Cybersecurity: member firms raise the bar
Praxity member firms around the globe are implementing new technologies and strategies to protect sensitive data from cybercriminals. By connecting on the Praxity platform and via working groups, cybersecurity and IT leaders are working closely to share best practice and provide greater levels of security for employees, systems and clients.
Cyberattacks are growing in number and scale, prompting member firms within the Alliance to develop new ways to protect against data breaches.
The growing threat of attack coincides with the rise in remote and hybrid working. Employees working from home using public networks are a sitting target because their data is easily exposed. Insecure devices linked to laptops such as printers and cameras also present weak points.
Breaches can stem from an easy-to-hack password, unsafe link, or cleverly-worded email to induce individuals to reveal personal information (phishing). Increasingly, the threat comes each week. The most damaging breaches can cost an organisation millions of dollars and seriously impact brand and reputation.
What are the priorities?
There is general agreement among cybersecurity experts in Praxity member firms that identity-first security should be the number one priority.
At the very least, organisations need to adopt multi-factor authentication, where a user is required to provide two or more verification factors to gain access to an application, account, or VPN.
Jorge Rey, Chief Information Security Officer at U.S. firm Kaufman Rossin, says: “The first step to protecting your business data is to ensure that everyone’s wireless connection is properly encrypted. Instruct your teams to turn on full encryption from their wireless access point and set up strong passwords. Users will always be the greatest point of vulnerability.”
Tom Gardner, IT Manager at UK firm Rouse Partners, points out: “Regardless of a hybrid setup, the users will always be the greatest point of vulnerability for any common IT environment and thus the biggest cybersecurity challenges usually revolve around authenticating them. This takes many forms, including guarding against user mistakes, preventing phishing attacks and social engineering. Yet security is always a trade-off versus convenience and finding the correct balance point will be unique for every business.”
Multi-factor authentication including biometrics and conditional access policies are becoming standard practice. Combining this with Single Sign-On (SSO) based authentication for authorised apps ensures a very robust single-point authentication for your user, and automatically grants access to all the cloud-based applications they require from that one authenticated login.
Tom explains: “It’s ‘AVA’ (Authentication, Security-policy Validation and Authorisation) all in one go. This hugely reduces administrative burden, user burden, provides a single-pane-of-glass for logging or diagnostics and creates a more seamless user experience too.”
Member firms are also prioritising employee training. Security incidents are often caused by employee error and remote workers may not have the same level of IT assistance as their office-based colleagues. It is important employees are aware of security protocols and stick to them, wherever they work.
U.S firm Aronson has adopted an ongoing, micro-learning approach. Azunna Anyanwu, Chief Technology Officer and Director of Aronson’s Technology Advisory unit says: “Previously, we didn’t have a formal training programme in place; we just a had a tool with various training courses linked to it. We then shifted to a micro-learning approach. For three weeks in a month, employees receive three-minute videos. In the fourth week, they do a quiz to validate what they have learnt.”
A recent survey of Praxity member firms around the world reveals firms are adopting a broad range of cybersecurity measures to reduce the risk and impact of an attack.
Firms in the U.S., Australia, Canada, Brazil, the UK and Finland listed the following technologies and initiatives already in place or being rolled out:
- Data encryption.
- EDR to continuously monitor end-user devices to detect and respond to cyber threats like ransomware and malware.
- Creating Security Operation Centres (SOCs) – a centralized function to continuously monitor and improve security while preventing, detecting, analysing, and responding to cybersecurity incidents.
- Zero Trust security incorporating strict identity verification for every person and device trying to access resources on a private network.
- Identity and Access Management (IAM) security to manage digital identities and user access to data, systems, and resources.
- Controls on who can access what and where, using software such as Intune and Azure Active Directory.
- Privileged Access Management (PAM) software to safeguard identities with special access or capabilities beyond regular users.
- Cloud access security brokers (CASBs) – security software used to enforce security policies through risk identification and regulation compliance whenever cloud-based data is accessed.
- Virtual cloud desktops for all third-party workers.
- Monitoring, record retention and antivirus policies.
- Education and awareness programmes.
Different firms are implementing different measures depending on their current level of protection, expertise and employee awareness. However, the scale and breadth of response demonstrates accounting firms within the Alliance are taking the cyber threat extremely seriously.
