Top 5 cyber mistakes in accountancy and how to stay resilient in 2023

Accountancy practices process and hold some of our most confidential data, in the form of our personal or business accounts. This information can include employee personally identifiable information (PII), such as full name, address, email, National Insurance number and mobile number.

If an attacker were able to breach an accountancy practice, they would find a treasure trove of information they could use to target specific individuals, and with that insider knowledge make the attack more likely to succeed.

A number of trends, such as remote and hybrid working, and risks from third parties and other organisations, continue to be prominent across the industry. Firms of all sizes must therefore remain vigilant and ensure that they are not putting their clients in jeopardy.

Implementing the following processes will help keep danger at bay. 

Payroll and payslips

One of the most common mistakes accountancy practices make is to email clients their payslips without any form of protection on the data. Email, unless encrypted, should not be thought of as a secure communication method. You may think you have sent the information to the right person, but how do you know their email account has not been compromised, so that you are in fact sending PII to the attacker?

A simple and effective method of protecting payslips and payroll data is document protection, normally a password that only you and the client know. When choosing a password, do not use the client's date of birth or National Insurance number: an attacker can gather this information easily with a little research.

Another option is a secure file transfer or file share for each client, protected by multifactor authentication. A number of products offer this service, in some cases free of charge.
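The two password points above (a per-client password, and one not built from the client's date of birth or National Insurance number) can be enforced rather than left to habit. The following is an added example, not code from the article or from CSA: it generates a random document password and rejects any candidate that contains a detail an attacker could research. The client record, the fragment list and the 12-character minimum are assumptions for the example.

```python
"""Added example: generate a document-protection password for a client and
reject passwords built from details an attacker could research."""
import re
import secrets
import string
from datetime import date

# Alphabet for generated passwords; visually ambiguous characters are removed so the
# password can be read out to the client over the phone without confusion
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
MIN_LENGTH = 12  # assumption: the practice's minimum for document passwords


def generate_document_password(length: int = 16) -> str:
    """Return a random password for protecting a payslip or payroll export."""
    if length < MIN_LENGTH:
        raise ValueError(f"document passwords should be at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _normalise(value: str) -> str:
    """Lower-case and drop separators so 'QQ 12 34 56 C' and 'qq123456c' compare equal."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def guessable_fragments(name: str, dob_iso: str, ni_number: str) -> set:
    """Strings an attacker who has researched the client would try first."""
    dob = date.fromisoformat(dob_iso)
    fragments = {
        dob.strftime("%d%m%Y"),  # e.g. 14031985
        dob.strftime("%d%m%y"),  # e.g. 140385
        dob.strftime("%Y%m%d"),  # e.g. 19850314
        dob.strftime("%Y"),      # e.g. 1985
        _normalise(ni_number),   # e.g. qq123456c
    }
    fragments.update(_normalise(part) for part in name.split() if len(part) >= 3)
    return fragments


def password_is_acceptable(password: str, name: str, dob_iso: str, ni_number: str):
    """Return (ok, reason): rejects short passwords and any containing a client detail."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    normalised = _normalise(password)
    for fragment in sorted(guessable_fragments(name, dob_iso, ni_number)):
        if len(fragment) >= 4 and fragment in normalised:
            return False, f"contains client detail '{fragment}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed client record, not real data
    client = ("Jane Doe", "1985-03-14", "QQ 12 34 56 C")
    for candidate in ("Jane14031985!", "qq123456c-Pay", generate_document_password()):
        print(candidate, password_is_acceptable(candidate, *client))
```

The generated password still has to reach the client over a different channel from the document itself, for example read out by phone or agreed at onboarding, otherwise an attacker sitting in the client's mailbox receives both.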

Corporate email to personal email

Accountancy practices have a range of clients, from large organisations to sole traders, and the communication medium will differ between them. A large corporate may use its own email service and domain, whereas a sole trader may simply use a personal email account on gmail.com or outlook.com.

Be particularly careful when sending documents for electronic signature to clients who use a personal email account. The document may be the end-of-year accounts or a contract for signature, which you assume only the client will receive. With a personal email account, however, you cannot confirm 100% that an attacker is not in control of the account and therefore able to access and sign any document you send.

If you are going to use an electronic document signing service, a verified digital-signature method, where the individual has to sign in and verify who they are before being allowed to sign, is recommended. Clearly there is no 100% foolproof method, but using the above and password-protecting the documents you send can limit the likelihood of this happening.

Wrong data, wrong client

One of the most common mistakes that accountancy firms make is to accidentally put the wrong information in the wrong place, or to send the wrong client an email with PII inside.

These mistakes have reduced over the past five years or so, as online platforms are now used that help mitigate the risk of the wrong data going to the wrong person.

Some practices have a workflow in which an email or communication passes through multiple people for checking before it is released to the end client. Clearly this can mean more time taken to get information processed.

Regular staff training covering the key points above will also reduce the risk of the wrong data being sent to the wrong client, but ultimately human beings do make mistakes, so things really must be properly checked. 

Phishing links

Accountancy practices are a huge target and as such receive a large volume of phishing emails trying to get their staff to click a link and log in to a portal, giving away information. One of the biggest dangers is HMRC phishing emails, which try to get an accountancy practice to give away its Government Gateway ID or password for access to the portals. This access would allow an attacker to see all the information about an individual or, if it is an accountancy practice master account, potentially all of their clients' information.

Phishing is still one of the biggest attack vectors targeting organisations, as it is seen as a quick win for attackers. They can easily craft an email and send it to 10,000 recipients; all they need is for one person to click and interact, and they have won.

Two methods can be used to combat this threat: user awareness training, carried out regularly so that users can spot and report phishing emails, and reputation-based email gateways, which attempt to filter and block phishing emails before they arrive. Clearly 100% protection will never be possible.
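The HMRC lure described above has a recognisable shape: a display name claiming a government body, a sender and link domain that are nothing of the sort, and wording that pushes the reader to enter a Government Gateway ID and password. The following is an added example, not code from the article or from CSA, of a small indicator check a practice could run on inbound mail or use in awareness training. The brand-to-domain allow-list, the UK public-suffix set, the lure phrases and both sample messages are constructed assumptions for the example.

```python
"""Added example: surface common phishing indicators in an inbound email so it can be
quarantined or used as a training case."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands that, when claimed in the From display name, are expected only from these
# domains. Assumption for this example; a practice would maintain its own allow-list.
BRAND_DOMAINS = {"hmrc": ("gov.uk",), "government gateway": ("gov.uk",)}
# Second-level public suffixes where the registrable domain is three labels long
UK_PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "org.uk", "ac.uk", "nhs.uk"}
# Wording that pressures the reader into handing over credentials (illustrative list)
CREDENTIAL_LURES = ("gateway id", "password", "suspended", "within 24 hours", "verify your account")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _site(host):
    """Crude registrable-domain heuristic (no public suffix list; UK suffixes hard-coded)."""
    parts = host.strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in UK_PUBLIC_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def _html_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "".join(chunks)


def phishing_indicators(raw_message):
    """Return human-readable indicators; an empty list means none fired."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    claimed = [b for b in BRAND_DOMAINS if b in display_name.lower()]
    for brand in claimed:
        if not any(_under(sender_domain, d) for d in BRAND_DOMAINS[brand]):
            indicators.append(f"display name claims '{brand}' but sender domain is {sender_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _site(reply_to.rsplit("@", 1)[-1]) != _site(sender_domain):
        indicators.append(f"Reply-To domain {reply_to.rsplit('@', 1)[-1]} differs from sender domain")
    html = _html_body(msg)
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = _host(href)
        # Visible text that looks like a URL but resolves to a different site
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) and _site(_host(text)) != _site(target):
            indicators.append(f"link text shows {_host(text)} but points to {target}")
        for brand in claimed:
            if not any(_under(target, d) for d in BRAND_DOMAINS[brand]):
                indicators.append(f"'{brand}' email links to {target}, outside {', '.join(BRAND_DOMAINS[brand])}")
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    lures = [p for p in CREDENTIAL_LURES if p in plain]
    if lures and collector.links:
        indicators.append(f"credential lure wording with links present: {', '.join(lures)}")
    return indicators


# Constructed sample messages (invented domains), not real mail
SUSPICIOUS = """\
From: "HMRC Online Services" <noreply@hmrc-gateway-update.example>
To: payroll@practice.example
Reply-To: support@hmrc-gateway-update.example
Subject: Action required: confirm your Government Gateway ID
Content-Type: text/html; charset=us-ascii

<html><body><p>Your agent account will be suspended unless you confirm your Government Gateway ID and password within 24 hours.</p>
<p><a href="http://hmrc-gateway-update.example/login">https://www.gov.uk/log-in-register-hmrc-online-services</a></p></body></html>
"""
LEGITIMATE = """\
From: "Acme Trading Payroll" <finance@acme-trading.example>
To: payroll@practice.example
Subject: March payroll figures
Content-Type: text/html; charset=us-ascii

<html><body><p>Hi, the March figures are in <a href="https://portal.acme-trading.example/march">our portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, phishing_indicators(sample))
```

None of these checks is conclusive on its own, which is why the function returns every indicator rather than a verdict: a gateway can weight them, and a trainer can show staff exactly which feature gave the message away.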

Website Data

Some accountancy practices are required to publish information on their websites, and there have been occurrences where the published information contained confidential data. This ranges from internal file paths in a link, which give away your internal systems or storage methods, to personal information contained in documents that were not checked before going live on the website.

Make sure that you carefully review all the information on your website and anything published regularly, such as blogs and news, and that a stringent checking process is in place to stop confidential or PII data being accidentally published.
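Both the "wrong data, wrong client" workflow and the website checking process above come down to the same question: does this content contain personal data or internal detail, and if so, is it going to the right place? The following is an added example, not code from the article or from CSA, of a release gate that answers that question for an outgoing email and for a page about to be published. The simplified National Insurance number pattern, the internal-path patterns and the client directory are constructed assumptions for the example.

```python
"""Added example: a release gate that looks for personal data and internal paths in
content before it is sent to a client or published on the website."""
import re

# Simplified UK National Insurance number: two letters, six digits, suffix A-D, with
# optional spaces. Assumption: the real prefix rules are stricter than this pattern.
NI_NUMBER = re.compile(r"\b([A-Z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b", re.I)
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Windows drive paths, UNC shares and file:// links that betray internal storage layout
INTERNAL_PATH = re.compile(r'''\\\\[\w.-]+\\[^\s"'<>]+|[A-Za-z]:\\[^\s"'<>]+|file:///[^\s"'<>]+''')


def find_sensitive(text):
    """Return (kind, value) pairs for everything that should not leave the practice unchecked."""
    findings = [("ni_number", "".join(m.groups()).upper()) for m in NI_NUMBER.finditer(text)]
    findings += [("email", m.group(0)) for m in EMAIL.finditer(text)]
    findings += [("internal_path", m.group(0)) for m in INTERNAL_PATH.finditer(text)]
    return findings


def pre_publish_check(content):
    """Findings a reviewer must clear before a page or document goes live."""
    return find_sensitive(content)


def pre_send_check(body, recipient, clients):
    """Problems that should block an outgoing email.

    clients maps a client id to {"emails": set, "ni_numbers": set}; every NI number in
    the body must belong to the client the recipient address is registered against.
    """
    problems = []
    recipient = recipient.lower()
    owner = next((cid for cid, rec in clients.items() if recipient in rec["emails"]), None)
    if owner is None:
        problems.append(f"recipient {recipient} is not a registered client contact")
    for kind, value in find_sensitive(body):
        if kind != "ni_number":
            continue
        holders = [cid for cid, rec in clients.items() if value in rec["ni_numbers"]]
        if owner is None or owner not in holders:
            who = ", ".join(holders) if holders else "no known client"
            problems.append(f"NI number {value} belongs to {who}, not to the recipient's client")
    return problems


# Constructed sample client directory (invented people, domains and numbers), not real data
CLIENTS = {
    "C001": {"emails": {"jane@doe-trading.example"}, "ni_numbers": {"QQ123456C"}},
    "C002": {"emails": {"bob@acme-trading.example"}, "ni_numbers": {"AB123456D"}},
}

if __name__ == "__main__":
    print(pre_send_check("Hi Jane, your P60 is attached. NI QQ 12 34 56 C.", "jane@doe-trading.example", CLIENTS))
    print(pre_send_check("Hi Bob, NI QQ123456C", "bob@acme-trading.example", CLIENTS))
    page = r'<a href="C:\Users\finance\Shared\accounts2023.pdf">Annual accounts</a> Contact: office@practice.example'
    print(pre_publish_check(page))
```

The gate does not replace the multi-person check described above; it runs before it, so that reviewers spend their time on the cases the patterns cannot decide, such as whether a contact email on a news page is meant to be public.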

James Griffiths is an ex-Government cybersecurity specialist. CSA works extensively with accountants and finance firms and all employees have enhanced government security clearance. 
