ICAS ICAS logo

Quicklinks

  1. About Us

    Find out about who we are and what we do here at ICAS.

  2. Find a CA

    Search our directory of individual CAs and Member organisations by name, location and professional criteria.

  3. CA Magazine

    View the latest issues of the dedicated magazine for ICAS Chartered Accountants.

  4. Contact Us

    Get in touch with ICAS by phone, email or post, with dedicated contacts for Members, Students and firms.

Login
  • Annual renewal
  • About us
  • Contact us
  • Find a CA
  1. About us
    1. Governance
  2. Members
    1. Become a member
    2. Newly qualified
    3. Manage my membership
    4. Benefits of membership
    5. Careers support
    6. Mentoring
    7. CA Wellbeing
    8. More for Members
    9. Area networks
    10. International communities
    11. Get involved
    12. Top Young CAs
    13. Career breaks
    14. ICAS podcast
    15. Newly admitted members 2022
    16. Newly admitted members 2023
  3. CA Students
    1. Student information
    2. Student resources
    3. Learning requirements
    4. Learning updates
    5. Learning blog
    6. Totum Pro | Student discount card
    7. CA Student wellbeing
  4. Become a CA
    1. How to become a CA
    2. Routes to becoming a CA
    3. CA Stories
    4. Find a training agreement
    5. Why become a CA
    6. Qualification information
    7. University exemptions
  5. Employers
    1. Become an Authorised Training Office
    2. Resources for Authorised Training Offices
    3. Professional entry
    4. Apprenticeships
  6. Find a CA
  7. ICAS events
    1. CA Summit
  8. CA magazine
  9. Insight
    1. Finance + Trust
    2. Finance + Technology
    3. Finance + EDI
    4. Finance + Mental Fitness
    5. Finance + Leadership
    6. Finance + Sustainability
  10. Professional resources
    1. Anti-money laundering
    2. Audit and assurance
    3. Brexit
    4. Charities
    5. Coronavirus
    6. Corporate and financial reporting
    7. Business and governance
    8. Ethics
    9. Insolvency
    10. ICAS Research
    11. Pensions
    12. Practice
    13. Public sector
    14. Sustainability
    15. Tax
  11. CPD - professional development
    1. CPD courses and qualifications
    2. CPD news and updates
    3. CPD support and advice
  12. Regulation
    1. Complaints and sanctions
    2. Regulatory authorisations
    3. Guidance and help sheets
    4. Regulatory monitoring
  13. CA jobs
    1. CA jobs partner: Rutherford Cross
    2. Resources for your job search
    3. Advertise with CA jobs
    4. Hays | A Trusted ICAS CA Jobs Partner
    5. Azets | What's your ambition?
  14. Work at ICAS
    1. Business centres
    2. Meet our team
    3. Benefits
    4. Vacancies
    5. Imagine your career at ICAS
  15. Contact us
    1. Technical and regulation queries
    2. ICAS logo request

Why cyber risk management is not the same as IT support.

  • LinkedIn (opens new window)
  • Twitter (opens new window)
By Lindsay Hill, Chief Executive Officer at Mitigo Cybersecurity

20 January 2022

Firms are suffering cyber breaches by assuming that cyber risk management is provided by their IT support.
Trusted ICAS Evolve partner Mitigo looks at the questions every firm should ask themselves about their cybersecurity.

Cybercrime is increasingly sophisticated, and methods of attack constantly evolve. Accountancy practices are a prime target. Attacks pose a serious risk to data and system security, business resilience, client relationships and confidentiality, and business reputation. Security should be right at the top of any business risk register. Firms must adopt proper cyber risk management systems and not assume that their IT function has it covered.

Ask yourselves these questions about your cybersecurity.

1. Who is currently undertaking and documenting your cybersecurity vulnerability risk assessment?

This is now a legal requirement under the Data Protection Act 2018 and it is the essential first step towards security. It should be undertaken periodically by someone with cyber risk management experience. They should know the current methods of entry and forms of attack, such as email account takeover and ransomware. The risk assessment will provide you with an understanding of your vulnerabilities. It must of course include scanning and probing for vulnerabilities in your technology and its current configuration. But that alone is not enough. It must also include assessing the risks associated with people and the way they use the technology; your systems of work; your interaction with clients and suppliers; the platforms you rely upon; and so much more.

2. Who is configuring your security?

Your vulnerability assessment will provide visibility of risk. A cybersecurity professional can now determine how to configure your technology appropriately. This is a specialist job - configuration must provide protection against attacks without interfering with daily functionality. Firewalls, anti-virus, email set-up, logins to cloud platforms, personal devices, remote connections, back-ups, access rights, user privileges, logs and detection alerts are just some of a long list of areas requiring attention. Equally important is advice on the other organisational controls and governance necessary to protect you against the risks identified.

