Cyber Insurance for Accountants: The 6 Biggest Information Security Risks To Your Firm and How To Combat Them
Across any industry, and any size of business, cyber security is becoming a daily concern for business owners and professionals around the country.
From sole traders targeted by small-scale phishing attacks designed to net credit card details; all the way up to massive, targeted denial of service or malware attacks on major businesses, the tools and technologies that make our lives easier and our businesses more effective have also left us more exposed than ever to malicious behaviour by bad actors.
In the accounting and financial sectors – which deal in high volumes of sensitive, private and personal information as well as significant monetary assets – there is much for a would-be attacker to potentially gain from an attack that exploits oversight, laziness, ineptitude or hubris.
The same can be said for the legal industry and many other professional service businesses.
This makes the potential damage of a cyber incident in one of these businesses all the more concerning.
The ramifications can be financial, reputational, operational or even legal.
As a safety net, cyber insurance (as well as professional indemnity insurance) could protect chartered accountants, lawyers and finance professionals from certain ramifications.
The 6 biggest information security risks to your business
There are 6 key threats to information security specifically facing those in the legal, accounting and financial sectors.
Knowing these risks and having systems and plans in place to protect your business against them could be the difference between a smooth crisis response, and a career-ending breach.
1. Not thinking you’re at risk
‘Security posture’ is a term that refers to an organisation’s “overall cybersecurity strength.”
Essentially, it’s a measure of how well-prepared and protected a business is to deal with a cyber attack or vulnerability.
In the first quarter of this financial year (July-September 2018), the Finance sector and Accounting and Management Services sector were the second and third-highest industries respectively in terms of reported Notifiable Data Breaches, according to the Office of the Australian Information Commissioner (OAIC).
What does this mean? Well, outside of private health, accounting and finance organisations report some of the highest numbers of data breaches and, as such, are exposed to massive financial, legal and reputational risk.
Security posture can encompass not just your systems and processes, but also your attitude and cultural treatment of security.
If your business thinks it’s not at risk – that is a risk in itself.
The cavalier attitude and lazy planning that can come with believing you’re not a target is a major contributing factor to many firms’ risk. Unfortunately, there is no software plugin that protects against a blasé approach to security.
2. Email, email and email
The OAIC report for Q1 FY18-19 also reported that 20% of data breaches “occurred when information was sent to the wrong recipient” including by email; and another 20% were “attributed to phishing” attacks such as those often launched via email or text message.
Email is an enormous vulnerability for almost any business due to its volume, speed, and opportunities for user error.
Mailguard published a great outline of some of the biggest threats posed by email, which include botnets, hacking, malware, phishing, and spam.
In a business setting, these threats can result in everything from monetary loss through fraudulent invoices, to sharing of personally identifiable information, to breaches of confidentiality and other legal obligations which could have severe civil or criminal repercussions.
3. “We’ll patch that next week”
In 2018, Dark Reading reported that “nearly 60% of organisations that suffered a data breach in the past two years” attributed the attacks to “a known vulnerability for which they had not yet patched.”
Concerns over downtime and compatibility, as well as worries that “software updates and patches could ‘break’ their systems when applied”, were the major reasons for this – but surely many would have taken that risk if they’d known the ultimate result of this hesitation.
Two of the most highly-publicised security breaches in recent years, the Equifax data breach and the WannaCry ransomware attack, both exploited vulnerabilities in unpatched software.
And these were catastrophic events – it was estimated losses from WannaCry could total as much as $4 billion, and the Equifax breach resulted in illegitimate access to over 148 million customers’ personally identifiable information.
The Australian Government’s Stay Smart Online website explains the issue simply and clearly; “Hackers, along with malicious programs or viruses, find weaknesses in software…that they exploit to access computers, smartphones or tablets…
Why is it important to install updates as soon as possible?
To limit the amount of time hackers have to find and use these weaknesses.
The longer a vulnerability is left unpatched, the more hackers will know about the weakness and how to use it.”
