Cybersecurity: what can accounting firms do to protect their businesses? 

A

s accounting firms adapt to the changing business and political landscape, digitalisation, global supply chains and new ways of working, they are at far greater risk of cyberattack.

Firms face ever more skilful and ambitious attempts by hackers to access, disrupt and steal sensitive data, often associated with ransom demands. Most of these attacks will be thwarted but the number and scale of security breaches is growing by the day.

The onset of the pandemic saw a 300% increase in cybercrimes reported to the FBI’s Internet Crime Complaint Centre, as both domestic and international hackers took advantage of increasing activities online. Globally, there were 270 attacks per company in 2021, an increase of 31% on the previous year, according to IT firm Accenture.

The ICAEW (Institute of Chartered Accountants in England & Wales) rightly points out audit and accountancy firms are particularly vulnerable to attacks because of the type and volume of data they collect, process and hold. The consequences can be devastating. IBM research shows the average cost of a data breach is $4.24m. This includes theft of intellectual property and financial data to post-attack disruption and damage to reputation.

Just how costly a security breach will be to an accounting firm’s business and reputation will depend on the level of cyber resilience each organisaton achieves, and it’s important to remember that building greater cyber resilience, isn’t just a question of IT, it’s also about risk management, awareness and training.

Typically, a security breach could start with an easy-to-hack password, unsafe link, or cleverly-worded email to induce individuals to reveal personal information (phishing). It could be software devised to disrupt, damage or gain unauthorised access to a company system (malware), often resulting in a hefty ransom demand (ransomware).

Remote workers using public networks to access data on the move are particularly vulnerable to attack, as are devices linked to laptops such as printers and cameras, poorly protected cloud-based storage or external suppliers with access to data. A report by cloud services provider VMware reveals 76% of global cybersecurity professionals say attacks increased due to employees working remotely.

Praxity recently conducted a survey of its member firms worldwide to gauge awareness of the growing cyber threat and the challenges this poses. Our research reveals most accounting and IT/cybersecurity leaders believe a cyberattack is “very likely” or “extremely likely”, with ransomware being of most concern, followed by phishing/malware attacks and identity theft.

The biggest challenge is keeping pace with evolving threats, followed by mitigating the strain on IT resources and securing data that can be accessed remotely. These challenges have become more acute during the pandemic with the increased trend towards remote and hybrid working. All those firms surveyed have adopted some form of hybrid model, with at least 50% of employees working partly from home, and the majority of firms expect this percentage to rise. In Finland, workstation usage at the main Helsinki office of Praxity member firm Oy Tuokko is only 24%, demonstrating the ongoing impact of the pandemic but also changing employee preferences.

When we asked members how they are responding to the growing cyber threat, the results show accounting firms are adopting a far broader range of cybersecurity measures than previously, underlining how cybersecurity has become a top priority.

Praxity member firms with advanced cybersecurity strategies have already introduced data encryption and multi-factor authentication, where a user is required to provide two or more verification factors to gain access to an application, account, or VPN (virtual private network). For these firms, focus has largely switched to other security measures such as:

• Monitoring of end-user devices to detect and respond to cyber threats like ransomware and malware.
• Creating centralised Security Operation Centres (SOCs) to continuously monitor and improve security while preventing, detecting, analysing, and responding to cybersecurity incidents.
• Zero Trust security with strict identity verification for every person and device trying to access resources on a private network.
• Identity and Access Management (IAM) security to manage digital identities and user access.
• Tighter controls on who can access what and where, using software such as Intune and Azure Active Directory.
• Controls to protect cloud-based information and restrict access to third parties.
• Education and awareness programmes and incident response plans with clear actions for employees in the event of a security breach.
  
  

Praxity member Aronson in the U.S. is among those firms raising employee awareness. Previously, Aronson had no formal training programme in place, relying instead on a tool with various training courses linked to it. The firm then shifted to a more interactive micro-learning approach. For three weeks in a month, employees receive three-minute videos. In the fourth week, they do a quiz to validate what they have learnt.

Similarly, UK firm Shorts is taking steps to ensure IT functions are aware of services being connected while also ensuring users understand the risks of accepting invitations to access a cloud service. The firm is working towards educating users in sharing and collaborating, making sure files are only shared for a limited time and shared with the right person.

The way forward, according to a recent report by Gartner, is to develop a ‘cybersecurity mesh’ to deploy and extend security where it’s most needed, overseen by cyber-savvy boards with dedicated committees.

Given the complexity and fast-evolving nature of cybersecurity, firms are increasingly sharing expertise, not just to learn from each other but also to help IT and cybersecurity leaders gauge if they are doing the right thing.

“Multi-firm collaboration is, I believe, an essential component in driving positive change in the profession. Praxity is taking the lead by encouraging firms to work together on its platform, supported by IT-focused working groups, talks and workshops at national and global conferences,” says CEO Samantha Louis. This provides an opportunity for IT and cybersecurity specialists in different firms and jurisdictions to bounce ideas off each other and share best practice.

Tom Gardner, IT Manager at UK Praxity member firm Rouse Partners, says sharing expertise was especially useful during the Covid-19 pandemic when he worked closely with a specialist from another firm. He says: “It was valuable to know the person I was talking to was addressing similar challenges to me and we were able to support one another.”

With cyber attacks expected to continue to rise, it is vital accounting firms are aware of the dangers and how best to respond. By working together, they can not only provide more protection for their employees, networks and systems, they can make their businesses – and their clients’ businesses – more resilient.