With the risk of cyber-attacks growing, ensure you have a robust plan in place to minimise any business interruption and reputational damage.
Recent incidents point to accountants facing an increasing risk of their IT systems being hacked. Deloitte was recently the target of an attack that compromised the emails and plans of some of the firm’s blue-chip clients. So far, six of Deloitte’s clients have been informed that their information was compromised, but an internal review is ongoing.
Lines of defence
Accountants’ sensitive data makes them a prime target for hackers looking for data they can then monetise. Firms should split their cyber defences against such attacks between:
post-breach damage/crisis management.
To optimise your cyber risk management, it is vital to run the latest versions of software, in particular browsers and operating systems, and keep them up to date. This can be achieved by taking the following simple steps:
Identify all the software used on your systems – it’s easy to focus on Microsoft, but Adobe, Apache and so on must also be considered.
Monitor the release of new patches from vendors (specifically security patches, rather than feature patches) and apply them as soon as feasible. The software vendor will often assign a criticality that will help you identify the severity of the issue.
Deploy vulnerability scanning to ensure the patches have actually been installed.
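The three steps above (inventory the software, track vendor security patches and their criticality, verify they are actually installed) can be expressed as one simple compliance check. The following Python script is an added example and not part of the original article or any Lockton tooling; the host inventory, product names and advisory identifiers (`EXAMPLE-ADV-…`) are constructed for illustration and do not refer to real advisories.

```python
"""Patch-compliance check: compare a software inventory against vendor
security advisories and report what is still outstanding, worst first.

All data below is constructed for illustration (no real hosts or advisories).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ranking used to order outstanding work: higher number = more urgent.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    severity: str        # criticality assigned by the vendor
    advisory_id: str
    kind: str            # "security" or "feature"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.41' into (2, 4, 41) so versions compare numerically.
    Comparing as strings would wrongly rank '2.4.9' above '2.4.41'."""
    return tuple(int(p) for p in v.split("."))


def is_patched(installed: str, fixed_version: str) -> bool:
    """True when the installed version already contains the fix."""
    return parse_version(installed) >= parse_version(fixed_version)


def outstanding_patches(inventory: Dict[str, Dict[str, str]],
                        advisories: List[Advisory]) -> List[dict]:
    """Return one finding per (host, advisory) where a *security* advisory
    applies to a product on that host and the fix is not yet installed.
    Findings are sorted most severe first, then by host name."""
    findings = []
    for host, products in inventory.items():
        for adv in advisories:
            if adv.kind != "security":
                continue                      # feature releases are not in scope
            installed = products.get(adv.product)
            if installed is None:
                continue                      # product not present on this host
            if not is_patched(installed, adv.fixed_version):
                findings.append({
                    "host": host,
                    "product": adv.product,
                    "installed": installed,
                    "fixed_version": adv.fixed_version,
                    "severity": adv.severity,
                    "advisory_id": adv.advisory_id,
                })
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"]))
    return findings


# Constructed inventory: host -> {product: installed version}.
# Note the non-Microsoft products; the article's point is that they count too.
INVENTORY = {
    "ws-01": {"browser": "117.0.1", "office-suite": "16.0.3", "pdf-reader": "23.1.0"},
    "web-01": {"httpd": "2.4.41", "openssl": "3.0.8"},
}

# Constructed advisory feed with placeholder identifiers.
ADVISORIES = [
    Advisory("httpd", "2.4.50", "critical", "EXAMPLE-ADV-001", "security"),
    Advisory("pdf-reader", "23.2.0", "high", "EXAMPLE-ADV-002", "security"),
    Advisory("browser", "117.0.1", "medium", "EXAMPLE-ADV-003", "security"),  # already applied
    Advisory("office-suite", "16.1.0", "low", "EXAMPLE-ADV-004", "feature"),   # feature, ignored
    Advisory("openssl", "3.0.10", "high", "EXAMPLE-ADV-005", "security"),
]


if __name__ == "__main__":
    for f in outstanding_patches(INVENTORY, ADVISORIES):
        print(f"{f['severity']:<8} {f['host']:<7} {f['product']:<12} "
              f"{f['installed']} -> {f['fixed_version']}  ({f['advisory_id']})")
```

In practice the inventory would come from an asset or endpoint-management system and the advisory list from vendor feeds; the point of the final step in the article is exactly that the report is produced from what is observed on the hosts, not from what the patching schedule says should have happened.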
It’s also important to train your staff to recognise the warning signs and avoid falling victim to social engineering and other common cyber-criminal tactics. The following practices may help you to reduce security breaches that relate to human behaviour:
create a security policy that clearly outlines your company’s rules regulating the handling of data access and passwords, use of security and monitoring software and so on
make your employees aware of risks that their actions can pose to your company’s security, and educate them on how to best handle work in a secure manner
apply the principle of least privilege. Deny all data access by default and allow it whenever needed on a case-by-case basis.
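The least-privilege rule in the last item (deny by default, allow case by case) is easiest to enforce when the case-by-case allowances are explicit and expire. The following Python class is an added example, not code from the article; its policy model (standing grants plus time-limited exceptions, with every denial logged) is an assumption made for illustration, and the user and resource names are constructed.

```python
"""Default-deny data access with explicit, optionally time-limited grants.

Assumed model (illustrative only): a request (user, resource, action) is
allowed only if a matching grant exists and has not expired. Everything
else is denied and recorded, which gives a review trail for access requests.
"""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional


class Grant(NamedTuple):
    user: str
    resource: str
    action: str                   # e.g. "read" or "write"
    expires: Optional[datetime]   # None = standing grant


class AccessPolicy:
    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self.denied_log: List[str] = []   # one line per denied request

    def grant(self, user: str, resource: str, action: str, *,
              hours: Optional[float] = None,
              now: Optional[datetime] = None) -> None:
        """Allow one (user, resource, action). With `hours` set the grant is a
        case-by-case exception that lapses automatically."""
        now = now or datetime.now(timezone.utc)
        expires = now + timedelta(hours=hours) if hours is not None else None
        self._grants.append(Grant(user, resource, action, expires))

    def is_allowed(self, user: str, resource: str, action: str,
                   now: Optional[datetime] = None) -> bool:
        """Default deny: return True only for a live, exact-match grant."""
        now = now or datetime.now(timezone.utc)
        for g in self._grants:
            if (g.user, g.resource, g.action) == (user, resource, action):
                if g.expires is None or now < g.expires:
                    return True
        self.denied_log.append(f"{now.isoformat()} DENY {user} {action} {resource}")
        return False


def demo() -> List[str]:
    """Constructed scenario: a standing grant, a four-hour exception, and
    requests that fall outside both. Returns the denial log."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy()
    policy.grant("alice", "client-ledger", "read", now=t0)            # standing
    policy.grant("bob", "client-ledger", "read", hours=4, now=t0)     # case by case
    policy.is_allowed("alice", "client-ledger", "read", now=t0)       # allowed
    policy.is_allowed("alice", "client-ledger", "write", now=t0)      # denied: no write grant
    policy.is_allowed("bob", "client-ledger", "read", now=t0 + timedelta(hours=1))  # allowed
    policy.is_allowed("bob", "client-ledger", "read", now=t0 + timedelta(hours=5))  # denied: expired
    policy.is_allowed("carol", "client-ledger", "read", now=t0)       # denied: never granted
    return policy.denied_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because a denied request costs nothing but a log line, staff who genuinely need access ask for a grant rather than inheriting it; the log of denials is also a useful place to look for unexpected access attempts.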
Speed and accuracy
If you do incur a cyber breach, the speed and accuracy of your response can make all the difference.
The more planning your company does before a breach, the better your chances of minimising the business interruption and reputational damage that can ensue. Ensure any PR and comms resource you have plays an integral part in the pre-breach planning process.
Following a breach, a company invariably feels a tension between the need to communicate with customers quickly and the need to communicate accurately. To optimise the chances of striking the right balance, it’s vital for a company to involve a range of stakeholders in the pre-breach planning stages. (See ‘Cyber breach planning: building your A-team’ for more analysis of this matter.)
This should ensure that the timing and extent of your comms to third parties is a business decision that has factored in the various implications, and not just those of one or two divisions.
Typically you can retain customers’ business if they feel that you have communicated the cause and effects of the breach to them quickly, accurately and openly, and have put them first throughout the process.
Lockton has produced six posters which can be distributed within your practice or to clients to help raise awareness of various risks.