A recent conversation with cybersecurity expert Francis West prompted me to interview him about the risks of cybercrime affecting accountants in practice.
Francis has been involved in the technology sector for over thirty years, for the last 10 years running Westtek Solutions, providing IT support to a range of sectors including finance, recruitment and legal.
When I caught up with him I wanted to discuss the current cyber landscape and how recent developments are affecting the accountancy sector.
ML: Francis, I am especially keen to get your views on cybercrime as in how it could affect accountants in practice. You’ve said cybercrime is an industry. What do you mean?
FW: In the old days, cybercrime was largely the realm of errant teenagers sitting in their bedrooms hacking into private, corporate or institutional servers for fun, just to see if they could do it.
These days, cybercrime is far more organised. The Dark Web is thriving and one of the key items for sale is people’s personal data. Once hackers know your details and know which breach yielded those details, it leaves you far more likely to be targeted.
ML: Why should Accountants worry about this?
FW: Because Accountants have access to all the juicy information on their clients and hackers know it. Names, addresses, bank account details, passwords to access bank accounts, credit card information, payroll information – the list just goes on. They are a very attractive source for a wealth of lucrative data.
ML: Can you give us an example of how that works?
FW: Sure! Most of us know Equifax suffered a major breach in 2017 in which hackers stole personal information including email addresses and passwords. Equifax announced they would be paying victims $125 each as part of their compensation.
Hackers know the email addresses of the victims, they know the details were sourced through Equifax, so they’re sending these people emails purporting to be from Equifax and containing a link where victims can claim their compensation.
The link takes victims to a spoof site – it looks like Equifax, but it isn’t. The page invites the victim to enter their name, email and bank details “so the compensation can be transferred” – but the only transfer is out!
ML: So, if an Accountancy firm was breached, what would be the impact?
FW: First, the clients of that company would need to be informed their details had been compromised so they can start changing passwords and access codes to prevent hackers from acting on that information.
This would be labour intensive, resulting in a lot of downtime. You can guarantee your clients will not be happy. Also, the ICO would have to be informed and they would conduct an investigation.
If the Accountancy firm is found not to have taken appropriate security measures to protect the data, the ICO have the power to issue fines. In theory these could be up to €20 million or 4% of total worldwide annual turnover. Even if the fines they levy on ‘naughty’ accountancy firms are much lower than this, such fines could still be enough to cause a big dent in profits or even to put a firm out of business.
ML: And that’s not all that would happen, is it?
FW: You’re right. There’s the loss of confidence factor too.
People trust their Accountants with vital information and hold accountants in high esteem but in the event of a breach, all of that is lost. This is all assuming all that’s happened is the data has been copied and stolen.
ML: Why? What else could happen?
FW: We call them ‘ransomware attacks’. It’s sadly a common occurrence where the hacker encrypts all of the data – in this case all the data held by the accountancy firm. So not only is the data compromised but the accountant won’t be able to access any of their client data.
All of the contact information, everything, may be gone, and no guarantee you’ll get it back even if you do pay the ransom. Then you’d have to find a way of contacting your clients and telling them the situation. Very embarrassing! Imagine having to tell your clients that you can’t process their accounts or give them up-to-date information. Clients won’t be forgiving and many will probably not give you a second chance.
ML: Have you seen that happen?
FW: Absolutely. Once a firm has been hacked, customers lose confidence and take their business elsewhere. So, it’s a double whammy for the business: first, you get hit by the ICO with big fines, and then, you lose your customers. Not many firms can survive that. Would you stay with an Accountant who hasn’t bothered to take care of your most sensitive information? Not only that, selling a business, once it’s been compromised, becomes infinitely harder.
ML: What measures can Accountants take to protect themselves?
FW: You need multiple levels of security. AntiVirus alone, sadly, is no longer sufficient protection. AntiVirus will protect you from known threats, but it won’t protect you from the unknown. Often now, hackers execute malware-less attacks, so they don’t actually download code onto your system – that’s what AntiVirus looks for. Instead, hackers hijack embedded programmes and command them to start sending data to outside of the network. There are now security measures you can install that specifically monitor for unusual behaviour rather than code. There is still a place for AntiVirus, but pick a good one, not a free one!
ML: And finally, Francis, what are your top 5 tips for Accountants so they can keep their data and their businesses safe?
FW: First – layer your security: multifactor authentication, antivirus, behaviour monitoring programme, and an email encryption service.
Second – never log on to a public WiFi or allow anyone to log on to your WiFi at work.
Third – don’t allow web browsers to save passwords. Use a password manager such as RoboForm or 1Password so you don’t have to remember hundreds of passwords either!
Fourth – have a robust back-up and recovery procedure in place so in the event you are locked out of your system or you suffer a data breach, you can get back up and running quickly with minimal disruption.
Lastly, on-going training to keep cyberattack at the forefront of your staff’s consciousness. You can have the best security measures in the world in place but all it takes is that one click on the wrong link and the whole deck of cards comes tumbling down.
ML: Many thanks Francis. If any of my readers want to get in touch to find out more, how can they best do this?
FW: I’d be very happy to talk with them. I can be reached through the office on 020 3195 0555, by email at Francis.W@westtek.co.uk or through LinkedIn.
HMRC has produced a list of 50 questions to ask your IT provider.