Accountancy firms hold some of the most sensitive data of all businesses; data that could reveal product and marketing strategy, revenue and profit forecasts, and that could highlight weaknesses which could potentially wipe a company off the face of the earth.
But of course, accountants know this – they have a duty of care to safely and securely manage and store their customers’ data, particularly with the incoming EU general data protection regulations (GDPR). Firms are also aware of the cyber security implications and threats as it has become a mainstream topic that is being discussed at the highest level in many organisations.
However, as Adrian Barrett, CEO of GDPR advisory company Exonar, suggests, firms still have a huge target on their systems.
“If I was a hacker looking to gain access to a large company’s sensitive information I’d look for the weakest link. What would be easier, targeting a heavily protected FTSE 500 company with their myriad of security controls and strict data management processes, or targeting their less tech-savvy accountants?”
It’s not the key corporate systems where sensitive data is stored that is often the problem – as companies are investing more and more in order to protect this information. Instead, it is the other ways that information is shared and stored that can have a devastating effect.
For instance, email is one of the easiest forms of communication, but it is also notoriously insecure.
“It’s not universally encrypted, so messages can be intercepted and modified in transit by a dedicated and well-positioned attacker, and email senders can be successfully spoofed if your organisation does not use properly configured email security features like DKIM and SPF,” said David Yates, information security consultant at IT security company MWR InfoSecurity.
Other forms of communication such as WhatsApp and instant messaging apps make it even easier for accountants to share information with each other and other departments, and despite being labelled as ‘encrypted’ could cause issues if a personal or corporate mobile was stolen – this means firms should ensure their employees aren’t sharing sensitive information over these platforms, and have remote wiping capabilities for mobile devices.
Meanwhile, firms should also ensure that metadata – essentially data about data that is automatically generated in the background of a document – is secured. This could include information such as hidden text, cells and fields, email addresses, names of contributors, the server or hard disk where the document is saved, attachments, dates of revisions and different versions, computers’ names on the network and company names. Essentially, every document has metadata attached to it, and if the documents are sent via emails or uploaded onto the internet, this metadata is shared too – unless it has been removed.
It is vulnerable to hackers and can lead to personal and financial information being stolen – particularly if it is sent to another firm whose data management practices are not as sophisticated or well thought out.
For Daniel Stachowiak, MD at MyDocSafe, the supply chain is indeed the biggest weakness when it comes to data protection.
“An accounting firm can protect its most important, sensitive data with a private army, but if an ancillary system is exposed or a supplier or client is not using effective security checks then the accounting firm is going to be under threat,” he said.
“The information supply chain should be a major concern, especially for smaller and emerging firms that do not have huge budgets,” he added.
Another area where information could spread if not properly secure is over the phone.
“Tax season is the busiest time of the year for many accountants and during this time communication will be highly sensitive and confidential,” said Steve Flavell, co-CEO of conference calling company LoopUp, who suggests that hackers could use conference calls as a way to gather information to gain a competitive advantage, or be blackmailed or worse.
Although the majority of people may think it is the norm to be unsure of who has dialled in to a call, Flavell suggested that the conference line should ‘dial out’ to its participants to avoid ‘professional phishers’ or hackers to hear something they shouldn’t.
Finally, there is physical data; it’s not only ‘cyber’ criminals that can attempt to retrieve data remotely, there are people who may try to get hold of physical files or information.
The point is – it’s not as easy to secure data within the organisation by buying an IT security product, there are so many different aspects to data protection that need to be taken into account. All of which need to be looked at ahead of the new EU data protection regulations being enforced.
About Sooraj Shah
Sooraj is a freelance technology journalist covering all things IT.