It only takes one successful attack to create serious problems. Ransomware attackers have the ability to shut your business down entirely while they demand payment. This will cause a huge impact both financially and reputationally for your own practice as well as on the businesses of your clients and their clients. There are also significant financial penalties if customer data is stolen.
To combat these threats, accountants need to ensure they have robust cyber-security measures in place that apply to data, devices, software, people and passwords.
Here are our top tips to maximise safeguarding data, systems and infrastructure:
1. Use complex passwords and two-factor authentication
Only use long and complex passwords, which you can create using a password generator and store using a password manager. Ensure that you use a unique password for each account, so that a breach of one account cannot spread to others.
Two-factor authentication, which typically involves a code being sent to your mobile, should be turned on wherever it is available for maximum security.
In the office, separate your private network from the guest network, and never use public Wi-Fi for business purposes.
If you have employees, ensure they follow this system too, as your security is only as good as its weakest link.
2. Back up data regularly
Backing up business-critical data to the cloud, and ensuring that the cloud storage itself is protected by two-factor authentication, is a key and ongoing task for protecting yourself from cybercriminals. Backups can be automated to remove the risk of human error.
If backups are taken regularly, you can return to business as usual even if you are the victim of a cyber-attack.
3. Make sure devices are secure
Office and home phones, laptops, computers and tablets all need to be kept secure by installing software updates as soon as they become available. This gives you the best available protection against hackers and malware.
It is best practice to:
- Switch on your firewall and enable antivirus software
- Set up a PIN code, password, fingerprint or face ID to stop others from accessing your device
- Set devices to auto-lock after a period of inactivity
- Make sure you are using the latest version of all software
- Ensure automatic updates are turned on and always allow them to install
- Turn on remote tracking and wiping for your mobile
Make sure that employees follow these rules too.
4. Be alert to phishing
'Phishing' is when criminals use scam emails, text messages or phone calls to trick you into visiting a website, which may download malware onto your computer or steal bank details or other personal information.
It is incredibly important to train staff regularly on the dangers of clicking links in unfamiliar emails and of handing information to sources that are not legitimate. Staff should feel comfortable raising their suspicions with you.
Ensure that all members of staff have only the lowest level of user rights and access needed to do their jobs, and restrict access to sensitive data to those who genuinely need it.
5. Data is an asset – make sure it’s secure
It is important to understand that data is an asset which has value both to you and to others who may seek to benefit from it. This includes your own personal data (contact details, bank details, medical history, etc.) as well as that of your clients.
Under the UK Data Protection Act, you are responsible for taking reasonable steps to secure the data of your clients, suppliers and staff. This covers all personal information: names, addresses, salaries, bank details and any other information that could be used to identify an individual.
You must:
- collect only the information you need for a specific purpose
- keep it secure
- ensure it is relevant and up to date
- hold only as much as you need, and only for as long as you need it
- allow the subject of the information to see it on request.
Failure to follow these rules can result in your business being fined.
Creating and maintaining a data asset register, listing the location, type and quantity of data you control and the devices it is held on, will help you see just how much there is. The process of protecting yourself against cyber threats starts with producing this document. It needs to be kept up to date as your business grows and changes, and it can also be useful when applying for cyber insurance.
6. Plan for the worst case
Developing a Business Continuity Plan can help you plan for and mitigate the risk of the many eventualities you may face. This includes the risks posed by cyber breaches as well as many wider risks. Start by simply listing all the critical functions of your business, put them in order of importance, find ways to mitigate the risk to each one, then put a plan in place for how to react if each function fails.
With a few simple steps and a security-focussed mindset you can drastically reduce the risk of being attacked and guard against the most serious consequences. There is no perfect list of actions which, once completed, makes you secure once and for all. Constant vigilance is required; making a point of regularly reviewing the systems you have in place will help keep you safe.
Cyber insurance is specifically tailored to cover you for breaches and other cyber threats. The premium is calculated based on risk, and as part of the application process you will be asked a series of questions about your security arrangements and the data you hold. Going through this process will help you understand your situation and can be valuable in its own right.
All TaxAssist Accountants have access to a team of IT experts at the Support Centre, plus the backup of our recommended IT partner, AcoraOne, which is fully ISO 27001 (security) and ISO 9001 (quality) compliant.