VIP Video Library
The Irish Accounting & Tax Summit
Session 9 - Your Biggest GDPR Risks - IT or People?
(And the Practical Steps to Solve Them)
Session 9 - Presentation
This transcript was created using AI and may contain some mistakes.
So in terms of the current state is something I’ve talked about before. And it’s very, very similar to back in March and April, um, in terms of the current landscape. So since 2018, although in Ireland and in the UK, we haven’t seen a lot of fines. They’ve been high fine rates across Europe. So about 235 in total,
UK and Ireland combined with just one each, but they’re both quite significant in size. And as I’ve just mentioned, that the DPC in Ireland is under pressure at the moment from other nation States, particularly Germany, who’s making a lot of noise that Ireland needs to be seen to act in a significant way. Um, with regards to fines against both Facebook and Twitter,
which are expected by early summer, which, which we’re in now basically saying it’s going to be really interesting to see how Ireland issues fines, how big those fines are. Um, but as I said, the focus has been on education and awareness because it is really important to, to help businesses understand how they need to manage GDPR. It’s not just about issuing fines on a constant basis.
Um, and in the UK, I’m not quite sure why, but I know that in the UK there’s been heavy over-reporting of breaches. So we’ve seen every one breach that needed to be reported. Three of them reported them. I think that’s definitely weighed down on the resources in the UK to actually investigate breaches adequately. So in terms of countries across Europe,
you can see some huge differences here between the likes of Ireland, UK. Uh, and then when you look at sort of Germany, Hungary, Romania with fines in the mid twenties, but then you can see Spain out on its own with 80 fines. There are various different reasons for this each nation state and each, each supervising authority has a different tactic in terms of how it feels it should drive GDPR awareness.
And it also is affected by where those fines and those monies go to in terms of whether they go into the public purse, which they do in the UK to go into the treasury first, or whether it’s as in Spain, my belief is that that’s, uh, goes into the coffers of that supervisory authority. So it very much depends on the school of thought within the cyber security community varies greatly.
So, uh, those like myself feel there is a balance between education with a need for fining, because you need to be seen to show implications of noncompliance because the longer it goes on without any fines, the harder it is to prove that compliance is really important. Although having said that reputational damage is probably more damaging than a fine to an organization, especially in accountancy when fines or when fines are going to the actual supervisory authority,
Richard. And it does add an additional incentive rather than as you say, when fines are going through the public purse and part of a bigger budget. Definitely. Yeah, I remember, but I do like about the Spanish model is that fines can be, I mean, they can range to your big fines, quarter million euros for instance, but some of the fines are a deterrent 500 euros,
and it’s just the visible rap on the knuckles for a small act of noncompliance. And I think those sorts of fines are quite useful because they can, they just evidence the fact that you’re being watched, you’re being observed and there are implications, but the publication of your breach is much more damaging. And I think that’s, you know, when you’ve been in an accounting firm context,
when you’ve maybe built a firm’s reputation over many years to have it thrown away, or maybe a careless act, or as we’re going to talk about maybe a phishing email that one of your staff has collected through a lack of training and awareness would be a real shame. So there’s, there can all be avoided. Sure. I know you’ve got hundreds of fines on screen here,
and I know this is just the intro part of your presentation, Just, just to put in the context. So we understand that Ireland people that are not being fined at the SME accountant level, like we have on today’s session. Yeah. The reasons for that. So the data protection commissioner, the American, there’s just lots of reasons. And we’ve got Some of the biggest IT companies in the world we house here in Ireland,
but to look around Europe, Richard, small businesses are being fined for noncompliance as you’ve described. And accountants need to be, I believe under no illusion that this may not come in 2020. No, but this is coming that the Irish data protection commissioner cannot be seen to be ignoring SMEs in favor of large entities because that can cause problems. Absolutely. So, so the GDPR GDPR applies to every business.
So it’s all going to be basically about context. And I think the honeymoon period for any supervisory authority, like in the UK or in Ireland, where they focused on education is coming to an end. And I think that had, COVID-19 not occurred. We would have seen it probably this summer where we’ve started to see these gradual small fines. Um, and I believe you mentioned on a previous webinar about the incentive now because of the cost for governments from the recovery process of,
of COVID-19, is, will there be an incentive to try and generate monies through the GDPR fines at the time? I wasn’t sure, but I believe now in context, there is, is a means to generate income back into the public purse. So I think we will start to see this there’s these smaller fines on SMEs. Um, I think if we don’t,
then there’s going to be question marks over the GDPR is fit for purpose going forward. Um, so I think there’s, there’s going to be pressure maybe even by this ultimate, we’ll start to see regular fines once they, I see on our next slide, Richard, did you have a trend pattern here that 64% of all fines has been done in the last six months?
Yeah, so that, that very much sort of backs up what I just said really. So had we not had this big COVID-19 situation? I think this, that, that curve would have continued to be very, very steep throughout the remainder of 2020 and well into 2021. Um, so, you know, I mean, you look at it in this context,
there were very few fines in the first 16 months, the last six days, last six months, it’s really gone through the roof. So, you know, we got to Christmas, we got to March. Um, if we hadn’t had the situation that we’ve had, I think we would be having a very different conversation today. And it wouldn’t be very much about accountants realizing that they were getting fined.
They knew other practices locally that had been fined, and it will become part of our culture going forward that you will be fined regardless of size for a GDPR breach. So that’s absolutely the way it’s going to go, you know, once we’re back to normal, whatever that is, um, that’s what we’re going to be looking at. So, um,
just as a, as a snapshot, these are the two fines that we’ve seen in the UK and Ireland. So, uh, both were in health and social care. Interestingly enough, uh, Tusla was the first to be, to be fined, 75,000 euros, um, worth adding at this point that Ireland has the highest reporting rate of data breaches in Europe.
So in context with the, with the balance of the lack of fines, the reporting rate is really high. So if there’s one country that’s going to see, um, consistent fining going forward, it’s going to be because What are the sources, those reporting? And Richard, is it self reporting? So it likes of an accountant. And we come across accountants regularly who are breaches,
who are self reporting? Are, is it more, is it self reporting or is it driven by third party reporting with this person that had a breach? And my data has been compromised. Yeah, there’ll be a high, high prominence of self reporting, uh, businesses that are aware of their responsibilities. Um, putting the hand up and saying, we’ve had a breach,
we need to tell you about it. However, within the GDPR quite clear that not every breach needs to be reported. So that’s something, um, if any of the guests today wants to talk to me about, uh, separately about whether they need, what types of breach need to be reported, we can have that conversation, but it’s very much about whether you believe as a damage to the rights and freedoms of those people affected.
Um, so it’s, it’s a kind of a measurement that you have to go through a bit of a process to work out, but it’s, it’s definitely clear that, um, businesses do know a breach when they see one and they’re definitely reporting it. Uh, and again, that might be part of the problem with the fining and the investigations,
because there’s been so many reports of breaches in 2018 and in 2019. Yeah. So, so quickly moving on then. So GDPR is in very different subjects. Um, although they, they go hand in hand, um, and what really drives it is the human science. So hopefully it will be really interesting to people cause it’s not exactly how,
