Step 1: People

Having robust processes and up-to-date technology is part of the cyber security puzzle, but there's another crucial piece that shouldn't be underestimated – the human element.

Successful cyber attacks typically involve a business owner or one of their employees being tricked into opening a phishing email, purporting to be from, say, a financial institution. Or being duped into downloading a virus.

It's important to build a culture of cyber security where every employee has a role to play and where cyber vigilance is baked into your way of working.

Raise general awareness

The people in your business – ranging from the most senior partner to the most junior intern – may not be aware of how prevalent cyber crime is and how vulnerable finance industry SMEs are.

So, the first step is to raise awareness. This can be done by:

• convening an informal group chat
• sending an all-employee email
• running a ‘security week’ with fun security games and quizzes
• arranging an offsite cyber security training day
• making cyber security training part of the induction process for any new hire.

Identify specific threats

Cyber criminals are incredibly enterprising and they’re constantly developing ingenious ways to extract money or data from their victims.

While it’s difficult to educate yourself about all the cyber threats out there – from phishing, smishing and whaling, to ransomware and business email compromise – it pays to stay across current scams to better protect yourself, your business, and your clients.

During the lockdowns, malicious actors exploited the disruption created by remote working to engage in a form of phishing called business email compromise. That is, they convinced individuals struggling to adjust to unfamiliar working arrangements to pay fake invoices, to send shipments of goods to fake clients, or to start paying employee salaries into a ‘new’ bank account.

To help mitigate the risk of falling foul to these types of scams, and potential financial and reputational damage that can result, you can keep up-to-date with the latest cyber scams at the Australian Competition and Consumer Commission (ACCC) Scamwatch website.

Have a communications plan in place and share information about the latest scams via email, articles on your intranet or in regular cyber security catch-ups.

Create a cyber security-conscious culture

While it's impossible to create business processes that allow employees to recognise and deflect every conceivable cyber attack, you can create a 'safety culture' that prioritises cyber security.

To help illustrate this point, most employers have now encouraged the development of safety cultures that help minimise the risk of a workplace accident. There is no reason why similar cultures could not be introduced to help minimise the risk of cyber attacks.

What does such a culture look like in practice? It’s one where employees, among other things:

1. Change their passwords frequently and avoid using public wi-fi networks wherever possible.
2. Use work equipment rather than unsecured personal devices when working with sensitive data.
3. Query payment and order requests that seem unusual.
4. See cyber security as their responsibility, not just what the IT team does.

For example, the Australian Government is currently considering holding directors responsible if they fail to adequately manage cyber security risks.

So far, it’s only directors of listed companies in the crosshairs. But it’s not hard to imagine accounting firm partners being held to a similar standard one day soon.

Rather than waiting for that day to arrive, why not be proactive and immediately start educating your firm’s workforce about the very real danger posed by cyber crime?