INTRODUCTION
We live in a networked world, and network protection is no longer optional but a prime necessity for small and mid-sized accounting firms that handle sensitive client data. It should be seamless and thorough, regardless of the size or standing of the business. The practices and policies listed here are the preparation a firm needs for sound security, damage control and recovery from the consequences of any cyber breach.
IMPORTANCE OF CYBER SECURITY FOR SMALL AND MID-SIZED ACCOUNTING FIRMS
Cyber security is among the top issues on the minds of management and boards in just about every company, large or small, public or private, including small and mid-sized accounting firms. It is especially challenging for them because, when handling clients' sensitive data, there is no room for laxity.
Cyber
attacks may result in:
(i) regulatory actions;
(ii) negligence claims;
(iii) inability to meet contractual obligations; and
(iv) a damaging loss of trust among clients and
stakeholders.
Consequently, an attack may bring commercial losses as well as loss of reputation, disruption of operations and sometimes even business closure. Small breaches, if not addressed adequately, can grow into insurmountable problems. It is therefore better to take preventive measures at the organisational level.
By definition, accounting firms are trusted with some of the most intimate personal and financial information of their clients, and attackers are continually trying to get their hands on such critical, private information. This is not a great challenge for them: firms without appropriate cyber security measures at their core are easy to break into. That is all the more reason for accountants to be motivated and cautious about protecting their client data.
Understanding
the basics of cyber security ensures not only the safety of client information,
but also the longevity of the firm. Accounting companies thrive on their
reputation for privacy, just as much as their ability to crunch numbers, and
cyber security is a vital part of this reputation.
As the owner
/ manager of a small accounting, bookkeeping or finance firm, you’ve probably
faced questions about your cyber security and whether your firm could get
hacked in the same way that any larger financial institution might have been
hacked. The short answer is, yes!
THE CHALLENGE FOR ACCOUNTING FIRMS
Cyber-criminals usually target small and medium-sized accounting firms because such organisations place relatively less emphasis on data security, controls and risk evaluation; they are therefore more vulnerable than the big firms. In many cases such firms do not have sufficient IT staff, and not all employees are able to spot these issues, which creates further risk. The senior partners are especially at risk, since they are both easily identifiable online and most likely to conduct online banking transactions for their practices. Any savvy cyber-criminal is familiar with the techniques for hijacking account access and with the security features of online banking.
WHY ACCOUNTING FIRMS ARE AT HIGH RISK FOR CYBER ATTACKS
(a) They hold vast amounts of private data
Cyber attackers understand that accounting firms hold comprehensive, privileged information on high-net-worth (HNI) clients and organisations. In addition to tax documents, financial records, PAN and direct-deposit data, accountants may also hold years of private data. In fact, some accounting firms hold virtually complete personal financial records of their customers, which makes these practices important targets.
(b) They hold valuable corporate information
While many accounting firms deal exclusively with tax documents and related personal and business documents, other firms handle high-stakes corporate matters. Accounting firms that frequently deal with mergers, acquisitions and corporate restructuring hold data that might be of considerable 'interest' to cyber-criminals.
(c) Firms do not assess security risk
Unlike large accounting businesses, small and medium accounting firms often do not implement robust security measures. Yet all firms, regardless of size and location, are vulnerable to a variety of targeted attacks. Many cyber-criminals today run malware campaigns against small and medium accounting firms precisely to take advantage of inadequate data security.
No accounting firm can combat and prevent emerging security threats without assessing its security risk on a regular basis. A security risk assessment helps the firm check what client data each employee can access and how well each employee's device is protected against targeted attacks. It also helps the firm evaluate and improve its security strategy in light of the vulnerabilities found.
(d) Small firms tend to have insufficient security
While one might expect that big accounting firms have far more resources and also face the greatest risk of cyber attack, small and mid-sized firms are far more vulnerable to cyber threats. Indeed, some criminals target small accounting firms precisely because they typically have fewer security controls than they need. Some attackers launch strong, sustained attacks on small, poorly secured firms until they breach the firm's limited defences. Once they have access to an organisation's systems, cyber-criminals can routinely steal virtually any type of document, from financial records to emails.
(e) Small accounting firms may not recover from hacks
For small accounting practices, recovery may prove fairly tough, if not impossible. Clients pay accountants for their skills, but in return they expect trustworthiness and discretion. Once a firm has shown that it cannot provide adequate data security or protect its customers' privacy, the organisation may never regain its earlier level of business.
ACTION PLAN TO PROTECT YOUR FIRM FROM CYBER ATTACKS
1. Know The Applicable Laws
Any effort to strengthen cyber security for accounting firms starts with an understanding of the applicable laws. Every accounting firm is expected to protect its clients' Personally Identifiable Information (PII), that is, details which, if disclosed, 'could result in harm to the individual whose name or identity is linked with this information.' If such data is stolen and used for financial fraud, it can in some cases cost you three times the damages.
The following is a list of your
clients’ PII that your firm could be in custody of: PAN; Aadhaar number / data;
digital signatures; bank account numbers; residential address; residential or
mobile phone numbers; date of birth; place of birth; mother’s maiden name;
financial records; and so on.
2. Perform Regular Risk Assessments
Prevention
is indeed better than cure. New threats emerge every day and you need to
re-adjust your safeguards to adapt to these new threats. For your firm an
annual risk assessment should be sufficient.
And at the
minimum your risk assessment should include the following:
(a) A review of the client information your firm
is currently collecting, categorising which are regulated PII and sensitive
data;
(b) Identification of new laws and the applicable
commitments and requirements that your firm needs to fulfil for compliance;
(c) Partnering with a Managed Services Provider to limit your risk and to keep your systems protected and secure;
(d) Any change in your firm’s practices concerning
the acquisition, storage and sharing of client data that could open new
loopholes for financial identity theft;
(e) New developments in the regulatory and
business environment; and
(f) New technologies that your firm could be making better use of.
3. Create A Written Financial Identity Protection Policy
It is easier for your accountants to follow cyber security protocols if they are set out in a formal memo, in your employees' handbook, or clearly outlined in your standard operating procedures. A written cyber security policy can also serve as the springboard for training employees to be more cyber security savvy.
4. Update The Operating System
Whether you run Microsoft Windows or Apple Mac OS, the operating system requires frequent or continuous updates for strengthened security. System updates are especially significant for server operating systems, where all patches and updates must be reviewed and applied regularly. Regular OS updates, together with up-to-date firewalls and anti-virus on your workstations, provide more reliable protection against threats.
5. Email Security
Many accounting firms rely on email to communicate with clients, even to send tax documents or personal data. As email compromises have become increasingly common, it is crucial to secure professional email accounts, especially when transmitting important documents. This has also created a need for effective encryption, so that an intercepted message cannot be read by an untrusted third party.
More than 90% of cyber attacks begin with a phishing email. A vast majority of people open an email bearing an unknown individual's name without checking or verifying the actual sender's email address. Shielding your email from unauthorised access is of prime importance.
6. Anti-Virus Updates
Accounting firms need to ensure that anti-malware applications are set to check for updates frequently and to scan devices automatically on a set schedule, as well as any media inserted into a user's computer. In bigger firms, workstations should be configured to report the status of their anti-virus updates to a central server, which can then push out updates as they are released.
7. Internet Security
Browser downloads are another leading vector of cyber attack. Internet searches can lead you to compromised websites which infect your network with viruses and malware. To prevent this type of attack, install all the latest security patches on your computers and servers. Install a hardware firewall router with gateway anti-virus, gateway anti-malware and an intrusion prevention system to stop the malware before it gets into your private network. Routers provided by your Internet Service Provider do not have this type of security; while they might be adequate for your home, they are not designed for use in a business organisation.
8. Protection For Mobile Devices
As commerce moves into the mobile space, so do attackers. Make sure that any employee who uses a mobile device encrypts its data, protects the device with a password (one that is different from any other password in use) and uses the latest security apps on the phone to ward off malicious third parties.
9. Protection For USB Devices
USB drives, also known as pen drives, have become a popular means of storing files and transporting them from one computer to another. Their appeal lies in the fact that they are small, readily available, inexpensive and extremely portable. However, these same characteristics also make them attractive to attackers. And it is not just pen drives that are the culprits: any device that plugs into a USB port, including electronic picture frames, iPods and cameras, can be used to spread malware.
There are numerous ways for attackers to use USB drives to infect computers. The most common is to place malicious code, or malware, on the device, which activates when the device is plugged into a computer and infects it. Often, an organisation's biggest weakness is not a malicious insider but an employee who simply does not understand the security risks of their actions.
There are
steps you can take to protect the data on your USB drive and on any computer
into which you might plug the drive:
(i) Take advantage of security features
Use
passwords and encryption on your USB drive to protect your data and make sure
that you have the information backed up in case your drive is lost.
(ii) Keep personal and business USB drives separate
Do not use
personal USB drives on company computers and do not plug USB drives containing
corporate information into your personal computer.
(iii) Use security software and keep all software up to date
Use a
firewall, anti-virus software and anti-spyware software to make your computer less
vulnerable to attacks and make sure to keep the virus definitions current. It’s
also important to keep both the operating system and other software on your
computer up to date by applying any necessary patches.
(iv) Do not plug an unknown USB drive into your computer
If you find
a USB drive, do not plug it into your computer to view the contents or to try
to identify the owner.
(v) Disable Autorun
The Autorun
feature in Windows causes removable media such as CDs, DVDs and USB drives to
open automatically when they are inserted into a drive. By disabling Autorun,
you can prevent malicious code on an infected USB drive from opening
automatically.
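The following script is an added example, not part of the original article: it checks and enforces the Windows AutoRun policy described above. It assumes an elevated PowerShell session on a Windows workstation and uses the standard Explorer policy registry values.

```powershell
# Added example (not from the original article): check and enforce the
# Windows AutoRun policy that the article recommends disabling.
# Assumes an elevated PowerShell session on a Windows workstation.
# NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type;
# HonorAutorunSetting = 1 makes Windows honour that policy value.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDriveTypes = 0xFF

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun value, or $null if it is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutoRunDisabled {
    # AutoRun counts as disabled only when every drive-type bit is set.
    $value = Get-AutoRunPolicy
    return ($null -ne $value) -and (($value -band $AllDriveTypes) -eq $AllDriveTypes)
}

function Disable-AutoRun {
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDriveTypes -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' -Value 1 -Type DWord
}

if (Test-AutoRunDisabled) {
    Write-Output 'AutoRun is already disabled for all drive types.'
} else {
    $current = Get-AutoRunPolicy
    if ($null -eq $current) { $current = 'not set' } else { $current = ('0x{0:X2}' -f $current) }
    Write-Output "Current NoDriveTypeAutoRun: $current; applying 0xFF."
    Disable-AutoRun
    if (Test-AutoRunDisabled) {
        Write-Output 'AutoRun disabled. Users must sign out and back in for the change to apply.'
    }
}
```

Running the script on a schedule, or as part of workstation build, catches machines where the policy has drifted back to the default.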
(vi) Develop and enforce USB drive-related policies
Make sure employees are aware of the dangers inherent in USB drives and of your organisation's policy on their proper use.
10. Backing Up Data Religiously
If all your data is in one place, it is nowhere. Back up all of your most important data on a regular basis. This may seem counter-intuitive to the concept of security, as you are creating another copy of data that could be hacked. However, if the backup is transmitted securely over a private or public network to an off-site server, it drastically reduces the chances of a breach or data loss. There are additional fees for this type of backup, but it is currently one of the best methods of protection.
11. Encrypt Backup Data
Firms should
encrypt any backup media that leaves the workplace and also validate that the
backup is complete and usable. They should frequently review backup logs for
completion and restore files randomly to ensure that they will actually work
when required. Hiring an IT specialist is advisable to set up your firm’s
network and ensure your data is encrypted and secured. As a professional, your
responsibility is to ensure that data is secure when it’s in your custody.
Moreover, a backup is a definite must for any business.
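The restore drill recommended above, as an added example that is not part of the original article: it restores a backup archive into a scratch folder, checks that every live file is present, and hash-compares a random sample of restored files against the originals. It assumes the backup is a ZIP archive of a single source folder; the two paths are placeholders.

```powershell
# Added example (not from the original article): a restore drill that checks
# a backup archive is complete and that restored files match the originals.
# Assumes the backup is a ZIP archive of one source folder; both paths below
# are placeholders to replace with the firm's own locations.

param(
    [string]$SourceRoot    = 'C:\FirmData',                # placeholder
    [string]$BackupArchive = 'D:\Backups\FirmData.zip',    # placeholder
    [int]$SampleSize       = 10                            # files to hash-compare
)

function Get-RelativePath([string]$Root, [string]$FullPath) {
    return $FullPath.Substring($Root.TrimEnd('\').Length).TrimStart('\')
}

function Test-BackupRestore([string]$Root, [string]$Archive, [int]$Sample) {
    # Restore into a throw-away folder so the live data is never touched.
    $restoreDir = Join-Path ([IO.Path]::GetTempPath()) ('restore-drill-' + [guid]::NewGuid())
    Expand-Archive -Path $Archive -DestinationPath $restoreDir -Force
    try {
        $sourceFiles = @(Get-ChildItem -Path $Root -File -Recurse)
        $missing = @(); $mismatched = @()

        # Completeness check: every live file must exist in the restored copy.
        foreach ($f in $sourceFiles) {
            $rel = Get-RelativePath $Root $f.FullName
            if (-not (Test-Path -LiteralPath (Join-Path $restoreDir $rel))) { $missing += $rel }
        }

        # Usability check: a random sample must hash identically after restore.
        $count  = [Math]::Min($Sample, $sourceFiles.Count)
        $picked = if ($count -gt 0) { @($sourceFiles | Get-Random -Count $count) } else { @() }
        foreach ($f in $picked) {
            $rel = Get-RelativePath $Root $f.FullName
            $restored = Join-Path $restoreDir $rel
            if (-not (Test-Path -LiteralPath $restored)) { continue }   # already in $missing
            $live = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            $copy = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
            if ($live -ne $copy) { $mismatched += $rel }
        }

        return [pscustomobject]@{
            FilesChecked = $sourceFiles.Count
            FilesSampled = $picked.Count
            Missing      = $missing
            Mismatched   = $mismatched
            Passed       = ($missing.Count -eq 0 -and $mismatched.Count -eq 0)
        }
    }
    finally {
        # Clean up the restored copy regardless of outcome.
        Remove-Item -LiteralPath $restoreDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$result = Test-BackupRestore -Root $SourceRoot -Archive $BackupArchive -Sample $SampleSize
$result | Format-List
if (-not $result.Passed) { exit 1 }   # non-zero exit so a scheduler can flag a failed drill
```

If the backup is stored encrypted, decrypt it to a temporary archive first and point the script at that copy; the drill then also proves the encryption key is still usable.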
12. Educate Employees
Most breaches of accounting companies occur because of a back door innocently left open by an employee. Although hacking tools are becoming more sophisticated, most of them cannot force their way into a properly managed security perimeter.
Security education is a must and should be conducted at least once a year. In addition to covering the firm's own policies, employees should be regularly instructed on current attack techniques such as phishing, and on dangerous threats such as ransomware and social engineering, which attackers use to gain access to a user's PC. Note: NEVER share your login, password or confidential information over the phone with people you do not know. Firms should review IT / computer usage policies and provide refresher training to employees at least once a year on all new and updated policies.
13. Wireless Security
Secure remote / wireless access into your network should be planned, tested and only then implemented. Deploy a strong password policy, and set up a separate guest network for visitors to your office who need internet access via your wireless system. This prevents guests from reaching the systems and resources on your internal network, which matters particularly when a visitor's workstation or device is infected.
14. Move Your Data To The Cloud
Transporting
data using a USB drive is not secure. Data stored on the cloud has greater
protection than data stored on company servers. The move to such cloud services
can change business habits that help ensure a more secure accounting firm. For
example, if all company data is stored on the cloud, then there’s less need for
workers to email attachments to one another. When team members become less
reliant on email, it helps minimise the risk of falling victim to phishing
emails. Cloud accounting can make your business more efficient. It lets you
provide basic accounting services more easily – and in a cost-effective manner.
If you have not yet moved your accounting practice to the cloud, you most likely believe it is a complicated thing to do. But migrating your practice to the cloud is not that hard; it will improve your efficiency, save money and make your clients feel safer than they do now.
15. Test Security Measures
Hire security specialists for proper configuration when implementing firewalls and security-related features such as remote access and wireless routers. Chances are your internal IT people have not had adequate security training, or have no experience setting up a new device. External resources can likewise be called upon to carry out penetration testing to identify and remediate system vulnerabilities.
16. BYOD Policies
The bring your own device (BYOD) trend has seen rapid growth in offices throughout the country. Since many accountants access company and client data on their personal devices, it is essential for firms to have cyber security policies for such devices. Some accounting firms have decided to prohibit the use of personal gadgets for organisational matters entirely, while others have imposed limits on the data that can be accessed on them. Such devices are easily targeted by attackers seeking confidential client data. It is therefore in the best interest of accounting firms not to allow BYOD, so that the data never leaves the office.
17. Remote Working And Cyber Security
Large accounting firms deploy
resources for management of threats related to cyber security. They are well
equipped with infrastructure as well as manpower to keep such threats at bay.
But small and mid-sized firms may not enjoy similar privileges and could be
relatively more vulnerable to cyber threats.
Many firms
leverage cloud-based computing to enable employees to access accounting
software and client data remotely over the internet. The cloud-based services
and solutions even help accounting businesses to operate in distributed
environments. However, remote data access makes it easier for hackers to steal
and misuse sensitive financial data of clients.
Firms must require employees to access the firm's computers and business applications over a secure Virtual Private Network (VPN). A secure VPN protects data in transit and helps the business avoid these security risks.
Along with that, it is recommended to use genuine and trusted software, such as Microsoft Remote Desktop, for remote access. The firm must also implement multi-factor authentication to ensure that unauthorised users cannot access the data stored in the cloud.
Recently, a large number of accounting firms have turned to remote staffing agencies and hired such staff to work for them. This can heighten their anxiety about client data, as they cannot monitor every setup personally. In such cases the role of the remote staffing agency becomes all the more important. Since the remote staff actually work from their own remote offices, those offices need to be secured in terms of both policies and practices.
CONCLUSION
Isn’t
technology a crucial factor in cyber security for accounting firms? Some may
even go so far as to say that technology is at fault for all the modern-day
data espionage. However, you need to understand that it’s not technology per
se, but the poor implementation of the technology that is responsible.
One way that
accounting firms are jeopardising their own cyber security is by burdening
their employees with overseeing the implementation, management and maintenance
of these technologies. Between servicing your clients and fulfilling internal
administrative tasks, adding cyber security to your accountants’ long to-do
list is hitting a nail into your data-protection coffin. Something is bound to
fall through the cracks. It would be best to partner with a managed services
provider to take care of your cyber security and tech management needs.
All
professionals owe a duty to their clients, managers and other employees to
address digital security. Active contribution is the key to addressing the
risks of illegal cyber activities. Understand your data and focus efforts on
the most critical information, implement encryption, become compliant with
cyber security regulations, educate employees about mobile devices and devise a
basic set of desktop security policies. These steps are a good initial move,
but they do not completely cover the gamut of standards and protocols seen in a
high-quality Cyber Security Risk Management System.
Accounting firms
that also have teams working from remote locations need to select their vendors
after due research and assurance that the data shared would be as secure as
demanded by their clients.