It may seem, as you sit at your desk, that the bad things are far away, when in fact they could be inside your IT networks, stealing company or customer data. For accountants, trusted by clients with sensitive information, such a security breach could be disastrous.
The number of security breaches affecting UK organisations actually fell during 2013, but average costs for the worst breaches increased, according to the 2014 Information Security Breaches Survey, conducted by PwC for the Department for Business, Innovation and Skills (BIS). The average cost of the worst security breaches affecting small business during 2013 was between £65,000 and £115,000, up from £35,000 to £65,000 in 2012.
The survey revealed a mixed picture. In total, 45% of the smaller organisations surveyed were infected by viruses or malicious software, known as malware, up from 41%. Some 12% detected network breaches (down from 15%), and 4% knew that data or intellectual property had been stolen (down from 9%).
Just over half of all organisations surveyed suffered their worst security breach of the year either as a result of inadvertent human error (31%), or deliberate misuse of systems (20%). The former often takes the form of staff unwittingly downloading malware that exploits “zero day” vulnerabilities (not yet known to the software vendor) within commonly used software, when clicking on compromised web links, websites or email attachments.
The malware may then lie dormant for weeks or months before being activated remotely to remove data or steal user credentials that will help the attacker infiltrate other machines on the network.
Organisations of any size may also suffer as a result of widespread security vulnerabilities, such as Heartbleed, which affects a widely-used security technology called OpenSSL and could allow attackers to steal information including user names and passwords for email, instant messaging and virtual private networks used by employees to access company networks remotely.
Although smaller organisations are less likely to be targeted individually, staff within accountancy firms are as likely as anyone to fall for well-crafted phishing emails sent in bulk. These may be disguised to look as if sent by a business partner or government agency, detailing a change of bank details, or requesting credit card or bank details supposedly needed to provide the recipient with a refund of some kind. “Ransomware” is also a problem. For example, Cryptolocker encrypts an organisation’s files, then displays a message on affected machines demanding payment by a set deadline, threatening to delete the private key that will decrypt the data if payment is not made. One interviewee told me about a company struck by Cryptolocker just as it was undergoing due diligence for a corporate sale. “The sale went through successfully, but the pressure the client was under was extraordinary,” says the source.
Accountants may also suffer from computers being taken over to form part of a botnet: huge networks of infected computers used to conduct cyberattacks on other targets or to distribute spam email.
Unlikely as it may seem, attacks are sometimes targeted at individual, small or medium-sized accountancy practices. This may be because an accountant completes payments for corporate clients, suggests Ollie Whitehouse, technical director at security specialist NCC Group. Accountants managing payroll services might be targeted for payroll data. Others may be selected as a first step towards targeting high net worth individuals on the client list.
Richard Anning, head of the IT Faculty at ICAEW, says accountants need to consider carefully what kind of information they may be holding that could be of interest to an attacker. “Ask yourself, what is it that the firm has that, if lost, would be embarrassing: client data, commercial data, details of clients’ transactions – even a client list,” he says.
Data loss may also breach UK and EU data protection laws. A visit to the Information Commissioner’s Office (ICO) website shows that organisations can expect to be fined: up to six-figure sums for repeat offenders, but also fines of several thousand pounds for a single, serious breach, such as the loss of a laptop containing customer data.
Tim Holman, cyber security consultant and CEO at 2-Sec, and president of the Information Systems Security Association (ISSA) UK, highlights the value of data compartmentalisation, which means that if an attacker gains access to one machine, their chances of accessing data elsewhere on the network are small. Whitehouse recommends two-factor authentication to control access to the most sensitive data, using a hardware token or supplementary identity verification via SMS alongside user names and passwords. Simply encrypting data is also a very effective way to protect it.
There are other simple measures an organisation can take, such as ensuring that anti-virus (AV) software is kept up to date. “Go for a paid AV product that not only protects your network but also web and email use,” recommends Mick Paddington, security advisor at Trend Micro.
Cloud computing services offered by third-party companies should be protected by very strong security technology, but it is worth spending some time considering the different levels of protection appropriate for different datasets stored or backed up in the cloud, based on the governance, risk and compliance (GRC) requirements that apply to them. The Cloud Security Alliance’s GRC framework may help guide the decision.
Holman advocates regular face-to-face security awareness training for staff. He stresses the need to teach good habits when it comes to working remotely. “Accountants often take work home, or work in public places like cafés – they should not be leaving data accessible when in those places,” he says.
Another potential security headache is staff use of their own smartphones or tablet computers in a Bring Your Own Device (BYOD) arrangement. These devices can easily act as a conduit for malware – even if simply plugged into a USB port on a connected PC or laptop to be charged up. Locking down such ports and disabling Bluetooth on corporate hardware is one way to counter the problem.
If company or customer data is going to be stored on these devices, they should be protected with software that enables the device’s storage to be wiped remotely if it is lost or stolen.
Sonia Blizzard, managing director at IT specialist Beaming, believes one good way to eliminate or minimise such problems is to insist that staff use separate equipment for business activities. She also recommends that staff who bring their own devices to work should only be allowed to connect to a secondary wireless network not used for business purposes. They should not check personal email via the office network, partly because this is a likely source of email-borne threats, but also because “people tend to be less vigilant when using personal email – they’re more likely to click on what look like legitimate links supposedly sent by friends”.
However, although staff need to understand the damage that could result if they ignore security risks, it is also important to create a working culture in which they feel they can own up to mistakes, because reducing the time that malware remains on the network is so important. There is no shortage of free sources of advice on cyber security (see below), including ICAEW, which regularly runs workshops and events focused on this subject and is currently working with BIS to create new online security training resources.
If an organisation does suffer a security breach there will always be some financial cost. At the very least it will be necessary to call on external expertise to advise on how to mitigate the effects of the incident and reduce the chances of future breaches.
But the best way to avoid even more extensive costs is to tell clients what is happening swiftly and honestly.
“Companies that survive these attacks are the ones that communicate and explain what happened,” says Blizzard. It is also worth considering whether you need to help clients improve their own IT security to ensure that their mistakes do not expose you to additional risks.
The brutal truth is that some organisations will be severely damaged by cyber security breaches. You have to do all you can to ensure that your company and your clients will not be among them.
This article was first published in Economia.