Cyber Essentials for Accountants: A government-backed scheme to help ensure accountants are protecting their own and their clients’ data from cyber threats.
Your accountant probably holds some of the most sensitive data you have: personal data such as your date of birth and address, your National Insurance number, and most likely your bank account details and tax reference.
Now, with the move to paperless offices, they may also hold a scanned copy of your driving licence for anti-money laundering purposes, along with other personal documents such as pension and investment statements.
Fortunately, your accountant will be registered with the Information Commissioner's Office (ICO). This means they register every year and confirm that they adhere to the principles of the Data Protection Act in how they store and maintain your personal data.
You can check that they are registered, and what information they hold, on the ICO website.
There are 8 principles that organisations holding personal data should follow. The 7th of these covers security and says:
“You must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.”
Whether your accountant is a large firm or a small one, you expect them to take the highest level of care they can with your data. Accountants can no longer work without the internet, as many of the functions they perform with HMRC and Companies House involve filing information electronically.
This means they need to make sure they have taken every precaution to secure their systems.
Cyber Essentials for Accountants
The Institute of Chartered Accountants in England and Wales (ICAEW) was involved in developing a new government-backed security standard called Cyber Essentials, which was launched in June 2014.
This is a self-certification scheme, signed off by a certification body, and it covers the basic controls that companies can implement to guard against 80% of common cyber-attacks.
One would think that all accountants would rush to ensure they meet these minimum standards, given how sensitive the data they hold is. In addition, the cost of certification is as little as £300!
The ICO website leaves the decisions about what your business needs to do to protect client data very much up to the individual business. It includes some high-level guides about what businesses can do to secure their client data, and it provides external links where you can find out more about the Cyber Essentials scheme and ISO 27001.
In our experience, many accountants are unaware of the Cyber Essentials scheme, and some who have started down the route of self-assessment have dropped out over steps as simple as password controls, such as each user having a unique user name and a strong password.
The reason given is the inconvenience of having to change them regularly and remember them!
It would be interesting to know how the ICO would judge whether 'appropriate' measures had been taken in these circumstances if there was a breach.
Securious is a Cyber Essentials Certification Body. If you would like more details about Cyber Essentials for accountants, please contact us.
Cyber Essentials is a government-backed scheme.
Cyber Essentials ensures that the following controls are in place:
- Boundary firewalls and internet gateways: ensuring your system boundaries are secure from outside access, including simple steps such as making sure the manufacturers' default passwords on these devices have been changed.
- Secure configuration: including the use of 'strong passwords', backup policies, etc.
- User access controls: using a unique user name and password for each user, not granting admin rights to all users, and restricting the use of admin rights to admin tasks only.
- Malware protection: keeping it updated and running scans regularly.
- Patch management: having a policy to ensure that updates are applied within 14 days of release.
ISO 27001 is an audit and certification scheme.
Neither of the above certification schemes is mandated by the ICO. When you register with the ICO, you confirm that you have taken 'appropriate' security measures; if in fact you have not and there is a breach, the ICO has the power to issue considerable fines. What counts as appropriate is not clearly defined, but the above certifications would show that you have taken steps to protect your client data.