Consumers and businesses take a significant risk when entrusting accounting organisations with their data. If those details fall into the wrong hands, it is not a case of resetting a password; for the victim it can become a matter of financial survival.
In this article we want to set out just how at risk you are, as an accounting organisation, of that happening: where those risks come from, and how you can avoid them.
How likely are accounting organisations to be hacked?
Organisations that store payment details are often at the top of hackers' to-do lists. As an accounting organisation, according to PwC, you are 30% more likely to be targeted than other types of organisation.
In early 2022, SJD Accountancy and Nixon Williams confirmed they had suffered a security breach. The news was concerning but not surprising, as their sister company, Parasol, had been successfully attacked not long before.
What accounting data points are hackers targeting?
The more obvious data cyber criminals target includes:
- Bank account details such as account number
- Card numbers for online purchases
- Usernames and passwords
Hackers also target less obvious data, where the theft is less likely to be noticed. This includes information such as:
- Transaction history
- Account recovery answers, such as a first street name or a pet's name
- Identifiable information such as their address
- Credit and debt history
5 cyber security challenges for accounting organisations
1. Understand your data storage and permissions
Begin taking control of your cyber security by taking stock of every tool that processes or stores your data. Keep their code bases, integrations and API connections maintained and documented, and remove any you no longer use, so you do not leave open access routes for malicious users.
Also, review user permissions across your data systems. Lock them down so that only people who are authorised to access them can do so. Here are a few ways to make your permissions more effective:
- Enable Two Factor Authentication (2FA). With 2FA, an exposed password is not enough on its own for the hacker to gain access.
- Give every user a unique ID and tie their activity to it. Tracking activity will not stop an attack, but it deters misuse and, once you have identified a breach, gives you a trail to follow.
- Set up unusual activity alerts. If a particular report is only ever accessed at the end of the month, create an alert that notifies your IT team when it is accessed at any other time.
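The unique-ID and unusual-activity points above can be combined into a simple check. The script below is an added example, not code from the original article or from CyberCrowd: it reads a constructed access log (the format `timestamp|user_id|action|resource` and the three-day closing window are assumptions for illustration) and raises an alert for any access to a month-end report outside the last days of the month, keyed on the user ID so each alert points at a specific person.

```python
"""Flag out-of-window access to month-end reports from an access log.

Added example with constructed data. Log format and window length are assumptions.
"""
import calendar
from collections import namedtuple
from datetime import datetime

# Constructed sample log lines (not real data): "timestamp|user_id|action|resource".
SAMPLE_LOG = """\
2024-03-29T17:02:11|u1042|view|report:month_end_payroll
2024-03-31T09:15:40|u1042|export|report:month_end_payroll
2024-04-12T23:47:03|u1042|export|report:month_end_payroll
2024-04-12T23:49:55|u2201|view|report:month_end_payroll
2024-04-15T10:03:12|u2201|view|report:client_ledger
"""

# Resources that should only be touched during the month-end close.
MONTH_END_RESOURCES = {"report:month_end_payroll"}
# Assumed length of the closing window: the last 3 calendar days of the month.
CLOSING_WINDOW_DAYS = 3

Access = namedtuple("Access", "ts user action resource")


def parse_log(text):
    """Parse pipe-separated log lines into Access records (blank lines skipped)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split("|")
        entries.append(Access(datetime.fromisoformat(ts), user, action, resource))
    return entries


def in_closing_window(ts, window_days=CLOSING_WINDOW_DAYS):
    """True if ts falls within the last `window_days` days of its month."""
    last_day = calendar.monthrange(ts.year, ts.month)[1]
    return ts.day > last_day - window_days


def find_unusual_access(entries, window_days=CLOSING_WINDOW_DAYS):
    """Return every access to a month-end resource made outside the closing window."""
    return [
        e for e in entries
        if e.resource in MONTH_END_RESOURCES and not in_closing_window(e.ts, window_days)
    ]


def alerts_by_user(alerts):
    """Group alerts by unique user ID: this is the breadcrumb trail for follow-up."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.user, []).append(f"{a.ts.isoformat()} {a.action} {a.resource}")
    return grouped


if __name__ == "__main__":
    for user, events in alerts_by_user(find_unusual_access(parse_log(SAMPLE_LOG))).items():
        for event in events:
            print(f"ALERT out-of-window access by {user}: {event}")
```

Run against the sample, the two March accesses are inside the window and produce nothing, while the two accesses on 12 April (one export, one view, by different users) are flagged; the client ledger is not a month-end resource and is ignored. In practice the log would come from your accounting software's audit export and the window from your actual close calendar.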
2. Understand threats and trends
Take the time to monitor the accounting and finance landscape and see what is threatening your business and your competitors. Hackers have favourite tools, while other techniques come in and out of fashion. If you understand the threats you are likely to face, you will be in a better position to stop them.
Common cyber security threats to accounting firms include:
- Ransomware – Malware that encrypts your data or blocks your access to a system until you meet the attacker's demands, usually a payment.
- Data mining bugs – A hard-to-spot piece of software a hacker installs on your systems to quietly collect transactional data and send it out over time.
- Internal leaks – Intentional or not, an attacker can walk in through the front door with legitimate credentials if a user password or data set is handed to them, or left where they can find it.
3. Know your responsibilities
As an accounting organisation, your responsibilities span far beyond protecting your customers’ data.
Your cyber security responsibilities as accountants include:
- Protect and defend – You must do everything you can to stop hacks from occurring in the first place.
- Monitor and scan – You must monitor for potential threats and vulnerabilities that slip through your defences.
- Update and maintain – You must maintain your defences by updating software and investing in new solutions as necessary.
- Act and repair – If or when a breach occurs, you must do everything in your power to stop the breach, repair damage, and recover assets.
- Inform – Where a breach is likely to put individuals at risk, you must report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Where the risk to those individuals is high, you must also inform everyone affected without undue delay.
4. Train your staff
Set up a relevant cyber security training program for all of your staff. It doesn’t matter what role individuals hold; you should train everyone from your Auditors and Tax Specialists to your HR team and assistants.
Training might include standard cyber security practices like email management, phishing, and password hygiene.
It should also cover spotting suspicious activity, both in your accounting software and among colleagues. This can be as simple as general awareness: noticing that a colleague who has recently fallen on hard times has started accessing unusual reports.
5. Audit your partners including payment gateway providers
Finally, audit all of your accountancy firm's partners. Partners are given special access to your systems and operations, which means any weakness in their organisation becomes a weakness in yours.
Check whether your operational and software partners, including payment gateway providers, hold Cyber Essentials certification in the UK and comply with the other standards required of them, such as PCI DSS.
How to improve your cyber security if you are an accounting firm
Here are 3 things you can do straight away to protect yourself from immediate threats:
- Invest in a reliable and proactive cyber security team.
- Get Cyber Essentials accredited.
- Talk to CyberCrowd. We have helped many financial organisations protect their operational and customer data. Complete our contact form or email us on firstname.lastname@example.org to get in touch.