By Andy Balchin, CFO @AndyBalchinCFO
Recently I was at the Law Society in London to attend a Cyber Security launch event jointly hosted by the Institute of Chartered Accountants (ICAEW) and the Law Society.
The event was introduced by Ed Vaizey, the MP who is Minister of State at the Department for Culture, Media and Sport and the Department for Business, Innovation and Skills, with responsibility for digital industries.
So, what were they launching? Well, it was Cyber Security Training for Accountants and Lawyers, particularly focused on professionals running their own firms. A great idea, given that those people not only have a duty to protect their own data and that of their clients within their own firms, but they also have a business opportunity to provide professional advice for their clients in suggesting and recommending best cyber security practice for that client. A double whammy, in other words.
So far so good: awareness-raising, education, good practice guidelines, additional materials, cyber risk as a key business risk, government and professional body backing. There’s even a Cyber Essentials kite mark that, for a small fee, companies can now display showing that their business takes cyber security seriously by adhering to a widely endorsed standard. All in all, anything that raises cyber security up the agenda has to be a good thing.
Where’s the “but”, I perhaps hear you say? Yes – there is a “but”. This launch was certainly a very valuable initiative, but I was left thinking: Why does cyber security always seem to be talked about at quite basic levels of security such as boundary protection, password control and malware protection? But more to the point, why does cyber security get spoken about in the same breath as criminals, hacking, espionage, theft, attacks, spies, hacktivists, rogue nations etc.?
The almost James Bond-like “romantic” notion of cyber security risk is, I suppose, not too far-fetched given some very high profile cases, but I tend to agree that large, medium and small companies alike will be misled if the impression they get from events like this is that most cyber-events are limited in their nature to what many might regard as the stuff of novels. Someone at the launch did question the emphasis and suggested that the risk for the average SME was, and often is, very different. Due to time, he was not able to elaborate and nor was the panel able to properly explain the emphasis, but on closer questioning afterwards I learnt that he was referring to accidental loss. Good man, someone who clearly understands that there are potentially greater risks staring us right in the face.
With IT being the focus of running most businesses nowadays, the accidental, deliberate or negligent act by any member of staff or contractor is probably the most significant and likely risk for any company. This is widely known as “The Insider Threat” or “The Enemy Within”. I bet every firm can recall examples of emails being accidentally sent to the wrong person, or attachments containing confidential information being distributed wider than intended. And it wouldn’t be too impolite to ask each senior partner within an accountancy or legal firm to own up to whether they have ever done this, accidentally! Everyone has, whether they own up to it or not!! And then ask what protection they now have in place to help protect that person in future, to control that information against accidental loss.
In my view there is a great opportunity to ensure that accounting and legal firms recognize that Cyber Security Training for SMEs should be balanced and risk-based. What an ideal opportunity for each firm to prepare a Risk Quadrant for their clients, and thereby help them focus resources on those risks which are most likely to occur. Often the real risk is far closer to home than is first appreciated.
So with respect to cyber security, don’t just think “criminal” – and don’t just think basic hardware security. These are of course important, but think about how to ensure the right information only goes to the right person, think about content and secure collaboration, think about all those comments and track changes in a document and how you ensure they are stripped out before reaching your clients, think about meta data and what process you have for making sure all that potentially embarrassing yet hidden stuff doesn't get out, think about information being loaded onto USB sticks, think about emailing information to home email addresses; start by protecting against how your staff access and use your critical information. Protect them from themselves. Get that right, and it will surely go a long way to protect against the more dramatic forms of cyber security events we read about.