Cybersecurity isn’t just an IT issue

Author: Karen Morrall, Lockdown Cyber Security

Published: 25 May 2021

The first step to protecting an organisation from a cyber attack is to realise that it will happen; you just don’t know when. Cyber risk is real and everyone in a business shares responsibility. Karen Morrall explains why finance teams need to start thinking differently about cybersecurity.

“As financial professionals, we often hold the keys to the crown jewels - prized assets of our organisations. We have access to financially sensitive and confidential information, pricing, strategy documents, business plans, IP, forecasts, accounts and payments. This is gold to cybercriminals,” says Karen Morrall, CEO of Lockdown Cyber Security.

“Accountants cannot bury their heads in the sand and think that cybersecurity is just an IT issue. Cybersecurity is the most critical risk any organisation faces today and will be in the future, regardless of location or size.”

An experienced finance director and a chartered accountant for more than 25 years, Morrall has found herself increasingly drawn to working with technology companies throughout her career.

“I love innovation and technological advancements. I worked in a data integration company and could clearly see the power of digital transformations and big data,” she says. “But it also revealed the additional cyber risks, with all the different systems and software used, which are continually being patched and updated. When you acquire businesses, you inherit more systems that you either need to integrate or replace, or when you divest you need to extract them. This is the danger posed by legacy systems and the constant movement of innovation. It showed me the danger of technology advancements too with the potential cyber risks it brings.”

The growing risks posed by cyber threats, particularly for those in finance, became so compelling that in 2019 she decided to co-found a cybersecurity consultancy providing cyber training services that also works with insurance partners for cyber insurance services.

“I see cybersecurity through the lens of the finance professional, rather than the traditional technologist view,” explains Morrall, who is partnering with ICAEW to offer training on cybersecurity.

“As accountants, we rely on producing accounts that adhere to legislation, accounting standards and accounting principles, that present a true and fair view of our organisation’s performance. Can you imagine if you can't rely on the data held in your accounting systems or as auditors you can’t be sure that the financial information you are auditing is complete or whether data has been corrupted, that your data integrity is in question? How scary that would feel.”

This is a real threat that successful cyber incidents can pose.

“Cybercriminals often sit inside IT systems undetected for days, weeks or even months before they are discovered. That’s really frightening because they may be watching or learning what we do and can corrupt data and back-ups.”

Technology is not the weakest link

The key misconception often held by finance professionals and business leaders is that cybersecurity is a technology issue that can be delegated to IT experts and teams alone, according to Morrall.

The reality is that technology is just one of three key elements involved in cybersecurity, alongside processes and people, with people being the weakest link. “More than 80% of cyber-attacks are people-related,” confirms Morrall.

Cyber is the teaming of people to computers. People risk is the biggest problem. “You can spend millions on technology, but the highest cyber risk you have is someone clicking on a phishing link, being impersonated or socially engineered.”

She warns: “If you're in an accounts team or a finance leader, then you are a very attractive target to cybercriminals because of the access you hold to valuable data.”

A cyber breach can bring into question the integrity of all the financial and non-financial information held by an organisation, and Morrall warns that too many finance teams are complacent about that risk.

“Many people don’t think cybersecurity is an issue until they've had an attack and then they are humble to it,” she says. “The statistics are frightening. Even big corporates that spend millions building cyber defences still suffer an incident or data breach.

“When criminals pass through security defences, they can tear a business to pieces in minutes and leave staff with no access to systems resulting in the need to operate with pen and paper alone. This is why it’s so important to act before a breach.”

First steps to deal with cybersecurity

The key to getting to grips with cybersecurity is to be proactive and to understand the risks to your organisation. Morrall advises: “Every organisation has their crown jewels, and that will be different for every business, but if you identify what they are and where they sit in your systems, prioritising, segregating and then enhancing cyber resilience layers to try to protect is a good start.”

Such plans could involve ringfencing data or systems, additional firewalls or multifactor verification. This would ensure that if a cyber breach did occur at a broader level then the criminals won’t have access to the most valuable assets in one go.

Once the ‘crown jewels’ are identified, their protection will lie at the heart of a much broader cybersecurity strategy and plan. Alongside organising staff education, and ensuring processes and systems are designed with cybersecurity in mind, Morrall says businesses must start planning for the worst.

“If an attack happens, what are you going to do? What's the first system you're going to bring back and how are you going to do it?” she asks.

No easy solution for cyber resilience

Like so many things in life and business, there is no quick fix for cybersecurity; it’s something that takes significant and maintained effort.

“Organisations have to move away from thinking that they can spend X amount of money on a solution that will protect them,” says Morrall. “This is a way of life. It is about understanding risk and how to build your systems, people and processes to be able to cope with that.”

Cyber resilience and cyber hygiene are phrases that Morrall uses. Protecting businesses is about good practice, but also acknowledging that no system is bulletproof.

“The key is layers,” confirms Morrall. “Layering staff training, layering new technology resilience, layering processes and controls, and monitoring everything.

“Having good cyber hygiene means that you know what you've put in place, where your weaknesses are and that you've got an action plan to correct it and be proactive rather than reactive if the worst should happen.”

Karen Morrall is CEO of Lockdown Cyber Security and a speaker at ICAEW Virtually Live
Karen Morrall, founder of cybersecurity consultancy Lockdown Cyber Security, is leading the Virtually Live Day 3 session: Don’t bury your head in the sand when it comes to cybersecurity.

Hear more

Karen Morrall is speaking at Virtually Live 2021 on cybersecurity and why accountants need to wake up to the risks posed. She’ll be talking alongside cyber fraud expert Robert Brooker, from PKF-GM. Fraud is now 90% cyber-related, so conversations about cyber risk and fraud risk go hand in hand.

ICAEW Virtually Live - 15-17 June 2021