Author

Daniel Mitchell is an accounting cybersecurity expert and co-founder of Lifeline IT

The severe damage caused by cyber attacks on major corporations such as Marks & Spencer and others has put cybercrime in the spotlight for big businesses keen to avoid a similar fate.

But missing from the conversation are small businesses, including small practitioners. According to the government’s cybersecurity breaches survey, 42% of smaller entities have experienced a cybersecurity breach or attack in the past 12 months, and these are just the ones that have been reported – the actual figure may be much higher. This is unsurprising when you consider that nearly a third (31%) of SMEs admit to having no formal cyber policies and, according to a recent survey of 1,000 SMEs, 39% had arranged no cyber security training for their teams. Again, these figures are likely to be conservative, as businesses are reluctant to admit they have poor cyber defences.

SMEs increasingly form the digital surface through which attacks scale

Smaller entities are not just victims of cybercrime but increasingly form the digital surface through which attacks scale. This is of particular concern to small practitioners, which are vulnerable to attack as they hold monies on behalf of clients and store vast amounts of important data, including personal information. The latter is particularly appealing to cybercriminals.

One of the main means of attack on firms is ransomware – where hackers install software on a network and encrypt the firm’s data until a ransom is paid. The most common way hackers get in is through a fraudulent email purporting to be from a reputable company, although text messages and voice calls are increasingly being used to initiate attacks on accountancy firms.

Quick wins

Unfortunately, many of the national cyber frameworks remain too complex for most small businesses to implement. While the National Cyber Security Centre’s Cyber Essentials certification is an approachable standard for small organisations, and ISO 27001 certification and compliance with the EU’s NIS2 Directive are admirable goals, for a five-person accountancy firm the effort required is about as feasible as building its own firewall from scratch.

However, there are practical actions that practitioners can take to protect their firm and their clients.

  • Understand your level of vulnerability to a ransomware attack. If you are attacked, how long can your business manage without access to its systems and data?
  • Review or implement disaster recovery and incident response plans. Businesses with plans in place recover significantly faster and at lower cost.
  • Ensure you have good backup systems. This will let you get up and running quickly in the event of an attack. Such systems should be tested regularly.
  • Introduce mandatory two-factor authentication. It should apply across all devices, applications and log-ins, and to all staff.
  • Understand who has access to your banking information. Review this information regularly and document it, so you have a record of who has been able to get into your bank accounts and financial information. Introduce and test robust processes and approvals for payments, account set-ups and account changes.
  • Look at data segmentation and ensure staff have access only to what they really need. This will reduce the ‘attack surface’, so that if an attack does occur, the amount of data that can be compromised is limited.
  • Encourage staff to use business-owned devices rather than their own computers or phones. Employees’ own devices may not have sufficiently stringent security settings.
  • Implement cyber training for all employees. Raising awareness, dealing with the human factor and encouraging open, rapid incident reporting are all vital.
  • Know which third parties have access to your systems and how much access they have to your data and information. This is particularly important if you outsource your services. Do due diligence on suppliers of systems/services, including providers of accounting software and other IT.
  • Ensure you are implementing all standard cyber protection. As a minimum, this protection should include a process for software updates and patching, email scanning, device encryption and malware protection.
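The backup point above says backups "should be tested regularly", and the only test that counts is a restore. The script below is an added example, not code from the article or from Lifeline IT: it backs up a constructed sample practice folder to a tar.gz archive, restores it into a scratch directory, and compares the SHA-256 hash of every restored file against a manifest taken at backup time. The second half of the demo deliberately feeds it a manifest that no longer matches the archive, which is what a stale or corrupt backup looks like, to show that the test actually reports the problem rather than silently passing. The folder names, file contents and function names are all assumptions made for the demonstration.

```python
"""Restore-test a backup archive and verify every file's checksum.

Added example (not from the article): one concrete, automatable way to
"test backups regularly": back up a directory, restore it somewhere
disposable, and check every restored file's SHA-256 against the originals.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file's POSIX-style path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of source and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest(source)


def restore_test(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore the archive into a throwaway directory and compare checksums.

    Returns a list of problems; an empty list means the restore test passed.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' extraction filter (Python 3.12, backported to older
            # 3.x releases) refuses members that would escape the destination.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
        restored = manifest(dest)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"checksum mismatch: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo() -> tuple[list[str], list[str]]:
    """Back up a constructed sample folder and restore-test it twice.

    Returns (problems for a good backup, problems when the manifest no
    longer matches the archive, i.e. a stale or corrupt backup).
    """
    with tempfile.TemporaryDirectory() as work:
        workdir = Path(work)
        source = workdir / "practice_data"  # constructed sample data
        (source / "clients" / "acme").mkdir(parents=True)
        (source / "clients" / "acme" / "ledger.csv").write_text(
            "date,amount\n2024-01-31,1200.00\n"
        )
        (source / "payroll.txt").write_text("constructed sample payroll data\n")
        archive = workdir / "practice_backup.tar.gz"

        expected = create_backup(source, archive)
        good = restore_test(archive, expected)

        # Now pretend the archive is stale or corrupt: the manifest holds a
        # different hash for ledger.csv, so the restore test must flag it.
        drifted = dict(expected)
        drifted["clients/acme/ledger.csv"] = hashlib.sha256(b"tampered").hexdigest()
        bad = restore_test(archive, drifted)
    return good, bad


if __name__ == "__main__":
    ok, flagged = run_demo()
    print("good backup problems:", ok)
    print("drifted backup problems:", flagged)
```

Run it on a schedule against the real backup location and treat a non-empty problem list as an incident to investigate, not a warning to dismiss; a backup that has never been restored is an assumption, not a control.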

By focusing initial efforts in these key areas, accountancy practices should have some level of protection against these rapidly evolving cyber threats.
