The last eighteen months have seen the way businesses work change dramatically, with a shift to work-from-home environments taking centre stage. While this has been beneficial in protecting employees from risks around COVID-19, it’s crucial we examine the impacts this shift has had for cyber-security challenges.
For auditors and accountants alike, nothing is more important than protecting your firm’s data and your clients’ personal information. But it can be easy for even the most diligent of us to become apathetic about monitoring for cyber security attacks.
However, the current work-from-home environment has created an added level of risk for how we protect and secure personal information and data. And given the sensitivity of information auditors and accountants hold, without the protection of in-office IT and security teams monitoring staff activity, we cannot afford to not be proactive about this issue.
Fear around the Coronavirus has seen people turn to the news for the latest information around its impacts locally and state-wide. Unfortunately, government agencies have reported that scams with COVID-19 messaging have cost Australians $9,800,000 since the start of the pandemic.
Further, the added risk of employees accessing sensitive information on personal devices while working remotely can significantly increase the risk of cyber attacks from human error alone.
Let’s explore some of the major impacts of cyber security threats from a work-from-home environment, and how to make sure you’re being proactive about cyber security within the industry.
How serious is the risk of cyber crime in 2021?
Over the 2020-21 financial year, the Australian Cyber Security Centre (ACSC) recorded an increase in cybercrime reports of 13%, climbing to over 67,500. This equates to one cyber attack every eight minutes. Fraud, online shopping scams and online banking scams were the top reported cybercrime types.
The frequency of cybercriminal activity is, as the ACSC states, compounded by the “increased complexity and sophistication of their operations”. The “exploitation of the pandemic environment” through our desire for COVID-related news was one of the most common methods by which criminals targeted Australians. For example, recipients of spear phishing emails were encouraged to enter personal details to access COVID information.
The impact of incidents has increased for the financial year 2020-21, according to the ACSC, with cybercrime reports and average reported loss for medium-sized businesses hit hardest. Medium businesses reported a loss of $33,442 in this time frame alone.
Average reported loss by organisation size for financial year 2020–21
Common ways you may be targeted while working remotely
According to the Office of the Australian Information Centre’s (OAIC) Notifiable Data Breaches Report for January – July 2021, the majority of breaches came from:
- Phishing attacks (30%)
- Compromised or stolen credentials (27%)
- Ransomware (24%)
- Hacking (9%)
- Malware (5%)
- Brute-force attack (5%)
After breaching an organisation’s network, criminals conduct surveillance to understand the location of data and backups, as well as the applications running. They may deploy credential-harvesting software to hack usernames and passwords and further exploit sensitive information in your systems.
The OAIC found that between January and July 2021, 43% of all data breaches resulted from cyber-security incidents. Human error is also a factor, accounting for 30% of the OAIC’s total notifiable data breach notifications. With a number of Australians having moved into lockdowns from June this year, it’s possible these figures may increase in the next report.
This is because the work-from-home environment may create some barriers to preventing common cyber attacks. Employees accessing work resources and information from personal devices that have been the target of cyber attacks may limit the amount of control a company has to protect said information.
When you consider the increase of online shopping and online banking scams, paired with, say, employees accessing work emails from their phones, it’s easy to see how a lack of awareness or complacency may create the perfect environment for security breaches.
Cyber criminals may take advantage of human error, lack of computer literacy, lack of awareness and complacency to seize on sensitive information. Auditing and accounting organisations and their employees must increase security awareness while operating on a work-from-home basis.
Biggest impacts of cyber attacks and schemes
During the 2020-21 financial year, the ACSC observed self-reported losses from cybercrime totaling more than $33 billion.
While the financial impacts of cyber-attacks cannot be overstated, it’s also worth noting that the reputational impacts of cyber-security issues can have a ripple effect internally and externally.
The relationship between accountants and auditors and their clients is one of trust, and if cyber-attacks occur, the reputation of any organisation can decrease. It is fundamental that organisations get on top of any potential issues ahead of time to limit the likelihood of incidents.
Ever since mandatory data breach laws came into effect in 2018, the accounting industry has continued to feature in the list of top data breaches. The OAIC Notifiable Data Breaches Report found that accounting services were the third most likely industry sector to notify data breaches.
Not only are organisations obligated to notify the OAIC of breaches, but clients must be advised as well. So, the reputational risks for organisations that face cyber-security challenges are also high.
Protecting against cyber attacks while working remotely
Key ways that you can protect your workplace from cyber attacks during work-from-home regulations include:
- Regularly updating passwords to be more secure
- Using two-factor authentication
- Protocols for securely storing work devices
- Employee education around how to spot scams, phishing attacks and suspicious activity
- Employee education around mandatory data breach reporting requirements
One of the most significant solutions to protecting organisations is prevention education, as the education of employees can help to limit the likelihood of human-error-led cyber attacks.
At National Audits Group, we offer awareness training, championed by KnowBe4 cybersecurity leader, Kevin Mitnick. This was recommended to us by Accounting Firm IT cloud experts, FreshMethod, who also encourage the implementation of Practice Protect password management – including two-factor authentication and geo-locking.
Effective IT governance is fundamental in identifying and addressing cyber-security risks. It’s crucial organisations regularly review and test internal IT processes and plans (including their Data Breach Plan) to identify any gaps and risk areas that may be targeted by cyber attacks. This is particularly worthwhile while many Australians are working remotely to ensure incidents are reported and to help navigate any impacts.
If your organisation has faced cyber-security challenges this year, we encourage you to speak with our National Audits Group team. We can help identify areas where the IT infrastructure and governance of your organisation could be improved.
Reach out to our National Audits Group team today for more information around cybersecurity risk management and our other service offerings.