Meeting the challenge of securing data in a UK accountancy practice
Accelerate Technologies helped the business strengthen security and improve employee awareness of security threats.
The client is a growing independent accountancy practice with four branches across two counties and around 100 employees. The company had grown through acquisitions over the last few years, expanding in size and capabilities, which also brought in new processes and the need to incorporate the existing IT infrastructure of the acquired businesses.
The company specialises in accountancy, tax and business advice, regularly collecting, processing and storing clients’ sensitive data (such as personal HMRC, PAYE and pension records). At all times, they need to know exactly what data they hold and where it is stored, so that all sensitive data is protected from loss.
In addition to GDPR, the company had assessed their data protection against the Cyber Essentials scheme but were looking to extend their security further in line with the Centre for Internet Security (CIS) framework.
The working from home initiative during the COVID-19 pandemic prompted an urgent need to support employees with applications outside of the office to ensure that the business and billing time could continue.
The use of older, more industry-specific applications accessed via remote desktop presented the IT team with additional security challenges, unlike cloud-delivered applications, which are designed with security in mind.
The company called on Accelerate Technologies to carry out a Cyber Security Assessment. Through a brief workshop with the IT team, the business’s appetite for cyber risk and the current state of its security were assessed. Key areas identified in the report were:
- Deploy a Cyber Awareness Program with a blend of face-to-face awareness for execs, regular phishing simulations and video training for employees.
- Review and tighten existing Office 365 security policies to increase sensitivity of detection of malware and phishing attacks.
- Protect Internet-exposed RDP server hosting Wolters Kluwer accountancy package with enhanced authentication using existing Microsoft Multi-Factor Authentication (MFA) through Single Sign-on.
- Assist IT Team in discovering and reporting all locations of sensitive and critical information held on disparate file sharing locations to meet GDPR obligations.
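The last of these recommendations, locating sensitive client data across scattered file shares, is the kind of job a small discovery script can do before a more complete data-classification tool is in place. The example below is an added illustration and not Accelerate's or the client's tooling: it walks a directory tree, looks for UK National Insurance numbers (using HMRC's published prefix rules) and ten-digit Unique Taxpayer References (a loose heuristic, so expect false positives), and reports a per-file count rather than the values themselves, so the report itself does not become another copy of the sensitive data. The file names, directory layout and identifiers in the sample tree are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# Prefix rules per HMRC's published format: neither letter may be D, F, I, Q, U or V;
# the second letter may not be O; BG, GB, NK, KN, TN, NT and ZZ are not issued.
NI_PATTERN = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r"\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"
)

# Unique Taxpayer Reference: ten digits, often written as two groups of five.
# Any ten-digit number matches, so treat hits as leads to verify, not proof.
UTR_PATTERN = re.compile(r"\b\d{5}\s?\d{5}\b")

TEXT_SUFFIXES = (".txt", ".csv", ".log", ".md")


def scan_text(text):
    """Count identifier matches in a block of text; values are never stored."""
    return {
        "ni_number": len(NI_PATTERN.findall(text)),
        "utr": len(UTR_PATTERN.findall(text)),
    }


def scan_tree(root, suffixes=TEXT_SUFFIXES):
    """Return {relative_path: counts} for every text-like file with at least one hit."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable share entry: skip rather than abort the sweep
        counts = scan_text(text)
        if any(counts.values()):
            findings[path.relative_to(root).as_posix()] = counts
    return findings


def report_lines(findings):
    """Render findings as lines suitable for a GDPR data-location register."""
    return [
        f"{path}: NI numbers={c['ni_number']}, UTRs={c['utr']}"
        for path, c in sorted(findings.items())
    ]


def build_sample_tree():
    """Constructed sample share: one file with real-format identifiers, two without."""
    root = Path(tempfile.mkdtemp(prefix="datascan_"))
    (root / "payroll").mkdir()
    (root / "payroll" / "notes.txt").write_text(
        "Employee NI: AB 12 34 56 C, UTR 1234567890\n", encoding="utf-8"
    )
    # QQ123456C has a disallowed prefix letter, so it must not be reported.
    (root / "clients.csv").write_text("name,ref\nExample Ltd,QQ123456C\n", encoding="utf-8")
    (root / "readme.txt").write_text("No sensitive data here.\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for line in report_lines(scan_tree(sample_root)):
        print(line)
```

Point `scan_tree` at a mounted share to get a first inventory; the counts are what the IT team needs for the data-location register, and the script deliberately does not echo the matched values into its output.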
Phishing scams are becoming increasingly sophisticated and it is important that employees spot and report any potentially malicious emails to protect critical business and client data.
During COVID-19 HMRC shut down almost 300 phishing scam sites*.
The Accelerate Method
Employee Cyber Awareness Programme
Training – Awareness of cyber security threats is key to ensuring business continuity. Employees are often oblivious to threats, such as clicking on links within malicious emails, and it was important to ensure that processes were in place to protect sensitive information outside of the office. Training was delivered to suit different employees and their role within the business.
Simulated Phishing Attack – Phishing attacks can take on many guises, via email, SMS or social media and are designed to install malware, swindle users or farm sensitive data. A malicious email might look like a client sending through an invoice pdf, which when clicked on downloads malware. To test the areas of vulnerability to these threats, simulated phishing attacks were used, tailored to different functions within the business.
Reporting Potential Security Threats – Working alone, outside of the office, presents an additional risk. Employees are not able to quickly seek reassurance from a colleague or IT if they notice a dubious email. To create a proactive and caring culture around security, the company decided to use phishing “call it out” software, so that employees can report anything suspicious and be rewarded for their vigilance.
Studies at Microsoft indicate that an email account is 99.9% less likely to be compromised if it is protected by Multi-Factor Authentication.
Configuration and policies – Office 365 email security configurations, policies and user privileges were reviewed to ensure all risks were covered and that all notifications were active to spot any malicious behaviour. The assessment also recommended making sure any email domains were properly protected against impersonation.
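Checking that an email domain is protected against impersonation comes down to the SPF and DMARC records it publishes. The following is an added example, not part of the original case study or of any Accelerate tooling: it parses SPF and DMARC records and flags the weak settings a reviewer would look for (a neutral or permissive `all` mechanism, too many DNS-querying SPF terms, a DMARC policy of `none`, a partial `pct`, missing aggregate reporting, unprotected subdomains). The record strings are constructed; the `include:spf.protection.outlook.com` term is the standard Exchange Online include, and the reporting mailbox is a placeholder.

```python
# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tag_record(record):
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf_record):
    """Return a list of weaknesses in an SPF TXT record (empty list means no findings)."""
    if not spf_record or not spf_record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    findings = []
    terms = spf_record.split()
    tail = terms[-1].lower()
    if tail in ("+all", "all"):
        findings.append("SPF ends in +all: any sender passes")
    elif tail == "?all":
        findings.append("SPF ends in ?all (neutral): receivers get no signal to reject spoofed mail")
    elif tail not in ("-all", "~all"):
        findings.append("SPF has no terminating all mechanism")
    lookups = 0
    for term in terms[1:]:
        mechanism = term.lstrip("+-~?").split(":")[0].split("=")[0].lower()
        if mechanism in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; over the limit of 10 it evaluates as permerror")
    return findings


def assess_dmarc(dmarc_record):
    """Return a list of weaknesses in a DMARC TXT record (empty list means no findings)."""
    if not dmarc_record:
        return ["no DMARC record published"]
    tags = parse_tag_record(dmarc_record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combine both checks into one report for a domain."""
    return {"spf": assess_spf(spf_record), "dmarc": assess_dmarc(dmarc_record)}


# Constructed records: a weak configuration beside a hardened one.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ?all",
    "dmarc": "v=DMARC1; p=none",
}
STRONG = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.invalid",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess_domain(records["spf"], records["dmarc"]))
```

The checks are static, so the records can be pulled with any DNS client and pasted in; moving from `p=none` to `p=quarantine` or `p=reject` should only be done once the aggregate reports confirm that all legitimate senders (payroll, practice-management and marketing platforms included) are covered by SPF or DKIM.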
Multi-Factor Authentication – People tend to use the same password for personal and work accounts, or use weak passwords that criminals can easily crack. Implementing Multi-Factor Authentication (MFA) for user access has significantly reduced the threat of compromise to email and critical applications.
Application Security – Accountancy firms in the UK rely on older industry applications, and the company provided access to these via remote desktop. Remote servers are vulnerable to cyber-attack if user access is not secured through multi-factor authentication (MFA). The company rolled out MFA and single sign-on without disrupting users, while making access simpler and less cumbersome for employees.
For complete protection on the client side, it is also important to secure access to online applications with MFA.
Supplier Security – The company carried out third-party due diligence to ensure that IT systems and firewalls outsourced to other companies adhered not only to standard service level agreements but also to appropriate security guidelines.
- With the staff Cyber Security Awareness programme in place, the company have improved security practices across all functions and have incentivised their employees to take a proactive approach to safeguarding the business.
- Adjustments to software configurations have increased resilience and the implementation of Single Sign-on using existing Azure Multi-Factor Authentication has provided an added layer of security across the business.
- The company are now also skilled up, not only to improve security for their own business but also to improve security measures for clients accessing online payroll and accounting systems.