Accountancy practices ‘not prepared’ for cyber risks – new research

Find out how your firm can take action to protect against cyber risks and avoid data breaches, which can be costly.

Nearly half of practices in the accounting, banking and finance sector are still confused by and unaware of GDPR rules.

And only one in ten see cyber-attacks as a leading risk to their business.

The figures were revealed in a survey by Aon, a professional services firm specialising in risk, which polled 1,000 SMEs across different sectors.

It follows a survey earlier this year from the National Cyber Security Programme which found that nearly half of UK businesses experienced at least one cyber security breach or attack in 2017.

A target

Chris Mallett, Aon’s broking manager, said financial companies are too often “the weakest link” in the chain when criminals are trying to access sensitive data.

“Financial institutions are a key target for cyber criminals for two reasons,” said Mark Taylor, who is responsible for helping members of the Institute of Chartered Accountants in England and Wales (ICAEW) understand the impact of technology.

“Firstly they hold a lot of personal information and they are also part of the supply chain for those wanting to target other companies.”

The growth of flexible working, with staff accessing data on the go, and an increasing reliance on third-party software have all increased the risk, according to Aon.

A Bring Your Own Device (BYOD) culture can expose companies to an increased risk of cyber-attack if the data on personal devices is not properly encrypted or controlled. Yet the poll shows that more than one in four practices in the accounting, banking and finance sector allow staff to use their own devices for work.

Small companies at risk

The Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018, released earlier this year, highlighted that the problem is particularly acute for smaller practices.

Mark Taylor said: “A third of small businesses and 68 percent of charities spend nothing on cyber security. This figure is far too high.”

But why do they consistently fail to address the issue, despite the abundance of awareness campaigns about it?

One reason is that bigger firms have more resources to dedicate to cyber security.

“Larger companies have the resources, skills and budget to implement complex and sophisticated cyber security, whereas smaller businesses lack the resource to invest in the necessary precautions,” he said.

Some smaller practices believe that, as a small partnership, they won’t be targeted. “Of course, it doesn’t work this way,” Taylor said.

Taylor said the ICAEW promotes data protection, cyber security and good practice across the accounting sector because cyber criminals carry out bulk attacks targeting thousands of companies at once and then follow up on their most successful hits. Those hits are often the targets with the least protection, such as email accounts.

“The information they get is substantial and the money they can steal on the spot, for example via mandate fraud, can be substantial,” Taylor said.

Nick Gregory, chief marketing officer at IRIS Software Group, agreed that smaller companies, which lack the dedicated IT teams bigger firms have, tend to neglect what needs to be done to protect themselves.

Firms like IRIS can offer hosting on secure servers, which reduces the risk. They have also developed dedicated, secure communications portals for communication between firms and their clients.

That means sensitive information such as tax returns and final accounts can be sent without the use of email.

“The usage for these types of tools is growing; IRIS OpenSpace is currently used by 3,000 practices and 500,000 SMEs,” he said.

A data breach

The Aon poll also found that four in ten of those surveyed are not aware that loss of personal information as a result of a cyber-attack or fraud is a data breach.

Many are not aware of the need to notify authorities about a breach that has an impact on individuals. Around one in three of those surveyed are not clear on the time limit for reporting. Under GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it. Missing that deadline can expose a company to the risk of incurring huge fines.

Mark Taylor stressed that companies could lose clients if such a breach is seen to take place.

The EU rules known as GDPR came into force on 25 May 2018. They drastically increased the potential penalties for companies found to have misused or mismanaged clients’ personal data.

Dr Emma Philpott is managing director of the UK Cyber Security Forum and CEO of the IASME Consortium, an accreditation body for assessing and certifying against the Government’s Cyber Essentials scheme.

She said that companies have focused on GDPR in order to get ready for that deadline, but the effect was all too short-lived.

“As soon as the deadline for GDPR passed too many thought that was job done and that’s where their responsibility ended,” she said.

And while big data breaches which garner media attention help raise awareness, they can lead to a kind of fatigue.

“[There’s a] sense that the time, cost and high-end security to tackle this is complicated and overwhelming, when in fact the basics don’t cost much.

“Educating staff doesn’t cost anything other than time.”

What professional indemnity doesn’t cover

Many companies do have professional indemnity insurance (PII) to cover such eventualities.

But there are some costs it doesn’t cover. Specialist cyber-risk policies will also cover you for any damages you are liable to pay in the event of a data breach or security failure.

Specialist policies can also cover your legal costs.

What you can do right now – a checklist

Aon has prepared a checklist of easy ways you can protect yourself from cyber-attacks. These are:

  • Install anti-virus software, or check that existing software is up to date, on all devices used for work
  • Check how your suppliers handle data and whether they are GDPR compliant
  • Have simple, clear policies in place to create a cyber-conscious culture in the workplace
  • Be aware of what your obligations are if a breach does happen
  • Check what your PII or business insurance covers, and consider specific cyber insurance if relevant

The ICAEW has also compiled a report into cyber security which includes a number of recommendations. Among its insights is the necessity of accepting that “some level of compromise is inevitable” and preparing for detection and response as much as prevention.
