If no one is too big to fail, it’s also true that you are never too small to be hacked. In 2017 an Australian insurance broker Fenton Green had 17 claims from small and medium-sized accounting practices (SMPs) for cyber-security breaches. Green doesn’t insure all accountants in the country and even so that’s a sizeable number of claims for a country with such a small population (nearly 25 million). Last year a survey of 183 small Australian practices by accounting consultant Smithink revealed that one in six firms had been hacked or suffered from malicious incidents.

Technology Risks:

“As far as risk profiles go, accountants with their access to client data including bank accounts and financial statements are at the top as hackers are concerned. Their sheer financial footprint means their risk profile is high,” notes principal Drew Fenton. According to Fenton, only 25 to 30 percent of Australia SMPs use the Cloud to store sensitive data, and there remains increasing concerns around data security in the Cloud with 66 percent concerned about the security risk, a six percent increase from the previous year. SMP owner Tanya Titman, who is an avid Cloud champion, reflects on the days of putting client files on USB sticks. “Did anyone keep track of those USB sticks? With the Cloud there’s so much more security and much more process.” Drew Fenton agrees: “At the end of the day if you are not in the Cloud you are not protected.”

So what are the risks of this so called more secure digital data storage? They boil down to the same old issue: keeping track of your data. IT security expert Dr Michael Axelsen says, “Losing USB sticks used to be the greatest risk, but today the risk occurs when you go from one Cloud provider to another.” Using numerous Cloud providers may increase your security risk. Why? Because cloud providers have the right to edit and modify your inputted information. Cloud providers don’t agree on or maintain the same security agreements and – due to tough competition, potential cost issues, and outsourcing overseas - your sensitive data can potentially become compromised. 

“Practitioners need to make sure when they change Cloud providers that their data is taken off the backup systems - otherwise they could end up with a patchwork quilt of different service providers” notes Axelsen, who argues that the Cloud is still far better than the alternative.

But what is the easiest way to get hacked? It’s not the Cloud, Fenton says, the easiest way to get hacked is by opening the wrong email. ‘Innocent emails’ asking you to click on attachments is an open door for hackers to access your system.” 

Axelsen says firms can counter these events by initiating a “data respect culture” which involves making staff hyper-aware of data security. “That’s probably your best line of defense. Your data might be encrypted and relatively secure, but hackers can get something from your firm by social engineering methods or phishing.” He recommends having a strict risk policy and email protocols in place. Businesses are increasingly testing their staff through “phishing tests”, which are test emails sent to staff emails asking them to click on a variety of requests. People need to change their mindset to constantly be on guard and suspicious of all emails that are asking for an action or personal information.                        

Here are factors to consider in order to keeping your data, and your clients, safe.

Tips on Keeping Data Safe:

  • Technology Risk Management Framework
    The first step firms should take is to build and maintain a technology risk management framework. This includes policies and procedures on how a firm assesses and identifies risks associated with the use, ownership, operation, and adoption of IT. 
  • The Cloud
    Today’s cloud is safer than in-house servers, but data management is key. Know who your providers are and where they are storing your data. Consider security solutions such as two-factor authentication.
  • Disaster Recovery and Business Continuity Plans
    It is too late to build a disaster recovery plan after an attack. Failure to build and maintain an effective business disaster recovery system can be catastrophic. Firms need a proactive risk management plan that covers system and software back-ups; off-site storage; and trial restores.  
  • Cybersecurity
    It is important to have system utilities to protect the firm from malicious attacks. Systems that can proactively combat cybersecurity attacks include, firewalls, virus protection, malware/spyware programs, and anti-spam and phishing software.
  • Policies and Procedures
    Installing good IT governance procedures within a firm is critical. Policies should include guidelines that ensure that systems are not misused, with practices to ensure that applicable policies are continually reviewed and updated to reflect current risks. Ongoing education to all employees of the firm on technology risks should be part of the firms risk management framework.
  • Hardware
    Keep a log of hardware (including laptops and phones). Maintenance contracts should be sustained with hardware suppliers so that hardware failures can be quickly rectified. Ban staff from using free Wi-Fi -- on company or personal hardware -- to access sensitive data.
  • Software
    Keep an updated tracking system of current, past, and potentially future software subscriptions. Regularly upgrade software to current levels and allow time for system patching before shutting down your devices.
  • Insurance
    Adequate insurance for the firm must be maintained and cover the cost of replacing infrastructure, and labor costs to rebuild systems and restore data. Also, consider insurance for the loss of productivity resulting from a major system failure or catastrophic event.

IFAC has recently launched an updated the Guide to Practice Management for Small- and Medium-Sized Practices, which includes a new chapter on Leveraging Technology and covers Developing a Technology Strategy, Hardware and Software Options, Technology Risks and New & Emerging Technologies.

Peter Docherty

General Manager, Public Practice, CPA Australia

Peter Docherty is the General Manager of Public Practice at CPA Australia, responsible for strategic oversight of issues impacting public practice members globally, developing member services and advocacy. Peter is a regular speaker in Australia and overseas on regulatory oversight and practice management. He facilitated the development of the IFAC Guide to Practice Management for Small to Medium Practices, CPA Australia’s Firm of the Future Report and Practice Management Portal.