The technology glass can be way more than half-full – so long as you’re vigilant and prudent.
In a previous blog we discussed how cloud computing impacts on accountancy firms more than others – not least because the cloud facilitates accountancy firms and their clients having a fully up-to-date and synchronised view of the clients’ financial situation – thereby enabling better financial decision-making.
However, this cloud-facilitated capability brings with it associated risks. And all businesses, especially accountancy firms, need to be aware of those risks so that they can manage them in a strategic manner.
Some numbers will help illustrate. The 2014 PwC Annual Global CEO survey shows that economic crime affects the financial services sector more than any other:
Here is a graphic revealing the myriad of internal processes affected by financial crime:
It is readily apparent that the tentacles of such crime extend into every nook and cranny of a firm’s operations. Economic crime covers a multitude of crime types that are both episodic and systemic. Of those that are purely systemic, cybercrime is the second most common, closely followed by accounting fraud:
The 24% for Cybercrime was across the entire survey, it was a whopping 39% for firms in the financial sector. The true number is almost certainly higher because cybercrime is difficult to detect and such detection, if it happens at all, is often only detected long after the event.
The implication? It is critical, if your accountancy firm is using the cloud or plan to, that you and your clients’ data is secure. As PwC say, “connectivity and access also have a dark side”. Your firm needs to know where the vulnerabilities are and to remove them.
For firms in the financial services sector the main threat (of economic crime) comes from outside the organisation. This is the inverse of the overall result. But it should be of no surprise – cybercrime is much more of a threat to financial services than other industries. Especially when you think of what type of data is of more interest to an economic criminal – bank account details, delicate financial performance data, etc. offers a potential large payload to the cybercriminal and the financial services sector holds large volumes of such information.
Technology and especially the cloud aspect of technology is double-edged – rich in possibility but also leaving its users prone to attack. What can you do to maximise the former and minimise the latter?
Education is part of the solution. Educate your employees. They may be innocently unaware of their potential to inappropriately expose data – through technical ignorance and/or simply through not having considered the implications of their actions.
This educating of your employees needs though to be handled delicately. For example, you need to avoid clipping their wings to such an extent that they stop using productivity-enhancing software on their mobile devices. BYOD – bring your own device – is an acronym only in use in recent years that reflects how many employees bring their own laptops, tablets and smartphones to work. BYOD is an enabler – if managed correctly! You want them to want to work. You need them though to use only approved cloud software. IBM carried out a study of 1000 employees in Fortune 1000 companies and found that “one out of every three employees is uploading and sharing corporate data to third-party cloud apps, often without the knowledge of their employer”. This weakness can be addressed by a number of security products and solutions that will help firms to use the cloud more safely and to have more control over what data their employees can upload to third-party cloud apps such as Dropbox and Google Docs.
Tools such as these can provide enforcement. And such (technical) enforcement is only prudent. Imagine a valued sales employee saves some important financial information to a cloud-based file-storage capability that they’ve set up using their personal email. They do this so that when they’re at home or on the road, they can access the information from any of their mobile devices. Then that valued employee becomes a (possibly) disgruntled ex-employee – working for a competitor. The ex-employee is free to retrieve that data from the cloud – and use it for nefarious purposes.
The example just cited is malevolent. But other data breaches could occur without the employee’s intent. For example devices can be lost – a laptop left on a train, a mobile left at a meeting. Devices can also be stolen. So devices require security, i.e., access security and data encryption.
Securing devices however, though necessary, is not sufficient. Data being transmitted wirelessly or being transmitted to or from the cloud can be intercepted. So some data needs to be encrypted before it is transmitted. But even then there is another vulnerability. What use is it to encrypt data if the key to unencrypting it resides with it? This may be stating the obvious but keeping the encryption keys separate from the data provides you with another level of insurance. For example, if you are storing encrypted data on the cloud, it is simple but potentially invaluable to ensure that you keep the encryption key elsewhere, e.g., with a different cloud provider.
BITS offer a full security audit service where we assess the potential threats to your network from both external and internal sources and offer solutions as listed above for locking out and monitoring potential data breaches in your company. If you would like more information on how BITS can help you navigate these choppy waters in order to optimally utilise the possibilities of technology, email us at firstname.lastname@example.org or call us on 056-7786882.