The ACA syllabus uses the ‘ABCD’ acronym to summarise the most impactful emerging technologies. Here, we explain the risks facing businesses and the importance of following best practice.
What is cyber security?
“In a nutshell, cyber security is looking at the risks related to a breach of systems and data, and the controls that are put in place to mitigate those risks,” says Ian Pay, Head of Data Analytics and Tech at ICAEW. Many of the fundamentals of cyber security and good practice are built into the technologies we use every day – things like multi-factor authentication (MFA), encryption and strong passwords.
“It’s the sort of thing that has been talked about for a long time – and actually, sometimes that’s the challenge with cyber, because in a way none of this is new,” Ian adds. “It’s easy for it to become background noise. But it’s important to know that the significant majority of businesses of all shapes and sizes cite cyber security as one of their top risks. Because if it goes wrong, it goes very wrong.”
What do I need to know?
Accountants work with a lot of valuable information. “We are the custodians of some very sensitive data, and the gatekeepers for outflows of money from an organisation – typically, that’s where cyber criminals are trying to target the most,” explains Radhika Modha, a chartered accountant and cyber security specialist. “It’s really important to be aware of how you might be targeted, and what that might mean for you and your career. It’s so easy in a fast-paced job like finance to fall victim to some of these things.”
Cyber security starts with you as an individual, and how you protect your own identity and information. Then it’s about making sure you’re on top of your organisation’s approach and practices, and thinking about the bigger picture with clients and suppliers. Third-party risk is one of the most important aspects, Ian and Radhika agree. “Supply chain is the big one at the moment,” Ian says. “When you’re looking at cyber security risks, you’re not necessarily just looking at the risks within your own four walls anymore. You need to be aware of third-party suppliers of technology solutions, especially in this cloud-first world we’re in.”
What are the risks?
Cyber-attacks broadly fall into two main categories. “One is basically to make money, so that’s usually smaller organisations or lone wolves trying to hack into systems and either put ransomware in place or get hold of data to sell,” explains Ian. “The other is state-backed cyber-crime – and one of the best examples of that is the recent hack on NHS laboratory partner Synnovis. It was all about causing chaos and undermining trust. On the accounting side, you’re probably slightly more likely to come across the former rather than the latter.”
The breaches you may encounter will depend on your role, and the type of organisation and clients you’re working for. “If you’re a junior accountant working in accounts receivable or payable, doing the processing side of things and getting to grips with controls, I think there’s more risk of being targeted specifically than somebody doing an audit from the outside,” says Radhika. “An auditor needs to be aware of how to spot something untoward happening, and how to advise on controls and how to strengthen those controls. But I think they’re less likely to be directly targeted, and more likely to be advising their clients.”
Smaller firms and businesses tend to be easier to attack, adds Ian. “They don’t have the fortresses that the larger businesses have. It’s easier for cyber criminals to get into those firms and make a bit of money from them or from the data they get hold of.” On a wider scale, particularly if you’re working with high-profile clients, you could be part of a large ransomware attack that creates downtime and takes weeks to recover from.
What can I do?
1. Protect yourself
Most of us are already familiar with good cyber hygiene: using strong passwords; being aware of phishing and scam emails and calls; keeping software and systems up to date; and enabling MFA. Be careful, too, about what information you post on social media. “Criminals are getting increasingly good at what’s called social engineering, where they essentially nosey around on social networks to build a picture of an individual, then target them to use as a stepping stone to something bigger,” Ian says.
2. Protect your employer
Make sure you know the policies and procedures in your own organisation, and understand the reasons behind them. “It’s about being aware of why we do certain things, not just mindlessly doing them,” Radhika says. “If you’re working with a system that contains financial data but there’s no MFA on it, it’s good to proactively question why it’s not there.” For her, MFA should always be the first line of defence. She also cautions against connecting to public wifi networks: “Sometimes it’s really quite hard to spot a network that’s trying to spoof a genuine one. If you want a little bit of a scary moment, look up a WiFi pineapple and what it can do!”
Ian’s golden rule is to never email data. “Accountants tend to be heavily involved in exchanging information with clients, which can inevitably be a bit of a weak point if you haven’t got a good document exchange solution in place,” he explains. “My advice is don’t send data by email. Just don’t do it. Use a secure file transfer site, or at the very least, put a password on it.”
3. Talk to your clients
“As well as making sure you’re on top of your organisation’s approach to cyber security and preaching good practices there, make it part of the conversation with clients,” Ian says. “As ACA students, you’re the people on the ground, you’re the people having those conversations on a daily basis.” Again, these can be simple things like ensuring they’re using MFA, or that their email provider has the right security settings in place.
“There’s a huge value in an accountant building up that skillset of knowing what to think about from a cyber perspective, what to think about when they’re appraising or auditing some of these systems, or putting together financial processes,” agrees Radhika. “Being able to spot that as students, and being able to advise from an early point in your career, is a really useful mindset to have.”
4. Know what to do in the event of a breach
“Typically, you don’t need to switch a machine off if you sense an attack happening, because you don’t want to interrupt what’s going on,” explains Radhika. “Talk to your security or IT team to figure out what to do. The worst thing you can do is panic, not tell anyone, and try to delete or switch stuff off.” There’s a legal obligation to report hacks to the Information Commissioner’s Office (ICO) within a certain timeframe, adds Ian. “The NCSC (National Cyber Security Centre) are the first people to call – they will handle it confidentially and give really solid advice about what to do next.”
Where next?
With the profession becoming ever-more technologically advanced and interconnected, cyber risks inevitably increase. The advent of AI, in particular, creates the potential for increasingly sophisticated hacks. “Traditionally it’s been fairly easy to spot a phishing email – the language isn’t quite right, or there are issues with spelling and punctuation. But now hackers can use freely available generative AI tools to perfectly craft those emails and make them look really, really real,” explains Ian. “Always be sceptical, especially of unexpected calls or out-of-the-blue requests.”
For those who want to find out more, he and Radhika both recommend the NCSC as a great starting point. “The NCSC has some really easy to understand, useful tips and guidance,” Radhika says. “It’s also worth looking at personal tips on protecting yourself online. If we as individuals think about our own money, our own outflows, our own data and how we secure those, that can feed the behaviours we have at work as well.”
Visit ICAEW’s cyber security hub for more guidance and resources, including a monthly round-up of cyber news.