Businesses must plan for potential cyber security breaches.
Key points
- Small to medium-sized accounting firms are vulnerable to cyber attacks.
- Common myths leave many firms exposed, resulting in poor incident response.
- Proactive planning and awareness can protect your business from costly attacks.
Despite 560,000 new cyber threats being discovered daily, with 81 per cent targeting small to medium-sized businesses, many accounting professionals still believe certain cybersecurity myths that leave them vulnerable.
We debunk five of the most common myths to help you better protect your firm and clients.
Myth 1. Only the big four accounting firms get hacked
You might be thinking that your business is not large enough to be hacked. However, size does not matter to hackers, who value sensitive information and data regardless of the size of the business.
Small to medium-sized businesses are at risk from all kinds of cyber incidents, from DDoS (distributed denial of service) attacks to phishing attacks. More modest firms are often more vulnerable because they lack the resources to invest in the high levels of security that larger firms can afford.
Experts advise preparing for a cyber breach, even if you think it’s unlikely to occur.
Ensure your finance, HR, IT and leadership teams know what kinds of threats the business is vulnerable to and how to spot unusual activity, and develop a response plan. Scenario planning is often much more impactful than a yearly PowerPoint presentation.
Myth 2. Silence is the best policy
Discovering a cyber breach can be overwhelming. As a service provider, you rely on the trust of your clients and it is tempting to fix things quietly. This isn’t just risky – it can also be illegal if the breach meets certain thresholds.
Paul Scott, Managing Director at Filestream Systems, cautions that staying silent is never the best approach.
“If someone has hacked you and you pay the ransom once, you are then a target for them returning and asking for more money,” he says.
“If you refuse, then they will release the information and also tell everyone that you have already paid a ransom, so you are now in breach of GDPR (General Data Protection Regulation) and your fine is going to be based on the first issue, as well as breaking the reporting rules.
“Your reputation will also be destroyed, as if you are willing to deceive in this way, what other ways are you breaking rules?”
Communicating clearly and swiftly with stakeholders is recommended, and you should prioritise who you speak to first, Scott advises.
Clients directly impacted should be top of your list, but it’s often best to wait for clarity as to what happened and who is impacted before notifying others (subject to legal considerations).
Myth 3. You can choose who to report the incident to
Prachi Vasisht, associate at law firm Taylor Wessing, says reporting requirements differ by jurisdiction. Firms may need to report a cyber incident to multiple authorities, particularly if they’re part of EU supply chains.
“The regulatory landscape within the European Union has developed significantly, and financial institutions might be subject to new reporting requirements,” she says.
“Under the EU’s Digital Operational Resilience Act (DORA), major ICT-related incidents must be reported to the relevant national competent authority. The Network and Information Systems Directive (NIS2) also contains a framework for incident reporting requirements.”
Closer to home, Ms Vasisht expects UK cyber regulations to follow the EU.
“This is likely to update the current UK NIS Regulations in a similar way to NIS2’s updates on the original NIS Directive, and will likely create enhanced reporting obligations to relevant UK-based authorities,” she says.
Richard Breavington, partner at law firm RPC, agrees that notification to regulators will depend on local laws and the circumstances of the incident.
“Post-Brexit, the UK ICO cannot be a lead supervisory authority for the purposes of the European GDPR. Depending on the particular circumstances, notification to European regulators might be needed if European data subjects are affected,” he says.
Myth 4. We back up our data, so we’re less at risk
Even with robust data storage, the information you hold is still valuable to hackers. Advanced disaster recovery solutions might reduce downtime, but you’re still vulnerable to data extortion.
In fact, Veeam research shows cyber criminals often also attack backup repositories, with 75 per cent of victims losing some of their backed-up data.
Hackers could still threaten to release stolen data online if you fail to pay their ransom.
Investing in robust cybersecurity from the outset is your best defence, including specialist software, staff training, access controls, system updates, password managers and multi-factor authentication.
Myth 5. Cybersecurity is ‘set and forget’
Relying on your IT team to implement a set of security measures once isn’t enough in today’s digital world.
Not only are you obligated to regularly review, audit, and update your data practices under the GDPR, but fostering a cybersecurity culture could help avoid costly attacks. Medium-sized businesses face an average cost of £10,830 to remedy an attack.
Vigilance at every level is required, from finance teams following communication policies to assessing supply chain security and revising your cyber roadmap every six months.
The IFA international conference online 2024 will explore AI on 7 November.