Cybersecurity actions for 2022

By David Fleming, Chief Technology Officer at Mitigo Cybersecurity

3 March 2022

Discover areas of your practice most vulnerable to attack and the steps you can take to become secure with this helpful cybersecurity action plan from our Evolve partner Mitigo.

Millions of cyberattacks will take place across the UK in 2022 and many thousands of businesses, including accountancy firms, will be seriously damaged as a result.

Advances in, and the availability of, attack technology and the use of AI (Artificial Intelligence) mean that criminals can now discover and evaluate weak points in every business, whatever the sector and regardless of size. For firms to plan an effective defence against these attacks, they must first understand where their vulnerabilities lie.

Cybersecurity vulnerabilities in 2022

A successful attack can make money for the criminals in several ways. They may trick a human (staff, customer or supplier) into sending money to a fraudulent bank account. Or they may steal something valuable, such as sensitive, confidential, proprietary or client information, in order to blackmail you into paying a ransom for its return. That confidential information may then still be used to attack you or your clients, or to extort money from them. Ransoms are also frequently paid in order to regain business functionality after criminals have encrypted data and systems.

The criminals first find a way into your business through the gaps in your defences (these are known as vulnerabilities). Mitigo assesses hundreds of businesses a year, and the areas set out below are those we are currently finding provide the most opportunity for criminals.

Remote working

Staff working away from the office provide lots of attack opportunities. Have you specifically reviewed your remote working set-up from a cybersecurity perspective?

Have a look at our video on the subject for some pointers on how well you’ve set up your remote working.

Cloud email accounts

Thousands of email accounts are hijacked weekly and exploited by criminals. There are two common areas that these criminals often exploit:

1. Authentication methods. Relying on usernames and passwords alone is not enough. Typically, over 20% of untrained staff fall for the simulated phishing email attacks that we run for clients. This is how usernames and passwords are stolen.

2. Spoofing controls. Fraudsters can fake your email address. This is called spoofing. There are three domain records (SPF, DKIM and DMARC) that need to be properly configured by your technical support to stop this.
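As an added illustration (not part of the Mitigo article), the Python helpers below check SPF, DKIM and DMARC record text for the configuration mistakes that leave spoofing possible: a permissive or missing SPF "all" term, too many SPF DNS lookups, a DMARC policy of none, and an empty DKIM key. Records are passed in as strings copied from a DNS control panel, so the checks run offline; the record values used in testing are constructed.

```python
# Offline sanity checks for the three anti-spoofing DNS records. Records are passed in as
# strings, as copied from a DNS control panel, so nothing here needs network access.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def _tags(record: str) -> dict:
    """Parse 'k=v; k=v' records (DKIM and DMARC share this syntax) into a dict."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}

def check_spf(record: str) -> list:
    """Findings for an SPF TXT record; an empty list means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    findings, last = [], terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends with +all: any server on the internet may send as your domain")
    elif last == "?all":
        findings.append("SPF ends with ?all (neutral): receivers will not reject forgeries")
    elif last not in ("-all", "~all"):
        findings.append("SPF has no closing 'all' term; end it with ~all or -all")
    # Strip qualifier, argument and CIDR length to get the bare mechanism/modifier name.
    names = [t.lower().lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:   # RFC 7208 limit; receivers return permerror above it
        findings.append(f"SPF needs {lookups} DNS lookups, over the limit of 10")
    return findings

def check_dmarc(record: str) -> list:
    """Findings for the DMARC TXT record published at _dmarc.<domain>."""
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record must start with v=DMARC1"]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "":
        findings.append("DMARC has no p= tag, so the record is invalid")
    elif policy == "none":
        findings.append("DMARC p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so you receive no aggregate reports")
    return findings

def check_dkim(record: str) -> list:
    """Findings for a DKIM TXT record published at <selector>._domainkey.<domain>."""
    findings = []
    if not _tags(record).get("p"):
        findings.append("DKIM p= public key is empty: the selector is revoked or misconfigured")
    return findings
```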

Business technology

Some of the biggest attacks last year were from poorly maintained technology.

Software patching

Having an effective patching regime is critical to your cyber resilience. Two huge cyberattacks in 2021 took place after suppliers released critical security patches, which in turn notified everyone (including criminals) of newly discovered software flaws.

Staff digital behaviour

Most successful attacks rely on human error at some stage, which is why staff training combined with proper governance is so important. Three key areas to consider are:

1. Passwords. How disciplined are you? Do staff use strong passwords, and do they know how dangerous it is to use work emails and passwords for non-work purposes? And do you really know if the rules you set are being enforced?

2. Information transfer. Are you really in control of the way data is transferred and stored? To keep your data secure, avoid transferring information via G-drives, Dropbox and WeTransfer.

3. Speed & trust. How quick are staff to trust and press links on their mobile phones? Might your staff fall for the criminals’ ever more sophisticated tricks?

Cloud services

At its worst, cloud can mean loss of control and lack of risk visibility.

Have a look at our video for some pointers on how well you’ve set up your cloud services.

Supply chain weaknesses

Third parties who provide services to your organisation are often one of the weakest links in your cybersecurity. Most commentators are predicting a growth in supply chain attacks this year. A recent article from the NCSC provides a good explanation of the risks involved.

Cybersecurity action plan for 2022

When considering the steps to set out in your cybersecurity action plan, there are a few key areas to consider which can help secure your business from cyber-attacks.

Cyber security vulnerability assessment

You must start by identifying your biggest risks and the vulnerabilities that need closing.

The list of common vulnerabilities mentioned above is a good starting point for this process. Consider how well each of those areas has been set up. Do you have evidence that cybersecurity has been properly considered? Make sure you review where your valuable information is kept and the way your payments process operates, as these are common targets.

You may have heard of cyber security buzzwords like penetration testing, vulnerability assessments, and network security scanning which will all help you assess your vulnerability to attack. A good starting point would be to use our assessment tool.

Cyber security policy

Define how the business will work to reduce risk, e.g. what is acceptable personal use of a work device.

We recommend that you define your policy in key areas. Examples include digital usage and behaviour, passwords and access management, and information storage and transfer. Then make sure all staff are aware of the rules and what is expected of them.

You must have a defined policy in place for software patching, back-up testing and virus protection, including clarity on actions and responsibilities. It is then important that you find a way of measuring compliance.

This may sound onerous, but it is absolutely necessary and it is an expectation of regulators and the ICO.

Vulnerability closure, strong controls, and alerts

Once you have completed the steps above, you need to make sure you close the vulnerabilities identified, that technical policies are implemented and that the right system controls are set up to protect you. It is essential that someone suitably qualified advises on how to properly configure your software and hardware from a security perspective.

The work here obviously depends on how your business operates, but here are just three examples of what we look for during our assessments.

1. Anti-virus software – is it on every device; is it being kept up to date; can it be locally switched off; has it been ‘loosened’ too much and is someone centrally viewing the critical alerts?

2. Windows network patching – are Windows patches being deployed on time to laptops, PCs and servers? How long can a laptop go without a critical patch being deployed?

3. Email account login failures – if you are on Office365, someone should be alerted to suspicious login attempts, and you should be configuring the controls to restrict who has access to your systems.
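Added example (not from the article): the kind of alerting logic the third point describes, run over a constructed, simplified sign-in log. It raises three alerts worth acting on: repeated failures against one account, a success right after such a burst from the same source, and password spraying (a few guesses each against many accounts, which per-account lockout does not catch). Real Office 365 sign-in exports use a different format, so the parse function is a stand-in for your own log reader.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (time user ip result): one account guessed from one IP, one IP spraying
# several accounts, and a benign failure-then-success that must not alert.
SAMPLE_LOG = """\
2022-03-01T08:00:01Z alice@example.com 203.0.113.5 FAILURE
2022-03-01T08:00:04Z alice@example.com 203.0.113.5 FAILURE
2022-03-01T08:00:09Z alice@example.com 203.0.113.5 FAILURE
2022-03-01T08:00:15Z alice@example.com 203.0.113.5 FAILURE
2022-03-01T08:00:21Z alice@example.com 203.0.113.5 SUCCESS
2022-03-01T09:10:00Z bob@example.com 198.51.100.7 FAILURE
2022-03-01T09:10:02Z carol@example.com 198.51.100.7 FAILURE
2022-03-01T09:10:05Z dave@example.com 198.51.100.7 FAILURE
2022-03-01T09:10:07Z erin@example.com 198.51.100.7 FAILURE
2022-03-01T12:00:00Z bob@example.com 192.0.2.20 FAILURE
2022-03-01T12:00:40Z bob@example.com 192.0.2.20 SUCCESS
"""
WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 4   # failures for one account, or distinct accounts from one IP, inside WINDOW

def parse(log: str):
    # Yields (time, user, ip, success) from the constructed format above.
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result == "SUCCESS"

def detect(log: str) -> list:
    alerts, alerted = [], set()          # each (kind, key) alerts once to keep output readable
    fails_by_user = defaultdict(list)    # user -> [timestamp]
    fails_by_ip = defaultdict(list)      # ip -> [(timestamp, user)]
    for ts, user, ip, ok in parse(log):
        ip_recent = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= WINDOW]
        if ok:
            # A success straight after a burst of failures from the same source suggests a guessed password.
            if len(ip_recent) >= FAIL_THRESHOLD and ("compromise", ip) not in alerted:
                alerts.append(f"possible compromise: {user} signed in from {ip} after {len(ip_recent)} recent failures")
                alerted.add(("compromise", ip))
            continue
        fails_by_user[user].append(ts)
        fails_by_ip[ip].append((ts, user))
        user_recent = [t for t in fails_by_user[user] if ts - t <= WINDOW]
        if len(user_recent) >= FAIL_THRESHOLD and ("brute force", user) not in alerted:
            alerts.append(f"brute force: {len(user_recent)} failures for {user} within {WINDOW}")
            alerted.add(("brute force", user))
        # Password spraying: one or two guesses per account (no lockout) but many accounts from one IP.
        sprayed = {u for _, u in ip_recent} | {user}
        if len(sprayed) >= FAIL_THRESHOLD and ("spray", ip) not in alerted:
            alerts.append(f"password spray: {ip} failed against {len(sprayed)} accounts within {WINDOW}")
            alerted.add(("spray", ip))
    return alerts
```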

Cyber security training

Make sure that regular training keeps staff alert to the risks. It’s time to invest in some really good cybersecurity training and we believe that getting simulated attacks done frequently will improve your cybersecurity culture.

Incident response training

Yes, the worst does sometimes happen. In most cases fast, pre-planned emergency response arrangements can massively reduce the impact on your business. Start by getting the key people in a room and discussing how you would go about dealing with a ransomware attack. Write down your plan, communicate it and practise it.


About Mitigo:

We have partnered with Mitigo to offer cybersecurity risk management services with exclusive discounts for our Evolve members.

Find out more about Mitigo’s cybersecurity services.

For more information contact them on 0131 564 3131 or email icas@mitigogroup.com


This blog is one of a series of articles from our commercial partners.
The views expressed are those of the author and not necessarily those of ICAS.
