For those who may not be aware, there is a government-backed standard for cyber security called Cyber Essentials. It is, in simple terms, a way for businesses to demonstrate a responsible approach to cyber security, protecting both themselves and their clients.
Cyber security is something we all need to take seriously: currently around half of UK companies are likely to experience some kind of breach. Should this happen, the cost (both financial and reputational) can be severe. Following the Cyber Essentials security guidelines and taking appropriate steps can help reduce these risks by up to 80%.
Why focus on accountants?
All businesses should be security conscious, but accountants hold a large amount of personal and sensitive data, for both businesses and individuals. Accountants are also required to collect client ID evidence (used to verify account holders and to protect against money laundering), a would-be hacker’s dream.
Accountants often include payroll and bank account management in their services, for which clients grant them full access. A cyber attack could therefore result in transfers being made to a rogue bank account and potentially large sums of money being lost.
So it’s not hard to see how a security breach could be a big problem, not just for the business itself, but also for the clients on their books. A breach would have a domino effect, compromising the data of any individual or business they held information for.
How can I reassure my clients?
Cyber Essentials offers two levels of certification and is recommended by the ICAEW (Institute of Chartered Accountants in England and Wales). The first stage is an initial assessment covering the five key areas of security:
- Firewalls and Internet gateway
- Secure configuration
- Access control
- Malware protection
- Patch management
This can be carried out as a self-assessment, but we would advise that anyone appointed to do this has a good technical understanding and knowledge of the scheme. If you are an accountancy firm with mostly private clients, this may well be enough to reassure them, and to give you a competitive edge over businesses that are not Cyber Essentials certified.
What if we have commercial clients?
As the basic level of certification can be achieved via self-assessment, this may not be enough to reassure commercial clients. The second level, Cyber Essentials Plus, requires independent testing to ensure that suitable security measures are in place and are fully functional.
Whichever level you are aiming for, the process begins with assessment for the standard Cyber Essentials. It may well be worth getting help through even the initial stage, as it can be hard to pick up on issues with an untrained eye.
What are the benefits of Cyber Essentials?
Unlike recent changes to data legislation (GDPR), which felt like a rather paperwork-heavy compliance task, Cyber Essentials is a far more approachable scheme. It offers practical advice on how to guard against the most common security threats, in language we can all understand.
The scheme is designed to be pretty straightforward, at least in the initial stages. The time it will take to become certified will depend on the size and scale of your business, and of course, the knowledge you have around cyber security.