With potential scammers poised and ready to take advantage of weakened systems at any moment, an outdated system poses a greater risk with every minute it is left unpatched.
4. Failing to plan, planning to fail
When was the last time your security, tech or leadership teams ran a risk assessment or disaster recovery exercise?
Chances are, the answer is ‘a long time ago, if ever’ – and you wouldn’t be alone.
But it is worth putting the time into planning what you will do to recover from a serious incident, who is responsible, and what the timeframe is for this activity.
A shocking number of cyber attacks still occur due to human error, and many large organisations still don’t have robust cyber security plans.
Last year, the Australian Prudential Regulation Authority (APRA) reported that it was “easy to envisage” a catastrophic attack on one of Australia’s big banks, commenting that “some financial institutions had not tested how they would cope with a cyber attack.”
The U.S. Department of Homeland Security warns that “a plan for data backup and restoration of electronic information is essential”, explaining that there are many measures available to small businesses who may not have the budget or resourcing for large-scale failover solutions.
In addition, it’s important to develop an IT disaster recovery plan “as part of the business continuity plan” and to periodically test this plan to ensure it is still functional and suitable to your business’s needs.
5. Acts of malice & revenge
Try as you might to run a friendly and cohesive business, sometimes bad actors make the decision to damage a business from the inside.
Whether it’s planting holes in your security they can exploit once they leave, or stealing data and records to take with them, it’s a somber reminder that while you can do many things to protect your business from external threats, sometimes the biggest threat is those who are already inside.
There are unfortunately many cases of disgruntled employees copying records before leaving a company or planting backdoor vulnerabilities in software systems.
CSO Online reported on some incredible examples of employees who deliberately caused severe security breaches for their employers, including the story of former Google employee Anthony Levandowski.
After leaving Google’s autonomous car division (now known as Waymo), Levandowski founded his own company, which was later acquired by Uber.
He was then accused of conspiring with then-Uber CEO Travis Kalanick to “steal Waymo’s intellectual property.”
As CSO Online reported; “Allegedly, before Levandowski left Google, he downloaded thousands of files including blueprints and brought them to [his own company] so he could sell them to Uber.”
Because of his role, Levandowski had reasonable access to this proprietary information – but unlike the majority of employees, he chose to exploit this privilege for his own gain.
The nature of employing someone means you are giving them your trust; that they will act with integrity and not place your company at any risk through reckless or malicious acts.
Unfortunately, that trust is not always respected, so strong policies are necessary to protect against the unpredictability of human behaviour.
6. The policies guiding the people
Policy-based weaknesses are intrinsically linked to all of the security risks above, as proper planning and procedures are a key protective measure against many cyber security threats.
Accounting for human error is difficult, but robust policies go some of the way to providing guidance and process to assist best practice.
In late 2017 the Australian Financial Review reported that “almost two-thirds of small accounting practices” considered client data stored in the cloud to be at risk, “with many firms acknowledging they do not enforce basic cyber-security measures such as two-factor authentication and ensuring all software is patched to the most current version.”
Policy and network design weaknesses can be a huge liability if they’re not adequately outlined, tested, updated and maintained on a regular basis.
Cyber Insurance: security for your security
Many of the preventative measures mentioned above have become commonplace in today’s companies.
So you’ve applied these measures, your policies have been reviewed and regularly tested, and your staff is well trained on security procedures.
Even the best-laid plans can fail – and the research shows that many organisations haven’t even made it that far.
A product such as Cyber Insurance can provide an added layer of protection and peace of mind, and may be the difference between sailing through your next cyber threat, or going down with it.
Cyber Insurance provides cover against damages and loss due to malicious attacks, human error and cyber risks.
Some of the threats it can protect against include:
- Costs of investigating a data breach, notifying those impacted and any public relations or reputational recovery work
- Data recovery costs
- Loss of income due to downtime
- Third Party Liability costs incurred due to the breach
- Data Extortion ransom payments
- Multimedia Liability costs related to defamation, libel, slander or copyright infringements