SJD and Nixon Williams hack

How are accountants feeling about the cybercrime net closing in?


The reports of SJD and Nixon Williams being hacked are pretty wild, but given the nature of the information held by practices I suppose it was only a matter of time before the cybercrime net closed in on accountancy. How are people feeling about this? Is it a case of 'when not if'? 

Replies (9)


By Slim
19th Jan 2022 12:27

I take it very seriously, although I know very little about infosec. I stick to large trusted platforms (no guarantee, I know) and 2FA.

Thanks (0)
By Justin Bryant
19th Jan 2022 13:13

For every successful cyber attack report there must be at least 10 others unreported, so this is not surprising and will continue as long as people can blackmail in crypto totally anonymously as the potential payoff is so big.

An investment in cybersecurity is a good bet.

https://www.lawgazette.co.uk/news/conveyancing-firms-may-be-forced-to-bu...

Thanks (1)
By Hugo Fair
19th Jan 2022 13:23

Unless you're prepared to conduct all your business on paper with the occasional use of a PC that isn't connected to the Internet (a policy of some all the way through to 2000+) ... then you need to take cybersecurity very seriously. After all you wouldn't leave your office with doors & windows gaping open overnight, or simply throw your clients' accounts out into the street in the hope that they somehow get to the right person.

But the bit that usually isn't explained properly (however obvious it may seem) is that there are two main components ... the software 'solutions' that you put in place, and the policies/procedures with which your staff are instructed to comply.
And it is the latter part which most hacks utilise to gain entry - the fallibility of humans to consistently apply the rules and not occasionally cut corners or forget.

So you need to add a 3rd level/component ... the constant review (or policing) of staff compliance - which is neither popular nor inexpensive, and so gets 'cut' with obvious potential consequences.

It's a bit like Quality Standards - except that any failure can terminate the business!

Thanks (1)
A Putey FACA
By Arthur Putey
19th Jan 2022 13:56

Most of the cloud platforms (with the notable exception of HMRC agent services!) now require MFA. I'm more concerned about back end hacks on the platforms. Also things like archiving (picking on Xero here but they won't be the only one) and GDPR retention policies so that old data can be archived or better still deleted once the statutory retention period is up.

Thanks (0)
By Paul Crowley
19th Jan 2022 14:48

A determined skilled hacker can get anything
Whatever is put in place is simply a time delay

A bit like buildings
Owner can delay entry but not prevent it

Thanks (0)
Replying to Paul Crowley:
By Hugo Fair
19th Jan 2022 14:56

I know what you mean ... but try telling that to the owner of a bitcoin 'wallet' who has lost her/his password!

Thanks (1)
Replying to Paul Crowley:
By stepurhan
19th Jan 2022 17:47

You are quite correct. The aim of most security is to make yourself not worth the trouble.

It is a bit like those telephone calls claiming to be from Amazon. They could put a lot of effort into convincing someone initially sceptical, but they are much better off moving on to the next person on their list in the hope they are more gullible.

As long as your security is better than average, it is less likely you will be targeted unless someone holds a personal grudge.

Thanks (0)
By rmillaree
19th Jan 2022 15:53

Kinda makes me think I can't retire too soon.

Thanks (1)
By Gone Sailing
27th Jan 2022 17:45

It includes stopping it, getting your data if it happens, not paying a ransom, being able to contact your online service providers if you have concerns, taking back control of your accesses.

Not one of my online service providers, e.g. HMRC, my accounts and tax filing software, have contacted me to set up a secure contact in the case of a suspected or actual breach.

So, if I email them, text them, phone them, write a letter, turn up at their front door, stand outside with a tannoy, how do they know it's me shouting for help, and not the hacker?

Thanks (0)