if you were kind of logging on to a cyber security webinar in normal circumstances, they would be very much talking about the technical solutions to keep your practice safe. We’re very much in the view that it starts with the people. Um, and Adam Anderson, who spoke at TEDx in Greenville a couple of years ago, said he is, and he’s a techie, a self-professed techie.
The cyber security is not about computer science. It’s all about behavioral science. Um, and the view really is that in cyber security globally work, we’re prescribing the wrong solution. Um, so technology or computer science, technical controls that an IT company was so used to cyber crime people are, um, on a really good analogy of this is if you go to your doctor,
um, and you’ve not been to well, they are, you have a conversation about your lifestyle, what you eat and what you drink, whether you get any exercise, um, that’s, that’s the key to the longterm solution for you as, as a, as a human being and in terms of your, your wellbeing, yes, they may prescribe some tablets too,
or some medication, but ultimately that won’t work unless you make changes to your lifestyle. And in the same way, if you go onto a construction site and you’re given a hard hat to wear, the hard hat won’t keep you safe, if you haven’t had the education and the awareness to go with it, the hard hat is just an extra. Um, so,
so what we’re suggesting and what we’re proposing is that in most cases, the change of lifestyle in terms of how your employees work and how aware they are, of what their responsibilities and how to recognize a phishing attack, for instance, will improve the health of your business. Yes, technical controls alongside it will reinforce that, but ultimately it’s going to come down to your people.
So it’s a very different approach. I find this really interesting Richard, because I, in a totally unrelated topic, right? But I’m talking to accountants about improving their business and improving their service to their customers. What I’m increasingly finding is that technology is seen as a silver bullet technology seen, okay, well, I buy this app or employee that app,
or I plug this into that. And when I buy this, it’s going to solve the problem for me, the reality that I’ve been saying for years. And so the technology companies don’t like me for it is technology is an enabler. It needs to be part of an integrated strategy. You can’t just go and buy this piece of software to solve all my problems.
What you’re talking about is something that we’ve experienced with our own IT company. I have huge time for artists. They’re a brilliant player. They’re the, you know, like they, they work with us. They, they, they, they, it’s not like, it’s not like it’s this perfect relationship. We meet challenges, but we go through them together.
But it’s really interesting what you’re saying, because it reflects the conversation I had with orcas. They’re saying we can have every firewall in the world. We can have every protection or we can have everything, but we can’t solve the entire problem. So, so, so technology, most people think GDPR technology solves the problem. Yeah. Technology is the enabler,
but it’s still, the firm has to have the strategy, the firm has to have the responsibilities. And it’s not like an audit program. Just that I checked us, isn’t going to do it here. It did it at the start putting on an ongoing basis where we are now. That’s not good enough anymore. No. And I think that, you know,
part of the change in mindset has to come with accepting that technology within an accounting firm is no longer just a bolted on tool to help you do things the way you’ve always done them. Technology is now part of its DNA as a business. And it’s part of what you do and how you do it. So it’s not, not enough anymore to,
to just, um, just to build a wall around yourself and saying, okay, I’m safe. Now you need to understand it to some context don’t mean that everyone in the business needs to understand technology, but they do. Do you need to understand the dangers of the internet, the dangers of email, the dangers of texts and SMS, because that is equally insecure.
Um, so, you know, we, we were given the internet 30 years ago and told, you know, that you go, go, go use that. And it has evolved into something completely different to what it was 30 years ago, um, with, with the adoption of cloud and the adoption of technology by counseling, you know, there’s an urgent need at this point for,
for every employee within a practice to, to understand, to some, some extent how they can impact on the security and the future of that business, because it’s business ending stuff, this isn’t, this, isn’t the kind of thing when it goes wrong, it’s just going to be done in an accounting firm. It could be, could be a terminal incident.
So yeah, there’s definitely definitely a case of, um, the, the education being key. And if you look at the chart, that’s on the screen now, in terms of causes of data breaches, you can see employee error or lost or stolen device. So this is people using work laptops, work mobile devices, phones, tablets that get lost.
So if you put those two percentages together immediately, you got 60% which are due to human beings. And then in the criminal attack, we have to include them phishing and smishing. Smishing is a phishing attack, which comes from an SMS by the way, it’s a text, which is becoming more prevalent, excuse me. So it’s very easy to see that already.
You’re probably looking around 80% of the breaches originate with the person. Um, so, so yes, the technology is really important, but if you don’t have that education and awareness in your firm, you’re still still exposed on a little bit, going back to that hard hat, you know, just by putting a hard hat on someone on, on a building site,
if they believe that they’re indestructible at that point, Huge mistake, You know, hard hat isn’t gonna solve all problems, um, in context of where we are at the moment, um, and COVID-19 and cyber crime, uh, going back to April. So a couple of months ago, Google announced that it was seeing 18 million daily scam emails related to COVID-19.
Um, the key for me there is, is how quickly the cyber, uh, community reacted and evolved to situation. They were incredibly quick, incredibly innovative in terms of how fast they, they saw the opportunity to, to escalate their crime. And that included malware, phishing emails intended to defraud people. So a lot of this would have been going to,
uh, health and social care businesses who are desperately in need of PPE or testing kits. Um, basically suggesting that they had it for sale, or it could have been charity donations. Um, but it was also reporting 240 million, uh, daily spam messages every single day. So huge numbers and related to COVID. Um, but it was confident that even though algorithms were screening out 99.9%,
however, that 0.1 of a percent is incredibly high in terms of volume. Online cyber crime is very much just based on the trawler method, where you can kind of see what you’re going to catch. It’s no longer the idea of an angler by river, just looking for one particular target fish that they’ll catch everything that can, um, it’s organized crime.
It’s very well resourced. Um, and they only need 1% of respondents to, to click and they’re going to do very well. So it’s quite prolific. Um, and then some, some very bright people in the United States, uh, set up the COVID-19 cyber threat coalition. So these were all cyber security experts and they weren’t, they were very, very keen to,
to look around the same sort of time, mid April, um, what kind of stats were happening and how much the, the cyber criminal community that use COVID-19. And they were basically saying that it was, uh, it was prolific, it was a pandemic. And it’s like, right on that hundreds of thousands of fake domains will be set up for mid-February.
So there’s a fake email addresses, fake websites designed to defraud and do harm and around about 5,000 domains being registered every single day. Um, some of this, this worth adding was, was nation state attacking nation States. So very, very high level. It wasn’t just, uh, hackers in their back bedroom or a cyber criminal gang nation States were taking advantage of the situation as well.
Um, you know, if there’s anything we get across through the, these kind of webinars is that cybercrime is not just something that happens to other people it’s going to happen to all of us. It’s inevitable. It’s how we deal with it. That’s the key. I just, my observation here, Richard looking at this, and I think the message for our audience is don’t look at cyber criminals as criminals,
look at them as entrepreneurs in a criminal enterprise. Absolutely. They are entrepreneurs in the criminal enterprise. Richard has just given two examples of how they innovate. This is continually innovating and developing. It’s not just somebody sitting back and saying do it this way. And Richard talked about people. This isn’t just like a bot program that goes off and does something.
