How chartered accountants can protect their practice against cyber security threats

As a chartered accountant (CA), loss of critical financial data of your client due to a cyber-attack can have far-reaching consequences for your firm, like loss of reputation, trust, and ultimately, loss of clientele, identity theft, and fraud. With the growth in technology adoption, you must protect your accounting practice against cyber security risks.

1. Symantec's internet cyber security threat report of 2017 ranks India as the fifth most vulnerable nation in the world in terms of cyber security breaches in 2016.
2. According to CERT-In's data, the number of cyber security incidents in India jumped from 44,679 in 2014 to 50,362 in 2016. In one of the security breaches in India, data of nearly 3.2 million debit cards got compromised.
3. According to estimates of Kaspersky lab, a single targeted cyber-attack can cost an enterprise more than USD 2.5 million.
4. A study by leading IT firm Citrix and Ponemon Institute found that 91% of businesses in India are feeling vulnerable to cyber-attack.
5. In 2013, a hacker stole tax returns of some 900 Connecticut residents in Fairfield County, altered specific details, hoping to collect refunds before the actual filers.

Measures to protect your practice from cyber-security threats

1. Use genuine software

According to Business Practices firm EY, more than 60% of the software used by companies in India is unregulated, thereby exposing them to cyber-attacks. When you are working with critical financial data, using genuine software is an absolute must.

Maya Ramachandran, Partner, Advisory Services Practice, EY, remarks, 'Many organisations secure their hardware. However, they ignore the software used, which could be unregulated.'

• Prevent spyware from getting into your computer by not installing ‘cracked’ software. There is a chance of the cracked software installing malicious software on your device.
• Carefully read the terms and conditions while installing software.
• Choose “custom installation” instead of “standard installation”. Standard installation might bring along with it other unnecessary installs.
• Following best practices related to software compliance and licensing may involve some investment but can potentially save you thousands in the long run. Such investment can be perfectly funded by flexi business loans, which are custom-made for chartered accountants to safeguard your firm from cyber-security threats.

2. Invest in technology solutions like firewall and antivirus

Cybercriminals are smart. You have to be smarter to counter their threats. Installing firewall and antivirus software protects your system and computer networks from trojans, worms, and other malware used by cybercriminals to hack your system.

Antivirus for a single PC with a three years license is available for around Rs. 1,000. A single license 20-user firewall is available for approximately Rs. 28,000.

3. Implement a cyber security culture

A joint report by ASSOCHAM and PwC on securing the nation's cyberspace notes that businesses should practice self-regulation instead of just limiting themselves to cyber compliance.

Note that cyber security doesn't end with installing antivirus and firewalls. Human vulnerabilities are equally dangerous as software loopholes.

Basic security practices can go a long way in combating the menaces. Such measures include:

• 2-step authentication for accessing emails
• Implementing internet usage guidelines
• Using strong passwords for sensitive data

Some best practices for password management are:

• Use ‘passphrases’ instead of ‘passwords’
• Have different user ID/ password combinations for different accounts
• Create complicated passwords by combining letters, numbers, special characters (minimum eight characters in total)
• Regularly change your password
• Avoid writing any password down
• Create your own format for passwords if you feel that remembering all these combinations could be difficult. For example, your name(xx)@websitename, where xx could be any two-digit number.

Although some of these may be seemingly intuitive, most professionals don’t end up abiding by them.

4. Vendor management

In all probability, your assets are being hosted and managed by an external service provider. Soha Systems Survey on third-party risk management found 63% of data breaches were attributed to a third-party vendor.
Working closely with your vendors is crucial to mitigating risks. You must understand your vendor’s:

• Security certifications
• Encryption measures
• Data management policies

These are critical to understanding the level of risks you are exposed to.
Some encryption measures as CAs you should follow:

• Never upload your personal ‘unencrypted’ data to dropbox, google drive, or any online file-sharing services.
• Always encrypt a zip file or any single file (a photo, video, or document) with AES-256-bit encryption. Encrypt hard disks with important data via BitLocker.
• Such encryption saves you from getting your data leaked, even in case of a data breach.

5. Developing comprehensive data security policies

A comprehensive data security policy with the given elements will help you protect your CA practice from falling prey to cyber attackers.

• Password management
• Internet usage
• Email usage
• Managing company-owned mobile devices
• Governing social media
• Overseeing software copyright and licensing

According to Scott Laliberte, the global leader of Protiviti's IT security and privacy practice, 'It's imperative that leadership keeps a closer tab on the state of their organisations' cyber-security programs. Particularly as new technologies are introduced, and new approaches to generating revenue are deployed, it's increasingly important to re-examine existing data security and privacy processes regularly - ensuring that the right systems and people are in place to keep pace with changes.'

A holistic approach to cyber-security combined with the latest tools and best practices goes a long way in protecting your practice from the threats lurking in the digital ecosystem.