Top cyber risks for accountants who work remotely

Cyber-crime, resulting in data breaches and fraud, is a growing problem in the UK. At the height of this year’s winter lockdown, when many of us were working remotely, the UK experienced a huge spike in reported instances of cyber-crime, with business reporting losses of £1.3bn during the first part of this year, which is a threefold increase on the prior year.¹

Cyber-criminals have found a lucrative opportunity catching us off-guard in our home environments, and as a result we need to be even more vigilant in protecting ourselves.

At Marsh Commercial, we are the exclusive appointed insurance broker for ICAEW members’ professional indemnity (PI), cyber and office insurance. Our dedicated team offers a wealth of experience to help manage the specific risks, including the increased risk of cyber-crime, faced by chartered accountants working as sole practitioners or in practice.

What is cyber-crime?

Cyber-crime is criminal activity that either targets or uses a computer, a computer network or a networked device. The most common cyber threats to accountancy firms are online scams, phishing emails, malicious domains and malware. Cyber-criminals or hackers generally commit cyber-crime to make money. Some are organised cyber-crime groups using advanced techniques and are highly technically skilled. On rare occasions, cyber-crime could aim to damage computers for reasons other than profit. These could be political or personal.

Phishing email scams have been with us since the early 90s, but they have evolved to be much more sophisticated. An email could appear to come from trusted names like Microsoft or the NHS, with sender details very similar to what you would normally expect. Often, the message will be urgent and require you to click on a link or attachment. Another way cyber-criminals use email is to hack an email account and send emails impersonating the account owner. This is difficult to detect as a recipient ‒ so it’s important to be informed and vigilant.

What is the cost of cyber-crime?

Cyber-crime can cause loss to your business in a variety of ways:

• Financial
  Direct monetary loss from responding to the incident, including remediation, legal costs, compliance fines and lost revenue.
• Time
  An important consideration is the time it takes to manage a cyber-attack, the lost hours from you and your employees responding to the incident.
• Reputational
  Cyber-attacks can result in an ongoing impact to your business from a public relations (PR) perspective – clients may not trust businesses if there has been a data breach. Managing the PR exposure is as important as managing the direct financial cost.

Cyber insurance can help mitigate the loss your business faces in the event of a cyber-attack.

What is the biggest cyber risk to accountancy businesses?

Whilst technology and antivirus software provide your business a level of protection from cyber-crime, cracks in your security are just a click away. Human error is the biggest risk to your cyber security, as employees make a variety of mistakes that can lead to data breaches:

• Failing to install software security updates
• Using weak passwords/sharing passwords
• Falling for phishing email scams.

Human error can have a devastating impact on data protection and system security. A study by Cybint found human error is the leading cause of 95% of cyber-security breaches.² Unfortunately, human error has allowed cyber-crime to thrive during lockdown and experts have attributed this to an increased risk of human error when we work from home.

One example of how working remotely can impact our actions is the element of being away from others. When working together in an office, we might sense-check a suspicious email with colleagues and ask for their opinion. When at home, we rely on our own judgement regarding a suspicious email. Cyber-criminals have leveraged this opportunity, increasing the volume of phishing email scams, with realistic content such as messages from the NHS, HMRC or parcel delivery companies.

How to manage cyber-security in a remote or hybrid work environment

Stay at home orders may have been unavoidable, but many employees have reported benefits of working remotely since the beginning of the pandemic, such as:

• avoiding a lengthy commute
• better work-life balance
• increased productivity
• more flexibility, decreasing stress levels.

Employees have come to expect a level of flexibility and a hybrid model improves your attractiveness as an employer. A flexible working model appeals to all ages – with the younger generation demanding modern working styles and the older generation appreciating the flexibility.

So, how do we manage the increased risk of cyber-attack with a remote or hybrid workforce? The most important form of defence you have is your people, so raising awareness and increasing staff training is the number one priority.

Provide opportunities for your employees to practice identifying suspicious content – including phishing email scams. We have created an educational, interactive test  which is free to download and share. Ensure all company devices are used for business only, and ensure software is kept up-to-date including antivirus software.

Finally, have the right insurance in place should your business come under attack. A recent change in the insurance industry is the clarification of silent cyber in non-cyber policy wordings. This change has been reflected in the ICAEW’s minimum requirements so we’re urging members to consider cyber risk separately to PI risk and take out cyber insurance.

Cyber insurance springs into action as soon as you notify us that your systems have been compromised, providing cover for your liabilities regarding media, data security, viruses and hacking. A policy covers more than just your initial liabilities.

Customer notification, credit monitoring and legal fees are also included. Specialist teams are deployed to identify the root cause of the attack and clear your systems of any malware. You can also access PR consultants to mitigate any damage to your brand.

If you have any questions about managing cyber risk in your business, or cyber insurance, don’t hesitate to contact the ICAEW team on ICAEWenquiries@marshcommercial.co.uk or call 0345 894 4684.

^Sources:

<sup>1. https://www.securitymagazine.com/articles/93722-uk-sees-a-31-increase-in-cyber-crime-amid-the-pandemic
2. https://www.varonis.com/blog/likelihood-of-a-cyber-attack/</sup>