This is people sitting at computers, doing stuff. And like we had a, we had a situation a couple of weeks ago. Thankfully it wasn’t a breach. And because our IT company caught it before it got out of the spam box, it’s the whole issue of how they drafted an email and how they presented an email to look like real mail. Thankfully we identified and didn’t click,
but if we hadn’t identified it and it just, it looked so real, it was so convincing. And it was so acquainted and how it was worded. It was, it was like, it was like an email that I need to send or you’d send. And the other thing there, Richard, I wanted to pick up on is, look, it’s just be really,
really clear on this. It’s not, if it’s when it’s not, it’s not, if it’s when this is an everyday issue and it’s an everyday occurrence and you are not immune, and I can see to somebody’s screen here, I’ve reduced the moment I can see Tom they’re down and Kerry, I can see Brendan. And it doesn’t matter where you are in the country.
You’re, you’re not immune, The head of the FBI or the former head of the FBI goes out and gets talks about cyber crime now. And he, his opening line used to be, there are those that have suffered a cybersecurity breach and those, uh, that haven’t yet. And he now changes that to those, those, those that have suffered a cyber security breach.
And those that don’t know they have. So the default now is that you will, or you have been breached and you just don’t know, and the best breaches are the most subtle. So you just wouldn’t know. Um, and then, so you don’t, you don’t have to, if you look on, for instance, uh, I got on the BBC news website and just go to the tech section,
you’ll see a breach every day being reported at the minute, EasyJet being a really significant one. Um, EasyJet, uh, had a breach in January based on their annual turnover. It could cost them a billion euros is probably going to end the EasyJet forever based on the fact that they also have situations because of COVID-19, um, that they’re facing litigation because it also on a personal level.
So each EasyJet passenger that’s been affected is claiming 2000 pounds as part of an organized claim. Um, and that’s going to cost them 18 million pounds. So, but that will pale into insignificance in consideration of what their GDPR fine could be. Um, and then you’ve also got a major university in the United States that was, uh, hit with ransomware, they’ve paid,
I believe over a million and a half dollars yesterday. It’s, uh, it’s constant, it’s prolific. They will, it does affect smaller businesses as well. And it’s just more subtle. Um, so we have to talk about how all this is possible. So those, those stats there on the previous screens, how, how did they manifest themselves?
What makes all of this happen? What makes it possible? And it’s all facilitated by normal people, which are your employees, regardless of the size of your firm and your practice, it’s your people that are helping it happen. Cybercriminals rely completely on human trust. They rely on, uh, you know, putting the bait out there. They rely on the fact that that bait will be taken by someone.
And it doesn’t, it kind of goes from there. If the bait is the wrong bait, or if the bait is ignored, then they can’t do, they can’t do any harm. So that’s literally the simple, the simple fact, um, as I said, it’s evolving constantly. Um, if you think about in context, what would the response to cyber crime is just that the response is it’s reactive.
It’s not proactive because they’re always ahead two or three steps. Um, but the core, the cause and the, and the core reason for it is the large amount of data that’s freely available in the social networks. Um, and how much we all give away on a daily basis is easily machine-readable. Um, and the advent of the social networks and the new trend of sharing information openly has created this,
this kind of open field really. Um, and then what’s happening with the, um, in terms of the cybercriminal fraternity that these were organized world or gangs. Uh, and then now engaging the services of experts, such as psychologists, marketing, marketing experts, and people who were experts in the human sciences. So it’s very much about understanding and trying to understand what will make us click and what will make us fall fall for the trick,
basically. So, um, some research and data from last year, which is significant. So over 90% of attacks from sophisticated cyber criminals are starting from email. So 90% chance that if you are going to be suffering a cyber attack, as a, as an accountancy firm is going to start from an email, which comes into your practice. Uh,
and the lures that they’re giving are based on entertainment, social reward, or recognition. And as I’ll talk about in a few minutes time, and one of the slides that’s coming, but how that works in terms of the human psyche. Um, and from a technical perspective, only 3% of malware tries to exploit a technical flaw. So when we’re talking about,
um, the IT provider that you might use on the things that they may put in place, you might spend 80% of your budget on, on technology, but only 3% of, of, uh, at the attack is going to come in and try to exploit technical weakness. 97% is going to try and exploit your people. That’s hugely significant.
Um, and also if you fall for a scam, 50% of people who do or businesses that do will be scammed again within 12 months, because you’ll be seen as basically a target that may fall for the same thing again and in the UK. And it will be very similar in Ireland, 27,000 pounds, the average cost for UK business, as a result of an email compromise that doesn’t include any fines.
That’s just the cost of recovery, the potential loss of business, the potential loss of clients, your clients may start to migrate slowly, even though you don’t know they are. So once they, they don’t feel the trust in you as an accountant, they will begin the exit process. Even though that might take a couple of years, that’s something that your business will never recover from that you’re essentially tainted by lack of trust and lack of skill,
And the figure, the figure in an Irish context, Richard, based on my experience is anywhere between 20 and 40,000. And so we, when we look at firms that have been maybe subject to a Bitcoin ransom, um, that it’s it’s cost significantly. That’s from speaking to both artists as an IT company, but also speaking to, um, Mike Adams from an insurance perspective.
And just one of the things in terms of data, obviously thing is all about GDPR and Richard is covering not only GDPR, he’s covering cyber security, he’s covering lots of things. One thing that I should, that you should seriously consider as an accountant is to explore the likes of cyber insurance and cyber insurance. Obviously, if you’re with an it provider in their agreement,
in their contract, they may be responsible to make good any problems that have arisen. But if you look here on the slide here, and the only 3% of malware tries to exploit an exclusively technical flaw. So even if you’re compromised, it’s probably not going to be your IT provider’s perspective. It’s going to be this 97% emotional lure or social engineering. So I’m having cyber security insurance,
I’m having a secure IT provider. And a GDPR advisor is kind of part of the package and there are different sides of the coin. Yeah, This links really closely to the GDPR because the, the two things that the DPC will ask for when they investigate your data breach, when it happens, if it happens will be evidence of your training and awareness that you’ve given to employees,
which is when we know that 90% of the attacks originate through your employees, it just proves how important it is to have that training and awareness program in place. And the second thing that asks for when there’s evidence of your policy documentation and the process and procedures that you’ve got in place to try and minimize that risk. So it’s definitely the training awareness and the documentation that your practice needs primarily,
uh, and an IT company isn’t going to give you either. So it’s, you know, there’s, there’s really strong evidence to suggest what we’re saying, and backing it up. Um, secure home working. Um, it’s something that was forced upon us across, uh, as an emergency measure, some organizations would have had really good,
robust business continuity plans in place, whether it was a global pandemic or maybe a fire on their building. And they had the home office and backwards three, three and a half times more likely than corporate networks to be infected by malware straight off the bat. You’re working in a, in a home environment that won’t have all of the controls in place. And this is technical controls as part of your infrastructure,
uh, that are as good or as robust as, as well you would have in your normal working office environment. So you’re probably working at home router, wifi, browser passwords, and never been changed. It should be changed, right? Out of the box. Uh, probably haven’t got up to date, uh, antivirus. You probably haven’t got firewalls.
