Accounting firms at high risk of cyber attack
Accounting firms in Australia are prime targets for cyber criminals wanting to steal highly confidential client data that can be sold online to other criminals. Due to the sheer amount of valuable financial data accounting firms hold, they are prime targets for cyber-attacks. Unsurprisingly, small and medium-sized accounting firms, are often less likely to have proper defences against cyberattacks in place.
Ever since the “notifiable data breaches” provisions of the Privacy Act came into effect in 2018, the accounting industry has continued to be the top target for cybercriminals in Australia. Accountants, finance professionals and business owners who have access to sensitive financial and other personal client data are at the front line of cybercrime.
Recent data from the OAIC’s Notifiable Data Breach Report found that within the finance industry, 464 breaches were notified under the scheme, an increase of 6% compared with 436 notifications from January to June 2021.
Malicious or criminal attacks were the leading source of breaches for legal, accounting and management services (71%), with human error the leading source of breaches in the finance sector (48%).
To deter from the rising threats against your accounting firm, your staff and your clients, it is important to know those dangers coming from, and what methods are cybercriminals deploying to breach your firm’s cyber defences.
If you’ve heard of phrases like data theft, malware, ransomware and phishing before, but don’t know what they meant, then this article is for you.
A cyber attack costs small accounting practices an average of $39,555 medium-sized practices approximately $88,406 and large practices $62,233
2021-22 ACSC Annual Cyber Threat Report
What is a cybersecurity threat?
A cybersecurity threat is a malicious act that disrupts one’s digital life by damaging or stealing private data. These threats might occur through data security breaches, denial of service attacks, or computer viruses.
Cyber attackers use a wide variety of tactics to gain access to a target’s data, from “traditional” email phishing — which can download viruses or ransomware into the system — to “malware-free” attacks which do not install any software on the victim’s machine. Attackers who deploy malware-free methods can compromise an organisation in several ways — using stolen credentials, an unsecured device connected to the internet or a system misconfiguration. They can then ‘live off the land’ and steal data from within the organisation’s systems as they blend in with the normal flow of business.
The newest tactics in use today are email thread hijacking and spam campaigns, which steal content from the user’s email address and can use subject lines to recognise a thread; a reply is then formulated to the thread which drastically increases the likelihood of the recipient opening a malicious attachment or link.
Cybersecurity threats faced by financial institutions
Cybercrimes have been the most significant hazards facing accounting firms and the financial sector recently. The incidences have increased significantly in the past few years as hackers improve their technology and expertise. This makes it difficult for businesses to curtail their attacks consistently. The following are some of the dangers that face accountants and finance companies.
Phishing attacks are one of the most frequent cybersecurity threats to accounting firms. These days many online scammers are using phishing emails to convince accountants to hand over sensitive financial data willingly -with often disastrous results.
Classified as Advanced Persistent Threats (APT), they have disastrous effects through reputation, data, and financial losses. With an APT, a non-permitted user accesses the system and uses it without getting noticed for a long time.
Here are some examples of phishing scams affecting accountants:
1. Copyright Infringement Claim
The Scam: An email is sent claiming that you are using copyright protected images on your website without permission. To prove their claim, all you have to do is click on a link to download the evidence.
The solution: Don’t click on a link in an email from anyone you don’t know. If you receive an email like this and you want to make sure there’s no real issue, check with your website developer or marketing team, you would normally have purchased your website images through a licensing agreement with a stock photography agency like Getty Images.
2. Fake Domain Invoice
The Scam: Many accountants don’t remember where they bought their domain or who is responsible for renewing it. Online scammers take advantage of this and use it as bait to scare people into paying fake domain renewal invoices. If you get an email threatening that your domain will “terminate in 24 hours”, don’t panic and don’t pay.
The solution: To put your mind at ease, contact your website hosting provider or look yourself by clicking https://who.is/ and type your domain in the field provided at the top. The information returned will include the “registrar” or company where your domain was purchased like GoDaddy, Google Domains, Network Solutions, etc. It will also clearly tell you what date your domain expires.
3. Email Upgrade
The scam: An email to make you believe that your email account is somehow about to “expire” and all you have to do is enter your password in order to login and fix the problem.
The solution: If you receive an email asking for a password, don’t send it! Your Managed Service Provider will never request this info in an email.
One of the most popular ways cybercriminals (or hackers) attack users is by delivering ransomware on their devices. The definition of ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return. When your data is held hostage like this, the consequences can be costly.
Not only can a ransomware attack lead to huge financial losses, but this can lead to a severely damaged reputation. Your clients count on you to protect their information, so if they find themselves as a victim of a cyberattack, they will quickly lose their trust in you and take their business elsewhere.
To prevent your business from falling victim to a Ransomware attack take the following steps:
One of the most effective approaches to protect your business from a ransomware attack is to consider a cyber security strategy and proper education:
- Ensure staff only open emails from a trusted sender; don’t click on non verified links and scan attachments for viruses before downloading.
