Tax & Accounting Blog

How to create a cyber-security conscious firm

Accountancy Practices, Business Practices, Data Security April 9, 2019

Ever wondered how to create a cyber-security conscious firm? Most of us are aware of the dangers associated with a lack of awareness around cybersecurity. We’re constantly being tested by cyber criminals who use increasingly sophisticated methods to access our data. As soon as we learn to recognise one malicious technique, they find new methods that exploit our habitual assumptions. As accountants, you hold incredibly valuable personal data in your systems. The Cyber Security Breaches Survey 2017 (published in a joint report by the Department for Digital, Culture, Media & Sport and the National Cyber Security Centre) identified companies holding personal data as more likely to be targeted than those that do not (51 percent compared to 37 percent). This puts accountancy practices firmly in the target zone for cyber-criminals. The most common attacks took the form of fraudulent emails, followed by viruses and malware.

What can your practice do?

Staff can be intimidated by the term “cybersecurity”, so familiarising your team with the terminology will help individuals embrace the challenge. Many accountants I’ve spoken to are concerned about raising the topic – many don’t feel they have enough knowledge to talk about it with confidence. I don’t believe avoidance is a good strategy; ignoring the problem won’t make it go away. In fact, it reminds me of a phrase my dad used to use: “Don’t look at the frog too long before you kiss it”. In other words, if you have something to do, just do it. “Cyber security” therefore needs to become a term used in everyday conversation. The taboos need to be broken down, and the topic needs to be part of your firm’s everyday vocabulary.

Here are five top tips to create a culture of cyber-security:

1. Provide clear instructions

Explain the habits you’d like your team to adopt when thinking about cybersecurity. If you don’t give explicit instructions, such as not to download a file or click on a link from an unknown sender, then you’ll have a greater chance of a breach in your firm. Make sure your guidelines are clear and concise. Try not to use jargon, and remove ambiguity wherever possible. Providing in-depth training for new staff and regular refresher training is one way of providing clear instructions.

2. Discuss it regularly at team meetings and meetings with your bosses

Providing clear instructions on best practice is only the start; education doesn’t stop there. The more you discuss threats associated with cyber security, the greater your team’s awareness and the likelier they are to recognise a potential attack. The more stories your team can share about things they’ve read and seen, the greater the engagement levels across the firm. You’ll be surprised how quickly this becomes a talking point with customers too.

3. Have open and honest conversations

Everyone is a potential target, and nobody is infallible. Accidents happen, and if they do, business owners need to know about them as soon as possible. The more time that passes after malware is downloaded, the greater the potential damage. Avoid cultivating a blame culture: encourage your team to report anything suspicious, however small. Staff should feel comfortable speaking up if they think they may have downloaded something they shouldn’t have.

4. Password complexity and reset frequency

I know, everyone hates creating and remembering passwords. But this is a key weapon in your defence arsenal. Make sure you have clear guidelines on the frequency and complexity of passwords. If you can enforce regular password resets on your IT systems, it is well worth considering.

5. Training

There are several low-cost or no-cost online training tools for you and your staff. I’d recommend finding a good course on phishing. Phishing uses email to try to obtain sensitive information. Phishing emails can look incredibly real; sometimes even experts find it hard to tell the difference between a genuine and a fraudulent email.

My recommendation is to maintain conversation and training around this topic so that it becomes part of your firm’s culture. By protecting your firm from a data breach, you’re doing your best to help protect your clients against fraud. Thomson Reuters Onvio offers secure online file storage and client portal software for accountants. Benefit from a more streamlined process for client communication, easily share files and documents with your clients online, and gain online approval from clients with e-signing.

For more tips on cyber-security, see how Lucy Cohen and Olly Evans approach risk management within their successful accountancy firms.