All of those things that organizations would have in place in the office, they sent people home to work without those controls in place, because there was an emergency need. Um, we’ve also, as we’ve talked about seeing this surge in COVID-19 cyber attacks, um, it definitely paid really quick as people start to work from home. No doubt about that. And cyber criminal fraternity knew this.
They knew that people working from home presented on almost a buffet of, of opportunity, really. So, and that’s been pretty through the stats on a thing as we move into the second half of this year, we’ll start to see just how many businesses have reported a breach and how to be investigated. Um, we started to see increased criminal activity, targeting VPNs,
which are virtual private networks. So this is what we’re working securely. We are actually working securely and transmitting information via secure email. Um, but that started to come under attack as well. Um, there’s always vulnerability. Accountants are very much getting into cloud. So cloud technology adoption is huge in the accountancy sector. Not all cloud based tools are secure.
There’s been lots of question marks for instance, about even on zoom and about how zoom is used and they improve their security because of that. Um, not so much with events like today, but for the smaller business, that’s got three or four people working. Um, I’ve even asked with my cyber security hat on and my GDPR hat on seeing so many screenshots on LinkedIn of accounting firms,
showing all of their staff on a zoom call and all with their names and all of their backgrounds, the home environment, it’s quite an insecure way to do it. There’s no guarantee that you’ve got permission from people to even show their names on screen. So there’s just, we’ve very quickly evolved and it’s not a safe way to do it in most cases.
Um, but again, number five is key. So it’s a very, very few accountancy firms in my experience have a tested business continuity plan that they put into action back in March. It was very much off the cuff. You need to go home and work. Um, so, so moving forward this kind of line in the sand and where we are now is we’ll,
we’re moving out with business continuity and we’re moving into a state of permanence. And if can I Just backtrack though for a second, Richard? Okay. So just looking at some of the names and some of the people attending today that I know would have intimate knowledge of their firms. There’s lots of people who managed to go remote when they had to,
just because you were able to work remote doesn’t necessarily mean that you’ll have a business continuity plan now. So, so business continuity comes from a commercial perspective or one thing, but if you don’t have a proper business continuity plan, you’re not GDPR compliant. So, so, so, so business continuity plans, and one of my concerns is, and I know you’re going to make a point in a second,
but one of my concerns is that as people come back into the office, as the pressure is off well, that’s covered. But if you don’t have a proper business continuity plan, you’re not actually covered. And now if, if, if you look at ignorance as a defense, well, ignorance is, well, I didn’t know, ceremony is small account insurance,
you know, really, but actually we can’t use that defense around business continuity plans anymore. And that’s, before we go on to talk about what Richard’s going to bring up next, in terms of, of remote working policies, procedures, and making this a permanent way of life in the new normal rather than just a reactive. Yeah. I mean,
a home worker essentially is, it’s a regular home worker. It needs to be working at home maybe three days a week or more. Um, so under the GDPR and under cyber security, if someone works at home occasionally one day a week, you wouldn’t necessarily have to go through the same process as an employee, as an employer that you would when they’re more of a permanent,
however, permanent home worker as we’re all at the moment. And if we keep people working from home as an employer, you have a responsibility to carry out a physical risk assessment on that home office. Do you need to go to every employee’s home need to make sure that it’s physically secure? It’s not just about cyber security. It’s about locks on the doors.
It’s about lockable cabinets. It’s about that device has been locked away. Um, it’s just, it’s even down to fire. So if you have an IT audit, for instance, that we’re looking at heat sources is all sorts of permanent responsibilities. Now that will fall onto employers and, and you need to ensure that they have adequate IT security in terms of firewalls antivirus.
And if they haven’t, the onus of cost is going to be on you. So it’s not just a cheap alternative to keeping people from working in the office, keep people working from home. You’re starting to assume a bigger responsibility now, as we move our business continuity and MC into a permanent state. So I would urge any organ, any accountant to make sure that they don’t kind of view this as a seamless transition.
Um, if you’re asking people to work from home permanently, it’s a different ball game altogether, and you need to seek some advice on that. So I think the mass, this is a message which has come through all the way. So your people are the key. So you’re insecure. Human error is the number one cause of data breaches. It’s responsible for up to 80% of incidents in terms of cyber crime as a,
as a, as a criminal cost. It’s now, uh, around five and a half trillion euros globally. It’s overtaking the drug trade, um, for the first time, uh, it’s not on social security spendings on the rise, but it’s only reaching about 115 billion globally. Uh, so if you look at the comparison of the cost against the rise on the spend to,
to mitigate against the risk, it’s really minimal. Um, and I imagine that everybody on this call today has in house insurance has car insurance, life insurance. Um, you know, if you, if you deem all of those things to be important, then you definitely need to think about cyber security insurance. And you definitely need to think about, um,
making your staff aware and investing in that training and guidance. So if you don’t, it’s this, uh, it’s remiss, um, at the moment, just over half of employees receive annual training on the GDPR, but needs to be a hundred percent. Um, and if you do suffer an aggressive cyber attack, 50% of the organizations on the call today wouldn’t survive,
uh, probably about six months is the average from a cyber attack for those businesses to close. Just to, just to clarify, and to bring things back to a familiar frame of reference, you’re saying that the cybersecurity training and GDPR training, it’s a little bit like money laundering. It’s a little bit like CBD in general. This is something that you need to demonstrate that you’ve undertaken annually.
Absolutely. Yeah. So it needs to be revised annually. Um, so what we’re saying is that you have to assume that at some stage you will be attacked and you will suffer a data breach. And it’s very much about putting as many measures in place as possible to minimize the damage and to mitigate the risk. So it’s not just about reducing the damage to your firm.
It’s also being able to defend to the, to the DPC when they come and knock on your door, that you have actually done this stuff. And you’ve got the evidence to prove to prove that you, you did all you could to, to mitigate that risk. Um, and you’ll find that the consequences will be much less severe. If you can prove the effort.
That’s the key. If you’ve made no effort to, to make your staff aware or to put any controls in place, it’d be very difficult to defend. Um, and it would be likely that you’d be the same thing would happen again. So you’d find that your you’re fine and you are, the implications would be much more severe. So it’s well worth the effort to invest time in making your staff aware.
Um, and, and just a bit more research to kind of back that up, um, social engineering techniques, as we’re going to talk about a bit more depth in a second 33% of incidents that affected infrastructure were caused by social engineering. It’s people, uh, 88% of small businesses to experience a breach say that social engineering was part of that attack.
Uh, and 90% of data breaches in the cloud will happen due to social engineering with targeted employees are not caused by technical, um, by the, by the software. So what I’m saying is you don’t have the best software in the world. You can have the most up to date systems. Um, but again, if your people aren’t trained, it’s going to be your people that are the chink in the armor that the hole in the wall that’s.
So social engineering has been talked about a lot more in the media now. And basically what it is is that they are exploiting human psychology, rather than technical hacking, to gain access to buildings and systems. So this was some Joshua and another Taki, who's now coming around to the view that actually it's people that hold the key. Traditional hacking is now changing. It's evolving, and more social engineering: it used to be a niche. It used to be something only a small percentage of cybercriminals would use and utilize; it is now the default method to attack a business.

