THERE are huge business benefits available to accountants embracing digital technologies. But realising the benefits that come with digital technologies is far from simple.
In this article, I lay out the three useful starting points which all accountants should consider.
Remote working as an accelerator not an initiator of the truly digital accountant
Cloud-based versions of accountancy software, alongside digital payment, payroll and other solutions, can help accountants operate more effectively and efficiently. Cloud-based solutions can be scaled up or down, or reconfigured, in line with accountants’ changing requirements. Digital technologies may also help accountants seeking to offer clients additional services, including business advisory services informed by use of data analytics.
It seems increasingly likely that within a few years a majority of accountants will use digital technologies to serve a majority of their clients. This change will be driven in part by demand from the clients themselves, with additional momentum created by further development of Open Banking services and extension of the Making Tax Digital programme.
But in 2020 some of that momentum arrived early, because the Coronavirus crisis forced so many accountants and their clients to accelerate adoption of digital technologies, when millions of businesses and employees were forced to work remotely or at home. In many cases organisations had to transform long-established working practices within just a few days. They found themselves improvising an approach to distributed, digitally-enabled working on a large scale; effectively testing the efficiency, security and resilience of this new way of working in real time.
In the longer term these enforced changes will bring many organisations useful benefits, as they increase the use of digital technologies more quickly than would otherwise have been the case. But with adoption accelerating during a period of economic and social uncertainty, there is also a danger that accountants and their clients will fail to take all necessary measures to mitigate any associated security, business continuity and compliance risks. So how can accountants ensure that does not happen?
Why cybercrime is on the rise in the age of Covid
Cybersecurity risks are usually created by a combination of malicious criminal activity, security flaws in software or hardware; and employee ineptitude. An extraordinary situation like a global pandemic, which knocks people out of usual behaviour, is a prime opportunity for cybercriminals. There is some evidence of criminal activity being stimulated by the pandemic: early on in lockdown there were examples of phishing emails disguised as instructions for logging into business systems, to try to trick employees into revealing log-in credentials.
This should be a concern for accountants, because while they may be affected by randomly distributed phishing, malware or ransomware campaigns, they are also sometimes targeted deliberately, often because attackers may be looking for a way to target an accountant’s clients. That doesn’t mean accountants should be paranoid or terrified – but it does reinforce the importance of planning ahead to address security and resilience risks.
The 3 steps resilient accountants can take to protect themselves and their customers
Information security could be thought of as combining three concepts: confidentiality – data being accessible only to those authorised to access it, when they need to do so; integrity – data being accurate, consistent and safe from manipulation or exploitation; and availability – data being protected but also being available to users in the manner and format in which it should be available.
Accountants should develop security strategies and policies that address each of these concepts. They should be based on risk management principles and should encompass both technical measures and improved employee training and awareness.
1. Take technical steps
Accountancy firms can start by taking basic steps: implementing firewalls, anti-virus and anti-malware software, kept up to date with the latest versions of software and security patches. Some firms will benefit from working with specialist information security service providers. Smaller practices may want to consult the Global Cyber Alliance (GCA) list of effective security tools, including many that are inexpensive or free to use.
Increased use of digital technologies can itself be a source of enhanced security and resilience, because well-managed cloud service providers will do everything possible to ensure their operations are secure, reliable and in compliance with all relevant legislation and regulation. Even so, accountants using these services cannot outsource responsibility for security and data protection: the security and resilience of cloud-based systems should be reviewed regularly.
2. Reduce the margin for human error
Any organisation can suffer a security breach caused by human error, such as employees clicking on links in malicious emails, or allowing data to leave the organisation inadvertently or mistakenly. Training employees to identify and report security threats or problems, and teaching them how to handle data can make a big difference – but many organisations have found it difficult to prioritise such training during the current crisis.
Employee access privileges for business systems or data should be controlled carefully; and only allowed via secure virtual private network (VPN) connections. Authentication of employees’ identities could be strengthened further through use of biometrics, or cloud-based mobile device management (MDM), which validates the security of employees’ devices.
It may also be sensible to encrypt the data employees can access; and to limit what they can do with it – by making it impossible to save data or documents onto removeable devices, or to upload them to other cloud-based platforms or services, for example.
It may be appropriate to enforce a policy that data can only be accessed directly from cloud-based business systems and never stored on employees’ devices at all. If data is held on employees’ devices it would be prudent if that data were encrypted; and devices that might be carrying confidential data should be equipped with remote wipe software to be used if they are lost or stolen.
Password management software, which prevents staff using weak passwords, or using the same password for more than one purpose, may also be useful. The security policy should also include enforceable policies for use of communications technologies, from email to videoconferencing and online collaboration tools.
All staff training materials should be easy to understand and as user-friendly as possible, designed to give staff a very clear idea of what constitutes good security. Ideally, training should be complemented with regular tests of staff understanding, such as simulated phishing tests.
3. Don’t forget your fundamental duty of care
It is easy to be dazzled by the brilliance of new technology, but the resilient digital accountant must never forget their fundamental duty of care to clients. Security breaches or business interruptions have the potential to cause significant damage and disruption to operations, finances and reputations – for the accountant and/or their clients.
Breaches of data protection legislation or regulations may also result in fines from the Information Commissioner’s Office (ICO): in the event of a data breach, a business must be able to prove that all reasonable steps to achieve and ensure compliance have been taken. In April 2020, Information Commissioner Elizabeth Denham issued a statement acknowledging the difficulties caused by the Coronavirus crisis and promising that the ICO would act “in an empathetic and pragmatic way” if breaches occurred – but, many months on, there cannot be very much of that leeway left.
Use of cloud technology should help accountants to recover quickly from business interruptions and some security incidents, but the ability to bounce back quickly cannot be taken for granted. In addition to comprehensive and effective security strategies and policies, regularly reviewed, tested and revised incident management and business continuity plans are essential.
So, becoming a distributed, digital business can certainly increase data security and compliance risks. But by planning ahead and taking a risk-based, best practice approach to using digital technologies, the resilient accountant can manage those risks effectively; allowing them to focus on delivering the best possible services to their clients.