The digital revolution has transformed the way we do business, creating opportunities for improved efficiency and growth. However, it also presents significant challenges in safeguarding data. As we celebrate the 20th Cyber Security Awareness Month, it is important to reflect on how cyber security has evolved over the past two decades.
The early 2000s: a different era
The early 2000s saw a surge in internet usage, bringing more than a billion people online by 2005. Cyber security was often an afterthought, with basic passwords, firewalls and antivirus software the primary means of defence. Hackers in this period were seeking to experiment, build their reputation or cause disruption with malware such as ILOVEYOU, Code Red and MyDoom.
This era was defined by limited digitisation and minimal regulatory oversight. The slow adoption of digital processes in accounting meant that most financial data was still stored in physical files, making it less susceptible to digital threats but more vulnerable to physical breaches. At the same time, regulatory bodies had yet to begin building regulations for the digital world. The Data Protection Act 1998 had only recently come into law and set out principles for organisations to follow.
The mid-2000s: the rise of cyber threats
The mid-2000s marked a turning point. Cyber threats became more sophisticated and malware, phishing attacks and data breaches increased. This prompted organisations, including accounting firms, to take cyber security more seriously. Passwords, access controls, firewalls and antivirus software became standard.
Hackers began monetising their activity by scamming users through malware such as Zeus and Vundo. Botnets such as Storm were used to conduct Distributed Denial-of-Service (DDoS) attacks against firms countering these scams. This early profiteering resulted in increasingly organised spam and ‘malvertising’.
As firms increasingly digitised their operations, data became more vulnerable. Breaches could result in severe financial and reputational damage. TK Maxx owner TJX paid out US$41m in 2007 for having 45 million credit card details stolen.
Meanwhile, accountancy firms also found themselves under growing compliance pressure as regulatory bodies started to introduce cyber security requirements.
The 2010s: the cyber security revolution
The 2010s saw a significant cyber security revolution. With high-profile data breaches like that at TJX making headlines in the mid-2000s, cyber security became a board-level concern for organisations. New technologies such as artificial intelligence and machine learning were introduced to systems to help improve detection and prevention.
The cybercrime market matured, with 2018 Home Office research finding that sellers of stolen data were earning between £24,000 and £95,000 in profit, while the buyers of this data were estimated to be earning between £6.1m and £25.2m from its use. Ransomware came into its own by automating both the spread of malware and the extortion of those compromised. Attacks such as WannaCry and NotPetya also highlighted how vulnerable global supply chains were to cyber attacks, and resulted in more than US$10bn in damages.
For the accountancy sector, this resulted in an increased emphasis on data protection. Robust measures including encryption, multi-factor authentication and secure cloud solutions were rolled out. Cyber security was split out as a dedicated function, and security professionals started to be appointed to the C-suite as Chief Information Security Officers (CISOs).
Recognising the importance of cyber security, regulatory bodies introduced stricter compliance requirements such as GDPR, overseen by the Information Commissioner’s Office (ICO), which also delivered its first two monetary penalties for serious breaches of the Data Protection Act 2010.
The demand for cyber security professionals skyrocketed, leading to a shortage of talent. Accounting firms had to invest in training and hiring to protect their data effectively.
The present: the new normal
Today, cyber security is an integral part of the accounting profession. Firms are increasingly embracing a proactive approach, involving teams – either in-house or outsourced – that continuously monitor for threats and invest in the latest security technologies.
Firms are increasingly reliant on third parties to run their business services, and suppliers have become the targets of attacks; a significant proportion of recent breaches have been due to supplier breaches.
The growth of remote work during the pandemic has expanded the attack surface and made keeping systems and data secure more complex. As a result, firms are having to secure home networks and educate employees about best practices.
Many accounting firms have migrated to cloud-based accounting software, which offers enhanced security and accessibility. However, these systems must be appropriately configured and monitored.
What can you do to be cyber secure and protect your business?
A lot has changed in cyber security over the past 20 years, reflecting changes in technology and ways of working. We expect further change as technology continues to evolve: the deployment of Internet-of-Things devices, blockchain, quantum computing and further automation will reshape the cyber security landscape.
It is important to ensure that you remain cyber aware and continue to take steps to protect your business from different types of cyber attack.
Cyber security technologies may be evolving, but the fundamental principles of good cyber hygiene remain the same. The National Cyber Security Centre’s (NCSC) 10 Steps to Cyber Security provides a useful guide to the key controls organisations should have in place including access control, vulnerability management, user training and vendor management.
We have three specific cyber security recommendations to build on the NCSC guidance:
- Consider procuring cyber insurance: The global average cost of a data breach is now US$4.45m, with insurance reducing this cost by nearly US$200,000 in 2023, according to IBM. Cyber insurance has become a vital component of risk management for accounting firms, providing protection in the event of a cyber incident. It is important to remember that cyber cover is not yet included in Professional Indemnity Insurance policies and needs its own policy. Also note that cyber insurance is not a substitute for controls, and insurers often require evidence that appropriate cyber security controls have been implemented. It is important to work with insurers and cyber security and risk management experts to ensure you get a policy that suits your needs.
- Staff training: Train your staff to recognise common attack methods. According to research by IBM, staff training is the second most impactful cost mitigator, with the first being the adoption of a DevSecOps approach.
- Oversee your third parties: It is important to understand how your suppliers impact your cyber risk, how they manage their own cyber risks and how you can work together with them to mitigate these risks. Consider the scope of the Cyber Essentials framework and whether it should apply to your suppliers.
As we mark the 20th year of Cyber Security Awareness Month, it’s crucial for accounting professionals to remain proactive in their approach to mitigating cyber risks.
Ongoing education and adaptation are essential to stay ahead of the curve in this ever-changing digital world.