Social engineering, phishing, gets talked about a lot. So I'm just going to give you an explanation of what phishing is. It's basically the most common type of social engineering attack. It's talked about constantly; as with most things in cybersecurity, it's talked about without an adequate explanation. But basically it's an email that will come into your business seeking to obtain personal information, such as names, addresses, social security numbers, for instance, because it can happen to individuals, as it happened to my mom, who's 77 and spotted one last week, very pleased. It'll use shortened or misleading links that redirect you to a suspicious website, or there'll be a fake website, or they might have hacked a genuine website to take you there. And it's basically about generating fear or a sense of urgency that you need to respond. And it's very much about emotion, as I'll talk about in a few minutes, the human emotion that leads people to do things they shouldn't do, basically.

I'll very quickly go through 10 social engineering tactics, because you'll see all of these phrases bandied around online. And these are all different, genuine social engineering tactics that are being used to attack your business every day. So phishing we've talked about, which is about deceptive emails. Spear phishing is used in a more targeted way. So, to use you as an example: if there was a phishing attack on normally pro, a spear phishing attack would be on you individually. That'd be something that would be used to lure you as an individual, which would then potentially be spread across the business. It might be that you're such a vigil in the business that they're going for you in particular for a reason. Baiting kind of is what it says on the tin, really. It's an online or physical social engineering attack that basically gives you a reason to reach out and grab it, as opposed to it coming into your inbox. Whaling is a really interesting one, because that's also known as CEO fraud. So that's basically spoofing an email address, hacking the email address of a very important person within an organization, and then sending emails from that account, because that's much more likely to be trusted by your employees. So if people see an email from you, they're going to trust the fact that it's genuine, and that response increases the percentage of respondents and increases the damage. So that's becoming more and more popular. Malware is talked about a lot. So that's basically about victims believing that something is safe and then, by clicking, they install malicious software onto their machine. And often, with the ransom side of it, there'll be a ransom that you pay in order to resolve the problem or get that data back. Pretexting is becoming used quite commonly now: false identities to trick people into giving information. This has been used quite a bit with the World Health Organization with COVID-19, or NHS-branded something. We're not going to cover it today, but it's going to become a really big issue across the world: the track and trace apps with the different nations and the way they're using it, and the fact that you could send somebody a text and say that you've come into close proximity with someone who has COVID-19. That's going to generate a lot of response. It's going to take a very, very capable person who's not going to fall for that. Quid pro quo relies on an exchange of information or service. So there's a kind of two ways: you're entering a building and someone's coming in behind you. You open the door and you let them in; that's called tailgating. And that's very much about the human science, about how we look at someone as an individual and how we form trust that they're genuine. It could be the fact that they're in a shirt and tie that makes us feel that they are a person of authority and we should let them in. So it can be really subtle. Vishing is urgent voicemails. The last social engineering attack infects a website and its visitors with malware. So it kind of sits in wait; so I could essentially set up a fake website, wait for people to come to me, and do damage that way.

