Making Tax Digital (MTD) is expected to deliver a more efficient tax collection system for HMRC, but concerns have been raised around the cyber security vulnerabilities that will emerge.
Many companies are upgrading their existing – or adopting new – accounting packages in order to deliver VAT returns in the required format requirement.
However, the Treasury Select Committee has warned that many businesses are unprepared for digital tax processes and as a result will be vulnerable to exploitation by cyber criminals. Here’s how accountants can help themselves and their clients avoid the potential risks.
As dictated by MTD legislation, all VAT submissions must be submitted electronically to HMRC from April 2019. For many small to medium businesses management of VAT has historically been handled on spreadsheets and then submitted via the HMRC web portal manually.
However, from April the HMRC portal is being withdrawn and submissions will need to be undertaken using MTD compatible software, and electronic records maintained. Some organisations will not currently be using an accounting package, while others may have a solution that is not MTD compatible, which will need to be upgraded, or replaced.
In either case an organisation must consider the following with regards to a system’s usage and operation:
- Is it protected from cyber-attacks?
- Is access to data restricted to only the staff that need access?
- Are you processing clients’ personal information in accordance with the UK Data Protection Act 2018 and GDPR? Where you use third parties to host or operate your solution, have you fulfilled your responsibility to verify that the supplier is protecting the data appropriately and meets it data protection obligations?
- Are you and your suppliers’ staff trained to deal with cyber security threats, can they protect data appropriately and are they aware of their data protection/GDPR obligations?
The human element
We hear daily about cyber-attacks and data breaches and the responsibility is usually placed with IT. Of course, some element of risk can be mitigated with the help of the IT department via firewalls, encryption and fixes to vulnerable software and IT service – ie effective patch management.
However, 80% of breaches are due to human error: staff throughout the organisation unwittingly allowing virus or hacks into the system.
With MTD being so new, criminals will view this as the perfect time to trick unsuspecting employees into revealing confidential information. Cybercriminals are using ever more sophisticated techniques to fool people into believing that malicious communications are trustworthy.
One of the most common causes of data breach is staff falling victim to an email phishing attack. If employees are unaware of the potential risks and not following good practice, the organisation and client data could quickly become compromised.
Cyber security for all, not just IT
The best way to prevent a breach is to ensure that all staff appreciate how they could be targeted, and that they comply with set policies when it comes to electronic communications and internet usage.
Employers need to ensure staff are brought up to speed with these policies when they are inducted into a company – and then kept up-to-date with the latest threats, because they are evolving all the time.
Online or classroom courses on cyber awareness, GDPR and specific upcoming legislation such as Making Tax Digital are worth implementing for all new employees and existing staff that work with digital records.
The risk relating to personal data may not at first glance seem obvious for an accounting solution. However, if a business trades with or buys products from sole traders, partnerships and companies (of any size) they may be holding email addresses (business or personal), home addresses, and mobile phones that link back to an identifiable individual, and this information is covered by data protection legislation.
Accountants themselves have a lot of data and information – personal and financial – which is not only of importance to the customer but also of value to the cybercriminal. With GDPR, businesses are obliged to reveal if and when they have a data breach.
Businesses quickly lose the trust placed in them, as well as their credibility, when it transpires they have been breached and customer data has been compromised. Implementing procedures for managing customer data is now not only mandatory but essential to your reputation as a business.
To assess the risks that implementing a new accountancy package can bring, or even to assess an existing service, a good place to start is to complete a Data Privacy Impact Assessment (DPIA) that outlines what data you hold, where it is stored, the end to end data flows, and the risks that you need to protect from. A template available from the Information Commissioners Office (ICO) can be used for this, or you can obtain professional advice.
Make cyber security common practice
The truth is that no company, business or data set is totally cyber secure. However, statistics show that companies that have started to improve their information security practices and train their staff reduce their risk of being impacted by a cyber-incident by over 50%. Most people would say “this is common sense”, but the evidence is that it’s not yet “common practice”.
There needs to be far more awareness and education around this issue as businesses are often unaware that they could be a target, and also unsure how to respond when they are targeted. Accountants can act now to educate staff and clients to the potential risks and to ensure precautionary procedures are in place and understood when working online and with electronic data.
Companies that undertake basic protection disciplines, maintain them, and follow or attain recognised security accreditations are better placed to reduce the risk of loss or exposure to their critical organisational and personal data.