Eight things accountants need to know about cyber crime
As hackers up their game and attacks become more common, more varied and more sophisticated, Nick Huber assesses how to protect your data and the financial rewards of helping clients do the same.
Don’t say you weren’t warned. The list of well-known companies whose IT has been hacked is growing. One of the most serious was the cyber attack on TalkTalk in October. Hackers gained access to personal and financial details of what’s estimated to be tens of thousands of the telecom company’s customers, although at the time of writing the incident was still being investigated.
After TalkTalk announced that it had been hacked its shares fell sharply and the company’s chief executive, Dido Harding, struggled to reassure customers, investors and the media that the company was getting to the bottom of what had happened. Just a few days later a second telecoms company, Vodafone, also said that it had been the victim of an attack by hackers.
Cyber attacks are becoming more common, more varied and more sophisticated. As John Chambers, executive chairman of Cisco, the US network equipment company, said: “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”
The attacks can dent profits as well as reputations. Cyber attacks cost UK businesses around £34bn a year, a report from the Centre for Economics and Business Research and Veracode, a computer security company, estimated. Just over half (£18bn) of the total comes from lost revenues due to successful attacks. The remaining £16bn is companies’ increased spending on IT as they strengthen their defences, the report said.
1. Evolving threats
How are cyber threats changing? And what can companies and their accountants do to minimise security risks? “Cyber attackers demonstrate considerable agility and adaptability. In some cases, savvy attackers used increased levels of deception by hijacking companies’ own infrastructure and turning it against them,” said Symantec, one of the biggest suppliers of security software, in a report earlier this year.
The Symantec report also said that advanced cyber attackers, in 2014:
- used legitimate software on compromised machines to continue their attacks without risking discovery by anti-malware tools
- used a company’s management tool technology to move stolen IP around the corporate network
- built “attack software” inside their victim’s network, on the victim’s own servers.
Governments are also behind some cyber attacks, it has been alleged. In October, the deputy director of the US National Security Agency, Richard Ledgett, warned of the increasing danger of destructive cyber attacks by states. “If you are connected to the Internet, you are vulnerable to determined nation-state attackers,” he told the BBC.
2. Biometric security
Biometric technology, which identifies a person by their unique physical or behavioural characteristics, is increasingly used as a convenient alternative to a password, authorising online payments or gaining entry to a building.
Convenience may have drawbacks, though. Some security experts reckon that hackers will focus more on stealing people’s biometric data as it becomes more widely employed. However, biometrics can also be used to tighten security.
“It helps [companies] have a deeper understanding of whether they’re dealing with the right customer so the customer doesn’t have to go through so many two-factor authentication steps – for example, asking the customer what was the last transaction they made … putting your bank card into a card reader after you’ve given a password,” says Ryan Wilk, of NuData Security.
The company’s technology analyses online financial transactions and sends a real-time report to the bank, giving it a percentage estimate of the risk that a transaction is fraudulent.
3. Cyber Protection
Biometric security isn’t mainstream yet, though. How can you or your clients improve security in the meantime?
First, get an overview of your IT. Keep an up-to-date inventory of your hardware (all servers, workstations, laptops and remote devices connected to your business network) and of your software, paying particular attention to software with known security vulnerabilities and software that is not authorised for business use. An accurate inventory makes it quicker to find and fix the affected systems after a breach, and to know what needs patching before one.
Next, review the information your business holds, work out what’s the most important information (for example, designs for an innovative new car if you’re a car maker or customer credit card details if you’re a bank). Make protecting this information a priority.
Don’t rely on one type of security technology, such as anti-virus software on workers’ desktops, Pinson-Roxburgh says. Add further layers, such as anti-malware technology and email gateway security controls (technology that blocks spam emails and also helps to prevent the loss of data).
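As an added example of the inventory step above (this is illustrative code, not from the article or from any vendor quoted in it), the following Go program reconciles a constructed device inventory against a policy that says which software is authorised and the minimum version that carries the vendor's security fixes. Host names, owner names, product names and version numbers are all hypothetical; the point is the check itself, which compares versions numerically rather than as strings so that 3.10 is correctly treated as newer than 3.2.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Software is one installed package on a device (constructed sample data).
type Software struct {
	Name    string
	Version string
}

// Device is one entry in the hardware inventory (hypothetical host names).
type Device struct {
	Host     string
	Owner    string
	Software []Software
}

// Policy lists software authorised for business use and, where the vendor has
// shipped security fixes, the minimum patched version. Values are assumed.
type Policy struct {
	Authorised map[string]bool
	MinVersion map[string]string
}

// Finding is one host/software pair that needs action.
type Finding struct {
	Host    string
	Name    string
	Version string
	Reason  string // "unauthorised" or "vulnerable"
}

// versionLess reports whether dotted version a is older than b, comparing
// each component as a number (so "3.2" < "3.10").
func versionLess(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	n := len(pa)
	if len(pb) > n {
		n = len(pb)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Audit walks the inventory and returns every unauthorised or unpatched
// install, sorted by host then product so the report is stable.
func Audit(devices []Device, p Policy) []Finding {
	var out []Finding
	for _, d := range devices {
		for _, s := range d.Software {
			switch {
			case !p.Authorised[s.Name]:
				out = append(out, Finding{d.Host, s.Name, s.Version, "unauthorised"})
			case p.MinVersion[s.Name] != "" && versionLess(s.Version, p.MinVersion[s.Name]):
				out = append(out, Finding{d.Host, s.Name, s.Version, "vulnerable"})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Host != out[j].Host {
			return out[i].Host < out[j].Host
		}
		return out[i].Name < out[j].Name
	})
	return out
}

// SamplePolicy and SampleInventory are constructed for this example.
func SamplePolicy() Policy {
	return Policy{
		Authorised: map[string]bool{"Excel": true, "Java": true, "PayrollSuite": true, "Acrobat Reader": true},
		MinVersion: map[string]string{"Java": "8.0.60", "Acrobat Reader": "11.0.12", "Excel": "15.0.4"},
	}
}

func SampleInventory() []Device {
	return []Device{
		{"acct-laptop-01", "a.patel", []Software{{"Excel", "15.0.4"}, {"Java", "8.0.45"}, {"BitTorrent", "7.9"}}},
		{"payroll-srv-01", "it.admin", []Software{{"PayrollSuite", "3.2"}, {"Java", "8.0.60"}}},
		{"reception-pc", "front.desk", []Software{{"Acrobat Reader", "11.0.10"}, {"ScreenShareTool", "2.1"}}},
	}
}

func main() {
	for _, f := range Audit(SampleInventory(), SamplePolicy()) {
		fmt.Printf("%-16s %-16s %-8s %s\n", f.Host, f.Name, f.Version, f.Reason)
	}
}
```

Run as written, the report names two machines that need attention: the laptop with an old Java and an unauthorised file-sharing client, and the reception PC with an unpatched PDF reader and an unapproved screen-sharing tool. The payroll server, which holds the most sensitive data, comes out clean, which is exactly the kind of assurance the inventory is meant to give.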
4. Bring your own device
More employees are using their own smartphones and tablets for work, which can improve productivity and make it easier to work out of the office. It can also cause IT security problems if workers download customer data and other intellectual property, and possibly viruses, onto devices that may not be as secure as ones supplied by their employer.
More than half of North American and European companies are developing rules for “Bring Your Own Device Programs”, according to Forrester, a research company.
David Paine, director of technical services at Castle Computer Services, says that one of its customers, a legal practice with offices in the East of Scotland, gives workers “read and write” access to data on a mobile device but doesn’t allow them to extract it outside the corporate network.
5. Cloud Security
Cloud computing − large networks of web servers and datacentres that are run online rather than on customers’ own computers – is increasingly popular in business, including for email systems, customer-relationship management and accounting software, and document-sharing applications such as Dropbox.
Storing data online is usually cheaper and can be a useful backup for data stored in company offices. If there’s a fire or major IT failure at your company, retrieving data from the cloud can be done quickly. But take care. Under UK data protection law the company, as data controller, remains responsible for any security breach on the part of the supplier holding its data, so it’s important to check the supplier’s arrangements for security and for data backup and business continuity before signing up.
6. Accounting for IT security
David Reynolds, CEO of the International Association of Accountants Innovation and Technology Consultants, has written a new guide on IT security and data protection, published by ICAS, for accountants and their clients.
“Accountants need to get their own houses in order first,” he says. “The big problem for most firms of accountants is that they’ll do payroll bureau for lots of their clients, so they hold personal data, such as bank account details and National Insurance numbers that are considered sensitive.”
Because accountants are classed as “data controllers” by the Information Commissioner’s Office, the UK’s information watchdog, they have to meet more stringent requirements for information security. If they lose clients’ data, or if the data is hacked, accountants could be fined up to £500,000 for breaking the Data Protection Act. The European Commission is updating its legislation on data protection.
7. Advisory Opportunities
Cyber threats could also be good news for accountants.
“The reality is that there’s no one explaining IT security to small and medium businesses,” Reynolds says. “[There is a] huge opportunity for accountants to provide new services [to] … engage with clients and have sensible discussions about information security.”
Security training doesn’t have to be overly technical. It’s useful for accountants to know how to install a firewall but they probably don’t need to know how to write computer code.
Accountants can use the ICAS IT security guide to help business clients identify their most important information, how serious the security threats are to that information and any gaps in security, such as staff who need training in IT security. Employees are often the cause of accidental leaks of data.
8. Data Control
Keeping track of who is accessing what IT is another important part of information security, says Ramses Gallego, Dell’s security strategist and evangelist.
Companies can reduce the damage caused by successful hacks by encrypting their most important information (for example, credit card data for banks or patient records for hospitals). “It’s only a successful attack if they can get out of your castle with commercially sensitive and valuable information,” says Gallego.
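The two controls this section describes, knowing who accessed what and encrypting the most valuable records, can be demonstrated together. The Go program below is an added example written for this page; it is not Dell's product or code from the article, and the user names, record IDs and card number are constructed. Records are sealed with AES-GCM under a key that is held separately from the data store (in practice it would come from a key-management service; here it is generated in memory), every read attempt is written to an access trail whether or not it is allowed, and the record ID is bound as associated data so a ciphertext cannot be quietly swapped between customers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"time"
)

// AccessEvent is one line of the "who accessed what" trail.
type AccessEvent struct {
	When    time.Time
	User    string
	Record  string
	Allowed bool
}

// Vault keeps records encrypted at rest. The key lives only in memory here;
// a real deployment would fetch it from a key-management service (assumption).
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte            // record ID -> nonce || ciphertext
	allowed map[string]map[string]bool   // user -> record IDs they may read
	Log     []AccessEvent
}

// NewVault builds an AES-GCM vault; key must be 16, 24 or 32 bytes.
func NewVault(key []byte, allowed map[string]map[string]bool) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}, allowed: allowed}, nil
}

// Store encrypts plaintext under a fresh random nonce and binds the record ID
// as associated data, so the ciphertext only opens for that ID.
func (v *Vault) Store(id string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	v.records[id] = v.aead.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Read logs the attempt first, then enforces the allow-list, then decrypts.
// Any tampering with the stored bytes makes Open fail.
func (v *Vault) Read(user, id string) ([]byte, error) {
	ok := v.allowed[user][id]
	v.Log = append(v.Log, AccessEvent{time.Now(), user, id, ok})
	if !ok {
		return nil, errors.New("access denied")
	}
	ct, found := v.records[id]
	if !found {
		return nil, errors.New("no such record")
	}
	ns := v.aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("corrupt record")
	}
	return v.aead.Open(nil, ct[:ns], ct[ns:], []byte(id))
}

// Raw returns what an attacker who copies the data store (but not the key) gets.
func (v *Vault) Raw(id string) []byte { return v.records[id] }

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Hypothetical allow-list: only the payroll clerk may read customer 1001.
	v, err := NewVault(key, map[string]map[string]bool{"payroll.clerk": {"cust-1001": true}})
	if err != nil {
		panic(err)
	}
	_ = v.Store("cust-1001", []byte("4111 1111 1111 1111")) // constructed test card number
	if pt, err := v.Read("payroll.clerk", "cust-1001"); err == nil {
		fmt.Printf("clerk read: %s\n", pt)
	}
	if _, err := v.Read("intern", "cust-1001"); err != nil {
		fmt.Println("intern read:", err)
	}
	fmt.Printf("what a thief copying the store sees: %x\n", v.Raw("cust-1001"))
	for _, e := range v.Log {
		fmt.Printf("%s user=%s record=%s allowed=%v\n", e.When.Format(time.RFC3339), e.User, e.Record, e.Allowed)
	}
}
```

The access trail is the part most often skipped: the denied read by "intern" is recorded just like the allowed one, which is what lets you answer "who looked at this record" after the fact. And because only ciphertext sits in the store, an attacker who "gets out of the castle" with a copy of it has nothing usable unless they also took the key.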
A good business continuity plan can also help minimise the damage if security fails. The plan, which should be tested at least once a year, can help maintain business functions or get them up and running again quickly if there is major disruption, such as a fire or flood, serious illness among workers, or a massive cyber attack.
Business continuity plans vary but most will focus on three things: people (are staff trained to take on different jobs if a disaster happens and colleagues are injured or killed?); premises (relocating workers to another company building if the head office is damaged/destroyed, or enabling them to work remotely); and technology (running computer systems from backup locations).
The business continuity standard ISO 22301, published in the UK by the British Standards Institution, can help businesses assess whether their plans are good enough, and IT suppliers can also help.
Paine says: “You should define what is classed as a disaster for your businesses, how quickly you need to be operational and identify key people and systems which are mission critical to the operation of the business. Your service level agreement with your provider should reflect these. As each business is different so is a business continuity plan – it’s all about understanding your objectives.”
As technology becomes more advanced so do hackers and organised crime. The mass of information and claim and counter claim about security threats and technology to deal with them can be confusing. But with a little research and initiative, accountants can help business clients be prepared for the worst hacks and boost their fees at the same time.