So all of those tactics are being used on a constant basis. We're not asking people to become experts in this stuff overnight. It's just about being aware that this kind of thing is going on.
And because of that, that's kind of led us to develop what we call the post pyramid. So you can see prevention at the bottom. So prevention is very much the foundation of keeping your accounting firm secure. And you get that through awareness and knowledge and empowerment, and that leads to them being able to build a human firewall, which I'm going to talk about in a few minutes' time. After that you've got protection. So you've got the technical controls, the software security, the IT stuff that will be sold to support the prevention. So prevention first, then protection. And then if both of those methods fail, you then need to have really good intervention methods and remedial action, because ultimately, on some occasions, all this stuff is going to fail. Criminals are going to get through. So you need to be able to recover quickly as well. So all of those things go together. However, a clever person solves a problem; a wise person avoids it. That's our message today, really. So a sensible person doesn't go straight into a problem to solve it; if there's a hole in the ground, you don't work out how you're going to get out of it, you walk around it. If Einstein says that, it's good enough for me.

Vulnerability, you know, this is where we get into quite sad territory, because what we're basically saying is that one of the human strengths, and what makes us great as human beings, is our ability to trust, to see the good in things and the good in people. But unfortunately, that's also a vulnerability, and that is the vulnerability that cyber criminals will play on. Nick Espinosa, who's a chap I'd urge anybody to follow because, basically, what he does, in his own words, is convert nerd into plain English, is a former hacker. And he knows, through the fact that he used to do this stuff, that in cybersecurity trust means vulnerability, and trust will get you. So our defense is only as good as our weakest vulnerability, and that is trust. So cyber criminals need us to trust what they put in front of us to be genuine. If we won't click, then they don't profit from our weaknesses. And Doris brothers, who's nothing to do with cyber security but is an expert on trust: this is really interesting, and this is how we lead into heuristic and critical thinking. So for us, we don't think all the time about whether we should trust; it's an instinctive thing. And we don't really ask ourselves whether we should trust, and we don't distrust those major things around us. You know, we don't constantly ask about whether, how, gravity is keeping the planets in orbit, or whether we trust the fact that Ireland is an island off the UK. We trust that stuff. It's a given; it's given knowledge. So we don't question everything. And that's what makes us weak. And we need to use a trust filter every single day, which is hard work. So, you know, it doesn't come naturally to us to question everything, but when it comes to emails in particular, and texts that we might receive, we need to be a little bit more careful, and we need to apply this filter.

