En garde!
In the cat-and-mouse game of cybersecurity, how much protection does your software – and other prevention measures – really provide?
In Brief
- Commoditisation in cybersecurity software has made it easier for small and medium firms to afford better levels of protection, and cloud-based software is more secure than on-premises IT.
- However, some clients will insist on greater cybersecurity – including ISO 27001 certification, which can be costly.
- While cyber insurance is available, providers require accounting firms to implement risk mitigation efforts if they want to obtain cover.
A close brush with hackers helped Angela Fisher CA, co-founder of New Zealand advisory firm ClockworX, commit to a five-figure investment in data security. One of her contractors was contacted by anonymous persons who claimed they had personal information that they would use to harm the firm. Fisher subsequently committed to spending more than NZ$50,000 to certify her business under the ISO 27001 data protection standard and take out cyber insurance.
“We are putting quite a bit of money into our business to be sure that it’s actually protected in terms of data security,” Fisher says.
The certification will not only give Fisher peace of mind; increasingly, clients are requesting it.
One New Zealand client sent a ClockworX proposal for bookkeeping services to its head office in Dublin for sign-off. The Irish office responded with a list of questions as part of its due diligence process.
“All these questions came to us around where the data was stored. Even for Microsoft data – which server and which country?” Fisher says.
Apart from international clients, government agencies at home in New Zealand are also asking for more evidence of data security practices, Fisher says.
Moving targets
Accounting firms are taking various measures to protect themselves against constantly changing cyber threats. Commoditisation in cybersecurity software has made it easier to buy higher levels of protection.
While well-known antivirus brands such as McAfee, Norton and Sophos still exist, much of the cybersecurity software market for small and medium enterprises has been displaced by Microsoft and Google’s productivity suites.
In 2020, Google said it had two billion active monthly users and Microsoft said it had 200 million. Among accounting firms, Microsoft 365 has become a de facto standard. Both companies bundle antivirus, sandboxing and other technologies with their email software and online storage.
We are moving away from best-of-breed security stacks, says Gavin van Niekerk, practice manager, cybersecurity, at Quorum, a Microsoft partner specialising in security. “The problem is that the attacks are getting more complicated and the investment is getting more costly. AI [artificial intelligence] and machine learning is very expensive to develop and maintain, to stay up to date with the latest attacks. Security will become more and more commoditised over a period of time.”
Most SMEs can enjoy reasonably strong protection by using the cybersecurity features in these services – but only if they implement the technology properly.
Microsoft has copped criticism for overly complicated pricing and charging more for cybersecurity features than the equivalent Google plans.
The Microsoft 365 Business Standard plan costs A$17.20/NZ$18.90 per user, per month and includes antivirus protection for Outlook Online and multifactor authentication. The Business Premium plan costs nearly double (A$30.20/NZ$33.30 per user, per month) and adds sandboxing – Microsoft will check whether an attachment or link is malicious before allowing a user to access it. It also includes advanced email protection that prevents spoofing, data protection and device or endpoint protection.
Microsoft’s enterprise licences (from A$52.20/NZ$57.50 per user, per month) protect user identities, monitor connections to cloud software, such as Salesforce, and manage insider risk.
Cybersecurity software is moving towards agents that combine separate technologies – antivirus, intrusion detection, firewall and policy management – into one application, says Jamie Beresford, chief executive officer of Practice Protect, a company that specialises in providing cybersecurity services to accounting firms.
“The modern version of antivirus is a desktop security agent,” Beresford says. “The old desktop antivirus just monitors what is running on a computer. Modern ones are more savvy to networking. If someone has got onto your wi-fi network from next door and they’re trying to attack your computer, it’s going to pick that up.”
These agents can also deploy policies to remote machines that restrict the use of printers or USB ports. Practice Protect’s Device Security service also monitors computers to detect unauthorised software. If someone tries to launch an application that isn’t pre-approved, it will run the application in a sandbox separate from the rest of the computer.
It will also trigger a notification in Practice Protect’s security operations centre. “We will see that executable, we’ll have a look at it and decide whether to approve it. It’ll get added to the whitelist, come out of the sandbox and then run as a native app on that desktop,” Beresford says.
Cloud is the safer bet
For years, desktop software vendors attacked cloud-based software by claiming it was less secure. The market has now largely accepted that, for small and medium firms at least, cloud software is a more secure model.
