Bruce Penson, Managing Director at Pro Drive IT
We recently explored why data breaches are an issue for accountancy practices and what can go wrong if you do suffer one. But what can you do to avoid one in the first place?
Before looking at how we can prevent data breaches, it’s worth considering the underlying causes. Most breaches can be attributed to the actions of people. The Information Commissioner’s Office (ICO), which is responsible for data protection in the UK, said about 50% of reported breaches in the last quarter were down to data being ‘disclosed in error’.
With all that in mind, here are our practical tips for preventing a data breach and handling one if it does occur.
Train your staff!
Given that human actions, whether intentional or not, are the leading cause of data breaches, it is surprising how many firms provide staff training on the subject only occasionally, or not at all.
We know training can be a burden, particularly for smaller firms, but these are some of the essentials to cover:
- All staff should read your information security policy on starting and at least once a year thereafter (just make sure it’s easy to understand and not too long).
- You should provide cyber security training at least once a year, preferably twice a year. Online training is the easiest way to manage this, although it can be more engaging face to face.
- Train your staff on the correct use of your IT systems — especially new starters or when you introduce a new system. If employees can use the system properly, they’ll be less likely to disclose data accidentally.
- Keep your staff up to date on developments, particularly on breaches that may have happened elsewhere and why. You can subscribe to blogs to get this information delivered to you and pass it onto staff in a monthly newsletter.
Taking your business through a cyber security certification programme helps make sure your firm is following recognised good practice and has the policies and procedures in place to prevent cyber attacks and data breaches.
The international standard for this is ISO 27001, but achieving it is a significant undertaking for small and medium-sized firms. Cyber Essentials and IASME Governance, which cover the configuration of your IT systems and the general management of your data respectively, are much easier for SME firms to achieve.
We at Pro Drive firmly believe the accounting world should follow the lead of the legal sector, which has made Cyber Essentials a mandatory requirement.
With more and more business data being stored in the Cloud or on the web, passwords have rapidly become a significant weak link in a firm’s IT systems. Why?
These days, we have a lot of passwords, but secure ones aren’t easy to remember. As such, people tend to use memorable passwords, reuse the same one for multiple sites or apps and in the worst cases, write them down or save them on their computers. Go on, admit it: do you have an Excel sheet with all your passwords on it?
All this can lead to a very unwelcome problem if someone gets access to your password — either from a phishing email or if it is disclosed when one of your providers suffers a breach.
There are two things you can do right now to help avoid this scenario. Firstly, you should encourage your staff to use a password manager to securely store passwords and identify any that are weak or duplicated. Secondly, arm them with the latest advice from the National Cyber Security Centre on how to generate a secure password using three random words.
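As an added illustration of the two steps above (this is example code, not a tool from Pro Drive IT or the NCSC), the Python script below does what a password manager's audit does for you: it scans a password-manager export for passwords reused across accounts and for weak ones, and it generates a three-random-word passphrase using the operating system's cryptographic random source. The wordlist, the common-password list and the vault entries are all constructed for the example; a real audit would use a full breached-password list such as Have I Been Pwned's and a wordlist of several thousand words.

```python
"""Password hygiene checks for a small practice.

Added example: audits a constructed password-manager export for reused and weak
passwords, and generates a three-random-word passphrase (NCSC guidance) using a
cryptographically secure random source.
"""
import math
import secrets
from collections import defaultdict

# Hypothetical 32-word list for the demo. A real deployment loads a list of several
# thousand words from disk (the EFF large wordlist has 7776 entries).
WORDLIST = [
    "anchor", "bishop", "canvas", "copper", "dental", "ember", "falcon", "garnet",
    "harbor", "ivory", "jigsaw", "kettle", "lantern", "marble", "nickel", "orbit",
    "pepper", "quartz", "raven", "saddle", "timber", "umpire", "velvet", "walnut",
    "yonder", "zephyr", "cobalt", "meadow", "pillar", "rocket", "summit", "tundra",
]

# Constructed list of a few common passwords. Use a full breached-password list in practice.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Constructed vault export: (account, password). None of these are real credentials.
SAMPLE_VAULT = [
    ("hmrc-gateway", "Summer2019!"),
    ("cloud-accounting", "Summer2019!"),
    ("office-365", "Summer2019!"),
    ("payroll-portal", "password1"),
    ("bank", "Tr0ub4dor&3"),
    ("practice-crm", "coral-bishop-lantern"),
]


def find_reused(vault):
    """Map each password used on more than one account to the list of those accounts."""
    accounts_by_password = defaultdict(list)
    for account, password in vault:
        accounts_by_password[password].append(account)
    return {pw: accts for pw, accts in accounts_by_password.items() if len(accts) > 1}


def is_weak(password, min_length=12):
    """A password is weak if it is short or appears (case-insensitively) on the common list."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


def audit(vault):
    """Return the accounts sharing a password and the accounts protected by a weak one."""
    return {
        "reused": find_reused(vault),
        "weak": [account for account, password in vault if is_weak(password)],
    }


def three_random_words(words=WORDLIST, count=3, separator="-"):
    """Generate a passphrase with secrets.choice (OS CSPRNG), never random.choice."""
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count=3):
    """Entropy against an attacker who knows the wordlist and the scheme: log2(N ** count)."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    # Name the affected accounts without echoing the shared password itself.
    for password, accounts in report["reused"].items():
        print(f"one password reused on {len(accounts)} accounts: {', '.join(accounts)}")
    print("weak passwords on:", ", ".join(report["weak"]))
    print("suggested passphrase:", three_random_words())
    print(f"demo wordlist: {passphrase_entropy_bits(len(WORDLIST)):.1f} bits; "
          f"7776-word list: {passphrase_entropy_bits(7776):.1f} bits")
```

Two design points worth noting. The entropy figure is deliberately pessimistic: it assumes the attacker knows both the wordlist and that exactly three words were used, which is the honest way to compare schemes; three words from a 7,776-word list still give roughly 39 bits while remaining memorable. And the report names accounts rather than printing the offending passwords, so the output of the audit is not itself something you need to protect.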
Even with the best precautions in place, it is almost inevitable you will suffer a breach at some point. So, when this happens, you need a written breach response plan, rehearsed in advance, that includes:
- Any actions that need to be taken with your IT systems (for example, notifying your IT team or provider);
- Whether you need to notify the ICO and, if so, how to do it (under the GDPR a notifiable breach must be reported within 72 hours of your becoming aware of it, so the plan should name who makes that call);
- How to inform anyone whose data is involved in the breach;
- Whether you should be communicating the breach in public, e.g. via social media.
Accountancy firms may be familiar with the recent data breach at Wolters Kluwer, one of the leading providers of software to the sector. In a perfect example of how NOT to communicate such an issue, Wolters Kluwer only said there was an issue with its systems — not what had happened, or which data was potentially compromised. This led to rumours on social media and significant worry among clients.
Although no firm likes publishing details of a breach, it is better to do so as soon as possible, along with the steps being taken to address it. This way, you can demonstrate your firm is in control.
Don’t let a data breach put your practice out of business. Join us at our Data Breach Workshop in October to find out more about minimising the risks. Until then, you can always contact our expert team for advice.