The nature of business in the 21st century means that more and more businesses are using technology. Cloud software, websites, smartphones, tablets, social media and ecommerce are now the standard way of conducting business. And this rapid rise of technology has been accompanied by an increase in security breaches.
According to The Global State of Information Security® Survey 2016 conducted by PwC, the number of security breaches affecting UK organisations rose by 38% in 2015, and the theft of “hard” intellectual property increased by 56%.
To help accountancy practices prepare and remain aware, we’ve listed what accountants sometimes do wrong, followed by some of the things that can help fix the problem:
What accountants are doing wrong in 2016
- Tolerating BYOD (bring your own device) insecurity
While many accountants are using mobile devices at work to email and text other professionals and clients, there are others who take work home or to public places like cafes. Many of the smartphones and tablets they use are not properly secured and encrypted. If these devices are stolen or lost, your data is at risk. You need to consider those devices in your practice’s security policies.
- Not spending enough on security
Although PwC’s report found that financial service organisations increased their security spending by 14% in 2015, there are still many small accountancy practices that do not devote much of their IT budget to security. With clients’ financial information at stake and the advent of the cloud, accountants need to re-evaluate their overall security strategy.
- Unaware employees
According to the PwC report, while employees (knowingly or unknowingly) remain the most cited (22%) source of compromise, many security incidents are attributed to business partners. As staff members can be seen as the Achilles' heel of cybersecurity, making mistakes like clicking on a malware link or losing their mobile devices, they need to be made aware that security is not only the IT department’s responsibility but also theirs. Asking employees not to click on questionable links should be part of your security policy.
- Complex IT systems, policies and protocols
Staff members will ignore IT policies and protocols that are too complex to use, no matter how good your intentions are. Striking a balance is critical to protecting financial information: protocols and policies should focus on ease of use, because controls that staff work around leave the financial data at risk.
What accountants need to do in 2016
- Replace passwords with two-factor authentication
Secure log-ins, usually an email address and a password, are a no-brainer, but two-factor authentication (2FA for short) is something accountancy practices need to look at in 2016. Back in the March 2015 Budget, HMRC made a couple of important announcements, namely Digital Tax and an Application Programming Interface (API). The API links business accounting and bookkeeping software data directly with HMRC’s digital tax accounts. This strategy will drive a change in how software interacts with HMRC, and subsequently the way accountants authorise software to submit tax returns to HMRC will change. The most likely innovation to come is two-factor authentication, in which you set up your mobile phone to receive a supplementary identity verification code via SMS to complete a log-in or authorisation process. This means only the user with access to the trusted device will be able to log in, making it more arduous for unauthorised people to access the data. Tech giant Google has developed a USB device called the Security Key that provides this type of authentication for its Google for Work applications.
- Encrypt mobile devices and databases
Whether data is at rest in the database, being accessed by an employee, or in transit between a device and storage, encrypting data is a very good way to ensure its security, particularly in the event of a system hack or lost/stolen device. Encryption is your practice’s safe harbour. In an interview with the Guardian in Moscow, even Edward Snowden advised accountants to encrypt data by default.
- Check cloud service provider is serious about security
If accountancy practices are considering moving to the cloud they need to shop around and find out if they are getting the right service for their practice’s data. Accountants should check that the cloud provider is serious about security. Find out if the cloud provider is part of the Cloud Security Alliance. Ask them if their compliance standards adhere to the ISO 27000 series. Find out where they are hosting your data. It’s important you get it right because the potential security implications of this are massive.
- Introduce enterprise mobility management (EMM) systems
As mobile devices can easily be lost or stolen, the data on those devices is vulnerable. In 2016, accountancy practices need to look at using EMM systems as these help IT administrators manage and secure all of the mobile devices connected to a practice’s network.
- Build a culture of security
Anti-malware software, spam managers, encryption and other security measures are important, but they aren’t enough. You need to create a top-to-bottom security culture, in which staff who access data or systems personally feel responsible for maintaining the security of the information. This is predominantly a training issue and practices need to address this.
Accountancy practices still have a long way to go before they can bullet-proof their data security technologies and practices, but these things are achievable. To borrow a quote from Douglas Adams’s The Hitchhiker’s Guide to the Galaxy: “It’s a tough universe. There’s all sorts of people and things trying to do you, kill you, rip you off... everything. If you're going to survive out there, you've really got to secure your data.”