Cyber security is probably not your favorite topic if you’re an accountant. But the fact is, accounting businesses are becoming increasingly popular targets for cybercriminals. And if you’re not careful, you could be the next business to fall victim to a data breach. So what can you do to protect yourself and your clients? Read on to find out!
Why is an accounting firm an attractive target for cyber attacks?
An accounting firm is an attractive target for cyber attacks for several reasons. First and foremost, accounting firms handle enormous amounts of sensitive financial data. This data can be used to commit identity theft, fraud, or other crimes.
In the context of a cyber attack, sensitive data is any information that can be used to fraudulently access someone’s accounts or impersonate them. This includes Social Security numbers, birthdates, addresses, and financial information.
Everyone should protect this data, but accountants and other financial professionals must be extra vigilant. After all, if a client’s sensitive data falls into the wrong hands, it could lead to serious financial problems for the client and serious liability for the firm.
Accounting Firm Hacks
Deloitte: In an attack that began in late 2016 and was disclosed in 2017, one of the “Big 4” had its email system compromised, exposing confidential client emails.
MNP LLP: In 2020, one of the largest accounting firms in Canada was hit by a ransomware attack. The attack was remediated, and it is unclear whether any data was lost, but the firm did suffer downtime as a result.
Remote working and its impact on Data Security
CPA firms, tax firms & accounting firms often have some infrastructure dedicated to protecting confidential data in their own office. Still, the COVID-19 pandemic added a new layer of risk to working from home. Deloitte & PwC wrote cyber security bulletins aimed at accounting professionals on keeping your valuable data safe in the new remote work environment.
If you haven’t implemented remote work security measures, now is the time. Your firm’s critical data is at risk whenever it travels over insecure home networks or sits on personal devices, and you may no longer qualify for cyber insurance under the underwriter requirements introduced in 2022.
Proactive Steps You Can Take
Multi-Factor Authentication (MFA)
This is one of the most critical cybersecurity practices you can implement, and the best part is that it’s free.
Multi-Factor Authentication means proving who you are with more than one factor: something you know (your password) plus something you have or something you are. For a small firm, the most practical second factor is a mobile authenticator app such as Google Authenticator, Microsoft Authenticator, or LastPass Authenticator, which generates a unique 6-digit code every 30 seconds (a time-based one-time password, or TOTP).
When you log in to a website, app, or service with MFA enabled, it asks for the current code; you open the app, type in the six digits, and the login completes.
The code is computed on your phone from a secret shared with the service plus the current time, so it never travels over email or SMS and expires within 30 seconds. A criminal who has only your username and password cannot log in. One caveat: a phishing page that relays your password and the fresh code to the real site in real time can still get in, so never type a code into a page you reached from an emailed link.
MFA vs. Two-Factor Authentication (2FA)
2FA is authentication that uses exactly two factors to verify your identity: something you know (like a password) and something you have (like a code generated on your phone).
MFA is the general term for two or more factors, so every 2FA setup is a form of MFA. Adding a third factor, something you are, such as a fingerprint or Face ID, makes it stronger still, but what matters most is that the second factor is not one an attacker can obtain along with your password.
Not all second factors are equal. If a criminal has your email password, a code sent to that same mailbox is no obstacle at all, so email-delivered codes add little protection.
Codes sent by text message are weak as well, because a criminal who already holds your personal information can impersonate you to your carrier. Socially engineering a mobile provider into moving your number to a new SIM (a SIM swap) is a common technique that lets criminals receive your text-based 2FA codes.
If you’re unfamiliar with authenticator apps, download one today and learn how to use it. App-based MFA should be enabled on your banking, bookkeeping, email, and anything else that holds sensitive information.
Use a Password Manager
Cybersecurity best practices state that every password should be unique, at least 12 characters long, and built from a mix of letters, numbers, and special characters.
Without a password manager, your chance of actually following these practices is virtually nil: dozens of long, random passwords cannot be memorized, and writing them on paper or in an unencrypted file undermines the whole point.
A password manager is an application that stores all of your website logins and passwords in an encrypted “vault.” The best ones also have a password generator so that you can create unique, complex passwords for each site.
LastPass and 1Password are two of the most popular password managers.
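The generator built into a password manager does two things the paragraph above asks for: it draws characters from a cryptographically secure random source, and it enforces the length and character-mix policy. The following is an added example (not code from LastPass, 1Password or Nerds On Site) showing both, plus the entropy arithmetic behind the 12-character minimum. The policy thresholds are the ones stated in the text; the sample passwords in the comments are constructed.

```python
import math
import secrets
import string

# Character classes the policy requires; 94 printable ASCII symbols in total.
LOWER, UPPER, DIGITS, SPECIAL = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL
MIN_LENGTH = 12   # minimum length from the policy stated above


def meets_policy(password: str) -> bool:
    """Length and character-mix check. Uniqueness across sites is a property of
    the vault, not of any single password, so it is not checked here."""
    return (len(password) >= MIN_LENGTH
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIAL for c in password))


def generate_password(length: int = 16) -> str:
    """Draw characters with the `secrets` module (a CSPRNG), never `random`,
    whose output is predictable from its seed. Redraws until every required
    class is present, so the result always satisfies meets_policy()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw))
    # Why the minimum is 12: 8 random characters from this alphabet give about
    # 52 bits, 12 give about 79 bits, and 16 give about 105 bits.
    for n in (8, 12, 16):
        print(n, round(entropy_bits(n), 1))
```

The entropy figures only hold for passwords that really are random; a human-chosen string such as a pet’s name with a digit appended passes `meets_policy()` but has nowhere near 79 bits of guessing work, which is exactly why the generator, not the policy check, is the part that matters.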
Cybersecurity Policies & Procedures (P&P)
Your accounting business should have a written cybersecurity policy and procedure in place. This document should outline your business’s steps to protect its data and systems from cyberattacks.
These can include:
- A data breach response plan.
- Device policies.
- Computer use policies.
- Password policies.
- Physical security policies.
- Software updates and patch management procedures.
- Data management & backup policies.
Cyber Security Assessment
A cyber security assessment is integral to protecting your accounting business from cyberattacks. This process involves identifying your business’s vulnerabilities and risks and developing solutions to address them.
Some factors that should be considered during a cyber security assessment include:
- The type of data your accounting business stores and processes.
- The number and types of devices your employees use.
- The way your employees access company data.
- Your business’ compliance requirements.
- The steps you’ve already taken to protect your data.
Once the assessment is complete, you’ll have a clearer picture of the threats your business faces and can put the necessary measures in place to mitigate those risks.
Invest in Cyber Insurance
Cyber insurance covers your business in the event of a data breach. It can help you with the costs of notifying customers, providing credit monitoring, and hiring a public relations firm to help with damage control.
It’s important to note that cyber insurance is not a replacement for good cybersecurity practices. Underwriters will look at your security posture when determining your premiums and may not cover you if they feel you’re not taking proper precautions.
In 2022, the Insurance Services Office (ISO) released new underwriting standards for cyber insurance. These standards will require businesses to have certain cybersecurity practices, or they will not qualify for coverage.
Contact Nerds On Site
We have a long history of working with CPAs & accounting firms in the USA & Canada. Clients that have implemented our security practices have had zero instances of ransomware, and we currently protect over two million devices globally.
We can help you:
- Secure your network with Zero Trust
- Remove ransomware & phishing risk
- Implement robust cyber security policies & procedures
- Secure remote workers through Zero Trust VPN
- Fully secure mobile devices
- Train your team with Security Awareness Training
- Be your technology partner, 24/7/365
Nerds On Site has been working with SMEs since 1995, and while we know how to talk nerdy, we pride ourselves on being able to communicate in plain business English when it comes to our Clients. Please get in touch to find out how we could help your accounting business. We offer a free initial consultation to assess your specific needs.