When more than a third of European businesses admit to being breached by a cyberattack, it comes as no surprise that cybersecurity tops annual business risk league tables.
What’s more, global accountancy firm RSM International says that 80% of European businesses view digital transformation as a strategic priority for their growth, with 29% of businesses seeing their revenue grow as a result of digital investments, cloud technology being their biggest area of focus. This means the need to invest in cyber protection is only going to increase.
The current picture is, however, concerning. Only 34% of businesses have adopted a cybersecurity strategy which they believe will protect them in case of future attacks, while 21% have no strategy at all, according to the RSM survey.
New technology, new risks
Accountancy, like pretty much every other sector, is seeing extensive digital transformation, particularly with the arrival of cloud technology and AI in the profession, making it vulnerable to cyberattacks. Yet many forget that with digital transformation come great responsibilities.
Gregor Strobl, Co-Head of Risk Advisory Services, RSM Germany, comments: “Accountants are beginning to understand that IT-systems are a vital part of accounting, financial reporting and business operations. That those systems are connected is a big advantage for businesses, the accountants and senior management when it comes to data collection and streamlining the processes.”
Will Shilson, VP of Client Technology Strategy at Calligo, adds: “The accountancy sector is suffering an IT security perfect storm. Some of the most popular software programs for cybercriminals to target are in the accountancy and tax space. Combine this with the fact that accountancy firms rank as one of the lowest industry sectors for internal IT expertise and cybersecurity awareness, and there is a recipe for disaster.”
Entering a phase of digital transformation entails new training requirements and risk assessments, so businesses are advised to endorse a cyber security strategy.
Jonathan Wilkins, director at automation equipment supplier EU Automation says: “Just like meeting someone with a cold creates the possibility that you could pick up the bug, increased connectivity in your business creates more opportunities for cybercriminals to introduce viruses into your system. Digital transformation must go hand in hand with cyber security measures.”
Firms failing to invest in cyber security also put themselves at risk of paying the cost in the future.
Ben Rose, chief underwriting officer at Digital Risks states: “As businesses digitise their processes, such as the change we’re seeing within the accountancy industry, the risk of cyber criminals hacking businesses for data increases.”
Research led by Hiscox shows that more than half (55%) of businesses were hit by a cyber-attack last year – double the number affected the year before. And with costs reaching between £65,000 and £115,000, many may find it difficult to recover.”
An increasing threat
As the use of technology in accountancy grows, Rose believes firms will have to deal with even more sophisticated cyberattacks where, for example, criminals could trick clients into making payments.
He explained: “Deep Fake technology, where you can mimic the appearance and voice of any person using AI technology, will soon become a big threat, and has the potential to seriously dupe people out of their money.
“This is a build on spear-phishing, which has traditionally been based on emails asking stakeholders to make a quick, urgent payment to an account. You can see how this could be an issue for accountants, who are processing and managing big sums of money. If a criminal gains access to your customer database, they could easily mimic your email, or in the future, your voice, and dupe clients into making payments to an external account.”
Key to success
To be protected against potential threats, RSM believes the key to success is preparation. Much like Wilkins’ comparison to a cold, a cyberattack must be treated as a bug: businesses should focus on avoiding the contagion.
The global accountancy firm suggests that actions such as risk management, security, and good project management of any investment in digital transformation be considered beforehand.
GDPR is also worth mentioning here. The regulation was initiated for businesses to undertake such actions, but the pressure put on organisations led to GDPR fatigue, with many holding back from meeting the requirements and reverting to previous working practices.
The Chartered IIA’s Risk in Focus 2020 analyses the implementation of regulatory change by businesses with the arrival of GDPR and the legal frameworks for online payments.
Dr Ian Peters MBE, Chief Executive of the Chartered Institute of Internal Auditors, says:
“This risk is likely to become more severe for UK and Irish businesses, as they face the prospect of further regulatory change because of Brexit.”
Time for action
Whilst Risk in Focus 2020 identifies cybersecurity as the top risk facing businesses today, the report also provides advice to businesses and investigates whether they have taken enough action in response to these regulatory changes.
The report reveals ways in which businesses can minimise the risk of cyberattack. It suggests adopting measures such as assessing how customer service chatbots are protected against breaches or recruiting an internal or external cybersecurity expert.
Strobl views investment in cybersecurity protection as the most cost-effective approach: “From experience, the cost of ransomware attacks (e.g. the cost to release the files as well as re-building the IT-system from scratch after being deleted) is much higher than recruiting or co-sourcing IT-security experts. The prevalence of cyber-attacks taking place across Europe, as found in our research, shows that all sizes of companies are potential targets for various hack-attacks.
“I see the lack of investment as equivalent to owning an expensive piece of jewellery and never thinking about an alarm system, because you don’t think the cost benefit is worth it. It’s insurance – hopefully you’ll never need it, but if you don’t have it, it’s going to hurt.”
Staff training
Another preparatory measure firms can adopt is to provide training to staff. The report led by the IIA revealed 22% of businesses are still not providing training to their staff, despite almost half of successful attacks targeting under-trained employees via email.
Wilkins explains: “Security training shouldn’t be limited to a one-off seminar for the staff and an initial system upgrade. Patch maintenance and updates need to be carried out as and when vulnerabilities are revealed, or new software is released.
“IT managers must implement vigorous maintenance and monitoring policies. Security is a constant and evolving concern, not something that can be solved with one quick fix.”
Strobl added: “Without question, human error is inevitable and poses the biggest security risk to businesses. When it comes to cybersecurity, it is costing European middle market businesses dearly.
“Hackers are skilful manipulators and well-versed in taking advantage of our curiosity through carefully crafted phishing emails. It is vitally important to ensure that staff know how to recognise and respond if they are targeted by ransomware or phishing attacks.”
Focus on vulnerabilities
As part of the key to success, Strobl argues businesses should focus on their vulnerabilities and areas of risk. To do so, businesses can use the help of white-hat hackers to identify those areas and assess which tool would be best to ensure data protection.
Strobl says: “The best way would be ‘being able to think like a black-hat hacker’. When you understand why you might be attacked, you can better prepare your business – it’s all about knowing your own vulnerabilities and areas of high risk. Most hack-attacks use the weakest entry point – which, as our research found, is most likely the employee.
“Once a hacker has gained access it is easy for them to install backdoors in order to gain access again and again without the need for social engineering. In order to be able to think like a hacker you need experience. So-called white-hat hackers can help you identify your high-risk areas and protect your assets with best-practice tools and parameter settings.”
Finally, RSM’s Catch 22 recommends that employees be sensitive to and suspicious of incoming emails. It advises them not to click on shortened links and to watch out for the URL of a website. Personal or financial information about the company should never be shared unless the recipient is a legitimate organisation. The global accountancy firm also suggests installing anti-virus software, firewalls and phishing filters to avoid potential risks of cyberattack.
A quick recap
In short, emerging technologies bring many benefits in terms of revenue growth and freeing up resources, but what businesses tend to ignore is that with digital transformation comes greater cybersecurity risk. For this reason, investment in cybersecurity is non-negotiable.
Many have suggested measures and actions to prevent cyberattacks from happening. These include:
• Assess how your customer service chatbots are protected against breaches
• Recruit an internal or external expert to minimise corporate risks
• Review the security of cloud services, such as ensuring that robust systems to prevent misconfigurations are in place
• Train your staff and promote awareness in the workplace.