3. Are you meeting your legal, professional, and regulatory requirements?

Does your security adviser really know how to comply with your legal obligation to take appropriate technical and organisational measures for the security of personal data, and to review their effectiveness on an ongoing basis? And do they know your professional and regulatory obligations? Are they satisfying your record keeping obligations?

4. Who is providing cybersecurity awareness training to staff?

This is about making all staff aware of the types of dangers which exist, including the tricks being used to gain access to credentials, your systems, data and finances. Some estimates reckon that over 60% of breaches are caused by staff error. So regular training is a crucial aspect of any firms’ defences. It is also now a legal obligation. And you should test that the training is working, by simulating attacks. We have frequently found that before training, over 25% of staff will click on phishing emails, but that figure reduces to under 5% after training.

5. Have you got the right policies and procedures in place?

Your systems are most secure when people know how to use them safely. Defining and communicating policies and procedures will help prevent or mitigate security incidents. As well as being another legal obligation, policies protect your business, your staff and your clients. And have your staff agree and sign for a cybersecurity staff handbook as part of their training, so that everyone knows the rules and what is expected of them.

6. Are you buying security software which you do not need and which is not actually solving your security problems?

Buying additional software will rarely solve your security problems. It just creates a false sense of security.

Worse still, we find many firms have been persuaded to purchase a patchwork of expensive security software and ad hoc deployments with overlapping functionality. In most cases, their existing technology had perfectly good protection built in, if only it were correctly configured (and in some cases, simply switched on).

7. Are you getting the right help in replying to client questionnaires and assessing your own supply chain?

Businesses are increasingly being asked to satisfy clients and others about their security arrangements. Your security professional should be able to take care of this. They should also be advising you on the type of questions you should be asking of those with whom you share systems and data.

8. Who is providing you and your Board with ongoing assurance that your security controls remain both appropriate and effective?

It is a basic principle of risk management that assurance be provided by someone independent. It is neither sensible nor fair to expect your IT people to be cybersecurity experts or to mark their own homework. Nor will any party’s when a breach occurs.

Just like a vulnerability assessment, assurance is not a one-off spot check. Over time, your technology will change, as will the threats, forms of attack and methods of extortion. So, testing and auditing your security configuration and controls should be undertaken on a regular basis to ensure your defences are kept up to standard and you continue to be protected. Again, checking the effectiveness of your security measures on an ongoing basis and recording this in writing is now a legal obligation.

If you still think your IT support are the right people to be looking after your cyber risk management, you are now lagging behind the field and are likely to suffer a breach.

Managing cyber risk is an important board level responsibility. It is time to stop hoping you are secure and start proving you are secure.


About Mitigo:

We have partnered with Mitigo to offer cybersecurity risk management services with exclusive discounts for our Evolve members.

Find out more about Mitigo’s cybersecurity services.

For more information contact them on 0131 564 3131 or email icas@mitigogroup.com.


This blog is one of a series of articles from our commercial partners.
The views expressed are those of the author and not necessarily those of ICAS.

2022-01-xero 2022-01-xero
ICAS logo

Footer links

  • Contact us
  • Terms and conditions
  • Modern slavery statement
  • Privacy notice
  • CA magazine

Connect with ICAS

  • Facebook (opens new window) Facebook Icon
  • Twitter (opens new window) Twitter Icon
  • LinkedIn (opens new window) LinkedIn Icon
  • Instagram (opens new window) Instagram Icon

ICAS is a member of the following bodies

  • Consultative Committee of Accountancy Bodies (opens new window) Consultative Committee of Accountancy Bodies logo
  • Chartered Accountants Worldwide (opens new window) Chartered Accountants Worldwide logo
  • Global Accounting Alliance (opens new window) Global Accounting Alliance
  • International Federation of Accountants (opens new window) IFAC
  • Access Accountancy (opens new window) Access Acountancy

Charities

  • ICAS Foundation (opens new window) ICAS Foundation
  • SCABA (opens new window) scaba

Accreditations

  • ISO 9001 - RGB (opens new window)
© ICAS 2022

The mark and designation “CA” is a registered trade mark of The Institute of Chartered Accountants of Scotland (ICAS), and is available for use in the UK and EU only to members of ICAS. If you are not a member of ICAS, you should not use the “CA” mark and designation in the UK or EU in relation to accountancy, tax or insolvency services. The mark and designation “Chartered Accountant” is a registered trade mark of ICAS, the Institute of Chartered Accountants of England and Wales and Chartered Accountants Ireland. If you are not a member of one of these organisations, you should not use the “Chartered Accountant” mark and designation in the UK or EU in relation to these services. Further restrictions on the use of these marks also apply where you are a member.

ICAS logo

Our cookie policy

ICAS.com uses cookies which are essential for our website to work. We would also like to use analytical cookies to help us improve our website and your user experience. Any data collected is anonymised. Please have a look at the further information in our cookie policy and confirm if you are happy for us to use analytical cookies: