"Accountants are well placed to advise on the steps a business should take to protect itself – cyber security isn't just about technology and computers: it involves people, information, systems, processes, and culture too"
John Berriman – PwC
Almost every week, another high-profile cyber security breach affecting firms around the world is reported. And the number of incidents is rising: according to a recent global survey performed by PwC, the number of attacks reported by midsize businesses – those with revenues of between £64.5 million ($100 million) and £645.6 million ($1 billion) – increased by 64 percent in 2014 compared to 2013.
These attacks cost a lot of money. According to PwC, a single data breach costs US businesses more than $500,000 on average. According to John Berriman, chairman of PwC's cyber security practice, "the average cost of the most severe cyber security breach for a big organization now starts at £1.46 million, although that figure doesn't take into account the impact a breach has on an organization's reputation and relationship with its stakeholders."
According to PwC research for the UK's Department for Business, Innovation, and Skills, smaller businesses are just as likely to be harmed, with the cost of a serious breach ranging from £65,000 to £115,000 in the UK.
Cybercriminals are particularly interested in accountants and other financial institutions. Financial institutions, according to PwC, are almost 30% more likely to be targeted than other businesses.
'It's because they deal with high-value business data and sensitive financial information on a regular basis,' Frank Morey, CEO of security company Virtues Risk Management, explains. 'There have been a series of targeted attacks against the industry, the most recent of which was the Morgan Stanley breach, which exposed the personal information of 900 of its high-net-worth clients online.'
Earlier this year, Kaspersky Lab, a Russian security firm, reported the largest organized cyber-attack on financial institutions to date. A global gang of hackers broke into more than 100 banks and other financial institutions in 30 countries, stealing £645.6 million ($1 billion) in total from the banks rather than their clients.
Accountants, both in practice and in industry, must be able to recognize and respond to cyber security threats, rather than ignoring the matter in the mistaken belief that cyber security is the realm of their IT departments or that their company's software will protect them from intrusions.
'While products like SAP and Oracle have built-in cyber security features that can reduce the risk of data breaches, it's still critical that you remain vigilant in your daily job,' says Phil Sheridan, managing director of Robert Half UK.
'Hacking and phishing assaults are frequently launched by an employee clicking on a link in an email,' explains Matt White, senior manager in KPMG's cyber security division.
Another typical way for malware to enter an organization is through the opening of suspicious email attachments. 'Word, Excel, and PDF documents all make it simple to embed harmful code that can subsequently be abused,' explains Greg Sim, CEO of security technology firm Glasswall Solutions.
In fact, while cyber-attacks are becoming more sophisticated, lax security knowledge among personnel is the leading cause of security breaches. One example is bad password behavior. According to Medium, a password management company, 90 percent of employee passwords are so predictable that they can be broken in six hours. Furthermore, 18% of employees disclose their passwords to coworkers.
Many employees have their work emails redirected to their personal email accounts. However, because personal email services do not have the same security protections as corporate email services, hackers frequently hunt for corporate data through personal email, which is easily available to them.
While no company is immune to cyber-attacks, there is a lot that can be done to prevent them.
'Anything linked to the storage or transfer of data - how it is safeguarded and accessible, or how it is prevented from being accessed,' explains White. 'Different nations have different policies and laws about how information and data are used, with many "internet-related services" crossing several borders, so it's not that clear,' he adds.
Accountants can assist their clients in this area.
'Accountants are ideally placed to advise on the steps a firm should take to defend itself - cyber security is about people, information, systems, procedures, and culture as well,' adds Berriman.
PwC is attempting to raise awareness and prepare businesses.
'For example, our Breach Aid event response service assists organizations in preparing for and responding to large incidents, as well as the legal and regulatory consequences of a breach,' Berriman notes. 'We can also monitor, analyse, and respond to threats on our clients' networks and systems thanks to our London-based cyber security labs.'
Accountants can also take steps to protect themselves and their firms.
'To be prepared for a wide range of risks, accountants must understand their firm's IT security policies, including policies and processes for ensuring safe online practices, as well as procedures for reporting and dealing with breaches,' Brown writes.
'Accountants may also require additional cyber awareness training. As with most things, prevention is far preferable to cure.'
HMA Chartered Accountants
Office 1106, Burlington Tower, Business Bay, Dubai, UAE