5 Questions To Ask Your Accountant About Their Cyber Security (#GotBitcoin?)
Your Social Security number, address, and date of birth might go for only a few dollars on the black market. Sadly, when sold in bundles, $2 per record adds up to a substantial payday for hackers—giving them ample motivation to break into your accountant’s network.
Is your accountant as motivated to protect your information as hackers are eager to steal it?
Here Are 5 Questions To Ask Your Accountant About Their Cyber Security Practices. Use Them To Evaluate Your Level Of Safety This Tax Season:
1. How Will We Transfer Private Files This Year?
This basic question allows you to A.) easily initiate the conversation and B.) quickly take the temperature of your accountant’s awareness of data theft risk.
Reassuring Answers Sound Like:
- Digital files will be emailed as encrypted and password-protected files (not using public wi-fi), or…
- Files will be uploaded to an encrypted, password-protected online portal (not using public wi-fi), or…
- Files will be delivered in person.
You Should Be Concerned If You Hear:
- Email. (Simply emailing files with no encryption, even password-protected files, can be risky. If you must email, your files should be encrypted.)
- Whatever works for you. (A security-minded CPA would have at least some suggestions to help protect you–discouraging you from putting your files on a tiny USB drive that you could easily misplace, for example.)
2. How Many Individuals Have Permission To View My Personal Information?
Employees are the primary target of hackers, whose clever phishing emails are far more likely to succeed than a brute-force attack. A successful phish can result in the hacker obtaining the employee’s credentials—and gaining access to everything the employee has permission to view.
Once that occurs, it can take minutes before all of that data is copied, stolen, or altered.
To lower the potential impact of stolen or sloppy passwords (like CompanyName2017!), accounting firms should structure data so that it is accessible only by those that need it to perform their duties. Your accountant should be able to account for exactly how many people have permission to see your data.
Bonus question: Must the people that have access to my data enter more than one password (or other method of authentication) to see it? “Yes” is the answer you want to hear.
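The weak-password pattern mentioned above (a company name, a year and a trailing symbol) and the later point about re-used passwords are the kind of thing a firm's password protocol should reject automatically. The following is an added example written for this page, not code from the article or from any firm it describes; the company name, minimum length, character-substitution table and PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import os
import re

# Added example for this page (not the article's own code). A small
# password-policy check of the kind a firm's "Password Protocol" could
# run at password-change time. Thresholds below are assumptions.
MIN_LENGTH = 14
ITERATIONS = 200_000
YEAR_RE = re.compile(r"(19|20)\d{2}")
# Common substitutions so "Acm3T4x" still reads as "acmetax" (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case, undo common substitutions, drop punctuation and spaces."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def check_password(password, company_name, username=""):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    company = normalize(company_name)
    if company and company in norm:
        problems.append("contains the company name")
    user = normalize(username)
    if user and user in norm:
        problems.append("contains the username")
    if YEAR_RE.search(password):
        problems.append("contains a year")
    # Word, optional digits, optional single symbol: the "CompanyName2017!" shape.
    if re.fullmatch(r"[A-Za-z]+\d*[!@#$%^&*]?", password):
        problems.append("follows the common word+digits+symbol pattern")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest for storing password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def is_reused(password, history):
    """True if the candidate matches any (salt, digest) pair in the history."""
    return any(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == digest
        for salt, digest in history
    )


if __name__ == "__main__":
    # Constructed sample: a firm called "Acme Tax" and a staff password.
    print(check_password("AcmeTax2017!", "Acme Tax"))
    print(check_password("correct horse battery staple", "Acme Tax"))
    history = [hash_password("AcmeTax2016!")]
    print(is_reused("AcmeTax2016!", history), is_reused("AcmeTax2017!", history))
```

The reuse check stores only salted PBKDF2 digests of previous passwords, so the history itself is not a list of reusable secrets if it leaks; a real deployment would also compare against a breached-password list, which the page does not cover.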
3. What types of network security have you implemented?
Find out if your CPA has implemented the following—and don’t forget to follow up by asking who is managing these things on their behalf:
- Security Awareness Training For All Staff
- Spam Filter
- Regular patching
- Host-Based Intrusion Detection System (HIDS) or Network Intrusion Detection System (NIDS) (More advanced)
- Managed Security Services by a Qualified Vendor with a SOC (Can be more advanced, recommended)
4. How Do You Back-up Your Data?
Regular data backups are critical to ensure your information is protected in case of system failure or manipulation.
Your accountant’s data should be backed up at least once a day (more often is preferred) to both cloud and physical storage devices.
Backups should also be tested regularly to ensure they’re working correctly. Ask: When was the last time you verified your backups were working?
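What "verifying your backups were working" can look like in practice, as an added example written for this page rather than code from the article: every backup run records a SHA-256 manifest of the source files, and a later restore test rehashes the backup copy and compares it with that manifest, so a silently corrupted or incomplete copy is caught before it is needed. The directory layout, file names and sample contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Added example (not the article's own code). Assumes a simple copy-based
# backup to two destinations; the paths and data below are constructed.


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def manifest_path(destination):
    dest = Path(destination)
    return dest.parent / (dest.name + ".manifest.json")


def run_backup(source, destination):
    """Copy the source tree to destination and record a manifest beside it."""
    dest = Path(destination)
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    manifest = build_manifest(source)
    manifest_path(dest).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(destination):
    """Restore test: rehash the backup copy and compare it with its manifest.
    Returns (ok, sorted list of paths that are missing, extra or altered)."""
    expected = json.loads(manifest_path(destination).read_text())
    actual = build_manifest(destination)
    problems = sorted(p for p in set(expected) | set(actual)
                      if expected.get(p) != actual.get(p))
    return (not problems, problems)


def demo():
    """Back up constructed client files to a 'cloud' and a 'USB' copy, verify
    both, then corrupt one file on the USB copy and show the check catching it."""
    work = Path(tempfile.mkdtemp())
    src = work / "clients"
    (src / "2017").mkdir(parents=True)
    (src / "2017" / "smith_w2.txt").write_text("constructed sample W-2 data\n")
    (src / "2017" / "jones_1040.txt").write_text("constructed sample return\n")
    cloud, usb = work / "cloud_backup", work / "usb_backup"
    run_backup(src, cloud)
    run_backup(src, usb)
    results = {"cloud": verify_backup(cloud)[0], "usb": verify_backup(usb)[0]}
    # Simulate silent corruption of the physical copy and re-run the check.
    (usb / "2017" / "smith_w2.txt").write_text("garbage\n")
    results["usb_after_corruption"] = verify_backup(usb)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    print(demo())
```

A full restore test would restore the backup to a scratch location and run the same comparison there, which also proves the restore procedure itself works; the manifest should be kept somewhere the backup media cannot overwrite it.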
5. May I See A Copy Of Your Documented Cyber Security Policies?
This is perhaps the most telling question about your identity risk this tax season. Without policy documentation, there is no real way for your CPA to prove or enforce solid security practices.
If You’re Able To See Your CPA’s Policies, Look For:
- Mandatory And Paid Employee Security Training (Held At Least Once A Year, But Twice A Year Is Preferred)
- Social Media Policy And Training
- Password Protocol
- Web Browsing, Clicking, And Download Protocol
- Patching Protocol
- How Safe Data Handling Is Monitored, Reported, And Enforced
- Incident Response Plan
Hackers Specifically Targeting U.S. Accounting Firms
Much to the ire of businesses worldwide, hackers have ceaselessly attempted to penetrate their computer systems and abscond with valuable information. While seemingly no business sector is beyond the reach of opportunistic hackers, the financial services industry has been particularly sensitive to these intrusions due to the vast quantities of personal information stored therein. Yet, like all systems found in the business world, specialization of skills is a natural outgrowth.
Unfortunately for accounting firms nationwide, this specialization has resulted in an alarming new finding. Hackers are now specifically targeting your firm. With most firms using relatively similar software and service providers, a flaw found in one system can be easily replicated in countless others. The game of cybersecurity cat-and-mouse is quickly accelerating against your firm.
Q: You’re most famous in the cybersecurity world for discovering some of the most high-profile breaches in history such as those at JPMorgan, Adobe, and Lexis Nexis. How did you discover that there is a gang of cybercriminals focusing on CPA firms?
Alex Holden: We monitor a number of Dark Web forums and information exchanges. In this particular case, one of the lesser known forums was used for this type of data exchange. Fortunately for us, hackers disclosed more information than they wanted to, allowing this glimpse into their activities.
Q. Do you have any indication where these criminals are located geographically?
Alex: We have no clear indication where they are from geographically. We can only assert that one of them spoke Russian natively but communicated in broken English.
Q. Why would this group be focusing on accounting firms specifically?
Alex: I believe that the main direction is tax fraud. Accounting firms were targeted but also other sources of W2 information and other financial data were on the targets list.
Q. Is there a specific avenue of attack, such as keyloggers or ransomware, that these criminals prefer?
Alex: The CPA’s computer had some kind of virus allowing data logging along with screenshots and keyboard inputs from the victim. This was non-disruptive and seamless for the victim, as were likely the infection and operation of his computer.
Q. Once the criminals have stolen data from these firms, how are they distributing the data?
Alex: The stolen data is not as useful as the hackers’ ability to generate profits. This crime model deals more with tax refunds than any other abuse vector. It is unclear whether actual data was exfiltrated or whether the victim’s computer was used as a conduit to commit tax fraud.
Q. In your experience, what size accounting firm are they targeting, and why?
Alex: Accounting firms are targeted not based on size but on opportunity. While larger firms may have dedicated IT and data security staff, they are also significantly attractive targets for potential profits. Yet smaller firms who operate on a one-on-one basis are easier targets because of a lack of data security measures. At the end of the day, you are likely to do business with a smaller firm because of personal touch and trust, but this personal touch may come with an expensive price tag of missing a lot of critical data security safeguards.
Q. For a small accounting firm, with a very limited cybersecurity budget – if any, what are some cost-effective ways that can lessen their odds of being compromised that are often overlooked?
Alex: Smaller firms invest in commercial-grade accounting software, yet the data security side is far below the commercial grade or may be missing.
Basics: Patch your system regularly, don’t miss any updates; buy anti-virus and anti-malware software and keep it up-to-date; do not use your work computer for any other purpose than work; and lastly, become more educated about email scams, viruses, hoaxes – don’t get victimized yourself and endanger your clients.
Q. For large accounting firms with a dedicated cybersecurity budget, what is one area they continually overlook, but should pay much greater attention to?
Alex: Larger firms may not have a challenge with commercial-grade security software, yet the employees are still often tasked with upkeep of their devices as they travel and do not always connect to the corporate networks. Stricter data security policies are definitely needed. But what is usually lacking is a deeper understanding of security threats and poor password policies. End-user education around data security must be a paramount concern for larger firms and re-using or assigning weaker passwords should not be tolerated.
Q. What is deep web monitoring and why would an accounting firm need such a service? Could they include this service for their own clients?
Alex: This tax season we saw tax data of tens of thousands of victims traded on the Deep and Dark Web by hackers. At the same time, exploitation of accounting firms is visibly on the rise and this particular incident is not a unique occurrence. To see what hackers are targeting and if you are on a list of targets or victims is sometimes a quick check that may save you not only money, but reputational loss. And knowing if your clients have been already compromised, in many cases, may allow you to help them proactively as recovery from tax fraud is not an easy task at all.
Q. Understanding that no computer system is ever 100% secure, how important is a breach response plan, and when should a company start seeking assistance in crafting and implementing such a plan?
Alex: Breach or Incident Response Planning is essential for a company of any size. Pretty much like dealing with any kind of incident (car accident, fire, etc.) it is much better to put some or a lot of thought into your response than trying to ad-lib during crisis. Your ability to find the right partners that will help you with the recovery process cannot be hindered by timing of a breach. Knowing who to call, what to do and how to respond is critical. In many cases, doing things the right way and quickly can minimize the impact of an incident.
Q. Are there any new cybersecurity tools that you are particularly excited about that firms should be aware of?
Alex: I do not want to endorse any specific vendors but rather want to highlight technologies, many not new but enhanced. Anti-phishing solutions, ransomware protection, robust anti-virus and anti-malware solutions, and Internet traffic filters preventing computers from going out to malicious sites.
Q. Within the next 5 years, do you expect the frequency and severity of cyber breaches to increase or decrease, and why?
Alex: I believe that the overall amount of breaches is on a slow decline as security tools are getting better. However, the severity of each new breach will become more and more devastating as hackers are getting better at their evil tasks and not caring about the devastation they leave in their path.
When asked for comment concerning the above revelations, Anthony Valach, counsel at BakerHostetler cautioned accounting firms to consider the larger ramifications for their own clients. “It doesn’t matter what time of year it is, it’s always W-2 season. Remember, the main goal of these actors isn’t to steal someone’s identity, it’s to monetize the information as quickly as possible. If they get W-2s, they will try to file fraudulent tax returns.”
On a more optimistic note, he did add that many breaches he works on center around fundamental security measures that would have been easily rectified. “Yes, there are government-backed actors looking to cause chaos, but the run of the mill hacker is trying to turn information into money as quickly as possible. If they can’t do that easily, or at least have a reasonable chance at doing so, they will move on to the next one.”
Garrett Wagner, CPA/CITP and founder of consulting firm C3 Evolution Group, emphasized the need to educate your staff. “Internally, they need to provide regular training and reminders to their staff about the various threats and email attacks currently being used.” Furthermore, he noted the often-overlooked client vulnerability saying, “Externally, they need to remind their clients of the tools they have to send secure communications. Nothing is worse than having all the tools and resources to keep data secure than to have all your clients email un-encrypted emails into the firm on a regular basis.”
No matter how secure you may think your computer systems may be, we are entering a new and dangerous phase for accounting firms worldwide. It is well worth the time and energy to commit to investigating new cybersecurity technologies and employee training programs. As with all things in life, the longer you wait, the more painful and costly the transition may become.
Accounting For Risk
Why Accountants Need to Worry about Being Hacked
According to USA Today, at a recent cyber security event the FBI issued a warning emphasizing just how frequently hackers have been able to steal financial records. In fact, in the last 12 months, 500 million financial records have been stolen in data breaches and other hacks.
Of course, this shouldn’t come as much of a surprise to anyone who pays even the slightest bit of attention to the news. Stories of major data breaches have been coming out every few weeks. But does any of this matter to accountants and finance professionals?
As the owner of a small accounting, bookkeeping, or finance firm, you’ve probably fielded questions about your cyber security and whether your firm might be hacked in the same way that larger financial institutions have been. The short answer is yes. Let’s look at what a data breach at an accounting firm involves and what you can do to prevent cyber attacks.
Case Study: Data Breach At Small Connecticut Accounting Firm
The Monroe Courier reports how one small Connecticut accounting firm was hacked, losing 900 clients’ records in the process. According to the Courier, the firm, an all-purpose accounting outfit with fewer than 10 accountants, had to inform its customers that criminals had stolen their data and might use it for identity theft.
Such a breach was undoubtedly damaging to the accounting firm’s reputation. When you’ve built up a client base over years of hard work and have to inform them that their Social Security numbers and financial records are now in the hands of criminals looking to commit fraud, you might take a bit of a P.R. hit.
That’s because data breaches aren’t just about lost data. They’re about lost trust. And small accounting firms rely on that trust to maintain their client base. We’ll look at what you can do to manage the financial and technical risks of data breaches, but don’t forget that a data breach could do irreparable harm to your business’s reputation.
Three Tips To Improve Your Firm’s Cyber Security
These three strategies can help accounting firms strengthen their firm’s tech defenses, prevent data breaches, and guard against the financial losses that come with a cyber attack:
- Work With IT Professionals. Hire an IT consultant to set up your firm’s network and make sure your data is encrypted and protected. Part of your professional responsibility as an accountant is to make sure that data is secure when it’s in your custody.
- Invest In Cyber Liability Insurance. Cyber Liability Insurance (also called Data Breach Insurance) pays for the cost of cleaning up a data breach and contacting your clients about their compromised data. Cyber Insurance also pays for P.R. experts and crisis managers to handle your breach response and limit damage to your reputation.
- Have A Data Breach Response Plan. CPA Practice Advisor reports that data breaches at small accounting firms have increased, and that it’s important to have a response plan in place. This plan should outline what you need to do and whom you need to contact after a data breach. It should be a step-by-step guide to what you need to do to comply with state and federal laws and inform affected customers about the incident.
While the national media mainly focus on data breaches that occur at large financial institutions, the truth is that cyber attacks can and do occur at small accounting firms. But it’s not as if you’re helpless. By taking action to implement a risk management strategy, you can prevent attacks and limit your financial risk exposure.
Your questions and comments are greatly appreciated.
Monty H. & Carolyn A.