A guide to cybersecurity best practices for accounting firms

The past 12 months have been marred by data breaches and cyber crime on a global scale, with cybersecurity appearing in mainstream media on a regular basis.


Attacks such as Business Email Compromise (BEC) have risen globally, with the US alone reporting estimated losses of roughly $2.4 billion.

Accountants and bookkeepers, especially those in small and medium-sized firms, are attractive targets for attackers for two reasons:

  1. You hold a goldmine of information

  2. You don’t draw the same public and police attention as larger firms 

Therefore, it’s more important than ever that you understand what cyber threats exist and how you can take action to minimize risk. 

Here are best practice guardrails to keep your firm safe from a cybersecurity attack.

Understanding common cybersecurity threats

Bad actors are constantly updating their tactics to try to compromise your systems, but most cyber attacks fall into a handful of archetypes. Understanding these approaches is a first line of defense that costs nothing to put in place.

Below are four of the most common and most devastating types of threats to be aware of.

1. Social engineering

Social engineering is the term used to describe bad actors tricking people into handing over sensitive information or access to systems. People tend to think of hacking as a purely technical act, but social engineering works on people, whether by phone, in person or through a message.

For example, an attacker might pretend to be a trustworthy person or organization, such as a bank or a government agency, and ask for personal information such as login credentials or financial details. That definition covers a lot of ground, so social engineering is best thought of as an umbrella term for several of the threats unpacked below.

As an accounting professional, it's important to be aware of these tactics and to be cautious about giving out information or access to systems, especially if you’re not sure about the identity of the person or organization requesting it. It’s also important that you know how to recognize and report any suspicious activity or requests (more information on that later).

2. Phishing

Phishing is social engineering carried out through technology: rather than approaching you in person, the scammer sends a message designed to trick you into giving away sensitive information.

It’s usually done by sending fake emails or messages that look like they're from a legitimate company or organization and asking for your information. Because of this, it's important to be careful when giving out personal information online, and to always double-check that the message is really coming from the source it claims.

As an accounting professional, you often receive emails from financial institutions, banks or other companies that you work with. These kinds of messages are easy to imitate, so don't click suspicious links or provide sensitive information in reply. You can always verify the authenticity of an email by contacting the institution directly by phone or through a separate email address, using contact details you already have on file rather than any phone number or link supplied in the message itself.

Image: The hallmarks of a phishing email

3. Business Email Compromise (BEC)

Business Email Compromise (BEC) is another umbrella term, covering attacks on businesses, organizations and individuals who regularly conduct financial transactions over email.

In a BEC attack, the attacker impersonates a trusted party, such as a CEO or a vendor, and sends fraudulent emails to trick the recipient into transferring funds or sharing sensitive information.

You can imagine the devastation this could cause if an attacker compromised your email and was then able to email your clients while impersonating you. Attackers use a variety of tactics, including social engineering and phishing, to gain access to email accounts and intercept or manipulate messages. They may also spoof email addresses, or register a lookalike domain one character off from yours, so that messages appear to come from a trusted source.

Again, because you often have access to sensitive financial information and are responsible for transferring funds on behalf of your clients, you are a prime target for BEC attacks.

In a typical BEC attack impersonating an accountant or bookkeeper, the attacker asks the client to send sensitive information or to transfer funds to a fraudulent account, often framed as a change of bank details. The single most effective control is to treat every request to change payment details as unverified until it has been confirmed by phone, using a number already on file, before any money moves.
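The phishing hallmarks above and the BEC pattern just described can be checked mechanically. The following is an added example, not code from the original article: a small triage script that parses a raw email and flags a mismatched Reply-To, a lookalike of a trusted domain, failed SPF/DKIM/DMARC results, link text that points elsewhere than its href, pressure wording and requests to redirect a payment. The trusted domains, phrase lists and the three sample messages (one credential phish, one BEC payment-redirection email, one genuine notification) are all constructed for illustration.

```python
# Added example (not from the original article): flag the phishing and BEC hallmarks described
# above in a raw email. Trusted domains, phrase lists and the sample messages are constructed.
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "ourfirm.example"}  # hypothetical firm and its bank
PRESSURE_PHRASES = ("urgent", "immediately", "within 24 hours", "account will be suspended")
PAYMENT_PHRASES = ("new bank account", "updated banking details", "changed our bank", "wire transfer")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains a character or two off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one raw message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    from_dom = domain_of(parseaddr(str(msg.get("From", "")))[1])
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    # 1. Replies are silently routed to a domain other than the visible sender's.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply_addr}"))
    # 2. Sender domain imitates a trusted one: a typo-squat, or the trusted name buried in another domain.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and (trusted in from_dom or levenshtein(from_dom, trusted) <= 2):
            findings.append(("LOOKALIKE_DOMAIN", f"{from_dom} resembles {trusted}"))
    # 3. The receiving server recorded an SPF, DKIM or DMARC result other than "pass".
    auth = str(msg.get("Authentication-Results", ""))
    failed = [hit.group(0) for mech in ("spf", "dkim", "dmarc")
              if (hit := re.search(rf"\b{mech}=(\w+)", auth)) and hit.group(1).lower() != "pass"]
    if failed:
        findings.append(("AUTH_FAIL", ", ".join(failed)))
    # 4. Link text shows one domain while the underlying href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        label = label.strip()
        shown = urlparse(label if "://" in label else "http://" + label).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(("LINK_MISMATCH", f"shows {shown}, goes to {real}"))
    # 5. Pressure wording (phishing) or a request to redirect money (BEC).
    lowered = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(p in lowered for p in PRESSURE_PHRASES):
        findings.append(("PRESSURE_WORDING", "urgency or threat language"))
    if any(p in lowered for p in PAYMENT_PHRASES):
        findings.append(("PAYMENT_CHANGE", "asks to change where a payment goes"))
    return findings


# Constructed sample 1: credential phishing impersonating the firm's bank.
PHISH_SAMPLE = b"""\
From: "Example Bank Security" <alerts@examp1ebank.com>
Reply-To: alerts@mail-verify.example.net
Subject: Urgent: verify your account within 24 hours
Authentication-Results: mx.ourfirm.example; spf=fail smtp.mailfrom=examp1ebank.com; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://mail-verify.example.net/login">https://examplebank.com/secure</a> now or your account will be suspended.</p>
"""

# Constructed sample 3: a genuine notification from the bank, which should produce no findings.
BENIGN_SAMPLE = b"""\
From: "Example Bank" <alerts@examplebank.com>
Subject: Your May statement is available
Authentication-Results: mx.ourfirm.example; spf=pass smtp.mailfrom=examplebank.com; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Your statement is ready to view in online banking.
"""


def bec_sample() -> bytes:
    """Constructed sample 2: a lookalike of the firm's own domain tells a client to pay a new account.
    SPF, DKIM and DMARC all pass because the attacker owns ourfirrn.example, so passing
    authentication does not by itself prove the sender is who they appear to be."""
    m = EmailMessage()
    m["From"] = '"Jane Smith" <jane@ourfirrn.example>'
    m["Subject"] = "Updated banking details for this month's invoice"
    m["Authentication-Results"] = "mx.client.example; spf=pass; dkim=pass; dmarc=pass"
    m.set_content("Hi, we have changed our bank. Please send the wire transfer to the new account below.")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phishing", PHISH_SAMPLE), ("bec", bec_sample()), ("benign", BENIGN_SAMPLE)):
        print(label, analyse(raw) or "no hallmarks found")
```

Two points the BEC sample makes: the Authentication-Results header is only meaningful when your own mail server wrote it (an attacker can put anything in the headers of a message they send), and an attacker who registers a lookalike domain will pass SPF, DKIM and DMARC for it, so a clean authentication result is no substitute for the phone call described above. The lookalike check is deliberately loose (an edit distance of two) and will need a longer trusted-domain list and a lower threshold for very short domains in real use.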

4. Ransomware

Ransomware is one of the better-known types of attack. It is malicious software that encrypts a victim's files, making them inaccessible, and then demands payment in exchange for the decryption key. Many ransomware groups also copy data out before encrypting it and threaten to publish it, so good backups alone do not remove the damage.

Ransomware can be delivered through a variety of channels, including email, social media, or infected websites, and can cause significant financial and reputational damage to individuals and organizations.

Ransomware attacks targeting accountants and bookkeepers often use social engineering tactics to gain access to their systems. 

For example, an attacker may send an email that appears to be from a legitimate source, such as a client or vendor, with an attachment or link that, when clicked, installs the ransomware on your computer. 

Alternatively, the attacker may use a phishing email to trick you into revealing your login credentials, allowing the attacker to gain access to your system and deploy the ransomware.

Recommended reading: The Practice Protect Guide To Understanding Ransomware For Accounting & Bookkeeping Firms

Best practice for protecting your accounting firm 

Being aware of the broad cyber threats facing you is an important step, but there are a variety of actions you can take depending on your specific processes and how much you want to reduce the risk. 

We often break up cybersecurity into three core areas to address within a firm:

  1. Access and identity management

  2. Employee education and training

  3. Compliance documentation

1. Access and identity management

One of the biggest ways you can reduce risk is by implementing technology that adds an essential layer of security over all your digital processes.

Under that umbrella, access and identity management is a set of processes and technologies used to manage and control access to information and resources within an organization. 

For accountants and bookkeepers, this involves the management of user accounts, permissions, and roles, as well as enforcing security policies and procedures to ensure that sensitive financial information is only accessible to authorized individuals.

Effectively implementing access and identity technology is critical for accountants and bookkeepers to safeguard the confidentiality, integrity, and availability of financial data, and to maintain the trust of their clients and stakeholders.

Some of the key features to look out for in a good access and identity management tool include:

  • Managed multi-factor authentication

  • Advanced user and team permissions

  • IP lock, time lock, and location lock for email/application access

  • Password cloaking and encryption

  • One-click user lockout

  • Remote and third-party access controls
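To make the list above concrete, here is an added example, not code from the original article and not any vendor's implementation, of how these controls combine into a single deny-by-default access decision: least-privilege role permissions, mandatory MFA, an IP lock on office networks with a separate per-contractor network list for third-party access, a location lock, a time lock on office-local hours, and a lockout list. The roles, networks, hours and sample requests are constructed for illustration; in practice an identity provider supplies them.

```python
# Added example (not from the original article or any vendor's product): how the listed
# access controls combine into one deny-by-default decision. All values are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Set, Tuple

# Least privilege: each role gets only the permissions its work needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "bookkeeper": frozenset({"ledger:read", "ledger:write", "payroll:read"}),
    "partner": frozenset({"ledger:read", "ledger:write", "payroll:read", "payments:approve"}),
    "contractor": frozenset({"ledger:read"}),
}
OFFICE_TZ = timezone(timedelta(hours=10))  # fixed offset standing in for the office's local zone


@dataclass
class Policy:
    mfa_required: bool = True
    office_networks: Tuple[str, ...] = ("203.0.113.0/24",)  # IP lock (RFC 5737 documentation range)
    third_party_networks: Dict[str, Tuple[str, ...]] = field(default_factory=dict)  # per-contractor IP lock
    allowed_countries: FrozenSet[str] = frozenset({"AU"})  # location lock
    work_hours: Tuple[int, int] = (7, 19)  # time lock, office-local hours
    locked_users: Set[str] = field(default_factory=set)  # one-click lockout


@dataclass
class Request:
    user: str
    role: str
    source_ip: str
    country: str  # as resolved by the identity provider's geo-IP lookup (assumed)
    mfa_verified: bool
    when: datetime  # timezone-aware timestamp of the request
    permission: str  # e.g. "payments:approve"


def evaluate(req: Request, policy: Policy) -> Tuple[bool, List[str]]:
    """Every control must pass; all failures are returned so the audit log shows why access was denied."""
    reasons: List[str] = []
    if req.user in policy.locked_users:
        reasons.append("user is locked out")
    if policy.mfa_required and not req.mfa_verified:
        reasons.append("MFA not completed")
    # Contractors are confined to the networks declared for them; staff to the office networks.
    networks = policy.third_party_networks.get(req.user, ()) if req.role == "contractor" else policy.office_networks
    if not any(ip_address(req.source_ip) in ip_network(n) for n in networks):
        reasons.append(f"source IP {req.source_ip} is not on an approved network")
    if req.country not in policy.allowed_countries:
        reasons.append(f"access from {req.country} is not permitted")
    hour = req.when.astimezone(OFFICE_TZ).hour
    start, end = policy.work_hours
    if not start <= hour < end:
        reasons.append(f"{hour:02d}:00 office time is outside work hours")
    if req.permission not in ROLE_PERMISSIONS.get(req.role, frozenset()):
        reasons.append(f"role '{req.role}' does not include {req.permission}")
    return (not reasons, reasons)


# Constructed policy and requests.
POLICY = Policy(third_party_networks={"ext.auditor": ("198.51.100.0/24",)}, locked_users={"j.leaver"})
NOON_OFFICE = datetime(2024, 3, 4, 12, 0, tzinfo=OFFICE_TZ)

STAFF_OK = Request("a.bookkeeper", "bookkeeper", "203.0.113.25", "AU", True, NOON_OFFICE, "ledger:write")
STAFF_OVERREACH = Request("a.bookkeeper", "bookkeeper", "203.0.113.25", "AU", True, NOON_OFFICE, "payments:approve")
CONTRACTOR_OK = Request("ext.auditor", "contractor", "198.51.100.7", "AU", True, NOON_OFFICE, "ledger:read")
# A partner's stolen password used from abroad at 03:00 office time with no MFA: several controls fail.
STOLEN_CREDS = Request("p.partner", "partner", "192.0.2.9", "US", False,
                       datetime(2024, 3, 4, 3, 0, tzinfo=OFFICE_TZ), "payments:approve")
LOCKED_OUT = Request("j.leaver", "bookkeeper", "203.0.113.25", "AU", True, NOON_OFFICE, "ledger:read")

if __name__ == "__main__":
    for req in (STAFF_OK, STAFF_OVERREACH, CONTRACTOR_OK, STOLEN_CREDS, LOCKED_OUT):
        allowed, why = evaluate(req, POLICY)
        print(req.user, req.permission, "ALLOW" if allowed else "DENY: " + "; ".join(why))
```

The design point is that the controls are evaluated together and the request is denied if any one fails, with every failed control recorded rather than just the first: a stolen password used from the wrong country, off-hours and without MFA should show up in the log as exactly that, which is what makes the attempt recognisable as an attack rather than a forgotten token.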

2. Employee education and training

While there are many technical measures you can implement to improve your cybersecurity, it’s widely recognized that humans are one of the weakest links in the chain.

Humans are vulnerable to a variety of social engineering tactics (such as phishing emails) that are designed to exploit their trust, fear or lack of awareness. This human error is just as dangerous as any technical weakness.

To reduce the risk of human error or intentional sabotage, it is essential that you invest in awareness, education and training for your employees.

Training programs are designed to raise awareness about the importance of cybersecurity and the types of threats that employees may face. This can include training on how to recognize common attacks like phishing emails and how to report suspicious activity when it’s noticed. 

It’s also worth looking at how to mitigate specific types of threats, such as ransomware or social engineering attacks. By providing employees with this knowledge, they are better equipped to protect themselves and your firm from cyber threats.

3. Compliance documentation

Compliance is also a critical piece of holistic cybersecurity. Depending on which country you work in, there are legislated requirements around compliance. In the US, for example, IRS Publication 4557 requires tax professionals to maintain a Written Information Security Plan (WISP), a requirement that stems from the FTC Safeguards Rule. So it’s important to check what’s required in your country to meet the legal standard.

Additionally, there are several internal policies that can help your employees and contractors safely access and handle data, such as:

  • An internet and data usage policy

  • A third-party access agreement

You might also consider a Cyber Incident Response Plan, so that a well thought out process is in place in the unfortunate event of a breach: who to call, how to isolate affected machines and accounts, and how and when to notify clients and regulators.

Governments are cracking down on cyber breaches that involve customer data being compromised, and having compliance documentation in place for your firm is becoming essential to avoid penalties or litigation.

Next steps for your firm

There’s a lot to comprehend in the field of cybersecurity, but it needn’t be a subject you feel unable to understand or act on.

Taking the time to understand your risks and being pragmatic in putting in place protection is achievable at every firm. If you haven’t already, start with a review of your cybersecurity setup and seek professional help where relevant.