Accounting firms are time poor and prime targets for the cybercriminal, because your clients trust you with the most sensitive of information and often, not enough time can be spared to focus on cybersecurity. Let’s change that and focus on getting the basics right. Let’s get cyber fit with five quick questions:

1. Have you conducted a cyber risk assessment? Reviewing business cyber risk is a must. You can use any number of frameworks from the gold standard, National Institute of Standards and Technology (NIST) to the Australian Cyber Security Centre’s Essential 8. Once you have identified your vulnerabilities and gaps you can make incremental and affordable changes suited to your workload and budget.

Hint: Sometimes it’s hard to know where to start. If you’re stuck, check out BCyber’s complimentary health check, it provides a quick snapshot referencing both NIST and the Essential 8 framework.

2. Do you have an asset register? You need to focus on your cyber assets, not your accounting one’s here – to understand your attack surface (ie where the cybercriminal can potentially get in) cyber asset management focuses on tracking all “devices” interacting with your business and the internet. The better ones include virtual assets e.g. software licenses.

Hint: This is not something that your outsourced IT provider usually has handy, you’ll need to pull this one together. Just start with a list which records all technology assets and their basic details e.g. device type, brand, model, serial number, software licenses, IP address, warranty details, responsible staff member, last patch update, purchase and life expectancy dates etc. If it interacts with the internet, include it. It’s not just laptops and PCs, but also (potentially) printers, photocopiers, servers, business mobile phones, etc.

3. Do you have a cyber aware culture? The aim isn’t to create cybers experts but ensure that everyone, no matter their role, understands what a cyber threat looks like, your policies and procedures for dealing with it. It shouldn’t matter if the attack is Phishing (an email scam), Smishing (an SMS scam) or Vishing (a phone scam), regular training supported by strong policies and practices will help build muscle memory and decrease the likelihood of the staff clicking on a bad link, unwittingly disclosing client PII or paying real invoices into the cybercriminal accounts.

Handy Hint: Staff education and awareness isn’t a “tick the box” or a one off “lunch and learn”. Regular education exercises need to be supported by policies and procedures that have been practiced and discussed. Keep cybersecurity top of mind by encouraging conversations about it at team meetings and/or alert staff (and clients) about major breaches, such as those involving social media platforms so they can update security controls and passwords – the recent LinkedIn breach comes to mind. Done right you can turn it into a positive relationship building exercise with staff and clients.

4. Does your firm have great Password hygiene? Does everyone know and follow your password policy? Tweaking the minimum number of random characters, symbols and letter cases from 12 to 16 exponentially increases the time it takes to break a password. Do staff reuse passwords or use information that can be found on social media? Social media is a great source of information. A quick reminder of password basics at the next team meeting combined with a good mandated password manager will help set you on the right path.

Handy hint: Never share passwords, it’s a dangerous and false economy. If something goes wrong and the entire office is using the same access, there is no way to workout the source. The bigger issue is the “legality” of such actions under the Terms and Conditions of your software license contract, not to mention the potential impact on a cyber insurance claim.

5. Do you know if your website is secure? Website vulnerabilities are generally forgotten but an estimated 50,000 websites are attacked daily – usually by an automated tool (aka a bot) that crawls the web looking for sites with known vulnerabilities. Website access means cybercriminals can alter your content, redirect traffic, plant malware and steal data, to name but a few nefarious objectives. Don’t think it’s a problem? A British Airways website 2018 breach recently resulted in a settled class action.

Handy Hint: A few small investments can result in some big changes:

• Update as soon as one becomes available – don’t have fixable issues on your site
• A Secure Sockets Layer (SSL)/ Transport Layer Security (TSL) certification – can boost your Search Engine Optimisation (SEO) rankings and you ensure any data your visitors send to your site uses an encrypted channel
• Install paid (inexpensive) web security tools eg Plugins and Web Application Firewalls (WAFs)

How did you go?

Final Hint: Anything less than five “yes’s” means you need to “hit the cyber gym”:

Need more cyber risk mitigation assistance from people you understand accountants, then visit the BCyber website or drop us a line at [email protected].

As a special offer to Smithink readers, Karen is happy to offer you a one-off website security report (inc SEO) accompanied by a 30min explanation meeting for the first 20 businesses who request it – it will help you understand your current level of website security, key to keeping your business secure especially as the brute-force attacks on websites have been phenomenal of late. If this is of interest to you email Karen at [email protected].