“The biggest threat to accountancy firms may not be the automation of the industry but the increasingly sophisticated cybercriminal – operating both internally and externally.”
That was the stark message from Andrew Fitzmaurice, Chief Executive of Templar Executives, who were voted best cyber security firm in the European CEO Awards 2016.
Describing the threat of cybercrime as “the elephant in the room”, Andrew told delegates that preventing attacks by cybercriminals should be seen as a business proposition, not just a security proposition. He said firms must understand the risks and threats, decide what matters and take action.
He cited a recent attack on telecoms firm Talk Talk which cost the company £42m and halved its profits. Almost one in 10 customers had their bank account numbers and sort codes hacked and the firm lost 95,000 customers.
A mid-life crisis could cost millions
The threat could be internal as well as external, the security expert told delegates. It is not unknown for a firm to pay someone to get a job in a rival firm to gain access, transfer information and then leave. Equally, a company could pay for an attack on a firm it wishes to buy to lower the share price in advance of the acquisition. Insiders exploit legitimate access to assets for unauthorised purposes. The majority of insiders are male employees on a full-time, permanent contract. The trigger could be something as personal as a mid-life crisis.
Employing someone to monitor security may not be enough, Andrew said. “Who watches the watchers? Who watches the system administrators?” He pointed out that late year there were five major attacks in the City of London and four were insiders.
Combating cybercrime
So what can firms do now to combat the threat of cybercrime? Firms need to set the tone from the top, with appropriate governance and a clear hierarchy for the management of information risk to ensure the development of a cyber aware culture.
Andrew urged firms to focus on:
1. People – with improved HR vetting/training, security culture and local accountability
2. Process – via governance, corporate policies, performance metrics and data management
3. Technology – to monitor and respond, assess risk and develop security standards
Even simple things like keeping systems up to date, using strong passwords and two-factor authentication can greatly increase security. At the very least firms should consider investing in a firewall and anti-virus software, and using virtual private networks to create a ‘tunnel’ between two points such as a head office and a branch, where data is encrypted and secure.
What are the threats?
Firms and individuals are vulnerable to cyber-attack in many ways including:
- Phishing – the attempt to obtain sensitive information such as usernames, passwords and credit card details for malicious reasons by masquerading as a trustworthy entity.
- Spear phishing – a highly personalised form of phishing which may include a holiday photo to convince the reader to click through.
- Vishing – when someone such as a PA is asked for personal details on the phone.
- The dark web – where people advertise services to ruin someone’s life.
- Legalised malware – such as mobile phone apps or games with complex terms and conditions which if accepted could provide access to hostile, intrusive or malicious software.
Award-winning chartered accountants offering tax, audit and advisory services.