Accountants need to think about cybersecurity. That was the message from Peter Erceg, Senior Vice President, Global Cyber & Technology, at independent brokerage firm Lockton, who spoke at Accountex 2018 to a packed lecture theatre full of accountants and bookkeepers.
Peter forensically examined and explained three examples of cybersecurity breaches from 2017, all of which cost billions for the companies affected. Virtually all were caused by basic security failings, such as not patching systems for security holes or not checking that processes for patching worked correctly.
“The key thing about processes is making sure they’re effective,” said Peter, who went on to summarise his cybersecurity mitigation advice as follows:
- Patch systems in a timely fashion
- Restrict user access
- Change passwords regularly
- Segment networks
- Upgrade software to the current version – or at worst the last-but-one release
- Remove data you don’t need
However, what specific advice is there for accountants? Here are our own suggestions.
1. Limit your liability – but educate your client
In a world where accountants are increasingly advising clients on which accounting software to use, due to initiatives such as Making Tax Digital or accountants simply increasing their service offerings, it’s vital that your firm also ensures your clients understand the lack of liability when it comes to computer security issues.
Cybersecurity liability should be thoroughly explained within any service/client contract, of course, but to avoid an unpleasant situation arising, it’s good practice for the accountant to educate the client from day one on the same basic security procedures that they have in place in their own practice.
This can be informal or formal – a simple friendly chat over the phone, or an organised session at the accountant’s practice that several clients attend.
For example, if you’re informed by your software vendor that a particular software package must be patched then sharing that information with your clients is unlikely to involve significant resources.
As always, it provides that vital way to keep in touch with your client to reassure them that you have their interest at heart and potentially create an avenue for further client offerings moving forward.
2. Remove client data you don’t need
Peter mentioned this but for accountants, it’s a particularly important point considering the extremely sensitive nature of the data you hold, which might have commercial value too.
Secure deletion of client data that you no longer have a use for is not only an effective block for any cybersecurity breach, but it’s also legally mandated under the GDPR, which states that privacy must be implemented by design and default.
In other words, once a client leaves your practice, you can’t keep hold of client data just in case it might be required in future. Nor can you keep hold of client data for your own purposes, such as for analytics.
Put simply, get rid of any data as soon as you can. It might feel counter-intuitive at the time but it could prove incredibly prescient should the worst happen.
3. Monitor information about products you and your clients rely upon
Part of the work of a modern accountant is to be aware of information about security issues with software that they use. This might be as simple as subscribing to the software vendor’s email for an accounting package, for example. To help with this, most firms regularly issue what they call Security Advisories – just google that in addition to the vendor’s name.
Don’t forget that it’s not just the accounting software that you’ll need to monitor. Nor is it simply tasks such as ensuring your operating system is patched as soon as possible. Anywhere the internet comes into your office will require attention.
Some photocopiers and printers, for example, are internet-connected nowadays – and you’ll need to remain on top of firmware updates for these too.
(If you’re wondering if it’s not just simpler to remove these devices from the network by unplugging the cable then, yes, this is often a simple solution if it doesn’t create usability issues for the business.)
4. Move your practice and clients to the cloud
Cloud software is automatically and invisibly updated to fix security issues, and this is a powerful incentive for making the switch to the cloud if you and/or your clients haven’t already.
Similarly, if your client data is stored in the cloud then you no longer have to take care of the security of your own server – which can be a task so important and time-consuming that it often involves hiring the proverbial “IT guy”.
Of course, switching to the cloud is no excuse for being ignorant about computer security. You’ll still need to know the basics of password security, for example. You’ll need to ensure your network and wi-fi are secure.
You and your staff will need to be educated about social engineering hacking too. However, there’s little doubt that using the cloud removes a significant amount of the traditional computer security requirements – and removes the worries too.
5. Stay on top of security – and be honest with clients
Peter mentioned the importance of adopting a mea culpa attitude should you find yourself in the unfortunate position of suffering a security breach. He explained that, if nothing else, it simply doesn’t look good if the first public admission of a security problem is when a journalist or client contacts you asking about finding their data publicly available on a hacker site.
There’s often a knee-jerk response within businesses to avoid sharing information about security breaches, as if keeping it secret will somehow avoid damage. History has shown this is nearly always the opposite of the truth – and it’s an express route to creating ill-will and dissatisfaction with clients, in an industry where trust is paramount.
Again, if nothing else the GDPR changes how businesses respond to security breaches in any event. Businesses must notify supervisory authorities – such as the Information Commissioner’s Office (ICO) in the UK – within 72 hours of becoming aware of a breach.
If that breach poses a high risk to the individuals concerned, controllers must also notify the affected individuals without undue delay.
Similarly, a mature attitude within your practice, one that admits operational effectiveness will be affected by security issues and plans for it, is better than simply not allocating time and resources to the issue.