Cybersecurity skills – the why, what and how
Cybersecurity issues have become a day-to-day struggle for businesses everywhere, affecting the smallest micro-businesses as well as global retailers, telecom companies and airlines.
In the UK, a third of all businesses were affected by phishing attacks, viruses, spyware or malware in 2018, according to the government’s 2019 official statistics. That figure rose to 60% among larger businesses, which is in line with trends reported worldwide.
Accountancy firms and other financial institutions are particularly attractive to cyber criminals.
‘It’s because they hold huge amounts of client data and sensitive financial information,’ says Carl Lundberg, partner at accountancy and business services firm Gerald Edelman. He adds: ‘Accountancy is also becoming more digitised, and data commoditised.’
Smaller firms especially, with their limited or poor security defences, are perceived as a soft target.
But even the Big Four, with their vast cybersecurity budgets, are not immune.
In 2017, Deloitte US was hit by a sophisticated hack that compromised the confidential emails of some of its blue-chip clients. The hackers potentially also had access to usernames, passwords and IP addresses. What’s more, the attack may have gone unnoticed for months.
Such an attack on an accountancy firm can result in severe reputational damage, legal action from clients who had their information compromised, as well as penalties imposed by the regulators. For example, in line with the EU General Data Protection Regulation, firms face fines of up to €20 million (or 4% of annual turnover) and even criminal prosecution if their data security is found to be inadequate.
It is no wonder cybersecurity has become a top priority for accountancy firms. It’s also why they are investing heavily in people and skills in this specific area.
‘Accountancy firms are increasingly seeking cybersecurity specialists to help them mitigate risks to sensitive information, financial costs and business reputation,’ confirms Lee Owen, director at Hays Accountancy & Finance. ‘In fact, the demand is huge – EY and PwC are now among the biggest recruiters of cybersecurity employees.’
Cybersecurity skills allow firms to broaden their service offering too.
Lundberg says: ‘We advise our clients on all aspects of their business, and data and cybersecurity is of increasing importance and focus. Therefore, we need to ensure we have the skills and knowledge to advise on this as well.’
A new career direction?
Bigger firms now have dedicated internal cybersecurity teams, which presents an exciting opportunity for accountants with relevant skills.
Thinking about making a move from audit, for example? You’ve got some of those skills already.
‘As an auditor you would have developed and refined logical thought processes, professional scepticism and strong analytical skills that could be applied to a role in internal cybersecurity,’ says Lundberg. ‘You are also accustomed to understanding risks, which hopefully means staying up to date with technology and how it can be used to better service clients.’
However, you will also need strong IT skills. ‘Your meticulous attention to detail and the ability to use logic and reasoning will be useful, but you will also need knowledge of different hardware, software, networks and databases to make this transition,’ says Owen.
Certain other hard skills may be required too.
‘These could include intrusion detection, malware analysis and programming languages such as C, C++, PHP, Perl and Java,’ says Gary Green, accountant and principal at Key Business Consultants.
A strong working knowledge of regulatory and industry data security standards is also a must, as are people skills so that you can communicate effectively with non-IT-minded colleagues.
Qualifications to boost your CV
Some employers may also be looking for a relevant degree (computer science, computer information systems, cybersecurity or a related technical field), or industry standard certifications.
‘The two most prestigious certifications are the Certified Information Systems Security Professional (CISSP) from ISC and the Certified Information Security Manager (CISM) from ISACA,’ Green says. Another one is ISACA’s Certified Information Systems Auditor (CISA). All three are recognised worldwide.
‘There are also government-run training courses and certifications to choose from,’ says Owen. These range from foundation to advanced level.
Your cyber awareness
But what if you intend to work (or continue to work) in a more traditional accounting role?
Dr Gurcharan Singh, head of department and programme director in accounting and finance at the University of Buckingham, says: ‘Many firms employ accounting software which has embedded security. This can make you feel more secure without having to dramatically upskill. But you should really try to acquire some level of IT-based knowledge so that you can identify problems and think about potential solutions.’
When it comes to file and email management and data security, you need to follow best practice and your employer’s IT guidelines at all times.
This is particularly important because statistics show that 90% of data breaches are due to human error, such as when employees unwittingly allow unauthorised access or viruses into the system by opening malicious email attachments.
Passwords are a weak link too. These days, we have a lot of them, but since secure passwords are difficult to remember, some people go for memorable ones, reuse the same one for multiple sites and even save them in an Excel spreadsheet on their computers.
‘Here, simple best practice would be using complicated random password generators and a password manager to securely store all your different passwords,’ says Green.
Sign up for technology and security seminars, and keep up to date with the latest news and guidelines from ACCA as part of your continuing professional development too.
Finally, see if you can make suggestions to improve cybersecurity best practice in your workplace.
Lundberg says: ‘As accountants, we are lucky to have access to lots of other businesses and people and we therefore have the opportunity to learn about how they manage and mitigate the risks they face. This gives us a lot of knowledge that we can try and apply to our own organisations.’
This article was first published in Student Accountant