Cyber Insurance for Accountants: The 6 Biggest Information Security Risks To Your Firm and How To Combat Them

By John Catibog

Last Updated on March 12, 2019

Across any industry, and any size of business, cyber security is becoming a daily concern for business owners and professionals around the country.

From sole traders targeted by small-scale phishing attacks designed to net credit card details, all the way up to massive, targeted denial of service or malware attacks on major businesses, the tools and technologies that make our lives easier and our businesses more effective have also left us more exposed than ever to malicious behaviour by bad actors.

In the accounting and financial sectors – which deal in high volumes of sensitive, private and personal information as well as significant monetary assets – there is much for a would-be attacker to potentially gain from an attack that exploits oversight, laziness, ineptitude or hubris.

The same can be said for the legal industry and many other professional service businesses.

This makes the potential damage of a cyber incident in one of these businesses all the more concerning.

The ramifications can be financial, reputational, operational or even legal.

As a safety net, cyber insurance (as well as professional indemnity insurance) could protect chartered accountants, lawyers and finance professionals from certain ramifications.

The 6 biggest information security risks to your business

There are 6 key threats to information security specifically facing those in the legal, accounting and financial sectors.

Knowing these risks and having systems and plans in place to protect your business against them could be the difference between a smooth crisis response, and a career-ending breach.

1. Not thinking you’re at risk


‘Security posture’ is a term that refers to an organisation’s “overall cybersecurity strength.”

Essentially, it’s a measure of how well-prepared and protected a business is to deal with a cyber attack or vulnerability.

In the first quarter of this financial year (July-September 2018), the Finance sector and Accounting and Management Services sector were the second and third-highest industries respectively in terms of reported Notifiable Data Breaches, according to the Office of the Australian Information Commissioner (OAIC).

What does this mean? Well, outside of private health, accounting and finance organisations account for some of the highest numbers of reported breaches and, as such, are exposed to massive financial, legal and reputational risk.

Security posture can encompass not just your systems and processes, but also your attitude and cultural treatment of security.

If your business thinks it’s not at risk – that is a risk in itself.

The cavalier attitude and lazy planning that can come with believing you’re not a target is a major contributing factor to many firms’ risk. Unfortunately, there is no software plugin that protects against a blasé approach to security.

How to combat it

Processes and staff training are key here: ensure that your leadership, support team and everyone in between is monitoring for risks, building protections against them, and staying up to date with the latest developments in cyber threats and security.

2. Email, email and email

The OAIC report for Q1 FY18-19 also reported that 20% of data breaches “occurred when information was sent to the wrong recipient” including by email; and another 20% were “attributed to phishing” attacks such as those often launched via email or text message.

Email is an enormous vulnerability for almost any business due to its volume, speed, and opportunities for user error.

Mailguard published a great outline of some of the biggest threats posed by email, which include botnets, hacking, malware, phishing, and spam.

In a business setting, these threats can result in everything from monetary loss to fraudulent invoices, to sharing of personally identifiable information, to breaches of confidentiality and other legal obligations which could have severe civil or criminal repercussions.

How to combat it

Given how embedded email is in today’s businesses, protecting yourself from information security risks posed by email requires a diversified approach.

Training staff to identify and appropriately handle suspicious emails is one step, but technological defences are also incredibly important. Some of these may include software services that filter for viruses, malware and spyware, as well as tools that scan emails and attachments.

The Australian Government describes application whitelisting as “one of the most effective strategies in ensuring the security of systems”.

This works by ensuring “only authorised applications…can be executed”, to protect against malware and other malicious executable files.

In addition, virtual data rooms provide a secure online environment in which to share data and documents, control access to the information, and prevent the version control and security issues that arise from poor data handling processes – a valuable alternative to risky email attachments.

3. “We’ll patch that next week”

In 2018, Dark Reading reported that “nearly 60% of organisations that suffered a data breach in the past two years” attributed the attacks to “a known vulnerability for which they had not yet patched.”

Concerns over downtime and compatibility, as well as worries that “software updates and patches could ‘break’ their systems when applied”, were the major reasons for this – but surely many would have taken that risk if they’d known the ultimate result of this hesitation.

Two of the most highly publicised security breaches in recent years, the Equifax data breach and the WannaCry ransomware attack, both exploited vulnerabilities in unpatched software.

And these were catastrophic events – it was estimated losses from WannaCry could total as much as $4 billion, and the Equifax breach resulted in illegitimate access to over 148 million customers’ personally identifiable information.

The Australian Government’s Stay Smart Online website explains the issue simply and clearly; “Hackers, along with malicious programs or viruses, find weaknesses in software…that they exploit to access computers, smartphones or tablets…

Why is it important to install updates as soon as possible?

To limit the amount of time hackers have to find and use these weaknesses.

The longer a vulnerability is left unpatched, the more hackers will know about the weakness and how to use it.”

With potential scammers poised and ready to take advantage of weakened systems at any moment, an outdated system poses a greater risk with every minute it is left unpatched.

