As an accountancy firm, you hold a huge amount of confidential and sensitive information. Personal details on clients, banking and social security information, confidential material about businesses and their staff: all of this data presents a massive problem.
Why? Because this information is highly valuable to cyber criminals. They know you hold it, they know who you are, and they will be trying to find ways into your IT systems to get access to it. Today’s cyber criminals are no longer hobbyists or ‘geeks’ sitting in a darkened room behind a computer. They are organised gangs with a considerable amount of knowledge and access to more sophisticated IT resources than a typical SME could ever hope to own.
This presents a real problem for accountancy firms — one for which many are inadequately prepared.
There is good news though. It is possible to make very real improvements to your defences and significantly reduce the risk of a breach without the need for complex technical solutions. In this eBook, we are going to cover five simple changes you can make at your accountancy practice to protect it from cyber criminals.
1. Take control of your passwords
With all the different websites and apps we use in both our personal and work lives, we have a lot of passwords to remember. Memorising all of them is an almost impossible task. Yet with many breaches of firms' IT systems coming as a result of staff reusing passwords, or choosing ones that are easy to guess, it is an area that accountancy practices cannot afford to ignore.
The UK Government recommends using password managers to address this problem. A password manager stores your passwords in an encrypted vault, so you only have to remember one strong master password, and it can generate a long, unique password for every site so that one stolen password cannot be reused against your other accounts. Our favourite is LastPass, which costs just £3 per user per month for the business version. As well as providing an area for your team to store their passwords, the business edition of LastPass also alerts you to staff storing weak passwords or reusing them for other websites, so you can maintain good password practice across your firm.
If you are not ready to commit to spending at this stage, LastPass also provides a free of charge service, and you can follow our handy guide on how to set this up. There really is no excuse: make sure you set up your password manager today!
2. Switch on two-factor authentication
As we have already discussed, the most common route into a firm's data is a password that has been stolen, reused or guessed. For web-based accounts and applications this is a serious problem, because once a cyber criminal has your email address and password, they can log in to any other account where you used the same combination.
Using automated software, they will quickly try that email and password against hundreds of popular services (a technique known as credential stuffing), so they will have gained access before you are even aware you have a problem. At the moment, the most effective way to stop this is to enable two-factor (sometimes called two-step) authentication. You most likely already use this on your online banking, where you have to supply a randomly generated code in addition to your password. The code is typically produced by an app on your phone and changes every 30 seconds, so a stolen password on its own is no longer enough to log in. An authenticator app or a hardware security key is preferable to codes sent by text message, but any second factor is a large improvement over a password alone. Most websites and web-based applications offer two-factor authentication at no additional cost. Where available, you should ensure it is activated and enforce it for your entire organisation.
This is absolutely essential if you use Microsoft Office 365 or Google Apps, because whoever controls your email can reset the passwords on most of your other accounts. For more information on two-factor authentication, view these simple-to-follow guides from the popular authentication app Authy.
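The "randomly generated code" that the section above describes is, in almost every authenticator app, a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second time slot, keyed with a secret the app and the service share at enrolment. The following is an added example written for this page, not code from the eBook, LastPass or Authy. It implements both sides of the check in Python and shows why a stolen password alone fails the login: the secret, the salt and the user record are the RFC test values and constructed demo data, and a real service would generate a random per-user secret and store only the password hash.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# A real deployment generates a random secret per user at enrolment.
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded):
    """Decode the base32 secret shown to the user at enrolment (QR code or text)."""
    cleaned = encoded.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second time slot."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, submitted, at=None, step=30, window=1, digits=6):
    """Server-side check of a submitted code.

    Accepts the current slot plus `window` slots either side to tolerate clock
    drift, and compares in constant time. A production service should also
    remember the last accepted slot so the same code cannot be replayed.
    """
    if at is None:
        at = int(time.time())
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


def make_user(password, totp_secret, salt=b"constructed-demo-salt"):
    """Demo user record: salted PBKDF2 password hash plus the shared TOTP secret."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def authenticate(user, password, code, at=None):
    """Both factors must pass: a stolen or reused password on its own is not enough."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at=at)
    return password_ok and code_ok


if __name__ == "__main__":
    demo_user = make_user("correct horse battery staple", TEST_SECRET)
    now = int(time.time())
    print("current code:", totp(TEST_SECRET, now))
    print("password + current code:", authenticate(demo_user, "correct horse battery staple", totp(TEST_SECRET, now), now))
    print("password + guessed code:", authenticate(demo_user, "correct horse battery staple", "000000", now))
```

The RFC test vectors (time 59 gives 287082, time 1111111109 gives 081804) make it easy to confirm that an app and a service implementing this agree. The `window` argument is the trade-off to watch: one slot either side covers normal phone clock drift, while a wide window gives an attacker more valid codes per attempt.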
3. Use an ‘External Email Banner’
Time and time again, we have commented on the fact that email is the source of most cyber security breaches.
As such, it is very useful to mark any email you receive that comes from outside your business. Your mail system knows whether a message arrived from your own domain or from the internet, so it can add an "external sender" tag to the subject line or a banner at the top of the message. If you then receive an email tagged as external that appears to come from a colleague, you know it did not come from your own mail system, and there is a good chance it is a fraudulent email. Adding a simple banner such as the one below is a very short job for your IT team and should cost you nothing, yet it could save you a fortune. The banner only works if your staff know what it means, so tell them: an external tag on a message that looks internal is a reason to pick up the phone before acting on it.
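The logic behind the banner, as an added example for this page rather than code from the eBook or from any mail product: in practice you would configure this as a mail-flow rule in Office 365 or Google Workspace, but the Python below shows exactly what such a rule decides. It tags messages whose sender domain is not the firm's own, and additionally flags the case the section describes, an external sender using a colleague's display name, plus two related tell-tales (a Reply-To on a different domain, and a lookalike of the firm's domain). The domain, the staff names and the three sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the practice's own mail domain and its staff's
# display names. A real deployment would read both from the directory.
INTERNAL_DOMAINS = {"example-accountants.co.uk"}
STAFF_DISPLAY_NAMES = {"Jane Smith", "Tom Brown"}
SUBJECT_TAG = "[EXTERNAL] "
BODY_BANNER = ("CAUTION: This email came from outside the firm. Do not act on "
               "payment or login requests without checking by phone.\n\n")


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _normalise(domain):
    # Collapse separators so "exampleaccountants.co.uk" compares equal to
    # "example-accountants.co.uk": a deliberately simple lookalike check.
    return domain.replace("-", "").replace(".", "")


def classify(raw_message):
    """Tag an inbound message and report the signals that make it suspicious."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)

    external = from_domain not in INTERNAL_DOMAINS
    impersonation = external and from_name.strip().lower() in {
        n.lower() for n in STAFF_DISPLAY_NAMES
    }
    lookalike = external and any(
        _normalise(from_domain) == _normalise(d) for d in INTERNAL_DOMAINS
    )
    reply_mismatch = bool(reply_addr) and _domain(reply_addr) != from_domain

    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if external:
        subject = SUBJECT_TAG + subject
        body = BODY_BANNER + body

    reasons = []
    if impersonation:
        reasons.append("external sender using a staff member's display name")
    if lookalike:
        reasons.append("sender domain looks like the firm's own domain")
    if reply_mismatch:
        reasons.append("Reply-To points to a different domain than From")
    return {
        "external": external,
        "impersonation": impersonation,
        "lookalike_domain": lookalike,
        "reply_to_mismatch": reply_mismatch,
        "subject": subject,
        "body": body,
        "reasons": reasons,
    }


# Constructed sample messages (not real traffic).
SAMPLE_INTERNAL = b"""From: Jane Smith <jane.smith@example-accountants.co.uk>
To: tom.brown@example-accountants.co.uk
Subject: Q3 VAT return

Tom, the draft return is in the shared folder for review.
"""

SAMPLE_SPOOF = b"""From: Jane Smith <jane.smith.partner@partner-mail.example>
Reply-To: payments-desk@another.example
To: tom.brown@example-accountants.co.uk
Subject: Urgent: change of supplier bank details

Tom, please update the bank details before today's payment run.
"""

SAMPLE_LOOKALIKE = b"""From: IT Support <helpdesk@exampleaccountants.co.uk>
To: tom.brown@example-accountants.co.uk
Subject: Password expiry notice

Your password expires today, log in here to keep it.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INTERNAL, SAMPLE_SPOOF, SAMPLE_LOOKALIKE):
        result = classify(sample)
        print(result["subject"], "|", "; ".join(result["reasons"]) or "no warnings")
```

The spoofed message is the one the section warns about: the display name says "Jane Smith", but the sender domain is external, so the subject is tagged and the display-name check fires. Note that the check is on the domain in the From address, not on the display name alone, because the display name is free text that any sender can set.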
4. Train Your Staff
It is a well-publicised fact that almost all cyber security breaches require some kind of human interaction to be successful. It is, therefore, somewhat puzzling that the majority of SME accountancy firms do not have a regular cyber security training program in place — especially when you consider that CPD courses and anti-bribery training are deemed so important. Part of the issue is that cyber security training is considered expensive, time consuming to deliver and not at all engaging to the people receiving it. But this is far from true. Some systems cost from as little as £2–3 per member of staff per month and deliver cyber security training in short, digestible blocks. These ‘short and snappy’ training sessions will not take up large amounts of your billable time but will still get the message across in an engaging way.
5. Keep Your Team Aware
One of the challenges in any firm is keeping cyber security threats fresh in the minds of your team whilst they have their day jobs to focus on. Although training undoubtedly helps, it is often treated as a point-in-time initiative in response to a breach or security incident. Once the memory of that incident has faded, awareness amongst staff often fades with it.
The good news is that this is easy to address and, even better, it should cost you no more than a little time to administer. Here is our suggested approach. Nominate a member of staff to be your "cyber threat co-ordinator". This does not need to be someone from IT; ideally it is the person who runs your office and organises staff communications, most likely your practice manager. Your co-ordinator should sign up to some email feeds on the latest threats. A good starting point is the government-backed Action Fraud site and the security training service DynaRisk. Your co-ordinator should also review some online blogs, such as those from the Independent, which offers an easy-to-understand news feed on the latest cyber security threats. The information from these feeds should then be used to create content for staff newsletters, presented regularly in team meetings, posted to your intranet, or circulated via email or an instant messaging feed.