NCSC Gateway to Ransomware Guidance
What would you do if your business files were lost to ransomware? Find out the latest advice from the NCSC (National Cyber Security Centre).
It will come as no surprise that we find ourselves delving into the area of online security and cybercrime. In Ireland, we are all only too aware of the recent HSE ransomware attack; however, exposure to potential data breaches and other forms of online fraud is certainly not limited to large organisations. How many telephone calls and text messages do we all receive almost daily, trying to lure us into the next online scam or attempting to access personal or financial information, and that’s even before we set foot in the office! In fact, well over 40% of all cyber-attacks target SMEs. This is quite an alarming number given that most people reading this either run small businesses or deal with clients in this sector. Even tech-savvy individuals can easily fall foul of the increasingly elaborate schemes being developed by cyber criminals globally.
Most accountants have spent much of the past 18 months responding to what has been an ever-changing landscape, both for our clients and ourselves as members in practice. During that time, we have had to interpret and react to many new government-led supports, with much additional reporting and compliance required as a result. At the same time, we have been working with organisations across all industries to help them move their businesses forward post Covid-19. It is little wonder that many accountants have not had the opportunity to fully reflect on the area of online fraud and how we may be exposed to it in our everyday work.
As members in practice, we are particularly vulnerable to encountering situations where either we, or our clients could quite easily become the next victim of cybercrime. The risk of loss of client data, inadvertent sharing of financial records or intellectual property being compromised are just some examples of serious risks we might face as accountants. Smaller businesses, often through lack of resources, may find they have less rigorous technological defences in place and an outdated awareness of potential threats. This can leave some companies extremely vulnerable to hackers.
Many CIMA members in practice own smaller firms and some of us operate as sole practitioners. With ever-increasing demands on our working lives, it can be difficult to keep ourselves updated on the latest developments while at the same time managing the administration of our own practices and, most importantly, providing a high standard of service to our clients. Cloud-based accounting, online file sharing and internet banking have become the norm. While rapid developments in these areas bring about significant convenience and open vast opportunities for accountants, they also bring with them a host of challenges and risks. Financial fraud has featured as a risk factor across many businesses for many years, but it is now almost impossible to mention fraud without reference to cyber security and these areas have become inextricably linked.
Working as management accountants in practice, we are of course obligated to familiarise ourselves with, and operate within, strict guidelines in relation to anti-money laundering legislation. The topic of online security should feature as prominently throughout our day-to-day business interactions. It is no longer an area that we just occasionally read an interesting article on, or cover as part of ongoing CPD training. It is now something that none of us can afford to ignore or consider to be just a ‘tick the box’ exercise. Unfortunately, the threat has become very real and something that is very much with us daily.
Many smaller firms completely underestimate the risk that fraud could pose to their businesses. As criminals can easily automate attacks, it is not difficult for them to target thousands of smaller businesses simultaneously. These small businesses often have less stringent policies and procedures in place, less awareness of threats and less time and resources to invest in cybersecurity. All of this can make them an easier target for hackers compared to larger firms.
Despite the perceived high cost of implementing preventative systems, some straightforward and relatively inexpensive measures could greatly reduce an organisation’s exposure to cyber fraud. Investing a little time and money, and reflecting on the company’s approach to cyber security could pay huge dividends in the long run and is likely to be far less expensive than the cost of being exposed to an online attack. Purchasing suitable and up to date software may seem to be yet another cost burden on accountants or indeed on our clients but it should really be regarded as a necessary cost. Online attacks are becoming far more sophisticated and many smaller accountancy practices are often targeted by cyber criminals due to the fact that they don’t have the financial resources to invest in more sophisticated software to deal with cyber-related threats.
One basic but effective method we can adopt to help mitigate cyber risk is to firstly carry out a comprehensive health check of all devices and systems used in our businesses. It is important to ensure that all hardware and software are current, and that any security updates are applied on a timely basis. We should take the time to audit our own access policies: who has access to data, do they require the same level of access to all data, and is information sufficiently encrypted (even where it resides in-house only)? Using password management software is far safer than storing passwords on spreadsheets, for example. As part of our annual insurance renewals, is now the time to consider some form of cyber cover? Employee training is without doubt key, and having policies and systems around IT security that are robust, up to date and sufficiently understood by all staff is essential. The fact that 95% of cybersecurity breaches can be traced directly to human error is a worrying statistic.
We can also work with our clients to ensure that they have firstly identified the key risks relating to online fraud and that these risks are considered as part of their overall approach to risk management. We can advise them on effective controls in relation to having disaster recovery plans in place to allow for business continuity, in the event of a ransomware or phishing attack. Of course, as practitioners we need to ensure any client information that we hold is secure and that our internal policies are updated in this area.
Cyber security and the potential for online attacks must be considered a critical risk for anyone in business and particularly for accountants in practice. In the past, activities such as having the latest security software or firewall protection installed were most likely seen as something the IT department was responsible for. Online security is no longer a mere operational issue, and it should feature as an area of strategic importance for boards and business owners of all sizes. Cyber security needs to form part of decision making at all levels within a business.
Date for your diary - Members in Practice conference 27 November 2021 (online)
We are planning a special half day online conference on Saturday 27 November. This is open to all CIMA members but will focus on two areas of interest to members in practice. Firstly, Brendan Twohig, Partner with M.K. Brazil, Waterford, will provide an overview on the most recent taxation updates. We will also be joined by a number of CIMA members in practice in a panel discussion. We will look at life as a member in practice, considerations for those thinking about working as a self-employed accountant, the challenges we sometimes face and how to build a business as an accountant. This promises to be an interesting and engaging event and we hope you can join us for this.
About Eric Rochford:
Eric Rochford qualified as a member of the Chartered Institute of Management Accountants in 2006, and subsequently became a CIMA Fellow in 2017. He has over twenty years’ experience in finance and senior management/director roles with a variety of businesses, from multinationals to startups, across a diverse range of industries including food, medical devices, construction, manufacturing and financial services. As a CIMA member in practice, Eric has a particular focus on the SME sector and early stage businesses.