Just before you go on to the pentagon there,
Richard, there's a question from James. Yeah. I suppose once GDPR came, the whole concept of cookies became front and center, and like most websites, James is saying here, the Revenue Commissioners require you to accept cookies. And now I suppose the theory is, well, if you don't accept the cookies, you can leave the site. How do you deal with sites like that? And James says it's very difficult to move forward without accepting the cookies. There are certain sites you need to be on. Is there anything accountants need to do or think about in terms of protection?

Well, I mean, it's a case by case basis, and that really depends on how that website's been built. So technically speaking, what should happen is that if you visit a website that has cookies that are active, there should be a very clear, specific explanation of what each of those cookies is there for. And you shouldn't make any way in terms of the security of the site. So it should be HTTPS, for instance, instead of HTTP. If you get any warning popping up saying the site's insecure, I wouldn't stay on that site. In terms of the cookies, if you feel you're not being given a choice and you're not confident about proceeding, don't proceed. That's my answer there. That may not be the most satisfactory answer, but we're talking about something which is outside of our control, because that's managed and controlled by the proprietor of that website. And maybe they need some education there, but the thing with cookies is that some can be quite harmless, and they can be collecting data that nobody ever looks at. But, being a cynic and being in the trade that I'm in, I'm very cautious about sites that I visit. If I'm not being given a choice, I see that as a potential cause for concern. So the one thing that GDPR talks about, and it runs all the way through, is this specificness. So, in terms of consent under the old legislation, it was very loose. Now it has to be very specific and unique to each use of your data. And that should be the same for cookies. I can definitely speak to James separately about that and explore that further.

And James's point in response to your answer, Richard, is: yeah, but if we were to read down through it, it takes half a day to read. I agree with James on that; it takes half a day to read the consent. And then the other thing is, I'm not a cyber expert, so reading the stuff is already confusing. And the target issue is it's written in such a way to get you to click it. They want you to click. So it very much feeds into your whole concept of trust, Richard, and it reflects back, for me, to your last slide: we need to use the trust filter every day.

Absolutely. Yeah. Just quickly going back to that point that James has made: most of the cookie notices or the privacy notices that are on websites now were quickly put together in 2018, when people were panicking about GDPR compliance, and things have evolved and businesses need to evolve now. So it's not just about saying, okay, I'll tick that box. It needs to be user friendly and it needs to be engaging. Yes, you need to have the legal notice kind of stuff, but actually it's about making sure that you're not just ticking a box to keep your business compliant. You need to protect your site visitors as well, because when you visit a site like that, that's all about protecting the proprietor of the website. It's got nothing to do with the positive impact on the visitor to that site. So I definitely think it will take time, but I think we need to reset now; two years have gone, and we need to think about, okay, it needs to be adding more value now. But you know, when it comes to a big notice that you've got to read: how many times, when we sign up for something, do we not read the terms and conditions before we click the box? Because it's just too much effort. So that's again social engineering. It's not criminal activity, but it's social engineering designed to put you off reading it, because it's going to encourage you to click and tick that box.

So what you can see on the screen now are five triggers that social engineers and criminal gangs will use against you
to manipulate you, basically, into agreeing to click or to visit where they want you to visit. So this is something we urge everyone to consciously check, and this is what's used against you. So the most common one is authority. So the sender will claim some authority, or the design of the email will be visually such that it would make you feel that it's authoritative and genuine, that it's from someone official. And the most common one in the UK is from HMRC, the tax office. That's the one that seems to get people to fall for it most of the time. But we're seeing it now with the World Health Organization, NHS, and how easy it is to design a good email template. You know, it'd only take a couple of hours to design a reasonably valid website in terms of how it looks, with a genuine domain. So authority is the key; that's the first thing. And that goes back to us as kids and the way that we were taught about authority and to respect authority. The fact that if we see somebody in a shirt and tie, that authorizes them, whereas maybe someone who's wearing a tee shirt and jeans doesn't. Does that kind of make sense? Yep. Yep.

So that's kind of where we're looking at that. And then the second thing that's used against us is urgency: we're told there isn't much time to respond. So we're told that if we click today, we'll get a refund. You've only got 72 hours, that kind of stuff. So that's about limited time and urgency. Fearful, hopeful, or curious: they might make us feel good about ourselves. They might make us feel that we're wonderful and that if we click, we're going to get something from it. Now at this point, I'd have to say that these things are very rarely used in isolation. They're very cleverly combined. And then the next two are very relevant to COVID-19. It's about demanding something that's in short supply. So this is where the health sector has fallen foul quite significantly in recent months, about PPE and testing kits for COVID-19, and the fact that it's topical and we would expect to receive it. So if we receive something that's topical, that we'd expect to, then chances are we're more likely to click. When all of these five things are combined, it becomes a very powerful weapon.

It's very interesting, Richard, as I look at your slides and your topics, I'm looking over at my bookshelf here to see if I have a book, and it must be in the library in the office. What you've just put up on screen very much resonates with the context of sales and human influence. Robert Cialdini wrote two books, one called Influence, one called Persuasion, and it's used by salespeople all the time. And this is why I say we need to not look upon them as hackers. They're actually entrepreneurial online criminals; that's what they really are. A hundred percent.

