Accountants reach new national standard in IT security – Cyber Essentials

SECTOR: Professional services

CLIENT: Absolute Accountants

LOCATION: Hatfield, Herts

BRIEF: To enable Absolute to gain the national cyber security qualification, Cyber Essentials

Paul Hutt was better placed than most high street accountants to imagine the cyber panic sweeping across the NHS following last June’s ransomware attack. As a former performance management specialist working in and around the health service for several years, he knew only too well the confidentiality issues surrounding patient data and security.

Now, for the past three and a half years, he and his wife, Letitia, have been jointly running Absolute Accountants, a small, busy and expanding Hertfordshire-based practice, which like many professional services sees the security of its clients’ data as an absolute priority.

So when the Hutts heard at a local network meeting about Cyber Essentials – a new government-backed cyber security standards scheme for small to medium size businesses, they quickly signed up with Assign-IT, one of the scheme’s certification bodies. “We liked their non-pushy approach. They would merely ‘recommend’ certain actions and really wanted to help us.”

Cyber Essentials ensures you have the right protection

Dave Privett, Assign-IT’s marketing director, described Cyber Essentials as a qualification that really challenges company perceptions of internet security. “Almost all information is stored electronically, so protecting it is a key part of any business. Cyber Essentials is about making sure you have got all the necessary protection in place.”

He told the network audience that the Information Commissioner’s Office was urging all businesses to adopt the scheme as the bare minimum towards complying with the General Data Protection Regulation – new and complex EU data protection legislation effective from May 2018. Meanwhile, accountants were all being urged to get certified by their professional body, the Institute of Chartered Accountants in England and Wales (ICAEW).

For Letitia and Paul Hutt, data protection meant securing reams of sensitive client data, much of it gathered from client ID checks to determine if the payrolls and tax returns being submitted were genuine or not.

‘What would happen if a virus struck?’

“We’d never had any security issues,” says Paul Hutt. “But as we scan and store everything we get electronically, our main security concern has been what would happen around our IT infrastructure if we received an email with a virus.

“Our own IT man had already set up safeguards against overwriting files and got us storing all our backup files within the EU to comply with existing laws — but our company is growing. We’d done IT on a limited budget using our own expertise and you can only go so far down that path.

“In the regulated industry we’re in, we know we’re exposed to a degree of risk we need to tackle sooner or later, so it seemed a good idea to tackle it while we were relatively small rather than wait till we might be much larger when something could go wrong.”

So how easy was it to overhaul all the IT facilities and not disrupt daily workflow? “They were very patient and flexible working round our unmanageable diaries. They simply explained any potential issues and weaknesses they found against their checklist and what we needed to alter, leaving us with several significant changes to carry out that we would not otherwise have thought of,” says Paul.

Cyber safety policies that will future-proof your business

Assign only spent one full day in the office looking at systems and processes in place, spending time on every computer. “They also helped us get the right policies and procedures in place to future-proof us, particularly as we are about to move office and take on more staff.”

One ‘must do’ task was encrypting all company laptops, all of which were already password-protected. Within a day Absolute had spoken to its IT man and upgraded its Windows system, which was then encrypted overnight.

Another issue was logons. Each staff member had a username and logon for their laptop. Assign now recommended two logons, one for administrator rights (used only for installing or removing software) and the other a local user logon just for working on the system. This way, if a local user imported a virus, it could not spread through the whole network.

How long did the process take? “Just two or three days to get the laptops encrypted and make all the other changes,” says Paul. “It wasn’t too disruptive.”

Questionnaire took just a couple of hours to complete

Absolute made several changes after Assign-IT’s one-day systems blitz in the office, with laptop update and encryption programs running overnight. Dave and a colleague helped the practice complete within a couple of hours the questionnaire that was required before certification.

‘We’d definitely go back to Assign-IT whenever we need to get any training, further advice or recertification. They were always calling to ask if they could offer more help.

“They even emailed a suite of documentation for us to use, amend and adopt as our IT own policies, rather than  pointing out we needed to write some. We were starting from scratch so this was a huge, unexpected time-saver.

“They also gave us indemnity insurance worth £25,000 they had told us we’d receive once we’d got through the process – another good reason for getting certified. I can’t imagine any of our other insurance policies protecting us against damages to any client through data loss.

“We are now much more confident about complying with the GDPR legislation,” Paul concludes. “And the ICAEW has officially recognised our certification!”