Cybersecurity: Start here for safer computing
Cybersecurity issues are now a fact of life in the cloud economy – all of the new opportunities the internet brings are accompanied by a whole host of scary threats. As a result, cybersecurity awareness has become more important than ever.
Anyone involved in finance will be aware of the headaches and bureaucracy surrounding payments. In the age of internet banking, there should be no need to wait for payments to clear. Yet the convenience of instant transfers also lessens the opportunity to spot and prevent suspicious transactions. Thieves might well have spirited the money away before you spot that it’s gone.
These cybersecurity threats are scary mainly because they’re unknown. But a little experience seems to go a long way – if figures from BullGuard are anything to go by. The company’s recent international survey found that 60% of US and UK small businesses did not think their firms were likely to be targets of cyberattacks and 43% had no defence plan in place.
Yet 18.5% of that sample had experienced data breaches in the previous 12 months – lower than the most recent UK government annual security breaches survey figure of 30%. The experience of a breach typically raises awareness of the need for better cyber protection – 50% of the Security Bull survey respondents said they took 24 hours or longer to recover from a breach and 40% lost crucial data. For a quarter of those affected, the recovery costs exceeded $10,000.
To save you the inconvenience and cost of such painful cybersecurity lessons, this overview aims to help accountants familiarise themselves with recent information security resources on this site and our US sister site, so you can get to grips with this essential technology issue.
Don’t make assumptions
In the era of cloud applications, it’s advisable not to make any assumptions about security. Verizon’s 2019 Data Breach Investigations Report found that web applications are a top target for hackers.
Cloud systems are complex pieces of software, which increases the risk of unrecognised vulnerabilities that can be exploited – as we saw last year when CCH Axcess was breached in the USA.
“Your data is only as safe as the vendor’s employees and processes make it,” wrote Mike Skinner, partner in charge at Horne Cybersecurity LLC after that incident. “As you negotiate an initial contract, you must be certain that the vendor is taking proactive measures to prevent your data from being compromised in security breaches and process failure.”
SAP Concur offered similar advice last December, urging cloud software users to ensure their service providers follow all the relevant privacy laws and data protection practices. It advised that these be followed across multiple devices and platforms in the territories where the customer company operates.
Under the European Union General Data Protection Regulation (GDPR), for example, personal data has to be stored within the EU or in a safe harbour country. Have you asked your cloud supplier if they comply with that requirement? And have they provided you with any assurance about their data centre backup and recovery facilities?
As well as looking for evidence of “three nines” system availability (ie available 99.9% of the time), compliance with industry standards such as the ISO 27000 family should be a given for reputable suppliers.
Practice “cyber wellness”
US-based security practitioner David X Martin has thrown his weight behind the somewhat new-age concept of cyber wellness. For him, security is less a set of specific defensive measures than a way of conducting your business in a healthy, cyber-aware way.
“This plan of attack takes into account the fact that it is impossible to centrally control every connection with employees and clients,” wrote Martin. “Everyone in the firm is responsible for the risks they undertake. It is an active process – just like physical wellness programs, in which the company takes an active approach to promoting and maintaining employees’ good health.”
Cyber wellness doesn’t wait for an attack to happen. It starts with preventive measures such as training to deepen employees’ knowledge, and keeps them updated with regular reports on specific threats.
This underlying cyber wellness approach includes elements such as:
- Comparing existing security strategies against best practices
- Assessing vulnerabilities, with cost/benefit estimates of mitigating them
- Evaluating cybersecurity spending against the value of the assets protected
- Mapping current and emerging threats
The best practice element of cyber wellness extends into governance structures and policies, backed by ongoing workforce training. This structure should include the cybersecurity audits and management process for third-party suppliers already mentioned. Insurance options, and how to implement the cover, should also be considered.
The objective of all these efforts is that “When bad events happen, employees at all levels are better prepared to deal with them,” Martin wrote.
Thomson Reuters’ Ian Cooper echoed some of the same themes in his recent tips on how to create a culture of cybersecurity. These included:
- Give clear instructions to establish good habits, such as not downloading files or clicking on links from unknown senders.
- Discuss it regularly – the more you discuss cybersecurity threats with your staff, the greater their awareness and the likelihood of their recognising a potential attack.
- Password resets are a key weapon in your defence arsenal. Make sure you have clear guidelines on the frequency of resets and the complexity of passwords, and enforce resets through your IT system if this is feasible.
- Training – the more the better when it comes to cybersecurity, so you and your staff can keep up with evolving threats such as phishing emails.
In essence, good cybersecurity should become part of your firm’s culture. It should be an in-built condition of mild paranoia offset by practical education to help the whole team appreciate the changing nature of threats and the ways in which they can be minimised and mitigated.
As David X Martin wrote in How to apply a military strategy to your firm’s IT strategy, “You need to build a strong foundation of knowledge around your data to understand exactly what you hold and the potential risks to its security. A helpful way of determining the value of a specific piece of information – and the risks to be managed – is to think about the impact if it got into the public domain. What would happen?”
Further advice on this subject is available by following links in this text, and from this 2019 podcast on building a cybersecurity culture.