Voices

Top cybersecurity considerations for accounting firms

Financial services firms are a top target for cybercriminals. In fact, the industry experienced the second highest number of cybersecurity attacks in the first half of 2022, exceeded only by the health care industry. Given the highly sensitive financial and organizational data accounting firms store on behalf of their clients, a security breach would be extremely detrimental, causing irrevocable damage to client trust and to a firm's reputation. 

Cybercriminals are not slowing down. We can expect attacks against financial firms to become more frequent and sophisticated. To combat this, firms must implement mitigation solutions to help prevent breaches and safeguard their clients' valuable data. Accounting practices that are not already taking cybersecurity seriously need to make it a top priority now. 

Assessing your current security arrangements

Having an out-of-date security system can put a company at serious risk. The cybersecurity landscape changes so quickly that cyber criminals are constantly finding holes to exploit and steal sensitive client data. While smaller firms may not be able to dedicate time each day to updating their security systems, there should absolutely be regular, scheduled updates and "hygiene" checks to ensure all programs and software are always up to date. Threat actors look for the path of least resistance and on-premises systems inherently have a higher risk so this should be a primary consideration.

Failure to keep client data secure risks serious consequences from ransomware attacks, including monetary loss and reputational damage. With the number of cyber threats only increasing, it's in a firm's best interest to prioritize security and keep ahead of threats. 

Implementing a cybersecurity plan

Cybersecurity plans should not be created in isolation. Extend your plans outside your firm to encompass third-party vendors. 

Look for vendors whose planning starts at the design stage and is led by a dedicated resource such as a chief data protection officer. In smaller firms, appointing someone in this role is not always possible. However, this unfortunately means smaller firms with a less robust cybersecurity set-up could be a prime target for cyber theft.

Members of staff who are cyber aware can be the strongest line of defence, so educating staff about cyber risks is key to keeping an organisation secure. Cybersecurity training should include anti-money laundering, phishing, bribery and personal data protection. Smaller firms should also ensure that antivirus software is regularly updated, and multifactor authentication is introduced to prevent fraudulent access. 

Larger firms should not design their digital storage without planning to protect stored data from breaches. Whether large or small, every company is at risk so security should be a top concern, especially those who have acquired other companies should routinely extend their cybersecurity system across all acquisitions as a way of minimizing risk. 

Consequences of attacks

Cyberattacks can have a detrimental effect on a firm, resulting in significant monetary and reputational damage. Cybercriminals are ramping up the volume of attacks in the financial services sector, and accounting firms are not immune. During the first half of this year the financial services sector experienced 127 data compromises that affected over 22 million victims. Once cybercriminals get their hands on sensitive data, there are several ways they could make money from it. Holding a firm's information for ransom is a popular technique — the average ransomware demand was up 43%, according to recent year on year statistics. If firms fail to pay a ransom, criminals could then sell the information to the highest bidder.

There are also hefty fines for data breaches and clear indications that more focus is being directed by regulators toward how companies protect their consumer data. Global firms such as Amazon and Instagram are among many that have been obliged to pay these large fines. 

Theft can lead to a loss of intellectual property, which can impact the company's growth and lead to loss of competitive advantage, as well as lost revenues. The reputational damage and potential ensuing legal costs must also be considered, and if a company does fall victim to a cyber theft, the subsequent cyber protection insurance premium will undoubtedly rise. These are all consequences which must be protected against, and which could inflict lasting damage.

Futureproofing cybersecurity

The idea that a server can any longer sit in a cupboard at your premises holding all the firm's data securely is just not viable. Employees who are tasked with looking after that server may leave the business and therefore be a potential security threat. 

In this post-pandemic world, client communication via video conferencing is far more commonplace, and payroll and document management are often outsourced with software greatly contributing to efficiencies. Vetting software vendors and providers is an ongoing process that begins when your firm starts searching for a new provider and continues throughout the entire relationship. When you are evaluating new vendors, questions about functionality, integrations and capabilities must be asked — but don't forget to also ask about cybersecurity protocols and data protection measures as well.  

The cloud-based SaaS option for data storage is now the best way to ensure security. While making that move might be considered initially hard in the accountancy industry, it is essential in order to futureproof your overall cybersecurity.

For reprint and licensing requests for this article, click here.
Technology Cyber security Cyber attacks Ransomware Data management
MORE FROM ACCOUNTING TODAY