Cyber Essentials: The best defence against a rising threat
What cyber-security threats pose a danger to your firm and what can you do to combat them? In this article we examine the most common methods scammers use and detail how the Cyber Essentials certification can arm CAs with the knowledge they need to safeguard their firm.
The world of cyber security can often seem ambiguous to those who do not know much about it. Many firms are put off from looking further into the subject because of its reputation for bloated technical jargon.
These factors often leave companies exposed to dangerous cyber threats that could cripple their business for days, weeks or even months. Hackers view accountants and their firms as lucrative targets because of the value of the financial information they hold about their clients. That information can be sold to the highest bidder, used as leverage for blackmail in future cyber-attacks, or even used by the hacker to impersonate a firm’s client and abuse that relationship.
How likely is it that your firm will face a cyber-attack?
According to research conducted by the UK government, 4 out of 10 businesses in the UK have identified cyber-attacks that have occurred over the last 12 months. Data from the past 6 years indicates that 38% of businesses experience cyber-attacks each year.
One of the most common methods scammers use is known as a phishing attack, with 60% of businesses in the UK having detected phishing threats this year. These attacks are carried out when the scammer sends an email designed to convince the recipient to commit illicit actions such as giving them sensitive information under a false pretence or downloading a dangerous computer virus that’s disguised as a document.
Though regular phishing attacks are relatively easy to recognise, the more complex spear phishing attack is more likely to succeed against untrained targets. Spear phishing is when a scammer targets specific individuals within an organisation by researching their friends, colleagues and family. Once they have gathered the required information, they craft an email specifically designed to convince the recipient that it is genuine.
Damaging effects of cyber attacks
A firm can face incredibly damaging repercussions from a cyber-attack, however, one of the most impactful is the loss of reputation. Gaining back the trust of a client that has had their data stolen from your firm can be impossible and, in extreme cases, it can lead to clients leaving your business and even pursuing claims against you for improper management of their sensitive and financial information.
You can also lose money directly from a cyber-attack when perpetrators siphon funds from accounts, steal money from your company or your clients, or even when they create a fake employee on the payroll system to claim a paycheck at the end of the month. However, indirect costs tend to be where businesses suffer financially the most. Companies may have to pay staff when systems are down and they are unable to work, they could lose annual revenue as clients may leave and there are the costs of getting systems and lost data back up and running.
According to the UK government, the average losses in 2021 as a result of cyber-attacks are £8,170 for small/micro businesses and £13,400 for medium to large businesses. However, these damages can be avoided by increasing your cyber security preparedness with the Cyber Essentials certification.
What is Cyber Essentials?
Cyber Essentials is a certification that demonstrates you are protected from the most common cyber-attacks. It is the best defence against cyber-attacks because it requires you to have the defences in place before the certification is awarded. The certification covers 5 key technical controls to make sure you are protected:
- Firewalls and Gateways – Think of these as the gatekeepers of your company’s network and computers. They can be set up to restrict access to the network so that only authorised connections are allowed, making sure that the only people who get on to the network are staff members. These gatekeepers can also be installed on your computers to make sure no unauthorised connections occur directly on your machine.
- Secure configurations – Ensure accounts and systems are created with appropriate privileges. This involves replacing default passwords, only granting admin access to those who need it and disabling any unnecessary services that could leave you exposed.
- User Access Control – Creating procedures to limit the use of admin accounts and ensure special account privileges are only granted when required. This can include logging admin account usage, providing admins with regular accounts to carry out their day-to-day tasks and only letting them use admin accounts for specific actions when required.
- Malware Protection – Identifying and immobilising viruses before they have a chance to cause harm to a system. Protections include up-to-date anti-virus systems, creating a list of approved software that is allowed to run on the network and running potentially harmful software in a secure environment first before using it on the company network.
- Patch management – The most important control, it ensures that all software is up-to-date and supported by the software provider. Unsupported software means apps and programs that the vendor is no longer working on (i.e. they are no longer providing updates). Hackers build many of their attacks on the foundation of outdated software. Out-of-date and unsupported software can be full of vulnerabilities that attackers can exploit. If the software is not receiving updates, then you run the risk of being exposed to attacks that use these vulnerabilities.
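The secure configuration, user access control and patch management controls above all come down to questions a firm can answer from its own inventory: is anything past its vendor's support date, is anything behind the current version, are default passwords still in place, and are admin accounts being used for day-to-day work? The following audit script is an added example, not part of this article or of the Cyber Essentials scheme itself; the software inventory, host names, product names, support dates and accounts in it are constructed sample data, and the field names (`installed`, `latest`, `support_ends`, `daily_use`) are assumptions about how a firm might record its own inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Software:
    host: str
    product: str
    installed: str                 # version currently installed on the host
    latest: str                    # newest version the vendor publishes
    support_ends: Optional[date]   # last day the vendor ships updates; None = still supported


@dataclass
class Account:
    host: str
    name: str
    is_admin: bool
    default_password: bool         # still on the password the vendor/installer set
    daily_use: bool                # used for routine work such as email and browsing


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.10' into (2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_patching(inventory: List[Software], today: date) -> List[Tuple[str, str, str]]:
    """Patch management: flag software the vendor no longer supports, then software
    that is supported but behind the current release. Unsupported is checked first
    because updating cannot fix it; the product has to be replaced."""
    findings = []
    for item in inventory:
        if item.support_ends is not None and item.support_ends < today:
            findings.append((item.host, item.product, "unsupported"))
        elif version_key(item.installed) < version_key(item.latest):
            findings.append((item.host, item.product, "outdated"))
    return findings


def audit_accounts(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Secure configuration and user access control: flag default passwords and
    admin accounts that are used for everyday tasks instead of a regular account."""
    findings = []
    for acct in accounts:
        if acct.default_password:
            findings.append((acct.host, acct.name, "default-password"))
        if acct.is_admin and acct.daily_use:
            findings.append((acct.host, acct.name, "admin-daily-use"))
    return findings


# Constructed sample inventory; none of these hosts, products or dates are real.
SAMPLE_INVENTORY = [
    Software("ws-01", "OfficeSuite", "2.4", "2.6", None),               # behind current release
    Software("ws-01", "PdfViewer", "1.0", "1.0", date(2020, 6, 30)),    # vendor support has ended
    Software("srv-01", "BackupTool", "5.1", "5.1", None),               # current and supported
]

SAMPLE_ACCOUNTS = [
    Account("srv-01", "admin", True, True, False),          # default password never changed
    Account("ws-01", "jsmith-admin", True, False, True),    # admin account used for daily work
    Account("ws-01", "jsmith", False, False, True),         # regular account, as it should be
]

AUDIT_DATE = date(2021, 6, 1)   # constructed "today" so the example is repeatable


def run_audit(inventory=SAMPLE_INVENTORY, accounts=SAMPLE_ACCOUNTS, today=AUDIT_DATE) -> dict:
    """Return all findings grouped by control so they can be worked through as a list."""
    return {
        "patching": audit_patching(inventory, today),
        "accounts": audit_accounts(accounts),
    }


if __name__ == "__main__":
    for control, findings in run_audit().items():
        print(control)
        for host, name, issue in findings:
            print(f"  {host}: {name} -> {issue}")
```

Run on its own the script lists the four findings in the sample data (one outdated and one unsupported product, one default password and one admin account in daily use). The point of splitting the patching check into "unsupported" and "outdated" is that they have different remedies: outdated software is fixed by installing the update, while unsupported software will never receive one and has to be replaced, which is why the article singles it out as the most important control.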
Categories:
- Practice
- Cyber security