Why an accountant is a cybercriminal’s favourite target
Justin Dolly of Malwarebytes looks at what accountants can do to protect their data and minimise cybersecurity risks
When most people think of a data breach, they think of hospitals, retailers or banks being victimised. But what about accounting firms? Think about it: every client trusts you with their personally identifiable information. As an accountant, you hold tax identification numbers, social security numbers and the logins to much of the financial footprint of the average consumer.
To make matters worse, a single cyberattack has the potential to shut down a small or medium-sized accounting firm for good. These firms do not have the capital that large firms have, and one breach could spiral them into bankruptcy. The Department of Homeland Security’s small business tip card notes that nearly 59% of US small and medium-sized businesses have no contingency plan, and according to Hiscox’s 2017 Cyber Preparedness Report, small businesses lose an average of $41,000 per cybersecurity incident.
With tax season in full swing, the stakes are even higher. Attackers recognise that, much like banks, accounting firms hold valuable information such as the bank account details used for tax refund direct deposits. They also recognise that accounting firms typically have far weaker security defences than banks, and it is easier to attack those who are unprepared. A successful intrusion into systems holding sensitive financial information may also trigger a legal duty on your part to notify clients that their confidential information may have been stolen. Bottom line? A lack of cybersecurity can cost you clients, and possibly your entire business.
The data these firms hold is not only often poorly protected, it is uniquely valuable to attackers. Accountants are trusted not just with financial data but with the entire financial and personal histories of all of their current and past clients. During the first month and a half of the 2016 tax season alone, the IRS identified more than 42,000 fraudulent tax returns, according to the Treasury Inspector General for Tax Administration. Tax return identity theft, in which a taxpayer’s personal information is used without their authority to file a fraudulent return, is a growing concern. It carries serious consequences, especially if your firm’s lack of cybersecurity is what allowed the attacker to obtain the information.
Fortunately, there are several easy ways that small and medium-sized firms can take action now to make themselves more secure. But first, it’s critical that accountants fully understand the security challenges in play.
Despite being trusted with all of this sensitive data, the average accountant or local accounting firm does not have the same security measures in place as a large institution. They are often required to spend the majority of their budget on business expenses and the line item of security doesn’t make the cut.
Without security defences in place, accounting firms fall easily to the most common attack methods, ransomware chief among them. Ransomware encrypts your files and locks you out of your systems, then demands a payment to restore access. This can be devastating to your business, and paying the ransom is no guarantee that you will get your data back: the attackers may never deliver a working decryption key, may restore your access but keep a copy of your data and your clients’ data, or may simply erase it altogether.
Passwords also remain a major security risk for accounting firms, because they can be lost, stolen, reused across services or easily guessed. Most importantly, phishing can hit a firm at the drop of a hat. Especially during tax season, malicious emails impersonating the IRS or related entities plague the industry every year.
Despite the odds stacked against the industry, there are a few critical, and inexpensive, actions that accountants can take to protect themselves and their firm.
Deploy endpoint protection
If you have not already done so, look into endpoint protection platforms that can be deployed remotely and managed from a central location. The platform should include a strong anti-exploit component to shield unpatched programs and legacy systems. Treat that shielding as a safety net rather than a substitute for patching: keep operating systems and applications, especially tax software, browsers and PDF readers, up to date.
Educate and train your staff
A common misconception about security is that you have to be an expert to take any steps toward preventing an attack. This is absolutely not true. The key is education, training and discipline. All employees and partners should be educated on the risks of cyberattacks and the current state of cybersecurity, so that they understand the purpose of their training and can spot suspicious activity. Everyone with access to clients’ personal information needs to treat unexpected communications with caution, especially any that ask for credentials, payments or client data, and to proceed carefully when visiting websites or giving non-employees access to a computer. By educating your staff on proper security practice, you also empower them to serve as security ambassadors.
Conduct frequent backups
Do not underestimate backups as a security measure. Hard-drive failure is not the only reason you will need them; a ransomware infection or a deleted client folder creates the same need. Make sure you have backups, preferably kept outside your own system. External drives, DVDs and cloud storage are the most common options. Keep at least one copy disconnected or in versioned cloud storage, because ransomware will encrypt any backup drive that is left plugged in, and restore a few files from each backup periodically to confirm it actually works. Programs that back up continuously do use some resources, but they remove the need for you to remember to do it yourself.
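To make the "test your backups" point concrete, here is an added example script (not from the article or from Malwarebytes) that archives a folder, records a SHA-256 checksum alongside it, and immediately performs a test restore into a scratch directory and compares it with the original. It assumes a POSIX shell with GNU tar, sha256sum, diff and mktemp available; the client files it backs up are constructed sample data.

```shell
#!/bin/sh
# Added example: verified backup of a directory plus a restore test.
# Assumptions (not from the article): POSIX sh with tar, sha256sum, diff, mktemp.
set -eu

# backup_dir SRC DEST
# Writes DEST/backup-<utc-timestamp>.tar.gz and a .sha256 sidecar, then restores
# the archive into a scratch directory and compares it with SRC. Prints the
# archive path on success; exits non-zero if the restore does not match.
backup_dir() {
    src="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/backup-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -C "$src" -czf "$archive" .
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")

    # A backup you have never restored is a hope, not a backup.
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive"
    diff -r "$src" "$scratch" >/dev/null
    rm -rf "$scratch"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# Returns 0 if the archive still matches its recorded checksum, non-zero if it
# has been modified, truncated or encrypted since it was written.
verify_backup() {
    archive="$1"
    (cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256")
}

# Demonstration on constructed sample data.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clients"
    printf 'constructed sample: client A 2016 return\n' > "$work/clients/clientA.txt"
    printf 'constructed sample: client B 2016 return\n' > "$work/clients/clientB.txt"

    archive=$(backup_dir "$work/clients" "$work/backups")
    verify_backup "$archive" && echo "backup verified: $archive"

    # Simulate the backup volume being tampered with (e.g. touched by ransomware).
    printf 'x' >> "$archive"
    if verify_backup "$archive"; then
        echo "UNEXPECTED: corrupted archive passed verification"
    else
        echo "corruption detected in $archive"
    fi
    rm -rf "$work"
}

demo
```

The checksum sidecar only detects changes; it does not stop them. That is why the copy you rely on should live somewhere an infected workstation cannot write to, such as a drive that is unplugged after the backup runs or cloud storage with object versioning, and why the restore test in backup_dir matters more than the archive itself.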
Encrypt communication
Emailing documents and other sensitive information is routine in an accounting practice, so use an email service or add-on that encrypts messages rather than sending client data as plain attachments. Cloud-based file sharing applications that encrypt data in transit and at rest, and that require the recipient to sign in before downloading, are another way to provide this protection.
Protecting your firm from cyberattacks requires constant vigilance. Just because you lack the resources of a large firm, such as an IT department or provider, does not mean you cannot protect yourself, your firm and your clients. By understanding that you are at high risk, implementing new security solutions, educating staff and completing a full security assessment, you can make huge strides in staying secure. These simple steps build company-wide awareness and make cybersecurity a core part of operations, giving your practice and your clients peace of mind.
Justin Dolly is EVP, chief security officer and CIO at Malwarebytes.