Cyber security is a topic that’s always in the news. Major incidents used to be rare, but staying cyber secure is now everyone’s concern, from the Canada Revenue Agency (CRA) to private firms of all sizes, as well as individuals. The global pandemic contributed to the rise in cybercrime.
Shortly after the pandemic took hold, the FBI’s Internet Crime Complaint Center started receiving 3,000 to 4,000 cybersecurity complaints per day, more than three times the number it was receiving beforehand. As the pandemic forced a rapid acceleration of digital transformation in the business world, cyber events increased apace.
Accounting firms are more attractive cyber-attack targets than many other kinds of businesses. A CPA Canada study found that 43% of attacks specifically target businesses, including individual accounting professionals. During the pandemic, attacks on accounting practices increased by approximately 300 per cent.
To find out what steps firms should be taking to counteract cyber threats, Countable CEO Atin Gupta caught up with Manoj Arora during their webinar. Manoj is CEO of Difenda, a global cybersecurity solution company headquartered in Oakville, Ontario. He is familiar with all facets of effective organizational security, from advanced technology to change management. We sat down with Manoj to explore the implications of a cyber breach and the actions smaller and mid-sized accounting firms must take to prevent one.
The building blocks of cyber security
A cyber-security breach puts both your data and your firm’s reputation at risk. Over the course of Manoj’s cyber-security career, breaches have become both more common and more specialized. He likens corporate cyber security to the physical security of a house.
“With a house, people are going to enter and exit. That’s where you build your security. So you need to understand the architecture: how does data come into and out of your organization? What happens when the data is residing within your organization? This is basic data architecture, an extremely important layer.”
To secure that layer, firms put security controls in place to make sure that data moves in and out of their environment securely. Smaller firms can get by with simpler controls such as a basic firewall; bigger firms need more comprehensive controls, including costlier firewalls capable of inspecting gigabytes of traffic. Both need good endpoint threat detection and response.
After basic controls comes hygiene. That includes software patch management and making sure that email systems remain secure. “The days of just using antivirus solutions and expecting they will stop all modern-day breaches are long gone,” observes Manoj. “Putting robust endpoint threat detection in place is an extremely important control.”
While the nuts and bolts of security are important, Manoj finds that the highest-value control is end-user awareness and team training. “It’s a very small component,” he notes. “But I can tell you that even with the most advanced cybersecurity tools, if one of your employees is compromised, your entire system is compromised.”
Perimeter and endpoint controls on their own cannot tell an attacker using stolen credentials from the legitimate user: the login succeeds, the data access looks authorized, and no alarm fires, even when the real user has no idea their account is being used. “So it’s very important to protect the end user,” says Manoj. “And that’s not expensive. Simply educating users about what they should and shouldn’t do goes a very long way in securing the organization.”
Size doesn’t matter
The Canada Revenue Agency has suffered attacks, and some of the larger accounting firms are under constant pressure to maintain a high level of security. Small firms may be less obvious targets, but being less visible does not make them less vulnerable, and it is no reason to worry less about being cyber-secure.
“I don’t see small as a disadvantage,” says Manoj. “There are cyber security firms big and small, catering to organizations at different levels.” He notes that size can be an advantage; deploying updated controls to a dozen or a hundred users is faster and less expensive. “As long as staff are aware and educated about the basic controls they need to have in place, that’s the main thing.”
Scaling up security
Building organizational cyber security according to best practices is not as expensive as one might think. Manoj finds that it’s much less costly to put those controls in place when a firm is small. “Security controls reduce threats and often cost less than remedying a single data breach,” he says. “And belatedly wrapping security around your growing organization is definitely more expensive because the cost of securing data is many times what it would have been if you had basic hygiene in place.”
The cyber-security technology landscape is changing rapidly, but even so it’s barely keeping up with the evolving threat landscape. The pace of evolution is such that it’s no longer possible to plan in five-year increments. “New technologies come out,” observes Manoj, “and before they’re released, there are already new threats and vulnerabilities, so it’s got to evolve quickly.” He recommends developing an understanding of what the next 12 to 24 months will look like and ensuring that basic controls are in place.
Making security easier for users
One positive trend that Manoj notes is the prevalence of security controls being built into applications like Countable. “We’ve worked with Countable and there are a number of controls embedded within the system itself,” he says.
To deal with the cyber-security risks, multi-factor authentication is becoming the norm, as is geographically-sensitive authentication. “All of those things are being designed into platforms,” says Manoj. “Service providers are making it easier for end users to maintain compliance because they no longer have to rely on the user remembering security protocols.”
From a service-provider standpoint, Manoj welcomes application-level authentication control. “When we look at securing a business environment, there is a lot of sensitivity built around how users are authenticated and granted access,” he says. “We extend that sensitivity by monitoring user activity to spot anomalies with behaviour analytics and other tools.”
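The kind of anomaly behaviour analytics and geographically sensitive authentication look for can be shown concretely. The following is an added example, not code from Countable or Difenda: it runs an impossible-travel and new-country check over a handful of constructed login events. It assumes each successful login has already been enriched with the country and coordinates of its source IP (an upstream geolocation step), and the 1,000 km/h plausibility threshold is an illustrative assumption.

```python
"""Impossible-travel and new-country checks over enriched login events.

Added example, not Countable's or Difenda's code. Assumes every event is a
successful login already tagged with source country and lat/lon by an
upstream IP geolocation lookup; event shape and threshold are assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-03-04T09:02:11Z", "country": "CA", "lat": 43.45, "lon": -79.68},
    {"user": "alice", "ts": "2024-03-04T09:40:27Z", "country": "CA", "lat": 43.65, "lon": -79.38},
    {"user": "alice", "ts": "2024-03-04T10:15:03Z", "country": "RO", "lat": 44.43, "lon": 26.10},
    {"user": "bob",   "ts": "2024-03-04T08:30:00Z", "country": "CA", "lat": 45.42, "lon": -75.69},
    {"user": "bob",   "ts": "2024-03-05T08:31:00Z", "country": "US", "lat": 40.71, "lon": -74.01},
]

MAX_PLAUSIBLE_KMH = 1000.0   # assumed threshold: roughly airliner speed
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str     # "impossible_travel" or "new_country"
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyse(events, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[Alert]:
    """Walk each user's logins in time order and raise alerts for
    (a) a first-ever login from a new country and
    (b) a hop between two logins that would require implausible speed."""
    alerts: list[Alert] = []
    last_by_user: dict[str, dict] = {}
    countries_by_user: dict[str, set[str]] = {}
    for ev in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        user = ev["user"]
        seen = countries_by_user.setdefault(user, set())
        if seen and ev["country"] not in seen:
            alerts.append(Alert(user, "new_country", f"first login from {ev['country']}"))
        seen.add(ev["country"])

        prev = last_by_user.get(user)
        if prev is not None:
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0:
                speed = km / hours
            else:
                # Same-second logins from different places are still implausible.
                speed = float("inf") if km > 0 else 0.0
            if speed > max_kmh:
                alerts.append(Alert(user, "impossible_travel",
                                    f"{km:.0f} km in {hours:.2f} h ({speed:.0f} km/h)"))
        last_by_user[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events, alice's hop from the Toronto area to Bucharest within 35 minutes is flagged as impossible travel (and as a first login from RO), while bob's Ottawa-to-New York login a day later is only a new-country alert. In a real deployment the "new country" signal is what a geographically sensitive login policy would step up to MFA on, and the travel-speed check is a typical first behaviour-analytics rule; both are cheap because the account compromise they catch looks like a perfectly valid login to every other control.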
Training still a ‘must’
Application builders have done a really good job at making sure that end users, even if they are operating in absolute ignorance, have a basic level of security as soon as they log on to their application. But from that point onwards, the responsibility for security switches to the user. If someone downloads data and stores it on a poorly-secured laptop, or distributes it in an unauthenticated or unencrypted format, that’s a problem.
“Be mindful of fragmenting your data,” says Manoj. “Every time you download data and store it on your system, you have another copy on another device. When you extend that trend across a firm with hundreds of users, there’s a huge footprint, which is now all over the place and you have no control over it. It’s extremely important that practices and policies are built around it.”
A simple training program can prevent a big data breach and save the firm from spending thousands of dollars on forensic analysis, recovering the data and reporting obligations.
Cyber security doesn’t have to be complicated. These basic steps will go a long way towards keeping your business secure:
- Start with basic protection such as antivirus and endpoint security
- Keep your software up to date (this is called patch management)
- Keep sensitive data off device hard drives
- Ideally keep personal and business devices separate
- Train your staff on desired cyber behaviour
- Invest in software that makes security easier for you and your team
Countable is a centralized platform that accounting firms can use to manage their firm via the cloud. If you’re looking for a working paper and engagement automation platform to form part of your cloud-based accounting solution, have a look at Countable.