- A business should identify its ‘crown jewels’ – the items that must be protected at all costs from cyber threats.
- It’s essential to plug any security gaps to protect those crown jewels.
- Cyber breaches are especially damaging for accounting firms, as their business is based on trust.
Cyberattacks are increasing in frequency and severity, and no environment is impenetrable. A persistent threat actor will compromise any environment given enough time and resources.
In February 2018, the Australian government introduced its notifiable data breaches (NDB) scheme, which requires certain businesses to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC).
More businesses have dedicated additional time and resources to shoring up their security to reduce the likelihood of a data breach. But few have the funds and resources to protect every piece of data and every business system to the extent they’d like.
Given this constraint, the most important thing a business can do is identify its ‘crown jewels’ and prioritise protecting these.
A critical first step is to methodically identify those crown jewels – the items that must be protected at all costs. These could include customer data, payroll information, vendor details and other mission-critical information. Security measures already in place can then be assessed for vulnerabilities that may put this most valuable data at risk.
This leads to the second step, which is to ask: what is the risk of a security breach of that valuable data? The answer should drive the subsequent security investment and strategies.
The third step is to determine which gaps must be filled to protect the crown jewels, compared with vulnerabilities in security around less significant business systems and data.
Insiders must identify what’s valuable
For many organisations, taking even the first step may seem overwhelming. A solution may be to work with an external service provider. However, it’s essential that someone from within the organisation helps carry out the data risk analysis.
An external partner can make key recommendations on what information is likely to be important, what is covered by legislation, and how to protect it. But only the organisation itself can determine its risk appetite and priorities and, most importantly, the true business value and importance of the different data that it maintains.
This can be a laborious process, but it’s an essential foundation for any organisation’s information security strategy. It should not be overlooked as a key step.
It’s also important to recognise that this prioritisation process may result in other areas of the business being less protected. Therefore, businesses must devise and practise a comprehensive incident response plan. Only by planning in advance can the business minimise the risk of a cyberattack being successful.
The initial investment in security planning, testing and countermeasures will yield a positive return in the long run. However, it is important to develop a risk management plan that is flexible enough to align with any changes in the business.
Cyber breaches wreck reputations
The recent cyberattack on ASX-listed property valuation company LandMark White shows the significant damage that a data breach can cause to a business.
In February 2019, LandMark White revealed that a cyberattack had resulted in 137,500 of its property valuation records being released on the dark web.
When its shares resumed trading in May they were down 27%. The company slashed its full-year revenue guidance from A$55 million to A$43.5 million. The CEO and two directors have since left.
When an organisation suffers a cyber breach, it risks losing its clients’ trust. For accounting firms, the trust placed in them is enormous, given the highly confidential information that accountants maintain. The ability to keep confidential information secure can provide a competitive edge, as clients are drawn to work with firms they can trust completely.