“It’s more difficult to protect yourself with on-premises software versus cloud,” van Niekerk says.
On-premises software installed on a desktop computer or a server requires regular patching of the firmware and the operating system, as well as the application software. The responsibility model for cloud software shifts the onus of cybersecurity onto the vendor, van Niekerk says. “With cloud there’s no server I have to worry about, or ageing hardware. I just consume the service.”
The greatest vulnerability for cloud software is not the hardware or software – it’s the user’s identity. This is the new security perimeter. Insurers also recognise the safety of cloud software in their pricing. Nowadays, insurers’ greatest concerns are firms that run on their own servers.
A firm was recently hacked and the insurer discovered that only certain parts of the data were backed up. “It was quite costly in terms of employing third-party service providers to work out what data was lost and rebuild that data,” says Rob Collyer, cyber underwriting manager at Nova Underwriting, a specialist insurer for accounting firms.
“A firm can’t say, ‘Someone else is looking after that data’. They need to know that their data has been backed up and confirm that with the software provider. The responsibility of the insured’s client data rests on the insured’s shoulders,” Collyer says.
Nova Underwriting pushes for more regular backups; some firms only back up weekly or even monthly. This is one major reason why cloud software is preferred, as the vendors will back up data daily or even hourly.
Have there been any issues with these backups by popular cloud-based business software?
“Not that I’m aware of,” Collyer says. “We see cloud as the best source for smaller businesses. And it’s cost effective for them as well.”
How to lower your cyber premium
Insurers are taking a harder line when it comes to offering cyber insurance to firms. For example, failing to provide multifactor authentication for remote access is a deal-breaker.
“The insurance industry is seeking greater levels of risk controls and processes in place to have a sort of minimum level of protection and acknowledgement from the insured that there is a risk and that they’re doing something to reduce that risk,” Collyer says.
What affects premiums? Staff training, multifactor authentication, regular patching, updating and offsite backups for server-based software. “Those are factors that are in play with premium, excess and whether we will decide to insure,” Collyer adds.
If a firm doesn’t provide regular staff training, or doesn’t have an incident response plan or a disaster response plan, Nova Underwriting will also decline to insure, Collyer says. If only one of these is missing, Nova Underwriting will ask whether the firm has a plan to put it in place within the next 12 months. If the firm still doesn’t have these controls by the annual renewal, Nova Underwriting won’t renew cover.
“We don’t really have any circumstances where that’s occurred, because they’ll generally see the importance of having those in place and implement something fairly quickly,” Collyer says.
The biggest challenge is still one of the oldest – making sure staff don’t click on a link they’re not supposed to. “One of the things that we really push is regular staff training. Now that software is becoming more similar [in its level of cybersecurity], it comes down to human error,” Collyer says.
Endpoint protection – security software on all devices, whether mobile phones, laptops, desktops or servers – is only mandatory for mid to large businesses, Collyer says. There are no penalties or conditions for firms with working-from-home arrangements or remote teams.
“We will ask whether the employees bring their own device or is the device supplied by the company they work for. Is the company putting the approved software on the device? We want to make sure they’re properly protected working from home,” Collyer says.
Beresford agrees – there is no security penalty for working from home. The most effective measure is to ensure staff use a company-supplied device at all times, or at least a machine dedicated to work, he says. While it is possible to access cloud software from a personal laptop, that device will lack the security controls enforced on company devices such as antivirus, data protection and access control.
“You can limit it to work use only, and control how data is saved and how data is managed in that remote environment through remote security tools,” Beresford says.
Do you need a separate internet connection for business use as well? Beresford says this is not practical and adds too much complexity. Residential broadband plans provide a lot more bandwidth for the price, reducing the impact of streaming games such as Fortnite on the video quality of your Teams call.
The biggest threat, whether at home or in the office, is business email compromise (BEC), Beresford says. Hackers are finding it easier to hijack payments to suppliers by hacking email accounts than holding businesses to ransom.
BEC attacks target ‘payment partners’ – staff in accounts payable or a manager requesting approval for supplier payments. BECs are so effective because once a hacker controls an email account they can copy a previous request, including the language, style and tone of voice, and send it to the approver or facilitator of the payment.
The most effective way to stop BEC attacks is to block hackers from accessing the device. Multifactor authentication is a baseline protection, and firms can also limit the location from which access is approved. For example, a laptop could only log in from the network at work or at home, or only within Australia. “It’s about stopping those brute-force attacks,” Beresford says.
