We recently explored why data breaches are an issue for accountancy practices and what can go wrong if you do suffer one. But what can you do to avoid one in the first place?
Before looking at how we can prevent data breaches, it’s worth considering the underlying causes. Most breaches can be attributed to the actions of people. The Information Commissioner’s Office (ICO), which is responsible for data protection in the UK, said about 50% of reported breaches in the last quarter were down to data being ‘disclosed in error’.
With all that in mind, here are our practical tips for preventing a data breach and handling one if it does occur.
Considering human actions — whether intentional or not — are the leading cause of data breaches, you’d be surprised how many firms do not provide regular, or even any, staff training on the subject.
We know training can be a burden, particularly for smaller firms, but these are some of the essentials to cover:
Taking your business through a cyber security certification scheme helps ensure your firm follows recognised good practice and has the policies, procedures and technical controls in place to reduce the likelihood of a cyber-attack or data breach. Certification is a baseline rather than a guarantee: the controls still have to be maintained between assessments.
The international standard is ISO 27001, but its scope and audit burden are usually disproportionate for small and medium-sized firms. Cyber Essentials, which covers five basic technical controls (boundary firewalls, secure configuration, user access control, malware protection and patch management), and IASME Governance, which adds the management side of data protection on top of those controls, are far more achievable for SME firms.
We at Pro Drive firmly believe the accounting world should follow the lead of the legal sector, which has made Cyber Essentials a mandatory requirement.
With more and more business data being stored in the Cloud or on the web, passwords have rapidly become a significant weak link in a firm’s IT systems. Why?
These days, we have a lot of passwords, but secure ones aren’t easy to remember. As such, people tend to use memorable passwords, reuse the same one for multiple sites or apps and in the worst cases, write them down or save them on their computers. Go on, admit it: do you have an Excel sheet with all your passwords on it?
All this can lead to a very unwelcome problem if someone gets access to your password — either from a phishing email or if it is disclosed when one of your providers suffers a breach.
There are two things you can do right now to help avoid this scenario. Firstly, have your staff use a password manager: it stores credentials securely, generates a different strong password for every site, and flags any that are weak or reused, so a breach at one provider does not expose your logins elsewhere. Secondly, arm them with the National Cyber Security Centre's advice on building a memorable yet strong password from three random words.
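The two pieces of advice above can be demonstrated in a few lines of Python. The script below is an added example, not code from Pro Drive or the NCSC: it generates a three-random-word passphrase using the operating system's cryptographic random source, works out how many bits of guessing entropy that gives for a given wordlist size, and audits a (constructed) export of stored credentials for reused and short passwords, which is the check a password manager performs for you. The 32-word list and the sample credential export are made up for the example; a real deployment would load a large published wordlist such as the EFF long list, which is why the entropy figures are shown for both sizes.

```python
import math
import secrets
from collections import defaultdict

# Constructed 32-word sample list, far too small for real use. It is here so
# that the entropy calculation below can be compared with a realistic list.
SAMPLE_WORDLIST = [
    "apple", "bridge", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yarrow", "zephyr", "anchor", "beacon", "cobalt",
    "damson", "engine", "ferret", "goblet",
]

# Size of the EFF long wordlist (7,776 entries), used only for the comparison.
EFF_LONG_WORDLIST_SIZE = 7776


def three_random_words(wordlist, n_words=3, separator="-"):
    """Join n_words picked uniformly at random from wordlist.

    secrets.choice uses the OS CSPRNG; random.choice is seeded predictably and
    must not be used for anything that becomes a credential.
    """
    if len(set(wordlist)) < 2:
        raise ValueError("wordlist must contain at least two distinct words")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words=3):
    """Guessing entropy of a passphrase of n_words uniform picks.

    Each uniformly chosen word contributes log2(wordlist_size) bits, so the
    strength of 'three random words' depends entirely on how large and
    unpredictable the pool of words is.
    """
    if wordlist_size < 2 or n_words < 1:
        raise ValueError("need at least two words and one pick")
    return n_words * math.log2(wordlist_size)


def audit_credentials(entries, min_length=12):
    """Flag reused and short passwords in a list of (site, password) pairs.

    Returns {'reused': [[sites sharing one password], ...],
             'weak':   [sites whose password is shorter than min_length]}.
    The report lists sites only, so the plaintext passwords never appear in it.
    """
    by_password = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
    reused = [sites for sites in by_password.values() if len(sites) > 1]
    weak = [site for site, password in entries if len(password) < min_length]
    return {"reused": reused, "weak": weak}


# Constructed sample export from a password manager (not real credentials).
SAMPLE_EXPORT = [
    ("webmail", "Summer2019!!"),
    ("hmrc-gateway", "Summer2019!!"),      # same password reused on two sites
    ("payroll", "lantern-copper-giraffe"),
    ("bank", "p@ssw0rd"),                  # short, dictionary-based
]


if __name__ == "__main__":
    print("example passphrase:", three_random_words(SAMPLE_WORDLIST))
    print("entropy with 32-word list:   %.1f bits"
          % passphrase_entropy_bits(len(SAMPLE_WORDLIST)))
    print("entropy with 7,776-word list: %.1f bits"
          % passphrase_entropy_bits(EFF_LONG_WORDLIST_SIZE))
    print("audit:", audit_credentials(SAMPLE_EXPORT))
```

Run it and the comparison makes the point: three words from the toy list give 15 bits, which an attacker enumerates in seconds, while three words from a 7,776-word list give roughly 39 bits. That is why the NCSC advice pairs "three random words" with genuinely random, uncommon words, and why a manager-generated password remains the stronger choice wherever nobody needs to remember it.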
Even with the best precautions in place, it is almost inevitable you will suffer a breach at some point. So, when this happens, you need to be prepared with an appropriate breach response plan that includes:
Accountancy firms may be familiar with the recent data breach at Wolters Kluwer, one of the leading providers of software to the sector. In a perfect example of how NOT to communicate such an issue, Wolters Kluwer only said there was an issue with its systems — not what had happened, or which data was potentially compromised. This led to rumours on social media and significant worry among clients.
Although no firm likes publishing details of a breach, it is better to do so as soon as possible, together with the steps being taken to address it: this demonstrates your firm is in control. Bear in mind that this is separate from your regulatory duty: under GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of your becoming aware of it.
Don’t let a data breach put your practice out of business. Join us at our Data Breach Workshop in October to find out more about minimising the risks. Until then, you can always contact our expert team for advice.