Cyber security: how accountancy should address risks
With cyber security top of the business agenda, David Adams examines how organisations should address the risks; and looks at the growing role played by accountancy firms in helping clients to improve their security posture
Paranoia is not usually grounded in reality. But when it comes to the relentless need to protect businesses against cyber risks and threats, it is perfectly reasonable to think that someone is out to get you. In recent years cyber incidents have led to large-scale data breaches, operational disruption, and severe reputational and financial damage to organisations of all kinds, from the smallest micro-businesses to banks, retailers, airlines, telecoms companies and the NHS. The extent to which cyber has become a prominent business issue is revealed by statistics from jobs website Indeed, showing that the Big Four accountancy firms now recruit for more cyber security roles, as a proportion of all the roles a company seeks to fill, than any other business. Cyber roles accounted for 5.95% of positions recruited by KPMG in 2018, ahead of PwC (5.08%), with EY in third place (1.99%) and Deloitte fourth (1.47%).
Although the Big Four are quite different from most other accountancy firms, this also indicates the growing importance of cyber to accountancy in general; a profession that manages exceptionally sensitive client information and is becoming more digitised. There are good reasons why demand for cyber risk and security services is growing. The 2019 UK government Cyber Security Breaches Survey (CSBS) shows that one in three of the 1,566 businesses surveyed (32%) had been affected by cyber incidents during 2018, a figure that rose to 60% of medium-sized businesses and 61% of the largest businesses. The average cost of these incidents was £4,180; the average cost to larger businesses was £22,700. In future, those costs could be considerably higher. In July 2019, British Airways was fined £183m by the Information Commissioner’s Office (ICO), for a 2018 security breach that led to the theft of personal and financial data related to about 500,000 BA customers. This was the first such fine to be publicised since the introduction of the General Data Protection Regulation (GDPR) in May 2018, which introduced tougher penalties for breaches. It could have been higher: it equated to 1.5% of BA’s turnover in 2017 and GDPR allows for fines worth up to 4% of turnover.
Targeted attacks
How do cyber incidents happen? Eight out of 10 attacks recorded in the CSBS began with phishing emails sent from fake email addresses or web domains. Some are sent to very large numbers of recipients; others are carefully tailored ‘spear’ phishing emails aimed at selected recipients and crafted using specific, publicly available information, to persuade them to click on a link or download a file carrying malware or ransomware, or to unknowingly transfer information or money to the attacker. economia readers should note that spear phishing often targets the individuals who control an organisation’s finances.
A few such attacks may be state sponsored or cases of industrial espionage, but most are created by organised crime groups seeking financial gain and running professional operations. Asam Malik, a partner and head of technology solutions at Mazars, describes investigations conducted by his previous employer that traced cyber attacks to a group of workers active during business hours in an eastern European state. The attackers even took an hour off for lunch. Smaller organisations are just as likely to be targeted as large businesses, in part because it may be easier for attackers to access a smaller firm’s systems and data. It is worth noting that the 32% of businesses that suffered breaches or attacks in 2018 is fewer than the 43% who reported being hit a year earlier. The reasons for this reduction are unclear. It may be due in part to improved security measures and cyber risk management, or it may be that attackers are shifting from indiscriminate to more targeted methods.
The best defence
But even if the findings represent progress in the battle against cyber threats, one in three businesses is still being attacked. Faced with a multitude of ever-evolving security threats, businesses need to work towards best practice in the use of technical countermeasures and to spread awareness of security issues throughout their employee base; but they also need to take a realistic, risk-based approach, says Miriam Howe, cyber security consultant at BAE Systems. “There are always more security holes to fix than there is time in the day or money in the bank,” she says. “It needs to be about what is the greatest risk to you.” That can only be informed by a comprehensive understanding of the organisation’s IT infrastructure, and an understanding of who might target your organisation and what they might want to steal, says Howe.
The next step is to do the basics well: investing in effective firewalls; threat detection and anti-virus/malware technologies; and management tools that force staff to use strong passwords when accessing business systems. But arguably more important than the capabilities of any security function is the need to keep software up to date with patches and upgrades for all the technology used in the organisation, to prevent attackers from exploiting known vulnerabilities. “The number one way organisations get breached is because they haven’t patched their systems adequately,” says Malik. Ensuring that staff are aware of security issues and support best practice is arguably much more difficult than implementing technical changes. Most data breaches can be traced back to a moment of carelessness or stupidity.
Malik recalls a phishing test he helped his former employer conduct for a client. A fake domain name, similar to the client company’s name, was bought and emails were sent from it to staff, offering a discount voucher for the Apple Store to recipients who clicked on a link and entered their network password. And 40% of staff did so, handing the testers a huge pile of user credentials. Richard Horne, cyber security partner at PwC, speaks for many in his industry when he says that security needs to be embedded in every aspect of business operations. “Every decision made in that organisation is going to impact cyber security, so how do you embed cyber security thinking into every decision?” he asks, suggesting that as well as informing day-to-day business activity this should include factoring cyber risks into the design of new products, services, processes or technologies. Even if an organisation improves its own security, digital links to supply chain partners present attackers with further opportunities to exploit security vulnerabilities.
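Both the phishing campaigns described above and the test Malik recalls rely on a sender domain that looks like the organisation’s own. The following is an added example, not code from the article or from any of the firms it quotes, of a defensive check a mail gateway or SIEM could run over sender addresses: it folds common look-alike characters and measures the edit distance to a list of trusted domains, so near-misses can be quarantined for review. All domains and addresses in it are constructed for illustration, and the `TRUSTED_DOMAINS` list, the `HOMOGLYPHS` table and the `max_distance` threshold are assumptions to be tuned to the organisation.

```python
# Added example (not from the article): flag sender domains that imitate a
# trusted domain, the "fake email addresses or web domains" the article
# describes. Every domain and address below is constructed for illustration.
import re

# Constructed: domains this organisation and its close partners legitimately use.
TRUSTED_DOMAINS = {"example-accountants.co.uk", "example-bank.com"}

# Assumed table of substitutions commonly used to imitate a domain name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lower-case a domain and fold look-alike characters to their plain form.

    Only the sender side is folded; the trusted list is assumed to contain
    plain lower-case names already.
    """
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain part of a header value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_trusted_domain).

    'trusted'   - the domain is exactly one on the trusted list
    'lookalike' - after folding homoglyphs it is within max_distance edits of
                  a trusted domain, so it is a probable impersonation
    'unknown'   - neither; treat as ordinary external mail
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    folded = normalise(domain)
    for t in trusted:
        if folded == t or edit_distance(folded, t) <= max_distance:
            return "lookalike", t
    return "unknown", None


# Constructed sample of From: header values as a gateway log might record them.
SAMPLE_SENDERS = [
    "finance@example-accountants.co.uk",
    "Staff Rewards <promo@examp1e-accountants.co.uk>",
    "it-support@example-acountants.co.uk",
    "newsletter@some-unrelated-vendor.com",
]


def triage(senders=SAMPLE_SENDERS):
    """Group senders by verdict so look-alikes can be held for review."""
    out = {"trusted": [], "lookalike": [], "unknown": []}
    for s in senders:
        verdict, _ = classify_sender(s)
        out[verdict].append(s)
    return out


if __name__ == "__main__":
    for verdict, items in triage().items():
        print(f"{verdict:10s} {items}")
```

The threshold of two edits is deliberately small: a large distance would start matching unrelated domains, while a folded exact match catches the digit-for-letter and rn-for-m substitutions that a distance check alone would score as several edits. In practice the verdict would feed a quarantine rule or an alert rather than a blanket block, since the trusted list itself needs maintaining as suppliers change.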
Paul Taylor, partner and UK head of cyber security for KPMG, fears these vulnerabilities may be exacerbated by increased use of automated supply chain processes, machine learning technologies, or inadequately secured Internet of Things-connected devices. Evaluating the risk – and trying to prevent the possibilities – of suppliers and their staff creating security problems for an organisation is also very difficult. “Historically, large organisations have used third party supplier security reviews,” says David Calder, managing director and co-founder of security firm Adarma. “That’s been quite a heavy burden and is viewed by a lot of organisations as a compliance requirement, rather than a way to manage a threat. More recently, organisations have started to try to assess the risks and threat that a third party presents if it were compromised.” Businesses also need to assess such risks in relation to cloud technology service providers.
The security a cloud service provider can offer is almost certainly as good as, if not considerably better than, a business’s own, but, as Kirstin Gillon, technical manager in the Tech Faculty at ICAEW says, businesses must never assume that storing data on a cloud provider’s servers means responsibility for protecting that data has been delegated. “You are still responsible for client data in the cloud,” she says. “You can never outsource the risk and responsibility.” Calder believes cyber risks related to cloud services should be managed in the same way as risks related to other third party providers. “You need to look at what controls you have and what someone could do if they breached this system and got into an online CRM system, or an online ledger, for example,” he says.
Quick reflexes
Finally, planning how to respond to cyber security incidents is just as important as the job of trying to prevent them. “In the future, cyber becomes just another risk and what then becomes most important is operational resilience,” says Taylor. “It’s about how much damage is done, how you recover and what’s the effect on your customers.”
These are questions for the board – but the problem is that many boards suffer from a lack of technical understanding. This is where providers of accountancy and advisory services may play an important role in future. “As accountants one of our key jobs is to highlight business risks,” says Malik. “With most of the cyber security work that I do, the main buyer is the FD, or the audit committee. They want someone to give them an independent view on their cyber security. And when I’m feeding back cyber risks to the board, I’m putting those risks into a business context – using a language that the board can understand.”
ICAEW is working to support accountancy firms seeking to improve cyber security and to help clients improve their security posture. It also works with the Cyber Security Information Sharing Partnership (CISP), a joint initiative between government and multiple industries that aims to share cyber threat information to help combat those threats. A collaborative approach is necessary to tackle cyber threats in an increasingly connected world, but ultimately every organisation must take responsibility for its own security requirements, and for planning how to respond to and recover from cyber incidents. As Malik says: “It is going to happen to you – you need to be prepared.”
Originally published in Economia on 3 October 2019.