More than four billion records were stolen last year. There is exponential growth in the black market for stolen data. We are in a cyberwar.
If those words aren’t enough to get your attention, I have plenty of other statistics to add that I shared in my presentation, “The Future of Accounting Technology — Delivering Innovative Cybersecurity Solutions,” at Accountex USA 2017 in Boston.
Like the fact that weak or poor password management is at the root of more than 80% of cyberattacks. Or that more than 55% of businesses reported breaches last year. Or that 30,000 websites are hacked each day.
Before founding my cybersecurity company, I was a CPA with my own accounting company in Chicago. So I know firsthand that accounting firms are prime targets for cyber attackers because they have precisely the kind of data the bad guys seek: Social Security numbers, contact information, income data, and date of birth.
If a hacker has those things, he or she can monetize them. That’s done on black markets on the dark web, where medical records can fetch up to $1,000 each for their value in insurance fraud.
Small and midsize businesses are especially vulnerable. They usually don’t have formal IT budgets. Most don’t have IT managers on staff. SMBs typically have weaker protections, so they’re targeted first.
High Stakes for Accounting Firms
Accounting firms of all sizes now have more at stake. Forty-seven states have imposed fiduciary responsibilities on accountancies over the past decade, meaning that they may have to share the costs of a breach. Those costs can include lawsuits, penalties, reputational damage, and a share of damages suffered by clients. The average cost of a breach is now $7 million. If you have a small firm, can you really afford that?
The costs of recovery are a lot higher than many people know. One department store that had 40 million accounts stolen four years ago spent $120 million just to reissue credit cards. That doesn’t include the $2 billion in lost market capitalization, legal fees, customer communication costs, and the intangible value of a tarnished reputation.
A Changing Landscape
Today’s cyber criminals are smarter, better equipped, and more opportunistic than ever. Many people hold an outdated view of hackers as lone wolves who seek to do as much damage as possible. The reality is that the new breed of attackers specializes in precision and sophisticated deception. They’re smart, tech savvy, and often sponsored by deep-pocketed organizations. In the past, they were opportunistic; now they’re targeted.
That’s evident in a new breed of phishing attacks, which target individuals with emails that look legitimate in every sense. A message purporting to come from an IRS employee may sport an authentic-looking signature line and logo. It invites recipients to click through to a professional-looking website to verify their credentials. Once victims have entered their Social Security and phone numbers, their identity has been stolen. In most cases, they aren’t even aware they’ve been a victim.
A favorite new tactic of hackers is to use stolen Social Security numbers to file fraudulent tax returns in order to steal refunds from honest taxpayers. Criminals did this to the tune of $30 billion last year. The IRS reported that the volume of phishing emails requesting W-2 information from recipients has increased 870% this year alone.
Smartphones are a favorite new target of today’s hackers because they contain all sorts of useful personal information, including email addresses, social media accounts, calendars, contact lists, and login credentials. Some 70 million smartphones are lost or stolen each year, and fewer than 10% are recovered. The other 90% are keys to a treasure chest of personal information. If I have physical access to your device, there’s a 70% greater chance that I’ll be able to crack it.
Improved password security is the best defense against attacks, but awareness of good password hygiene remains surprisingly low. Keeper’s research on the most common passwords of 2016 found that the 25 most common passwords made up more than half of the 10 million that were examined in the study. Can you guess what was the most common password? “123456.” I know, I can’t stop shaking my head either.
Criminals know this. As a result, their attacks use increasingly sophisticated dictionaries that try the most common passwords against stolen databases. That means using one of those top 25 passwords is as good as using no password at all.
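As an added illustration of that point (example code, not from the original article or from Keeper), here is a defensive check for use at password creation in Python: it undoes the same cheap variations a cracking dictionary enumerates (case, trailing digits and punctuation, leet substitutions, reversal) so that trivial variants of a common password are rejected too. The seven-entry list, the substitution map and the sample passwords are constructed for the example.

```python
import re

# Constructed stand-in for a common-password list such as the study's top 25;
# a real check would load a much larger leaked-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "football", "admin"}

# Character swaps that cracking dictionaries enumerate; undoing them lets the check
# treat "P@ssw0rd" and "password" as the same entry.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i", "7": "t"})

def variants(candidate):
    """All cheap normalisations of a candidate that a mangling rule set would map back."""
    low = candidate.lower().strip()
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", low)   # "password2017!" -> "password"
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    forms |= {f[::-1] for f in list(forms)}           # "drowssap" is in the same dictionary
    return forms - {""}

def is_weak(candidate, min_length=12):
    """True when the password is too short or is a trivial variant of a common one."""
    if len(candidate) < min_length:
        return True
    return any(v in COMMON_PASSWORDS for v in variants(candidate))

def weak_fraction(passwords):
    """Share of a constructed password sample that the check would reject."""
    return sum(is_weak(p) for p in passwords) / len(passwords)

if __name__ == "__main__":
    # Constructed sample passwords for a quick demonstration.
    for p in ["123456", "P@ssw0rd2017!", "Football123456", "correct horse battery staple"]:
        print(f"{p!r:32} weak={is_weak(p)}")
```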
Then, as noted already, there’s phishing, a deceptive specialty that’s become an industry unto itself. Driven by the popularity of ransomware, the volume of phishing attacks grew 65% in 2016 over the previous year, according to the Anti-Phishing Working Group. Underscoring the effectiveness of phishing attacks, Verizon reported last year that up to 30% of phishing emails are opened.
Yet few businesses take basic preventive measures. In my Accountex presentation I asked how many of the attendees’ companies perform routine phishing tests. Only two hands went up. My recommendation: Run phishing test software. There’s a litany of them out there.
The irony is that many of the most serious attacks can be prevented with basic defenses: Educate employees, pay attention to setting permissions, and use a password manager. Most people have all the tools they need if they would only use them. Implement antivirus, anti-malware, and password management and you’re well on your way.
Simple Measures Accountants Should Take
Fortunately, the vast majority of attacks can be prevented with a few simple measures such as using strong passwords, encrypting files, guarding account access, and being cautious with email. Accountants should take some additional steps as well.
Start with the information you keep about your clients. Paper records are less convenient but more secure than electronic ones, since they can be kept under lock and key. It’s tempting to scan and convert paper documents to images, but if you do, be careful where you store those electronic files. An encrypted local hard drive or USB drive protected by two-factor authentication (2FA) is best. If you prefer to store in the cloud, use a service provider that offers 2FA at a minimum. An even better option is a secure online vault that encrypts stored documents.
Accounting software can be expensive, so it’s tempting to want to share accounts among multiple users. Please don’t do this. The larger the number of individuals who know the logon credentials, the greater the chance of disclosure. Even if you trust everyone in your firm implicitly, that doesn’t mean they’re exercising the same good security practices that you are. Look into multi-user licenses, which can often be purchased at a significant discount.
While most commercial accounting software products are pretty secure, be cautious about downloading records or reports to a local computer. Microsoft Excel security is limited to a single password, which is not sufficient for accounting use. You need 2FA at the machine level as well. For the same reason, you should avoid emailing spreadsheets containing sensitive information to clients or colleagues unless you do so on an internal, secure email system.
Sending documents as PDF files isn’t much safer, although PDF does offer an additional layer of protection through encrypted copy protection. This ensures, at least, that only one copy of the document exists. When providing passwords to recipients, don’t opt for a simple approach like the last four digits of a Social Security number. It’s better to call your clients and read passwords to them over the phone, or to agree on a password during one of your planning meetings. Never send passwords by email.
Email is a major vulnerability point. When exchanging emails with clients, make sure their email providers support Transport Layer Security (TLS), a stronger successor to Secure Sockets Layer (SSL). Most commercial email services now offer one or both of these protocols, but it may be up to the user to activate them. If you’re going to communicate with clients by email, be sure they have done so.
Also take steps to ensure that your office staff is on high alert for phishing attacks, in particular spear phishing, which targets specific individuals. Accountants are primary targets because of the value of information they hold. Savvy spear phishers are so good at trickery that their emails may be almost impossible to detect. Teach colleagues to look closely at originating email addresses and never click on a link unless they are certain where it takes them.
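As an added example, not part of the original article, here is a small Python triage check that applies the advice above to a raw email message: it flags a display name that invokes a trusted organisation while the address comes from somewhere else, a Reply-To that diverges from the sender, and links whose visible text names a different host than their href (the pattern of the IRS-themed lure described earlier). The trusted-domain list and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this firm treats as legitimate senders (constructed for the example).
TRUSTED_DOMAINS = {"irs.gov", "example-cpa.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)', re.I)

def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_findings(raw_msg):
    """Warnings for one raw message: display-name spoofing, Reply-To mismatch,
    and links whose visible text names a host different from their href."""
    msg = message_from_string(raw_msg)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = _domain_of(addr)
    # 1. Display name invokes a trusted organisation but the address is not from it.
    for trusted in sorted(TRUSTED_DOMAINS):
        org = trusted.split(".")[0]
        if re.search(r"\b%s\b" % re.escape(org), name.lower()) and \
                sender != trusted and not sender.endswith("." + trusted):
            findings.append(f"display name '{name}' suggests {trusted}, sender is '{sender}'")
    # 2. Replies would go to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain_of(reply) != sender:
        findings.append(f"Reply-To domain '{_domain_of(reply)}' differs from sender '{sender}'")
    # 3. Visible link text names a domain that the href does not actually go to.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != target:
            findings.append(f"link text shows '{shown.group(1)}' but points to '{target}'")
    return findings

# Constructed sample resembling the IRS-themed lure described above.
SAMPLE = """From: "IRS Taxpayer Services" <refunds@irs-verify.example>
Reply-To: collect@mailbox.example
To: cpa@example-cpa.com
Subject: Verify your credentials
Content-Type: text/html; charset=utf-8

<p>Please verify at <a href="http://login.irs-verify.example/verify">https://www.irs.gov/verify</a></p>
"""
if __name__ == "__main__":
    for finding in phishing_findings(SAMPLE):
        print("WARNING:", finding)
```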
Out in Public
Accountants should never use public Wi-Fi services to access or exchange sensitive information. Hackers can easily tap into public data streams and intercept data in plain text format. If you’re planning to use a public computer, invest in VPN software for end-to-end encryption.
Never put sensitive information on your smartphone unless you’re willing to protect it with 2FA. For the sake of convenience, many people use a simple PIN, pattern match, or biometric protection. Research has shown that PINs and patterns can be guessed by human or video observation, and that even face and fingerprint recognition systems don’t provide absolute protection. At a minimum, you need to combine two of these methods. You should also take advantage of features for remote phone locking and wiping.
When it comes to accounting security today, it’s never been truer that an ounce of protection is worth a pound of cure. Follow these guidelines and your chances of being compromised are minimal. Your clients will appreciate you for it.