This Content Was Last Updated on April 20, 2020 by Jessica Garbett


Cyber fraud is a significant business risk. Apply this practical guidance to minimise the threat.

HMRC’s recent announcement that its controls now stop half a billion phishing emails a year from ever reaching taxpayers shows the scale of the threat to businesses large and small, and why practitioners need to be alert both for their clients and for their own firms.

HMRC went on to explain that it has put security measures in place to stop criminals sending emails that appear to come from its own email addresses. It is using Domain-based Message Authentication, Reporting and Conformance (DMARC) to stop ‘almost all of these [emails] from ever reaching our customers’ inboxes’.

It has also said that ‘our dedicated customer protection team, part of HMRC’s cybersecurity team, continues to utilise innovative approaches to combat these threats. In the first six months of this year, they have responded to over 300,000 phishing referrals from customers. They’ve also instigated the takedown of over 14,000 fraudulent websites that were attempting to harvest customer data.’

The DMARC project highlights that DMARC policies are published in the public Domain Name System (DNS) and are available to everyone: a domain’s policy is a TXT record at _dmarc.<domain>, so anyone can look up whether a sender’s domain asks receiving mail servers to reject, quarantine or merely monitor mail that fails SPF and DKIM alignment. It states that ‘because the specification is available with no licensing or similar restriction, any interested party is free to implement it.’
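As an added example (not HMRC’s or the DMARC project’s code), the Python below parses a DMARC TXT record and lists the weaknesses a practitioner would look for when checking their own or a client’s domain: p=none (monitoring only), a pct below 100, sp=none leaving subdomains open, and no reporting address. The records are constructed for the example; a live check would fetch the TXT record at _dmarc.<domain> with a DNS library such as dnspython, which is assumed rather than shown. Note that DMARC only acts on mail that fails both aligned SPF and DKIM, so a strong record is necessary but not sufficient on its own.

```python
"""Parse a DMARC TXT record and rate the protection it actually gives.

Added example for this article, not HMRC's or the DMARC project's code.
SAMPLE_RECORDS are constructed; a live check would look up the TXT record
at _dmarc.<domain> (e.g. with dnspython, assumed and not shown here).
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict.

    RFC 7489 requires v=DMARC1 as the first tag and a p= tag; anything
    that fails those checks is not a usable DMARC policy.
    """
    tags = {}
    order = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 must come first)")
    if "p" not in tags:
        raise ValueError("policy tag p= is required")
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means an enforcing policy
    with aggregate reporting switched on."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append("p=%s: unknown policy value" % policy)
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    # sp= defaults to p=; an explicit sp=none leaves every subdomain spoofable
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains unprotected although the main domain is")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so abuse of the domain goes unseen")
    return findings


SAMPLE_RECORDS = {  # constructed for the example
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "half-enforced": "v=DMARC1; p=reject; pct=50; sp=none",
    "enforcing": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, "->", assess_dmarc(record) or ["OK: enforcing policy with reporting"])
```

A domain whose record comes back with findings is one where HMRC-style spoofing of that sender would still reach inboxes; the usual path is to start at p=none with rua= reporting, fix the legitimate senders the reports reveal, then move to quarantine and finally reject at pct=100.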

There are also a number of telephone and email scams targeting individuals. One highlighted by HMRC is where a recorded message threatening legal action is left, which states that HMRC is bringing a lawsuit against the individual and intends to sue them. The recipient is asked to phone 0161 850 8494 and press ‘1’ to speak to the officer dealing with the case.

What is clear is that this is an on-going battle for HMRC, taxpayers and practitioners.

What can you do?

ACCA’s Internal Audit Members’ Network – working with Falanx Cyber Defence – developed a simple set of principles that applies equally to accountants in internal audit and practitioners. These are:

Prioritise cyber expenditure

The first principle is that your business must formally prioritise cyber expenditure. You cannot spend enough to prevent all cyber-attacks: well-targeted spending reduces risk, but risk can never be eliminated. So some companies give up. They take the view that it is cheaper to pay the regulatory fines and reimburse customers as required. Others simply outsource everything to ‘the cloud’, but it is important to understand that the cloud is just a timeshare on someone else’s computer, a computer that also needs security checks and whose configuration and access controls remain your responsibility. Neither of these abdication strategies is guaranteed to minimise shareholder risk.

The recommended approach is to understand the criminal threat to you specifically and in detail, review your technology and controls, assess what risks lie in your data and processes, look at reputational risk and then prioritise expenditure and countermeasures accordingly. An example: most mergers and acquisitions are highly sensitive and managed in conjunction with external lawyers and investment organisations, yet most communication between management and professional advisers is by ordinary email. Encryption between mail servers is opportunistic rather than guaranteed, and the content sits in plain text in every mailbox and relay along the way, so it can be read by anyone who compromises one of those or intercepts an unencrypted hop.

The weakest link

The second principle is encapsulated in the famous joke about the bear. When two hunters see a bear approaching, one hunter puts on his running shoes. The other reminds him he cannot outrun the bear. ‘I don’t have to outrun the bear,’ says the first, ‘I just need to outrun you’.

You don’t want to be the weakest link. When everyone is vulnerable, your only safety lies in not being the weakest. Understand the norm for your sector, keep abreast of the risks in real time, make it hard for the hackers and they will quickly move on – there is after all a world of easy pickings out there.

The role of humans

The third principle is that cyber is not just a technical problem. Most hacks are simple: tricking someone out of a password, or conning an employee into clicking on a bad link. These are forms of phishing. A common scam is CEO fraud (also known as business email compromise), where a well-researched and well-presented email arrives, supposedly from senior management, asking for critical business data or instructing a supplier payment. The defence is procedural as much as technical: confirm any change of bank details or urgent transfer request by calling a number you already hold, never one supplied in the email.

And then there is the insider threat, the employee gone bad. A good security system looks for changes in people’s behaviour, for when the HR employee suddenly becomes interested in accounts payable. Humans are often the weakest link, and cyber awareness training, prompt removal of leavers’ access and good password hygiene are basic but important security measures.

Generally accepted security principles

The fourth principle is that, while cyber is still evolving quickly, there is a set of ‘generally accepted security principles’, and each organisation should assess, tailor and implement these to meet their specific needs. From a technical perspective, the top five things to check are that the company has procedures for managing:

  • boundary firewalls and internet gateways
  • secure configuration
  • access control
  • malware protection
  • patch management.

One area where a loss could occur is access to your Government Gateway account, the login used for HMRC online services. When looking at Government Gateway access, check that:

  • passwords have not been shared
  • any default passwords (including those in third-party software) have been changed to ones chosen by you, and the same password is never used across multiple systems
  • you use a strong password that is not easy to guess, such as three random words or a combination of letters and numbers. Those of you who have listened to Graeme Brand highlighting the top threats will remember the importance of this simple security measure
  • you change passwords regularly and never replace one with a variation of the old password (current NCSC guidance favours changing a password promptly when compromise is suspected over forced periodic expiry, which tends to produce predictable variations such as an incremented year)
  • two-step verification is switched on for the account, so that a stolen password alone does not give access
  • the antivirus protection installed on your computer is current
  • your computer has the latest software updates and the most recent version of your internet browser
  • you keep up to date with HMRC’s ‘phishing emails and bogus contact’ guidance, which lists the scams currently circulating
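Two of the password points above can be turned into checks rather than left as advice. The Python below, an added example and not the article’s or HMRC’s code, decides whether a ‘new’ password is merely a variation of the old one (case change, year or suffix bump, letter-for-symbol swaps, or one password contained in the other) and finds a password shared between several systems. The normalisation rules and the 0.8 similarity threshold are heuristics chosen for this example, and SAMPLE_CREDENTIALS are constructed.

```python
"""Two checks behind the password points above: is a 'new' password just a
variation of the old one, and is one password shared between systems?

Added example, not the article's or HMRC's code. The normalisation rules
(case-folding, dropping leading/trailing digits and symbols, undoing common
letter-for-symbol swaps) and the 0.8 similarity threshold are heuristics
chosen for this example; SAMPLE_CREDENTIALS are constructed.
"""
import re
from difflib import SequenceMatcher

# common keyboard substitutions attackers try first: p@ssw0rd -> password
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Reduce a password to the word an attacker would guess it from."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # Winter2019! -> winter
    core = core.translate(LEET)            # @dmin -> admin, tr0ub4dor -> troubador
    return re.sub(r"^[^a-z]+", "", core)   # drop any leading digits left over


def is_variation(old, new, threshold=0.8):
    """True if `new` is `old` with trivial tweaks (case, year/suffix bump,
    symbol swaps, or one contained in the other)."""
    a, b = normalise(old), normalise(new)
    if not a or not b:           # all-digit/symbol passwords: compare directly
        return old.lower() == new.lower()
    if a == b or a in b or b in a:
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def reused_across_systems(credentials):
    """credentials: iterable of (system, password). Returns groups of
    systems that share exactly the same password."""
    by_password = {}
    for system, password in credentials:
        by_password.setdefault(password, []).append(system)
    return [sorted(group) for group in by_password.values() if len(group) > 1]


SAMPLE_CREDENTIALS = [  # constructed for the example
    ("government-gateway", "Winter2019!"),
    ("practice-software", "Winter2019!"),
    ("online-banking", "correct-horse-battery-staple"),
]

if __name__ == "__main__":
    print(is_variation("Winter2019!", "Winter2020!"))   # True
    print(is_variation("Winter2019!", "Spring2019!"))   # False
    print(reused_across_systems(SAMPLE_CREDENTIALS))
```

In practice the reuse check runs over a password manager export or an audit of the firm’s shared credentials, never over a spreadsheet of plaintext passwords kept for the purpose; the point is that ‘Winter2019!’ on the Government Gateway and the same string on the practice software means one phished password opens both.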

Firms with these procedures in place can also apply for Cyber Essentials certification; the Cyber Essentials site also contains guidance for businesses.

There is also simple guidance from Get Safe Online.

The CIS Critical Security Controls framework contains recommended controls and behaviours to look out for.

Manage data

The fifth principle is to manage data. You want to see that your organisation has reviewed its data assets, allocated owners, ensured they are backed up, determined what is valuable and decided what should be protected – encrypted – either in its databases or whenever data is transmitted.

Does different data have different access controls, or is everything open once you are in? Does your company review outgoing traffic to ensure that sensitive data is not leaving in it (ie managing data exfiltration)? While some of the technology here is complex, it is easy for an internal auditor to check whether these things have been considered.
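To make the exfiltration question concrete, the Python below is an added example (not the article’s code) of the kind of outbound check a firm can run over message bodies before they leave: it looks for UK National Insurance numbers by format and for payment card numbers, using the Luhn checksum so that invoice and order numbers of similar length are not flagged. Findings are masked so the check’s own log does not become a second copy of the data. The rules are deliberately minimal, and the SAMPLE_OUTBOUND messages are constructed for the example.

```python
"""Scan an outbound message body for identifiers that should not be leaving
the firm: UK National Insurance numbers (format check) and payment card
numbers (Luhn check cuts down false positives on invoice and order numbers).

Added example, not the article's code. The rules are deliberately minimal;
SAMPLE_OUTBOUND messages are constructed for the example.
"""
import re

# NI number: two letters (first not D/F/I/Q/U/V, second also not O), six
# digits, final letter A-D; prefixes BG, GB, NK, KN, TN, NT, ZZ are not allocated.
NI_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
)
# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the DLP log itself does not leak."""
    return "****" + value[-4:]


def scan_outbound(message):
    """Return [(kind, masked_value), ...] for every sensitive hit in the body."""
    findings = []
    for m in NI_RE.finditer(message):
        findings.append(("ni_number", mask(m.group())))
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card_number", mask(m.group())))
    return findings


SAMPLE_OUTBOUND = [  # constructed for the example
    "Hi, invoice 1234 5678 1234 5678 is attached, please pay by Friday.",
    "Client NI number is AB123456C; card on file 4111 1111 1111 1111.",
]

if __name__ == "__main__":
    for body in SAMPLE_OUTBOUND:
        print(scan_outbound(body) or "clean")
```

The first sample message is not flagged because its 16-digit reference fails the Luhn check; the second produces one NI-number hit and one card-number hit. A production data loss prevention tool adds many more patterns and inspects attachments, but the audit question is the same: does anyone look at what goes out?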

Prepare to be hacked

And the final principle is that you will be hacked anyway and you should prepare accordingly. Often the losses and reputational damage of a cyber breach are determined more by how quickly and competently the company responds. Your organisation should have a cyber-incident response plan that specifies how an attack will be recognised, who will lead the response, how forensics and investigation will be carried out and – importantly – how you will communicate with clients and regulators. The plan should involve senior management and it should be rehearsed.

Cyber fraud is a significant business risk and potential losses and the cost of defence are rising quickly. Do not be put off by technical jargon: standard checklists and having a recovery plan are essential.

Article from ACCA In Practice