Accounting for Security: Is your accounting practice at risk from an IT security breach?
Smaller businesses tend to be a greater IT risk, in part because they are an easier target (only 14% of UK accountants consider themselves ‘up to speed’ with cyber security) and in part because they haven’t stopped to consider the data they hold as an asset, a risk, and a management issue.
Here are seven key ways that your accounting firm might be putting itself in the danger zone.
1. Data ignorance
Even leaving aside the arrival of the General Data Protection Regulation (GDPR), the need for businesses to manage the data they hold has never been greater. While many organisations don’t fully understand where their data is, what data should be kept and what deleted, or even which data are particularly valuable to cyber-criminals, those criminals definitely do!
They target smaller firms especially because they are likely to be ignorant of their level of risk and to have sensitive data stored in unsafe places as a result. Discovering what data you hold, where you’re holding it and whether it’s secure should be a priority.
2. Employee carelessness
An American survey revealed that 77% of employees regularly leave their computers unattended without closing them down, during their lunch break – a perfect opportunity for a random visitor to access systems to install malware or simply download data onto a memory drive.
Over 80% of employees admit that they would click on a link in a business email, while only 24% would do the same with their personal email. And most only change passwords when prompted by their employer.
Educating employees is vital to securing your IT systems. Even small accountancy practices tend to have a couple of employees and that can exponentially increase risk of an IT security breach.
3. Detection failure
Half the small and medium sized enterprises interviewed for an EU-wide 2017 survey said that they doubted that their IT teams were able to detect and respond to an attack on their systems.
This was partly because they knew there was no systematic policy to check for breaches or test systems and partly because they recognised that their organisations were outward facing, looking only at external threats, while their personal experience of cyber-threat suggested that internally facing structures like password generation and two-step authentication were vital to successful data protection.
We’ve explored the need to develop cyber security systems at depth in this article which will be invaluable to Irish accountancy firms seeking to protect themselves from risk.
4. Mobility of data
From cloud based computing systems to thumb drives, from working at home to the storing of data on phones or tablets to work outside of the office, the mobility of data is the new reality and it carries a number of IT security breach risks:
- Mobile devices can get lost, stolen or damaged
- Mobile data can be easier to hack into, not least because protection for mobile applications can be lower than for bespoke accounting systems
- Loss of data from mobile devices may not be recognised immediately, giving criminals a head-start in accessing data deeper in shared systems.
Exercising good control over the mobility of your firm’s data and using secure, trusted vendors is important for mitigating these risks.
5. Bad back-up routines
An unbelievable 50% of small businesses fail to back up data regularly, with over 4% of one-person accountancy practices never backing up data at all. Not only does this put them at risk of losing client information, it also makes them a natural target for cybercrime, because if a company doesn’t know what it has lost, it can’t begin a disaster recovery process that could lead to finding the cause of the breach.
The WannaCry ransomware attack in May, 2017 was a worldwide cyber attack which targeted computers running by encrypting data and demanding ransom payments. Properly implemented backup routines could have mitigated the damage done to many businesses as a result of this attack and others like it.
In general, IT security doesn’t have to be a headache, but it’s important to develop systems and habits that can give you confidence that you’re cyber-savvy and with the alternative being a catastrophic IT breach, it’s time to get serious for many Irish businesses.