Do you need a VPN?
Virtual private networks – or VPNs – are a 1980s technology that creates an encrypted tunnel from a computer to a server. Their popularity has waned as companies have moved to using cloud applications that run in a browser.
“If you’re a cloud-native organisation where all your applications are either platform-as-a-service or software-as-a-service, then there’s no need for a VPN,” says Gavin van Niekerk from Microsoft cybersecurity partner Quorum. “They are out on the internet. What you need is secure access to that service, which most of them enforce. Everything is encrypted.”
Today, some technologists consider a VPN to be less secure because it gives a user access to the whole server.
“A VPN is this massive pipe into the organisation, when I really just need a hose if I need access to one file,” van Niekerk says.
An alternative approach is to ‘publish’ a server application to the internet, so it functions as a cloud application. A firm can then add layers of security and access restrictions to make sure that only authorised users can access it, van Niekerk says.
Setting the standard – how much does ISO 27001 cost?
Auckland-based firm ClockworX targets businesses with NZ$1 million to NZ$20 million in revenue and charges an average fee of NZ$3000 per month for services that include accounts receivable and payable, GST reporting, monthly accounts and payroll. It is prepared to invest in the ISO 27001 standard to attract more clients with international head offices. However, the cost is significant.
“We just got a quote for NZ$35,000 that includes the templates and the auditing. That will get us a certification, and then there’s the yearly audit,” ClockworX director Angela Fisher CA says.
“The work that we’re doing and handling data is becoming more and more important for clients that we’re going after.”
Once a business is certified under ISO 27001, it must undergo an annual audit. The second- and third-year audits cost NZ$4000 each. The fourth year requires a NZ$14,000 review.
Fisher says she is hearing about more businesses certifying to the ISO standard. It’s not just NGOs and government agencies requiring it of suppliers; her ISO consultants are certifying companies in construction and finance too, Fisher says.
Fisher has also taken out cyber insurance for the first time. Why get it now?
“I guess it’s just what I’ve been reading and hearing in the market and the risk-benefit-cost decision,” Fisher says.
Held to ransom
An accounting firm in Victoria with fewer than 10 staff was hit by a ransomware attack in February. The attack didn’t shut down its systems, but the hackers did steal a large amount of data, including tax file numbers, phone numbers, addresses and driver’s licence numbers for 200 clients.
The hackers threatened to publish the information to the dark web unless the firm paid A$200,000. Subsequent negotiations brought that down to A$25,000 – but the firm decided not to pay.
“Our insured and the experts determined it wasn’t worth paying the ransom. They worked out that these guys weren’t really serious because they were constantly reducing the amount,” says Nova Underwriting’s Rob Collyer.
Despite avoiding the ransom, Nova Underwriting will pay out more than A$300,000 in costs. This included IT forensics to work out when and how the attack occurred, recovering lost data from compromised backups, notifying clients their data had been stolen, providing the Office of the Australian Information Commissioner with the details of the data breach, and subscriptions for credit monitoring services for the 200 clients.
“It’s an example of how costly these things can quickly become. Without insurance, that would really put this business back a number of years and possibly even into liquidation,” Collyer says. “There was business interruption, which is part of the claim because they weren’t able to conduct business.”
Cybersecurity features in Microsoft licences
| Feature | Business Standard | Business Premium | Enterprise E5 |
|---|---|---|---|
| Price per user, per month (annual commitment) | A$17.20/NZ$18.90 | A$30.20/NZ$33.30 | A$78.30/NZ$86.20 |
| Email protection (Microsoft Defender for Office 365) | Y | Y | Y |
| Microsoft Defender Antivirus | Y | Y | Y |
| Microsoft multifactor authentication | Y | Y | Y |
| Social engineering protection (against ransomware) | | Y | Y |
| Endpoint protection (Microsoft Defender for Endpoint) | | Y | Y |
| Data protection (BitLocker) | | Y | Y |
| Spoofing protection (AiTM attacks, Microsoft Defender for Office 365) | | Y | Y |
| Sandboxing documents and links (Windows Sandbox) | | Y | Y |
| Identity protection | | | Y |
| Improved multifactor authentication | | | Y |
| Cloud app security (Microsoft Defender for Cloud Apps) | | | Y |