Better training could fix accountancy firms’ cybersecurity blind spot

By Nicola Hartland, Senior VP Falanx Cyber

It is no secret that any disruption to an accountant’s operations is going to be damaging – both reputationally and financially. Indeed, accountancy firms’ diligence on clients’ financial affairs, and managing any risks associated with a client’s business, is central to their value. But while they tend to manage traditional risks very well, accountancy practices have developed a blind spot when it comes to cyber security protection.

It is no longer enough to rely on the IT department and a firewall: Firms need to provide their staff with proper cyber security training before it is too late.

Why are accountancy firms a target in the first place? Well, cyber criminals want the financial data they hold. Tax IDs, bank account details, payroll data and employees’ personal details – everything you would not want to fall into the wrong hands. 

Almost one in three businesses experience breaches or cyber-attacks at least once a week, according to a recent UK government report. They can be devastating: Look no further than the infamous Deloitte attack in 2017 that compromised the confidential information of some of the firm’s blue-chip clients, and more recently the 2022 breach of UK-based SJD Accountancy and Nixon Williams.

Compounding the issue is that an accountancy firm may feel coerced into paying the criminals for the return of such sensitive information, due to fear they may not recover from an attack. And stringent breach detection and reporting protocols under GDPR and other regulations present a legal minefield, especially for smaller firms. 

Only 17 per cent of businesses conduct cyber security training, according to the UK government’s 2022 breach survey. Many businesses are still not taking the risks seriously. The industry’s tendency to protect billable hours rather than take the time for comprehensive cyber training needs to be re-evaluated.

This is creating a major cyber blind spot: Despite advances in criminals’ techniques, simple human error is still responsible for 88% of cyber-attacks succeeding. No one is immune: it only takes one successful phishing attack, perhaps an employee clicking a link in an unexpected email, to leave a firm’s entire systems inoperable.

People need the right training, even in an industry where billable hours are sacrosanct. Near-daily reports of household-name companies being subject to cyber breaches should be evidence that relying on tech alone is not always enough.

Firms should take a bigger-picture approach, marrying rigorous IT infrastructure with high-quality human training. Robust training is the only way to truly mitigate against a worst-case scenario.

Training empowers the team to become a company’s strongest line of internal defence, identifying and avoiding threats in real time and providing valuable feedback on a firm’s online security processes.

With the introduction of increased threats and regulatory reforms, it’s imperative to educate staff on cybersecurity across social engineering, phishing, password protection and breaches, on how to react to a range of potential attacks, and on how to correctly handle third parties’ sensitive information.

Training should be tailored to a company’s specific needs. It should also be gripping. What about including scenarios from an ethical hacker, on how to prevent someone from breaking into a company dressed as an electrician and gaining access to their IT system?

Accountancy practices need to step up their cyber training before they become the latest statistic in the growing trend of cyberattacks. The UK government has warned companies to invest in more robust cyber security as UK businesses are among those worst hit financially by cyber-attacks, costing a median of £45,000 in 2020. 

To protect their people, profit, and brand reputation, businesses must ensure that they are giving themselves every defence against these unseen and often untraceable criminals.
