Hardly a week goes by without yet another report of a high-profile cyber security breach affecting companies worldwide. And the incidents are increasing: a recent global survey conducted by PwC shows that the number of attacks reported by midsize companies – those with revenues of between £64.5m ($100m) and £645.6m ($1bn) – was 64% higher in 2014 than in 2013.
These attacks come at a great cost. A single data breach costs US companies more than $500,000 on average, according to PwC. In the UK, ‘the average cost of the most severe cyber security breach for a large organisation now starts at £1.46m, although that figure doesn't take into account the impact a breach has on an organisation's reputation and relationship with its stakeholders,’ says John Berriman, chairman of PwC's cyber security practice.
Smaller businesses are equally likely to suffer, with the cost of a severe breach reported at between £65,000 and £115,000, according to PwC research for the UK’s Department for Business, Innovation and Skills.
Accountancy firms and other financial institutions are particularly attractive to cyber criminals. In fact, PwC estimates that financial institutions are over 30% more likely to be targeted than other companies.
‘It’s because they deal with high-value commercial data and sensitive financial information on a daily basis,’ explains Frank Morey, chief executive of security consultancy Virtus Risk Management. ‘There have been a number of targeted attacks against the industry, most recently the Morgan Stanley breach that resulted in 900 of its high-net-worth clients’ information appearing online.’
Earlier this year, Russian security company Kaspersky reported probably the biggest organised cyber attack on financial institutions to date. A multinational gang of cyber criminals infiltrated more than 100 banks and other financial organisations across 30 countries, siphoning off £645.6m ($1bn) in total directly from the banks rather than from their customers.
Accountants, both in practice and in industry, must therefore understand how to identify and respond to cyber security risks, rather than ignore the issue in the belief that cyber security is the domain of their IT departments or that their organisation’s software will prevent any breaches.
‘Products such as SAP and Oracle have built-in cyber security systems that can mitigate the risk of data breaches, but it’s still essential that you are continually alert in your day-to-day work,’ says Phil Sheridan, managing director at Robert Half UK.
In the past, the main risk of a data breach came from the loss or theft of data held in hard copy.
‘Now that data is stored in many different electronic formats and methods, the risks have evolved and confidential and private information can be wrongly obtained by third parties in a number of ways,’ says Mark Brown, executive director at EY Cybersecurity & Resilience.
‘These include deception-based access to IT information, the hacking of phones and devices, malware that can capture and send private data, or phishing emails that ask for information such as IDs and passwords.’
Matt White, senior manager in KPMG’s cyber security team, says: ‘Hacking and phishing attacks are often triggered by an employee innocently clicking on a link in an email.’
Opening dubious email attachments is another common way for malware to enter an organisation. ‘Word, Excel and PDF documents all present an easy way to embed a malicious code that can be exploited later,’ says Greg Sim, chief executive of security technology company Glasswall Solutions.
In fact, while cyber attacks are growing increasingly sophisticated, the main reason for security breaches is lax security awareness among employees. Bad password behaviour is one example. Research from password management firm Meldium shows that 90% of employee passwords are so predictable they can be cracked in six hours. Moreover, 18% of employees share their passwords with others.
Many employees also have their work emails automatically forwarded to personal email accounts. Hackers often look for corporate data in personal email precisely because it is easier to reach: personal email services do not have the same security measures as corporate email services.
While no organisation is immune from cyber threats, there is much that can be done to prevent breaches.
‘Cyber security encompasses anything related to the storage or transmission of data – how it is protected and accessed, or prevented from being accessed,’ says White. However, he adds that cyber security may not be a simple task: ‘Different countries have different regulations and laws about how information and data is used, with many “internet-related services” traversing multiple boundaries, so it's not that straightforward.’
This is where accountants can help their clients.
‘Accountants are well placed to advise on the steps a business should take to protect itself – cyber security isn't just about technology and computers: it involves people, information, systems, processes and culture too,’ says Berriman.
PwC is trying to make organisations more aware and better prepared.
‘For example, our Breach Aid incident response service helps organisations prepare for and respond to major incidents, and the legal and regulatory fallout of a breach,’ explains Berriman. ‘Also, our London-based cyber security labs enable us to monitor, assess and respond to threats on our clients' networks and systems.’
There is also much that accountants can do to protect themselves and their firms.
‘To be ready for the broad range of threats, accountants need to understand IT security policies at their firms, including policies and processes that they need to follow to ensure safe online practices, as well as procedures on reporting and dealing with breaches,’ says Brown.
‘Accountants may also need additional training on cyber awareness. Prevention, as with most things, is far preferable to cure.’