Yeah. A hundred percent, like I said. So these are skills, you know; this isn't something that the cyber criminal community has created or invented to cause damage. These are really positive selling tools that are just being turned around in order to get you to do something you shouldn't do. That's really it. But this, hopefully this will be really interesting, because this fascinates me, in terms of how the human brain works and how we as human beings process. So Herbert Simon, who was a Nobel prize-winning psychologist, said that while people strive to make rational choices, human judgment is subject to cognitive limitations.
So purely rational decisions would involve such factors as potential costs against potential benefits. Now, if you think about how we operate from the minute we get up in the morning to when we go to bed at night, we cannot be making rational, conscious, critical decisions on a constant basis. It just isn't feasible. So the subconscious mind takes over, in the same way as when we're driving along, and that's basically heuristic thinking. So it's essentially a shortcut that allows people to solve problems and make judgements. It speeds decision making and allows us to function without stopping to consider courses of action or implications. And it leads to the development of automatic trust and bias. You can see already that that will be just an absolute nightmare for phishing emails or cyber security: the fact that we're forming really quick decisions without actually looking at any of the facts, but the fact that we've looked at an email coming in from the tax office with a logo on it, and we think, okay, yeah, there are recognizable signs that tell us we can trust them. We really shouldn't. So it's great for daily tasks, really bad for improving cyber security. As opposed to critical thinking, which is applying rationale and understanding the logical connections and ideas, and then an assessment of the available facts to form a data-led judgment. So as a business analyst, this is kind of where I'm at. And it includes rational, skeptical, unbiased analysis. Skepticism is key here. And it's ultimately to arrive at the best possible solution. Not practical for day to day tasks, but perfect for cybersecurity, perfect for applying to emails that come into our inbox. Although, depending on how many emails you get a day, it can obviously add some overhead to your daily processes, but that's basically what you need to do. You need to apply that critical thinking. And one of the things...

There's a question from Brendan: any slides? And I just put a link up there. So if you take that link, that will bring you back into the portal, and you'll be able to access your slides and notes on your dashboard, on your session dashboard, but I'll put that link in the chat box for you. Yep. So the human firewall; this is where a lot of things culminate, Richard.

Yeah. So we've talked about this before, I think. It's basically the idea that your people are the other protective force around your accounting firm. So what is the human firewall? It's your first line of defense, and that's a commitment, and that's a really big factor: they have to want to do it. And they have to be engaged, a group of employees to follow best practice, to prevent any data breaches or suspicious activity. And they need to understand GDPR, as well as cyber security, and how to report breaches, and they need to be confident regardless of their status in your firm. So whether they're an apprentice or an entry level person, they need to be confident enough that the hierarchy is flat and that they can challenge the CEO in terms of that activity. And that's a question, because if they aren't actually confident in doing that, the human firewall won't work and it won't be effective. So it needs to be from the top down, but it needs to be flat, and everyone needs to feel part of that. And there are five pillars to the human firewall. So you need to evolve that cyber security culture. You need to accept it as much as any other aspect of what you do. You need to encourage your employees to care about cyber security.
If they know the impact they can have on it, if they understand and relate to the fact that carelessness or their actions can actually ruin the firm they work for, they're probably going to care a lot more. So you need to build awareness and knowledge, for example. As with any good project, you need to measure and monitor performance, and there are ways of doing that. So we can potentially send test phishing emails to the firm, and we'll see how many people respond to the phish. And that's a good measurement of how well we're doing. So if anyone reacts to it, or too many people react to it, we know we've got some more work to do. So that's a good way to test. But the human firewall is essential, and every organization needs it. It will look and feel the way you want it to look and feel. It will be based on the culture of your business. But training and awareness are the critical factor. So training employees to form a human firewall should become central to everything you do with your security. Cyber security applies to everyone. It's seen as a techy subject. It's really not; hopefully I've proved that it's not actually a technical subject, it's a human subject. The board and partners and senior managers must buy in. So cyber security and GDPR should be reportable at every board meeting. And there should be a representative at board level who has responsibility for it. Training needs to be comprehensive. It needs to be regular. As we said, it needs to be something that's repeated annually and evolved, because there's no point in training someone in GDPR or cyber security in 2020, because by 2022, or even 2021, the threats will look very different. So it needs to be kept up to date, and as and when these threats become apparent, there needs to be a seminar across the business. And the firewall will evolve naturally if the training and awareness are good. So if your training and awareness are good, and they're interesting, and they're engaging, and you can relate it to people at home as well, and keeping their own families safe, then the human firewall will evolve and people will feel part of it. That's really important. And that was my last slide.

Okay. So first of all, you can see how to get Richard on his slide there at pulled cyber dot code out in cake. And he does work with Irish accountants. If you want to see a bit more of Richard: we're also collaborating on a number of projects to help Irish accountants. And one question, one observation that I have for accountants right now in relation to GDPR, and it's not just about... oh, sorry, I moved my camera. It's not just about having policies and procedures. It's not just about having the right IT. What Richard has illustrated for me today is it's about having those fundamentals. If you go back to GDPR in 2018 and 2019, that was kind of all there was. As you can see here, Richard has presented very much a blended approach: yes, you've got to have the fundamentals, policies, procedures. You've got to have your IT right. It's this continual evolution and training. And as Richard has finished here, the human firewall. So we're a couple of minutes over. I don't want to throw the schedule for the Accounting and Tax Summit off. So we're going to wrap up here. Richard, I just want to thank you for your presentation. I want to thank everybody for their attendance and attention, and I hope you enjoy the rest of today's program.