How to combat it

This one should be obvious: keep software updates and patches up-to-date. This should be a key focus for your IT team or providers, with risk further reduced through automatic updates and policies around setup of new devices and systems.

4. Failing to plan, planning to fail

When was the last time your security, tech or leadership teams ran a risk assessment or disaster recovery exercise?

Chances are, the answer is ‘a long time ago, if ever’ – and you wouldn’t be alone.

But putting the time into planning what you will do to recover from a serious incident, who is responsible, and what the timeframe is for this activity is effort well spent.

A shocking number of cyber attacks still occur due to human error, and many large organisations still don’t have robust cyber security plans.

Last year, the Australian Prudential Regulation Authority (APRA) reported that it was “easy to envisage” a catastrophic attack on one of Australia’s big banks, commenting that “some financial institutions had not tested how they would cope with a cyber attack.”

The U.S. Department of Homeland Security warns that “a plan for data backup and restoration of electronic information is essential”, explaining that there are many measures available to small businesses that may not have the budget or resourcing for large-scale failover solutions.

In addition, it’s important to develop an IT disaster recovery plan “as part of the business continuity plan” and to periodically test this plan to ensure it is still functional and suitable to your business’s needs.

How to combat it

Many businesses run risk assessments before embarking on a major project, signing a new deal or making a purchase – and your IT systems should be treated no differently.

Involve all the relevant stakeholders, from leadership, to IT, to all the workers in between who interact with your technology.

The goal is to consider how you can prevent, detect, respond to and recover from any cyber incident, in order to get back to business as usual as quickly as possible and without any negative impact on your business or your customers.

5. Acts of malice & revenge


Try as you might to run a friendly and cohesive business, sometimes bad actors make the decision to damage a business from the inside.

Whether it’s planting holes in your security that they can exploit once they leave, or stealing data and records to take with them, it’s a sombre reminder that while you can do many things to protect your business from external threats, sometimes the biggest threat is those who are already inside.

There are unfortunately many cases of disgruntled employees copying records before leaving a company or planting backdoor vulnerabilities in software systems.

CSO Online reported on some incredible examples of employees who deliberately caused severe security breaches for their employers, including the story of former Google employee Anthony Levandowski.

After leaving Google’s autonomous car division (now known as Waymo), Levandowski founded his own company, which was later acquired by Uber.

He was then accused of conspiring with then-Uber CEO Travis Kalanick to “steal Waymo’s intellectual property.”

As CSO Online reported; “Allegedly, before Levandowski left Google, he downloaded thousands of files including blueprints and brought them to [his own company] so he could sell them to Uber.”

Because of his role, Levandowski had legitimate access to this proprietary information – but unlike the majority of employees, he chose to exploit this privilege for his own gain.

The nature of employing someone means you are giving them your trust that they will act with integrity and not place your company at any risk through reckless or malicious acts.

Unfortunately, that trust is not always respected, so strong policies are necessary to protect against the unpredictability of human behaviour.

How to combat it

Predicting and preventing poor behaviour is a difficult challenge.

However, having policies in place for logging and tracking who has access to data and how it is used is a good way to place accountability on those with access to sensitive information, and to provide a fallback when those processes are breached.

6. The policies guiding the people

Policy-based weaknesses are intrinsically linked to all of the security risks above, as proper planning and procedures are a key protective measure against many cyber security threats.

Accounting for human error is difficult, but robust policies go some of the way to providing guidance and process to assist best practice.

In late 2017 the Australian Financial Review reported that “almost two-thirds of small accounting practices” considered client data stored in the cloud to be at risk, “with many firms acknowledging they do not enforce basic cyber-security measures such as two-factor authentication and ensuring all software is patched to the most current version.”

Policy and network design weaknesses can be a huge liability if they’re not adequately outlined, tested, updated and maintained on a regular basis.

How to combat it

Regularly audit your IT security, technology and device handling policies.

Do they reflect the tools and processes you’re using day to day?

Are they functional and reasonable in what they expect from your team members?

Are they clear, easy to understand, and accessible to everyone?

Ensure that your policies exist, are fit for purpose, and that everyone has bought in to making them part of the way you do business.

Cyber Insurance: security for your security

Many of the preventative measures mentioned above have become commonplace in today’s companies.

So you’ve applied these measures, your policies have been reviewed and regularly tested, and your staff is well trained on security procedures.

What then?

Even the best-laid plans can fail – and the research shows that many organisations haven’t even made it that far.

A product such as Cyber Insurance can provide an added layer of protection and peace of mind, and may be the difference between sailing through your next cyber threat, or going down with it.

Cyber Insurance provides cover against damages and loss due to malicious attacks, human error and cyber risks.

Some of the costs it can cover include:

  • Costs of investigating a data breach, notifying those impacted and any public relations or reputational recovery work
  • Data recovery costs
  • Loss of income due to downtime
  • Third Party Liability costs incurred due to the breach
  • Data Extortion ransom payments
  • Multimedia Liability costs related to defamation, libel, slander or copyright infringements

Get in touch with us today to find out more about Cyber Insurance and how it could apply to your business.