At Shorts, the focus is on moving the security boundary to the cloud using the Azure and Defender tools, and educating users in sharing and collaborating. The firm has put in measures to protect its IP, with increased monitoring and auditing. It has introduced Domain Name System filtering to provide an extra layer in the fight against malware. This provides keyword blocks to unsavoury types of website. Controls have also been introduced on permitted access.
Shorts has also introduced a ‘honeypot’ tool, a network-attached system which provides a decoy to lure cyber attackers away from legitimate targets. The system detects, deflects and studies attempted hacks on dummy services with poor security.
For the majority of firms, the focus has been on ensuring secure remote access and protecting sensitive data, while also helping clients develop responses to the changing cybersecurity landscape.
Commenting on the strategy at Rouse Partners, Tom Gardner says: “We were in a fortunate position, having carried out significant upgrades to our remote work environment prior to the pandemic. This was driven by the need to develop a scalable, robust remote work environment for our audit team but also rolled out to the wider team, in anticipation of longer-term trends towards flexible and off-site working. So, through good strategy and investing for the future we were well positioned.”
“Whilst we were in a strong position, we did find that some clients and contacts were not as lucky and were particularly impacted by the global rush to acquire remote working equipment (laptops, webcams, iPads etc.). Thankfully we have strong partnerships with a good number of globally-leading suppliers and were able to step in to assist with equipment acquisitions and offer advice in certain cases. I think this shows the importance of building strong, long-lasting relationships with your suppliers.”
Support for clients
As well as tackling the threat to their own businesses, many firms have expanded their cybersecurity resources and technological capabilities to give greater support to clients.
Brazilian member firm VBR has developed a joint venture with Israeli consultancy CyberTeam 360 to devise a range of “treatments” for companies of all sizes and at different stages of their cybersecurity journey, from evaluation of the current security status through to protection of data from advanced attacks.
Kaufman Rossin is helping clients with risk assessments, identifying where the risks are and making sure they have the right cloud software and reporting in place. Similarly, Aronson has set up a dedicated IT security consultancy focusing on key areas of cybersecurity including assessments, awareness training, and remediation.
“There is a bare minimum you need to be doing,” says Azunna Anyanwu, adding: “The problem, in many cases, is not so much funding, but having the right tools and organisations in place.” A growing area of client support for Aronson’s Technology Advisory service is compliance, especially for public sector organisations and government contractors.
Learning and sharing
Cybersecurity and IT professionals in member firms are working closely together to support one another and share best practice via the Praxity platform and working groups. The knowledge gained is being used internally and externally.
Tom Gardner explains: “Praxity has given me a forum to bounce ideas off my IT counterparts within other member firms and to share information about projects and useful tools. This was especially useful during the Covid-19 pandemic where I worked very closely with one of my Praxity contacts. It was valuable to know the person I was talking to was addressing similar challenges to me and we were able to support one another.”
“In addition, many new tools we’ve adopted over the last 18 months have originated from recommendations made to my colleagues in the Praxity conference working groups. Looking forward, I understand that Praxity will be launching an IT working Group at the forthcoming UK autumn conference. I think this is a really positive step forward and will further help us to communicate and collaborate, ensuring Praxity member firms are well positioned to navigate the ever-evolving IT landscape.”
“I think we should always consider that there could be vulnerabilities across the supply chain, as information and data flows between environments outside our control, and thus aim to support and assist others we work with, to ensure their IT infrastructures are strong and robust.”
In the U.S, accounting leaders meet regularly through Praxity working groups to discuss key issues including security challenges. Commenting on the benefits, Jorge Rey says: “The more we do, the more we can enhance our knowledge, understand what others are doing, and ultimately do things better.”
With an eye on greater collaboration in future, Chris Allen, IT Director at UK firm Shorts, says the ability to share experience and expertise using the Praxity platform “would better enable security amongst our peers and would help everyone”. It would also provide “a great way to reduce the ‘unknown unknowns’ that are a great risk surface for all of us.”
By sharing knowledge and expertise in this way, member firms are better placed to protect employees, networks and systems, while also providing support to help clients become more resilient.
Read the full article on Praxity.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.