Does your IT have the best cyber defence?
With cyber attacks on the increase and accounting firms considered soft targets, experts weigh in on the best way firms can safeguard themselves – and check whether their IT providers genuinely have them covered.
In Brief
- When seeking cyber help, check that an IT provider is big enough to be a specialist in cyber, or choose an independent cyber expert who can run the ruler over your current IT provider.
- Create a cyber incident response plan for your firm, so all of your staff know what to do when a security breach occurs.
- Do the cost-benefit analysis for cyber insurance because premiums have skyrocketed and coverage has fallen. You may be better off investing in cyber defences.
Optus and Latitude Financial in Australia, and Pinnacle Health and Accuro Health Insurance in New Zealand have all been recent victims of major cyber attacks that were made public. Privately, the list of companies attacked by cyber criminals has been expanding.
CERT NZ (Computer Emergency Response Team New Zealand) recorded the greatest quarterly loss amount from cyber attacks in 2022 at NZ$8.9 million. Experts say it’s the tip of the iceberg.
Attacks in Australia were up 13% in 2022 on the prior year, with the average loss per SME ranging from around A$40,000 to A$90,000. The loss was far greater for one accounting firm with a staff of around 20. Philip Whitmore CA, a partner in cybersecurity at KPMG New Zealand, tells Acuity how the firm was tricked into making a NZ$5 million payment on behalf of a client.
“Someone had broken into their email accounts and was reading emails, working out what’s happening and waiting to pounce when there was a big transaction occurring,” says Whitmore.
“An email came through before a big transaction asking the firm to change the payment account details slightly, but still with the same bank. Within 10 minutes of the funds arriving, the amount was redirected to another country and disappeared. The firm no longer exists because of that transaction.
“A hit-and-run like that is often the case but the average time an attacker is in your IT systems before they do what they are going to do is over six months, if not a year.”
IT provider or cyber specialist?
The Nigerian prince email scam is a threat of the past. Cyber attacks are becoming increasingly sophisticated and socially engineered, targeting individual behaviour rather than software or systems.
Accounting firms are considered soft targets because of the amount of sensitive client data they hold. The risks are financial but also reputational. One attack could see clients walking out the door.
Alastair Miller, principal consultant for Aura Information Security, the security arm of Kordia in New Zealand, says most SMEs work with smaller IT providers or in-house teams that do not have the resources to specialise in cyber.
“The problem is when an IT provider has one person trying to expand their cyber skills and be a specialist, and there is no one to review their work,” Miller says. “You want to look at the size of the provider. Once they get to 100 staff, they probably have a few specialisations, like cybersecurity.
“It’s better to have a separate company to do your cybersecurity. They can do due diligence on the IT providers looking after your servers and running your email and phones. It does introduce two separate costs but you can scope it appropriately.”
Australia’s Strategic Group is an IT provider primarily to accounting firms. Director of business development Aron Robertson says the company brings a level of cyber hygiene to all clients and, for larger clients wanting a deeper dive, they bring in expert cybersecurity consultants.
“When choosing a provider, it’s about assessing if it’s an old-fashioned IT company or a modern, managed security and support provider that has cyber specialists and can integrate cybersecurity into a wider business and IT strategy,” Robertson says.
“Does a provider have specialist cybersecurity staff and do those staff have recognised certifications, like CISSP [Certified Information Systems Security Professional]? Being a cyber specialist is a high-paying job. Many IT companies struggle to justify the additional salary and lean on existing teams and ways of working.”
A tip for Kiwi firms is the list of approved security providers the New Zealand Government has published for public sector use. Whitmore says there is no reason why private firms cannot use them as well.
Defence tactics
A good starting point for any cyber defence strategy is the Australian Government’s Essential Eight mitigation strategies or CERT NZ’s Critical Controls.
“If every firm put in place the critical controls or the essential eight, that would be a huge step in the right direction,” Whitmore says.
A cyber specialist can add layers of detection capability and expertise to anticipate and respond to attacks. For example, Whitmore says they use CrowdStrike software for most of their clients and that only a specialist can understand what the alerts raised by the software mean.
“A specialist should be able to detect something potentially malicious in 60 seconds, contain threats in a matter of hours, and eliminate it within a day,” he says.
Strategic Group regularly sends out cyber attack alerts to clients and tries to phish them without the client knowing.
“The longer it takes to resolve or deal with the threat, the greater the blast radius,” Robertson says. “We send fake emails and do some social engineering with our clients to try and catch them out. Then we train them on what they’ve gotten wrong in person or in a monthly lunch-and-learn.”
Pictured: Anu Kukar CA. Image credit: Graham Jepson.
Prioritise a response plan
Experts told Acuity every firm should have a cyber incident response plan.
Anu Kukar CA, cybersecurity strategy and advisory lead at Accenture, advises firms to test their plans regularly to minimise the impact of a security breach.
“When a major cybersecurity incident happens, you’ll need to make decisions quickly,” Kukar says. “A structured and well-rehearsed incident plan enables you and your staff to respond to and recover from incidents more effectively, because you have clarity on who has the authority to make decisions and how to communicate what’s happening to your staff, stakeholders, and customers.
“Consider a retainer-style arrangement with a cyber provider who can run the cybersecurity incident response for you in case of a major incident or crisis. You get access to specialist help and you can use some of the retainer hours for staff training and to run simulations to test your plan,” she says.
Cyber insurance
Years ago, firms may have opted for cyber insurance as a cost-effective way to protect themselves against attacks. That is no longer the case.
A spate of attacks and payouts has disrupted the insurance market. Premiums have skyrocketed, coverage has shrunk and application forms have swelled up to 40 pages.
Firms can no longer afford the premiums or their applications are being rejected by insurers because of inadequate cyber controls and infrastructure.
“I’ve seen plenty of examples where cyber insurance has been valuable, helping cover costs or giving you access to a specialist cybersecurity response team,” Whitmore says. “But it is only one mechanism to manage your risk. The bottom line is: cyber insurance doesn’t help your reputation. If you’ve been breached, clients will go to someone else they can trust more.”
Miller knows some clients who are spending over NZ$100,000 on premiums. He suggests money can be better spent on building a firm’s cyber defences.
“If you’re going to spend NZ$100,000 on an insurance premium, I would spend NZ$50,000 on putting controls in place that would actually make my environment safer, and save myself NZ$50,000,” says Miller.
For those firms that are keen to invest in cyber risk or cyber liability insurance, Robertson strongly recommends being hyper-vigilant about policy exclusions, labelling them a “minefield”.
“Make sure you have a good understanding of what the policy covers, including any breaches that may have started before the policy took place,” he says.
Cloud or servers for data?
Many small to medium firms will be using shared drives to store sensitive client data.
With cloud providers now perceived to be safe keepers, Miller says moving data to the cloud could be a good option for smaller firms.
“If you’re a smaller company with around 25 employees, it makes more sense to get a professional company to take on most of the risk for you,” he says.
“Larger firms may consider managing their own data in Xero, AWS (Amazon Web Services) or Google Cloud. But it is much easier to get someone who specialises in running it, provided they have been around for a while and have a good reputation.”
Robertson warns that the cloud is not necessarily more secure than a server.
“With public cloud services, for example, you may even be increasing the likelihood you’re going to be attacked by people trying to impersonate global service providers, like Microsoft,” he says.
“The cloud has provided some great functionality and easier integration between systems, but new threats and challenges are emerging that businesses need to be mindful of.”
You've been hacked! What are your responsibilities?
Australian firms
1. Contain the breach immediately, if possible.
2. Assess if the breach is likely to result in serious harm to individuals whose personal information is involved, in line with the Office of the Australian Information Commissioner’s (OAIC) data breach scheme.
3. Notify the individuals involved and, if it is a notifiable data breach, inform the OAIC and await instructions. Consider notifying other individuals who could suffer serious harm to give them an opportunity to act to protect themselves.
4. Review the incident and consider what actions can be taken to prevent future breaches.
New Zealand firms
1. Contain the breach immediately, if possible.
2. Assess if the data breach is likely to cause serious harm to anyone, in line with the Office of the Privacy Commissioner’s (OPC) NotifyUs requirements.
3. Notify the individuals involved and, if the breach is likely to cause serious harm to someone, notify the OPC within 72 hours of the breach occurring and await instructions. Consider notifying other individuals who could suffer serious harm to give them an opportunity to act to protect themselves.
4. Review the breach and prevent it happening again by investigating the cause and updating your prevention plan.
Know your cyber threats
To help protect your firm, the experts say to practise good password hygiene, use multi-factor authentication, avoid shared logins and mailboxes, and double-check the identity of suspicious actors or the validity of last-minute requests.
1. Business email compromise
Tricking a user into making a payment, with email as the entry point. Hackers can spend months or even a year inside a mailbox, building up to impersonating someone and making a malicious request.
2. Email links (phishing)
A hacker sends an email from a fake email address asking the user to click on a link or open an attachment. Doing so can give the hacker access to systems and data.
3. Vendor impersonation
When a hacker impersonates a supplier, like Dell or Xero, and asks to share screens so they can access passwords or multi-factor authentication information.
4. Software breaches
Out-of-date software can be easily hacked into, giving hackers access to data and systems. Keep your software up to date.
5. Ransomware
Hackers access data and lock it up (encrypt it), then threaten to release the data to the public unless they are paid a ransom. Victims are generally advised not to pay the ransom.
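The business email compromise and vendor impersonation patterns above, and the NZ$5 million payment-redirection case Whitmore describes earlier in the article, share one tell: a request to pay a known supplier into an account that is not the one on file, often sent from a look-alike domain or with a mismatched Reply-To header. The following Python script is an added example written for this article, not code from Acuity, KPMG, Aura or Strategic Group; it shows the kind of pre-payment screening check a firm or its IT provider could run before a transfer is released. The vendor record, domains, account numbers and message text are constructed sample data, and the threshold of two edits for a look-alike domain is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed vendor master record (sample data): the bank account on file for
# each supplier, keyed by the e-mail domain the firm verified out of band at
# onboarding. A real firm would load this from its accounting system.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "northernsupplies.example": {"account": "01-0123-0456789-00"},
}

# Wording that commonly accompanies a request to change where money is sent.
CHANGE_PHRASES = re.compile(
    r"\b(new|updated?|changed?|different)\b.{0,40}\b(bank|account|payment)\b"
    r"|\bplease\s+remit\b|\baccount\s+details?\b",
    re.IGNORECASE | re.DOTALL,
)

# Assumed threshold: a sender domain within this many edits of a known vendor
# domain is treated as a look-alike (e.g. one character swapped for a digit).
LOOKALIKE_MAX_DISTANCE = 2


@dataclass
class PaymentRequest:
    from_addr: str              # header From: address
    reply_to: Optional[str]     # header Reply-To: address, if present
    body: str                   # message text
    requested_account: str      # account the sender asks to be paid into


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (used to spot look-alike domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_known_vendor(sender_domain: str) -> Tuple[str, int]:
    """Return (vendor_domain, distance) for the vendor domain nearest the sender's."""
    return min(
        ((d, edit_distance(sender_domain, d)) for d in VENDOR_MASTER),
        key=lambda pair: pair[1],
    )


def screen_payment_request(req: PaymentRequest) -> List[str]:
    """Return a list of findings; an empty list means no BEC indicators were seen."""
    findings: List[str] = []
    sender = domain_of(req.from_addr)
    vendor_domain, dist = closest_known_vendor(sender)

    if dist == 0:
        vendor = VENDOR_MASTER[vendor_domain]
    elif dist <= LOOKALIKE_MAX_DISTANCE:
        # A domain one or two characters away from a real supplier is the
        # classic impersonation setup; compare against that supplier's record.
        findings.append(
            f"sender domain {sender} looks like known vendor {vendor_domain} "
            f"(edit distance {dist})")
        vendor = VENDOR_MASTER[vendor_domain]
    else:
        findings.append(f"sender domain {sender} matches no vendor on file")
        vendor = None

    if req.reply_to and domain_of(req.reply_to) != sender:
        # Replies silently routed to another mailbox is a common BEC tell.
        findings.append(
            f"Reply-To domain {domain_of(req.reply_to)} differs from From domain {sender}")

    if CHANGE_PHRASES.search(req.body):
        findings.append("message asks for payment details to be changed")

    if vendor is not None and req.requested_account != vendor["account"]:
        findings.append(
            "requested account differs from the account on file; confirm by "
            "phone on a previously known number before paying")

    return findings


if __name__ == "__main__":
    # Constructed message resembling the pattern described in the article.
    suspicious = PaymentRequest(
        from_addr="accounts@northernsupp1ies.example",   # 'l' swapped for '1'
        reply_to=None,
        body="Please note our new bank account for this payment.",
        requested_account="12-3456-7890123-00",
    )
    for finding in screen_payment_request(suspicious):
        print("FLAG:", finding)
```

A check like this is cheap to run as a step in an accounts-payable workflow, but it only flags; the control that actually stops the loss is the one the article's experts recommend, confirming any change of bank details by phone on a number already held on file rather than one given in the email.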
From CA Library
Protecting SMEs against cyber criminals
The podcast 'Protecting SMEs Against Cyber Criminals' looks into why SMEs are targets for cyber criminals and offers strategies to protect smaller firms against attack.