If a cybercriminal infiltrated your firm, would you know?
As cybercrime continues to grow worldwide, security expert Andrew Fitzmaurice, has urged firms to take steps now to avoid costly attacks in future.
By Ian Lavis, Praxity
The biggest threat to accountancy firms may not be the automation of the industry but the increasingly sophisticated cybercriminal – operating both internally and externally.
That was the stark message to delegates at the annual global conference of Praxity, the world's largest alliance of independent accounting and consulting firms, in Scotland recently. It was delivered by Andrew Fitzmaurice, Chief Executive of Templar Executives, voted best cyber security firm in the European CEO Awards 2016.
Describing the threat of cybercrime as "the elephant in the room", Andrew told delegates that preventing attacks by cybercriminals should be seen as a business proposition, not just a security proposition. He said firms must understand the risks and threats, decide what matters and take action.
He cited a recent attack on telecoms firm Talk Talk which cost the company £42m and halved its profits. Almost one in 10 customers had their bank account numbers and sort codes hacked and the firm lost 95,000 customers.
A mid-life crisis could cost millions
The threat could be internal as well as external, the security expert told delegates. It is not unknown for a firm to pay someone to get a job in a rival firm to gain access, transfer information and then leave. Equally, a company could pay for an attack on a firm it wishes to buy to lower the share price in advance of the acquisition. Insiders exploit legitimate access to assets for unauthorised purposes. The majority of insiders are male employees on a full-time, permanent contract. The trigger could be something as personal as a mid-life crisis.
Employing someone to monitorsecurity may not be enough, Andrew said. "Who watches the watchers? Who watches the system administrators?" He pointed out that late year there were five major attacks in the City of London and four were insiders.
So what can firms do now to combat the threat of cybercrime? Firms need to set the tone from the top, with appropriate governance and a clear hierarchy for the management of information risk to ensure the development of a cyber aware culture.
Andrew urged firms to focus on:
- People – with improved HR vetting/training, security culture andlocal accountability
- Process – via governance, corporate policies, performance metrics and data management
- Technology – to monitor and respond, assess risk and develop security standards
Even simple things like keeping systems up to date, using strong passwords and two-factor authentication can greatly increase security. At the very least firms should consider investing in a firewall and anti-virus software, and using virtual private networks to create a 'tunnel' between two pointssuch as a head office and a branch, where data is encrypted and secure.
Carol Wright, Business Growth Specialist at Praxity participant firm Springfords in Edinburgh, said firms need to address the cyber security issue internally as well as advising clients. "Twoof our clients have lost five figure sums over the last year as a result of phishing attacks. We are advising our clients to protect themselves and to take out cyber security insurance."
To help get the message across, Springfords has been organising a series of cyber security seminars for clients and staff alike, as well as taking action to improve security including data encryption for laptops and encouraging staff to regularly change passwords.
Carol added: "Obviously having a well maintained, up to date and secure IT system is important along with robust internal procedures but, at the end of the day,it is our people who represent our first defence against cybercrime. Not only is it important that we train our staff to be alert to the methods external cyber criminals use, we need to ensure we have a happy and well managed workforce to avoid internal attacks by disgruntled employees. It's also important that we take out additional insurance to protect ourselves against potential financial and reputational losses from cyber attacks."
What are the threats?
Firms and individuals are vulnerable to cyber-attack in many ways including:
- Phishing – the attempt to obtain sensitive information such as usernames, passwords and credit card details for malicious reasons by masquerading as a trustworthy entity.
- Spear phishing – a highly personalised form of phishing which may include a holiday photo to convince the reader to click through.
- Vishing – when someone such as a PA is asked for personal details on the phone.
- The dark web – where people advertise services to ruin someone's life.
- Legalised malware such as mobile phone apps or games with complex terms and conditions which if accepted could provide access to hostile, intrusive or malicious software.