreditation, cyber audit, awareness training, vulnerability and penetration testing.