Digital transformation is making cybersecurity increasingly important. And this is a particularly complicated matter for smaller businesses. GEIGER, an innovation project funded by the EU, aims to provide a solution to this problem. A pilot and training programme targeted at accountants in the Netherlands is being implemented by the SRA, association of accountancy firms. What does GEIGER involve and what does it aim to accomplish? Below is an introduction.

Cyber risks are part and parcel of society today. As digitalisation in small and medium-sized enterprises grows, so does the threat of cyber incidents. The consequences for business owners can be huge, so it is essential that they and their accountants are aware of the risks, including those that are not immediately apparent. This was why the name GEIGER was chosen, explains Frank Grimberg (Registered Accountant).

Grimberg’s involvement with the project comes through his role as Senior Researcher and lecturer at the FHNW University of Applied Sciences Northwestern Switzerland. “We decided to compare the threat to radioactivity. It’s not something you can smell or see, but it is dangerous. The same applies to cybercrime. When you’re online, you often have no idea of exactly what risks you’re being exposed to.”

As trusted advisors to SMEs, accountants have a role to play here, Grimberg points out.

“Cyberattacks can directly impact the figures auditors verify, so it’s a topic they cannot afford to ignore – both for their clients’ and their own organisation’s sake. In their consultancy role, accountants can help to put cybersecurity right at the top of the business agenda. At the same time, the accountants themselves will need to ensure they properly protect the business figures received from clients.”

Geiger indicator

GEIGER has been specifically designed for SMEs, to raise their awareness of the risks they face where data protection, privacy and cybersecurity are concerned. And to help them to mitigate those risks. The solutions the project aims to provide must meet the needs of businesses that do not employ a cyber specialist and cannot invest in costly and complicated security alternatives. “The GEIGER project involves us working on a combination of three equally important components,” explains Tony van Oorschot, Information Manager at SRA. “We develop tooling, training and support under the ‘Certified Security Defenders’ programme.”

The tool is a ‘GEIGER indicator’ – software that business owners (and auditors) install to measure and highlight a number of generic issues. This highlights cyber risks according to type of attack, such as phishing. “The software will be powered by the specialised security centres in the EU that are involved. After all, threats are no respecters of borders. This way, the tool also remains up to date.”

“The idea is that the tool not only shows which cyber risks the business owner is being exposed to, but also provides practical tools for significantly reducing this exposure. The first version of the tool will be made available this year.”

Training and support

‘A fool with a tool is still a fool’, so there is more involved than just the technology. Making the cybersecurity solution as accessible and effective as possible necessitates an understanding of how it works and what the results mean. This is not something the business owners themselves need to have. To make things easier for small businesses, GEIGER is working hard to set up a Europe-wide network of specialists who can offer targeted support. “SRA is working with project partners to develop an educational programme that will train Certified Security Defenders,” continues Van Oorschot. “These are certified individuals who know how the technology works, but who can also provide targeted advice on the results obtained from or problems identified by our tool, thereby increasing cyber resilience.”

“This is not always about the technology itself. It can also be about creating a greater awareness of cyber risks and data security.”

In the training pilot project specifically aimed at the accountancy sector in the Netherlands, SRA is working at different levels. There is a training course for accountants who don’t know much about cybersecurity as yet, and one for IT Auditors who already have considerable knowledge of the subject. “In the case of the latter, all that is then needed to become a Certified Security Defender is some additional training.” Once they have completed their training, Certified Security Defenders act as ‘ambassadors’ who pass on their knowledge to the businesses they work with. “We’re not aiming to put any IT suppliers that SMEs currently use out of business. Such suppliers can also become Certified Security Defenders,” Van Oorschot is keen to point out. “The training programme has been designed for a broad target group. We don’t want to disrupt the IT process, but rather to be supportive of it as a whole. That is our ambition.”

Opportunity

GEIGER is part of Horizon2020, an EU funding programme for Research and Innovation in Europe under grant agreement no. 883588. Pilots are currently under way in three EU countries, with the approaches taken as diverse as possible, says Grimberg. “In the Netherlands, working with SRA, the focus is on the accountancy educational programme, and there is support from the NBA (Netherlands Institute of Chartered Accountants) and the Digital Trust Center. In Switzerland, we’re working with the apprenticeship system and SKV, the SME association. This involves, for instance, training hairdressers still learning the job who can then, in turn, take the knowledge they have acquired with them when they start working for a business. In Romania, the emphasis is on start-ups. The various approaches were a deliberate choice. If the pilot in the Netherlands is successful, we can roll it out across Europe. The same applies to the pilot involving apprenticeships in Switzerland and to the start-up segment in Romania.”

As SRA sees it, facilitating the pilot goes beyond GEIGER alone. Van Oorschot: “At the end of 2019, the Dutch Authority for the Financial Markets (AFM) published 11 principles for information security and you can see this topic becoming more important right across the board. Though it is not yet mandatory, the AFM model does state that you should look at matters such as your policies, governance and risks, and implement appropriate measures. GEIGER is positioned at the intersection between hazard identification and measures. It offers a specific solution within the framework created by the AFM principles.” GEIGER definitely represents an opportunity for accountants, Grimberg concludes.

“It fits very well with the role of trusted advisor and really allows you to stand out from the crowd. It raises your profile as an accountant.”

Pilot

SRA plans to start piloting the educational programme in the third quarter, taking seasonal work pressures at firms into account and offering excellent support. Any firms interested can contact Tony van Oorschot at tvanoorschot[at]sra.nl.

This is a translation of an article originally published in Dutch by SRA in the SRAadviseur magazine (nr 2 2021).