The crooks love accountants

Accounting firms are a very attractive target for crooks due to the sensitive financial and private client data that is held on firms’ systems. Much, if not all, the information needed to successfully steal an identity can be found in client data.

David Smith | Apr 27, 2018


The crooks love the internet. Without leaving their lair they arrive at the door of almost every accounting firm. All they need are the keys to open it.

All too often the keys are left out in the open or the door is left unlocked and the criminal waltzes in, grabs the treasure trove of data and leaves, often with the victim being completely unaware.

Imagine having to tell your clients that their information has been stolen or worse having the breach reported in the press.

There are a growing number of stories of firms being breached. In our ATSA 2017 Technology survey completed in September 2017, 14 per cent of firms reported that they had been hacked. Crooks are getting into tax return data. Crooks are getting into small business accounting systems and stealing the employee details to use their identity for criminal purposes. Crooks are lodging employee tax returns to steal the PAYG. Certainly, all very worrying.

So the time has come for every accounting firm to conduct a security review. While nothing is 100 per cent secure and a crook with enough determination, talent and time can still probably get past your security, there’s a lot you can do to slow the crooks down so much that they may find it easier to hack someone else than waste time trying to get past your defences. There are a number of professional organisations that will conduct a security review of your practice, but there are some basics that every firm should be putting in place.

Poor usernames and passwords are the first line of attack. If one of your service providers has suffered a widespread breach, as LinkedIn, Adobe and others have, it is likely that the username and password combinations you used for those services can be obtained by the crooks and used to break into your accounts on other services. Perhaps the days of having your password on a post-it note on your screen are over. Remember security breaches can be internal as well as external.
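The reuse described above has a recognisable footprint on the receiving end: leaked username and password pairs are tried against many different accounts from the same source in a short space of time, and the rare success is the account whose owner reused a password. The following is an added example, not code from the original article or from Smithink, of a small detection routine a practice or its IT provider could run over login records. The log format (`timestamp src=… user=… result=…`) and the sample lines are constructed for the example; the thresholds (five distinct accounts within five minutes) are assumptions to be tuned to the firm's own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample login records (not a real log). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2018-04-27T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2018-04-27T09:00:02Z src=203.0.113.5 user=bob result=FAIL
2018-04-27T09:00:03Z src=203.0.113.5 user=carol result=FAIL
2018-04-27T09:00:04Z src=203.0.113.5 user=dave result=FAIL
2018-04-27T09:00:05Z src=203.0.113.5 user=erin result=FAIL
2018-04-27T09:00:06Z src=203.0.113.5 user=frank result=SUCCESS
2018-04-27T09:05:00Z src=198.51.100.7 user=alice result=FAIL
2018-04-27T09:05:20Z src=198.51.100.7 user=alice result=SUCCESS
"""

# Assumed log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag a source address that fails logins for many *different* accounts
    within `window`. One user mistyping their own password produces repeated
    failures for one account; a leaked credential list being replayed produces
    failures spread across many accounts. A success from a flagged source after
    the flag is reported separately as a probable account takeover, so that the
    affected user can be contacted and the password reset."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        flagged_at = None
        # Slide a window forward over the failures and count distinct accounts.
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_distinct_users:
                flagged_at = start["ts"]
                alerts.append({
                    "type": "credential_stuffing",
                    "src": src,
                    "distinct_users": len(users),
                    "first_seen": start["ts"],
                })
                break
        if flagged_at is not None:
            for e in evs:
                if e["ok"] and e["ts"] >= flagged_at:
                    alerts.append({
                        "type": "probable_takeover",
                        "src": src,
                        "user": e["user"],
                        "at": e["ts"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the first source is flagged for trying five accounts in five seconds and its one success (`frank`) is reported as a probable takeover, while the second source, a single user who fails once and then logs in, is left alone. In practice the flagged source would be rate-limited or blocked and the affected account forced through a password reset and a second-factor check.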

Of course the obvious also applies. Use different passwords for different services. Use passwords that are difficult to break. Use software that generates passwords. It’s all a hassle, but in this day and age one has little alternative. Many are using password locker applications to manage the growing number of username and password combinations they have for different services. But using these systems has its own risks. LastPass, one of the more prominent password managers, has been breached twice, although in neither case did the hackers break past the encryption protection and access the password database. That does not mean it won’t happen in the future. There are ways of storing your passwords securely on your own PC using applications that create encrypted drives, but if you ever forget the password for the encrypted drive, access will be lost forever.

So there is no easy answer here. Many people feel that after weighing up the pros and cons using a reputable password manager is the lesser of the evils.

These password managers have one additional advantage. Many provide access to a nominated third party after a specified period when the user does not respond to a request by the nominated party to access the password manager. This means in the case of death or disablement a family member or other nominated third party can gain access to the password manager to have the passwords to manage your affairs.

Of course passwords should also be changed regularly.

Over time we are going to see more use of biometrics (fingerprints, voiceprints, retina scans) to avoid the need for passwords. This technology is still being refined. It can be a little unreliable.

Using two-factor authentication is a critical safeguard. It should be turned on where available for every service that you use. Two-factor authentication involves sending a code to your mobile device, which means you need to have the device as well as a password to gain access. However, it’s not infallible. The crooks are managing to find ways of redirecting SMS messages by hacking telcos and other means. For this reason, many companies are now using their own mobile apps to manage two-factor authentication rather than relying on SMS.

Other things that should be considered include:

  • Turning on remote wiping of mobile devices so that if the device is stolen the data can be quickly wiped.

  • Encrypting drives on laptops so that if the laptop is stolen and/or the drive is removed the data cannot be accessed.

  • Ensuring that you are using the latest versions of software, particularly operating systems like Windows, as these are more likely to incorporate patches to close any discovered security flaws.

  • Ensuring you’re running an up-to-date, reputable malicious software scanning application.

  • Ensuring you have effective data backups that are protected from malicious attack.

This is not an exhaustive list. Professional advice should be sought to ensure you have the best possible protection.

Nothing is 100 per cent secure. So, the next thing you need is a plan. You need to have your client communications ready. How would you communicate with your clients if a breach occurred? What would you tell them to do? What in turn should they be saying to their employees? You need to have templates ready to go at a moment’s notice. Time is not your friend. You need to notify anyone impacted as soon as the breach is discovered to minimise any damage to them.

There are a number of guides and services to assist you should a breach occur. The Australian government’s Office of the Information Commissioner has a guide “Data breach notification — A guide to handling personal information security breaches”.

There are legal requirements for some businesses to report data breaches to the Office of the Information Commissioner and on their own website.

These laws primarily relate to larger business breaches that involve tax file number theft.

Training your team is also critical to ensure that they know what to look for and what they should do if they suspect a problem has occurred. Does your team know how to recognise a malicious email? Do they know to carefully look at hyperlinks before clicking on them? Do they know what to do if they get a phone call from someone who starts to ask for personal information?

Critically, your team needs to notify you as soon as a problem arises. Some malicious email attacks will instantly go to the breached user’s email address book and start sending the same malicious email to every contact in that address book. It is critical that these people are notified as soon as possible so that they don’t make the same mistake.

Cyber insurance is another key component of your risk management plan. How would you deal with a ransomware attack? How do you manage the risk that through a breach of your firm, your client’s data is accessed and/or their identity is stolen? Of course preventing the attack is the best option but cyber insurance should also be part of your risk management strategy.

It’s an unfortunate consequence of the connected world in which we live that the crooks are trying to take advantage. We try to have effective locks on our homes and business. We put in place insurance in case the house or business premises is burgled. Now is the time to think about your data in the same way and ensure measures are effective and if they’re breached, then your risk management plan will protect you and your clients as far as possible.

David Smith, director, Smithink
