By Bruce Penson, Managing Director at Pro Drive IT
As an accountancy firm, you hold a huge amount of confidential and sensitive information. Personal details on clients, banking and social security information, confidential material about businesses and their staff: all of this data presents a massive problem.
Why? Because this information is highly valuable to cyber criminals. They know you hold it, they know who you are, and they will be trying to find ways into your IT systems to get access to it. Today’s cyber criminals are no longer hobbyists or ‘geeks’ sitting in a darkened room behind a computer. They are organised gangs with a considerable amount of knowledge and access to more sophisticated IT resources than a typical SME could ever hope to own.
This presents a real problem for accountancy firms — one for which many are inadequately prepared.
There is good news though. It is possible to make very real improvements to your defences and significantly reduce the risk of a breach without the need for complex technical solutions. In this eBook, we are going to cover five simple changes you can make at your accountancy practice to protect it from cyber criminals.
- Take control of your passwords
With all the different websites and apps we use in both our personal and work lives, we have a lot of passwords to remember. Memorising all of them is an almost-impossible task. Yet with many breaches of firms’ IT systems coming as a result of staff reusing passwords or having easy-to-guess ones, it is an area that accountancy practices cannot afford to ignore.
The UK Government recommends using password managers to address this problem. A password manager stores your valuable passwords in a secure online vault to keep them out of the prying hands of cyber criminals. Our favourite is LastPass, which costs just £3 per user per month for the business version. As well as providing an area for your team to store their passwords, the business edition of LastPass also alerts you to staff storing insecure passwords or reusing them for other websites — ensuring you can maintain best password practice across your firm.
If you are not ready to commit to spending at this stage, LastPass also provides a free-of-charge service — you can follow our handy guide on how to set this up. There really is no excuse: make sure you set up your password manager today!
- Switch on two-factor authentication
As we have already discussed, the most common form of data breach comes from passwords being stolen. For web-based accounts and applications, this is a problem as once a cyber criminal has your password and email address, they will also have access to any accounts that use them.
Using automated software, they will quickly find these accounts — meaning they will have gained access before you are even aware you have a problem. At the moment, the most effective way to stop this is to enable two-step authentication. You most likely already use this on your online banking — where you might have to supply a randomly generated code in addition to your password. Most websites and web-based applications will have the option for two-step authentication at no additional cost. Where available, you should ensure this is activated and enforce it for your entire organisation.
This is absolutely essential if you use Microsoft Office 365 or Google Apps. For more information on two-step authentication, view these simple-to-follow guides from the popular two-step authentication app Authy.
- Use an ‘External Email Banner’
Time and time again, we’ve commented on the fact emails are the source of most cyber security breaches.
As such, it can be very useful to identify any emails you receive that are from outside of your business. If you can do this and you receive an email tagged as being from an ‘external sender’, but it appears to come from a colleague of yours, there is a good chance it is a fraudulent email. Adding a simple banner such as the one below is a very short job for your IT team and should cost you nothing — yet it could save you a fortune.
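The check described above, sketched as an added example (not from the original eBook or any mail product): it classifies a message as internal, external, or external with a display name that matches a colleague, then applies a banner. The firm's domain, staff names, banner wording and sample messages are constructed assumptions, and messages are assumed to be plain text.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example; replace with your firm's values.
INTERNAL_DOMAINS = {"example-accountants.co.uk"}
STAFF_NAMES = {"jane smith", "raj patel"}

BANNER = "[EXTERNAL SENDER] This email came from outside the firm."
WARNING = ("[EXTERNAL SENDER - NAME MATCHES A COLLEAGUE] "
           "Treat as suspicious and verify by phone before acting.")

# Constructed sample messages (single-part plain text).
SAMPLES = {
    "colleague": "From: Raj Patel <raj.patel@example-accountants.co.uk>\n"
                 "Subject: Q3 accounts\n\nDraft attached.\n",
    "client": "From: Acme Ltd <accounts@client.example>\n"
              "Subject: Invoice query\n\nCan you check invoice 12?\n",
    "spoof": "From: Jane Smith <jane.smith@freemail.example>\n"
             "Subject: Urgent payment\n\nPlease pay this today.\n",
}


def classify(raw_message: str) -> str:
    """Return 'internal', 'external' or 'external-impersonation'.

    Simplification: this trusts the From header. Headers can be forged, so a
    production gateway should decide internal/external from how the message
    arrived (authenticated internal submission vs. inbound from the internet).
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    # Normalise case and whitespace before comparing with the staff list.
    if " ".join(display_name.lower().split()) in STAFF_NAMES:
        return "external-impersonation"
    # Missing or unparseable senders fall through to 'external' (fail closed).
    return "external"


def apply_banner(raw_message: str) -> str:
    """Return the message with a banner added; internal mail is unchanged."""
    verdict = classify(raw_message)
    if verdict == "internal":
        return raw_message
    banner = WARNING if verdict == "external-impersonation" else BANNER
    msg = message_from_string(raw_message)
    if msg.is_multipart():
        # Outside this example's plain-text scope: tag the subject instead.
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"[EXTERNAL] {subject}".strip()
    else:
        msg.set_payload(banner + "\n\n" + msg.get_payload())
    return msg.as_string()


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```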
- Train Your Staff
It is a well-publicised fact that almost all cyber security breaches require some kind of human interaction to be successful. It is, therefore, somewhat puzzling that the majority of SME accountancy firms do not have a regular cyber security training program in place — especially when you consider that CPD courses and anti-bribery training are deemed so important. Part of the issue is that cyber security training is considered expensive, time consuming to deliver and not at all engaging to the people receiving it. But this is far from true. Some systems cost from as little as £2–3 per member of staff per month and deliver cyber security training in short, digestible blocks. These ‘short and snappy’ training sessions will not take up large amounts of your billable time but will still get the message across in an engaging way.
- Keep Your Team Aware
One of the challenges in any firm is keeping the threats from cyber security fresh in the minds of your team whilst they have their day jobs to focus on. Although training undoubtedly helps, often this is seen as a ‘point-in-time’ initiative in response to a breach or security incident occurring. Once the memory of this has faded, awareness amongst staff often does too.
The good news is that this is easy to address and, even better, it should cost you no more than a little time to administer it. Here is our suggested approach: Nominate a member of staff to be your ‘cyber threat co-ordinator’. This should not necessarily be someone from IT. Ideally, it would be the person involved in running your office and organising staff communications: most likely your practice manager. Your co-ordinator should sign up to some email feeds on the latest threats — a good starting point is the government-backed Action Fraud site and the security training service DynaRisk. Your co-ordinator should also review some online blogs such as those from the Independent, which offers an easy-to-understand news feed on the latest cyber security threats. The information from these feeds should then be used to create content in staff newsletters, presented regularly in team meetings, posted to your intranet or circulated via email or an instant messaging feed.
JUMP-STARTING PROCUREMENT TRANSFORMATION WITH A CLEAR AND REALISTIC PLAN
by Alex Klein, COO at Efficio Consulting
Following a period of ongoing economic uncertainty, business spend has risen high up on the C-Suite agenda, with the procurement function shifted into the hot seat as the enablers of not only rapid cost-cutting but future profitability. In fact, according to Efficio’s experts and authors of recently released PROFIT FROM PROCUREMENT, companies that break down the silos between departments and effectively optimise the procurement function can expect to add 30% to their bottom line.
But where to begin? In order to successfully embark on a roadmap to profitability, a concrete and realistic plan must be put in place – one that has clear objectives and actions agreed amongst all involved. Unfortunately, this is not something that can be achieved overnight. As with anything worth having, this involves a program of gradual transformation and is likely to take no less than 18 months to really drive an impact. With a long lead time to success, the CPO must ensure that the program makes the desired splash – proving its value and keeping internal stakeholders engaged throughout. This requires a plan that will have a high impact, high visibility, cross-functionality, and be fully resourced. Only then can procurement’s profit potential be truly unleashed.
Take a step back and listen
When embarking on a Procurement Transformation mission, getting to know the key stakeholders involved will be a crucial first step to getting the project off the ground. Whether that be the CEO, CFO, functional heads, or business unit heads – the CPO must take the time to listen and understand their expectations, needs, and requirements before a vision for the road ahead can be formed.
Suppliers are often forgotten in this mix, yet they are equally as crucial. Questions need to be asked, such as – what improvement options do they see? How could they help us to reduce cost? And how can we help them in return? What each stakeholder wants from procurement, and where they see value will likely differ, so it is important to have all cards on the table upfront. Not only should these considerations sit at the heart of your plan, but they can actually assist in making it a reality.
Determining the desired outcomes
Next up, and at the top of the pyramid that comprises your plan, needs to be a clear vision. Whilst the outcome of your efforts may seem pre-defined – such as, to cut costs and release profitability – the scope of this can span as wide or as narrow as you’d like. Now is the time to consider how far you want to stretch this outcome, and the only way to determine this is to ask yourself, “what does the next level of procurement look like in my organisation”?
This procurement vision, of course, needs to link back to the business’s overall corporate strategy. For example, if the business is looking towards aggressive growth, procurement should help facilitate this by aiming for scalability. If the strategy is to rapidly digitise, procurement can play a part in digitising the supply chain.
As part of this vision, the CPO must also consider their desired role and remit. For example, how do you see procurement’s way of working changing? How do you see your procurement people interacting with the rest of the business? What do you want your suppliers to say about you? Once defined, a clear ambition can keep Procurement Transformation on track and aligned. Without it, and with every stakeholder having varying needs, the desired outcome can quickly become lost.
Establishing a step by step improvement plan
So, you now have a solid vision – you’ve spent time listening to your internal customers – surely, you’re now ready to focus on getting there? Not so fast – you now need to think about the various facets of the function, including the organisation, people, and processes to establish where you currently stand. This will act as a baseline, from which a roadmap can then be developed and will require set objectives along the way to keep the journey on track. “House of Procurement tools” can be particularly effective here – these frameworks break down the procurement function in terms of strategy, organisation, people, processes, and systems – marking them against a benchmark of bad, average, and good. By plotting against this framework, you can tackle transformation in chunks, setting concrete objectives at a sub-factor level.
Once the current state of play has been established, the goal can then be plotted at the other end of the roadmap, with the activities needed to get to this end goal plotted in between. Key to plotting such a roadmap will be a review of which activities matter, what people are doing currently, and whether these tasks are having a meaningful impact. This may require a restructure of the current team, which may require investing in additional strategic procurement resources as well as upgrading internal capability.
Nevertheless, this plan must be granular, and it must be actionable. It is all well and good having great ambition, but it is nothing unless you know exactly how and what it takes to get there. Transformation takes time, and it will certainly not happen overnight, so make sure to break down your roadmap into smaller, more achievable, chunks. Rather than focusing on a single end goal 18 months down the track, ensure you have milestones to aim for after month three and month six, that contribute to the overall picture. Assembling such a plan is no easy task, but it is the very foundation needed for procurement teams to jump-start transformation.
So, what comes next? Buy in from the rest of the business of course. After all, a plan can only be successful once it has board level approval and sufficient investment. In part two of this series, Alex Klein will explore the stages that follow, including: developing a savings execution plan, building a business case for procurement investment, and ensuring program structure and governance.
THE IMPORTANCE OF MANAGING DATA RISK IN THE FINANCE FUNCTION
Written by Steph Charbonneau, Senior Director of Product Strategy, Vera by HelpSystems
CFOs and financial controllers play a pivotal role in how organisations evaluate and manage data risk. Analyst firm Gartner reports that more than 30% of organisations will use financial risk assessments of their data assets to prioritise investment choices for IT, analytics, security, and privacy by 2022.
Data is particularly at risk within the finance function. Sensitive data such as customer and supplier information, financial statements, and personnel records are processed and shared daily both inside and with vendors outside the organisation. The finance team communicates with banks, auditors, and lawyers on a regular basis and while laws and policies exist to provide protection, there’s no certainty as to where your data could end up, and you can’t control it once it is sent. The information that resides outside the organisation’s security perimeter is accessible with equal permissions, meaning access is not restricted once someone gains it.
Assess Your Vulnerability
All of this presents an immense risk. Understanding what the risks and potential costs are is an important component of organisational planning. How would the organisation react if sensitive information were disseminated to the wrong audience? What could it cost? Simply thinking ‘it won’t happen to me’ or assuming a party erroneously receiving sensitive data will act with integrity and delete the information can no longer be justified. Data breaches are common and can have a significant impact on your business.
The financial risk of a data breach is typically the cost of lost revenue, compliance challenges, cost of litigation, privacy regulation penalties, and reputational damage. Revenue loss risk and litigation costs risk are tangible impacts that can be measured. However, it is more difficult to quantify the probability. On that front, understanding your data’s level of vulnerability is important. If you are SOC2 compliant, your risk will be mitigated by the controls within the internal bounds of your system. On the flip side, it is difficult to assess the probability for data that leaves your repositories. Internal compliance, including SOC2, cannot address it.
Thankfully, there’s a multitude of methods to protect assets and minimise your cyber risk. Consider securing and managing your data with technology like digital rights management (DRM), data loss prevention (DLP), data classification and security incident and event management (SIEM) software. There are network controls you can put in place, and you should have a process for evaluating the security of any apps you use to minimise your vulnerability. Evaluate your cyber risk holistically to ensure nothing slips through the net, otherwise your vulnerability remains.
Implementing Data Security Best Practices
Cybersecurity can be very complex depending on the size and industry of the organisation. New attack methods and new technologies to deal with those attack vectors show up all the time. To maximise efforts at assessing security risk, allocate resources so the most effective tools and strategies (such as encryption or digital rights management) are used to protect the most important information assets.
Finance leaders should follow these best practices to manage their team’s cyber risk.
- Identify exposures in either tools or processes and work with the IT team to close the gaps in security.
- Classify your files and with it, understand where your sensitive data is located and how access is provided to parties that need it, especially those outside your organisation. Company policies and processes often overlook, or have no direct control of, data outside the organisation so this awareness is important.
- Adopt a zero-trust approach to protecting your sensitive data and implement technology that allows you to manage your risk. Software such as digital rights management, for example, protects your most valuable data assets no matter where they travel, allowing you to secure, track, audit, and revoke access if data accidentally or maliciously falls into the wrong hands.
- Educate and train finance team members to recognise and manage risk. Employees need to understand the importance of the data they are using and have access to the right tools and processes so that it is handled correctly.
Protect Your Most Valuable Assets
Evaluating an organisation’s cyber risk starts with clearly understanding the company’s risk tolerance. Is the organisation risk tolerant, or extremely risk averse? The answer may differ depending on what needs to be protected and what industry you operate in. In the finance function, what level of risk are you willing to accept and still justify and defend to stakeholders? Start by identifying those assets where the risk is unacceptable and where access needs to be carefully controlled and managed and focus your execution from there.