October is Cyber Security month so we’re getting to the crux of the matter in the hope you’ll get the most out of it – we’re asking: are you and your accountancy firm really prepared for what happens when you’re hit by a cyber attack?
The simple answer is that unless you have someone senior in your firm who has been involved in dealing with a major cyber incident, you will not be prepared for one.
However, that should not stop you from taking steps to reduce the impact – there are plenty of resources available to assist you and most will not cost you anything but time.
And remember this: if you have not been attacked yet, it is very likely to happen at some point. In fact, you are a much bigger target than a company that has previously experienced an attack. Worse still, you could already have been attacked but not yet know it – most attacks take over 200 days to be discovered.
What happens to you during a cyber attack?
There are many different types of cyber attack but the impact on staff and particularly Partners in firms is often similar. Here is what you can expect:
You will not simply be able to hand over the management of a cyber attack to your IT department or IT company. In fact, you can expect senior partners to spend almost 100% of their time dealing with the attack and the fallout from it during the first 2-3 days. As well as being extremely frustrating, this will cause a huge amount of personal stress.
Potential for data breaches
You also need to consider that if cyber criminals have got hold of your documents, your firm could be in breach of the data protection rules, so organisations like the Information Commissioner’s Office (ICO) could need to be informed.
Disruption to your business
Disruption comes in two forms – people not being able to work because systems are down, and people not being able to work because they are dealing with the fallout from the incident. Both mean your staff will not be billing, which will cost you money and result in missed deadlines for clients.
Dealing with lawyers and cyber forensics
When you report an attack to your insurers, you will be assigned a team of lawyers and forensic cyber investigators (these are specialists and not your regular IT people). These experts will demand huge amounts of your time and will require access to people, systems and documentation.
Stressed and worried staff
Your staff will absolutely know if your firm has suffered a cyber attack. As well as being under pressure from not being able to deliver client work and from assisting in mitigating the impact of the attack, they will be concerned about the health of the firm and ultimately their jobs. The Partners will have to communicate with them continually to reassure them that things are under control.
You may be able to isolate your clients from the effects of an attack – but often it is not possible. If a criminal gains access to your systems, they will likely have details on your clients and you will probably be obliged to inform them about it. This can raise concerns and, if it is not handled appropriately, you may have clients leave you.
Dealing with insurers
You absolutely must have cyber insurance in the current climate. But even with this, you will not know until some time after the attack has concluded whether your insurers will pay. So whilst you will be stressed and frustrated, running up legal and forensic bills in the £1000s, you must stay engaged with your insurers and their requirements so as not to compromise your chances of a successful claim.
What can you do?
Put simply, you must first accept that you will suffer a cyber attack at some point. It is a case of when, not if. If you get over this hurdle – and you must if you do not want to put the existence of your firm at risk – you can start planning.
Whilst no amount of planning will ever be enough, the more you do, the less you will be impacted when it happens to you.
The best place to start is to create a Cyber Security Incident Response plan. If you don’t know what this is or where to begin, sign up for one of our workshops and we will help you write one.