Multiply the number of client records you hold in your IT system by $300. The figure you come up with could be close to the cost to you if you were the victim of a cyber-attack.
If you lost access to, or security of, this data:
- Your staff would be unable to perform their work
- Every client would need to be informed, and their records restored and reviewed for integrity
- Your entire IT network would be compromised
- Your reputation would suffer
- You may lose the trust of some clients, who will choose to go elsewhere
A cyber-attack is any activity that infiltrates your computer systems or IT networks in order to steal, control, destroy or alter their contents and/or operations. Any component of your system, such as your wireless router, email, cloud storage services like Dropbox and OneDrive, mobiles synced to your network, or staff logging in to the office from home, is a potential doorway for an attacker to enter.
Client records are the backbone of the accounting practice
The cost per record breached rises as the sensitivity of the information increases. To compare, the cost of a data breach ranges from $172 per record for the retail industry up to $355 per record for healthcare organisations. A retailer can continue to trade without its client records; an accountant cannot.
Any industry that depends on data will be of particular interest to a cyber-attacker, which makes it unsurprising that the financial services sector records the joint-highest incidence of cyber-crime (26% according to a survey by Grant Thornton). The PwC Global Economic Crime Survey in 2014 identified that 45% of the financial services sector had been a victim of cyber-crime. As automation of data processing increases, the attractiveness of accountants to cyber-criminals also climbs.
Most people recognise the seriousness and the potential damage of a cyber-attack, but according to Grant Thornton only half of firms have put a strategy in place to deal with the threat. A possible reason for the complacency is the misconception that vigilance and regular system upgrades will prevent an attack. Consider, however, that the average delay between the time of an attack and its detection is 205 days; vigilance alone is clearly no defence. Remember, too, that hackers are becoming more sophisticated and breaches are much more difficult to detect. It is also worth noting the results of an IBM study that found almost one third of attacks were initiated by a malicious insider.
Although your best friend’s wife’s uncle may be very good with computers, the days when this would suffice as an IT solution are long gone. Ensure your IT services are provided by dedicated specialists who have developed processes for assessing and upgrading the integrity of your entire system. Cyber insurance should be as standard an insurance as your professional indemnity.
Beware the risks from the inside
As almost one quarter of cyber-crime is initiated through inadvertent errors, your internal systems and practices are a key defence against an attack.
- Teach staff to recognise phishing emails. They can look identical to a genuine email, but there are a number of indicators that will generally give them away. The first is to look at the sender's email address. The image below is an actual scam email. Although in this sample the problem is obvious, others may be more subtle; for example, you may see accounts@agl[dot]accounts[dot]com, where the difference from a legitimate email address is harder to spot, especially when you are busy. If you hover your mouse over any links before clicking, you can see whether the links go back to the genuine website. In this case, the link points to a site unrelated to AGL. Most genuine emails will include the registered recipient's name, and its absence is another give-away that the email above is a scam. If the name is missing, be cautious.
Phishing messages also play on fear, such as telling you a service is about to be cut off or you have been reported for a crime or professional breach, possibly leading you to act without thinking.
- Leaving devices and computers logged in and unattended is an open invitation to the malicious-minded. Train your staff to log out and ensure systems time out. Remind your staff that the inconvenience of logging back in is minor compared to the risk of giving access to the wrong people.
- Watch where you log in. To anyone on the lookout, observing someone logging in is an easy way to gain access to a system.
- Your staff will often use the same email addresses and passwords, or access the same sites, at work and at home, so even though their personal devices are not connected to your practice they can still pose a risk. Encrypting, and installing anti-virus software on, all mobile devices used by your staff is a low-cost investment.
- Put policies in place to enforce strong passwords and to dictate whether a password may be used for more than one account (i.e. each password is used for one account only). Also set up authority levels in your systems, and avoid giving too many people access to all data systems without appropriate checks and balances.
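The phishing indicators described above (a sender domain that merely resembles the genuine one, links whose real target differs from the site they appear to lead to, a missing recipient name, and urgency language) can be checked mechanically before anyone clicks. The script below is an added example, not code from the original article or from any vendor; it assumes a placeholder genuine domain `agl.example`, a hypothetical recipient named Jane Citizen, and two constructed emails (one scam modelled on the article's `accounts@agl[dot]accounts[dot]com` lookalike, one genuine).

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain genuine billing mail comes from (placeholder, not AGL's real domain).
EXPECTED_DOMAIN = "agl.example"
BRAND = "agl"
# Phrases that play on fear, as described in the article.
URGENCY_PHRASES = ("cut off", "suspended", "immediately", "reported", "final notice")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body, i.e. what 'hovering' reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def same_site(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_email, recipient_name):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    indicators = []

    # 1. Sender address: only the domain after '@' matters, not the display name.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if not same_site(sender_domain, EXPECTED_DOMAIN):
        kind = "lookalike" if BRAND in sender_domain else "unexpected"
        indicators.append(f"{kind} sender domain: {sender_domain}")

    # Assumption: single-part message; charset defaults to UTF-8 if not declared.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    # 2. Links: compare where the href really goes with the genuine site.
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        target = host_of(href)
        if not same_site(target, EXPECTED_DOMAIN):
            indicators.append(f"link '{text}' points to {target}")

    # 3. Genuine mail addresses the registered recipient by name.
    if recipient_name.lower() not in body.lower():
        indicators.append("recipient name not present in body")

    # 4. Pressure to act without thinking.
    found = [p for p in URGENCY_PHRASES if p in body.lower()]
    if found:
        indicators.append("urgency language: " + ", ".join(found))
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_SCAM = """\
From: AGL Accounts <accounts@agl.accounts.com>
To: office@example-accountants.test
Subject: Your electricity will be cut off
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your account is overdue. Pay immediately or your service will be cut off.</p>
<p><a href="http://payments.login-portal.test/agl">https://www.agl.example/pay</a></p>
</body></html>
"""

SAMPLE_GENUINE = """\
From: AGL Accounts <accounts@agl.example>
To: office@example-accountants.test
Subject: Your March bill
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Jane Citizen,</p>
<p>Your bill for March is attached. View it on <a href="https://www.agl.example/bills">your account page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("genuine", SAMPLE_GENUINE)):
        print(label, phishing_indicators(sample, "Jane Citizen"))
```

Run against the scam sample, the function reports all four indicators; against the genuine sample it reports none. In practice the expected-domain list would be maintained per supplier, and a single indicator is a reason to pause and verify by another channel, not proof on its own.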
Remember that criminals can be very creative so it is important to train staff and upgrade your practices regularly to stay one step ahead of them.