- Implementing security training with frequent sessions and simulated cyberattacks.
- Backing up your data frequently and in various secure locations so that, in the event of an attack, you can recover your data as quickly as possible.
- Developing processes and educating your team on how to properly send and receive sensitive and confidential documents to one another and to your clients.
- Restricting access to sensitive data and documenting who has permission to view confidential information.
- Using a password manager to securely store your existing passwords and generate secure passwords for various websites and accounts.
- Applying multi-factor authentication where possible.
Human error is the leading cause of cyber security threats in accounting firms, in fact 90% of data breaches are caused by humans, according to Kaspersky. If your people aren’t trained in how to manage sensitive data while accessing their work remotely, it can open you up to significant vulnerabilities to the firm and its clients.
Employees are focused on the job they have been hired them to do and when faced with to-do lists, distractions, and pressure to get things done quickly, mistakes can happen. Stepping users through security awareness training is a must that you simply cannot afford not to do.
Welcome to the Cyber Security Best Practice Learning Centre
The Cyber Insurance + Cyber Security in 2023 edition.
Enjoy on-demand content, including our Best Practices Guide to help your Accounting Firm improve its cyber security posture.
Importance of cybersecurity to Accounting Firms
The risks and associated exposures of a cyberattack on an accounting firm can be devastating.
Not only can an accounting firm data breach may lead to reputational damage and costly first-party and third-party losses, but there’s also the fallout that the public eye rarely sees, the damage it wreaks inside the firm.
Below are a few examples of cybersecurity fallout:
- Direct loss of turnover.
- Legal ramifications for directors and the business itself
- Financial Loss
- Data Loss
- Increased staff churn.
- Customers fleeing to more secure competitors.
- Management spending their time on tasks that aren’t profit-generating.
- Clean-up costs.
- Change in customer perception.
- Reduced competitiveness.
EXCERPT ON DIRECTORS DUTIES
Cyber security, privacy and data protection - implications for Directors Duties all Accounting firms need to know
Australian company directors are facing an increase in responsibilities as enterprise transitions further into the digital economy.
The Australian government and regulators are currently reviewing the scope of directors’ duties concerning digital security, privacy and consumer matters. We expect directors’ duties to expand.
The bottom line
Your enterprise management must include regular and ongoing consideration of cyber security. Including risk-assessment and investment in the development and implementation of a resilient digital strategy.
Directors Duties Include:
- Addressing cyber security and managing risk: A failure to take action could result in directors being held personally liable for a breach of directors’ duties through civil litigation with consumers or failing to comply with current (and new) legislation.
- Directors of listed companies must consider cyber breaches (and risks) in any prospectus issue and as part of their periodic and continuous disclosure obligations.
- In 2015, ASIC confirmed cyber security falls within directors’ duties and identified cyber security and resilience as high-risk areas for enterprise, warning it would be the subject of future review. Report 429 Cyber Resilience: Health Check 2015.
- Boards overseeing critical infrastructure corporations will oversee the introduction of baseline cyber security, the implementation of enhanced cyber risk management programs for assets of national significance, and mandatory cyber incident reporting. The government recently introduced the (Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth) and if passed, it will affect above.
And there is more to come. A mandatory review of directors’ duties is included in Australia’s Cyber Security Strategy 2020 (the Strategy). Item 36 of the Strategy forewarns legislative changes prescribing a minimum cyber security baseline across the economy, including:
- Consumer and data protection laws
- Duties for company directors
A recent example
The Australian Securities and Investments Commission (ASIC) has shown us its willingness to prosecute companies that fail to implement cyber security measures.
The recent RI Advice Group Pty Ltd, where ASIC alleged that RI Advice Group failed to implement adequate policies, systems and resource which were reasonably appropriate to manage risk in respect of cyber resilience.
On 5 May 2022, the Federal Court handed down its landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd  FCA 496 confirming that management of cyber security risk and cyber resilience is critical. Australian corporates should review their cyber security measures regularly and follow advice of the Australian Cyber Security Centre.
Directors’ duties and cyber security – where to start
Now is the time to take action and invest in resources to protect the digital integrity of your company. Ensure cyber security, privacy and data protection is part of your risk assessment and corporate governance processes and mitigate the risk of personal liability for breach of directors’ duties.
Request and oversee the following:
Invest in strengthening security, software and hardware fundamentals
- A policy of strong and regular password changes
- Enforce multi-factor authentication
- Ensure operating systems and software is genuine and up to date
- Use only the applications and software necessary to reduce risk
- Prioritise best-of-suite tools to optimise your risk coverage
Invest in a cyber security team or MSSP
- Develop a cyber security strategy including an Incident Response plan that includes directors, customers, stakeholders and staff
- Invest in training and skills development for IT professionals and any other employees involved in cyber security risk management and monitoring
- Create a program for regular checks and updates
- Report all cyber incidents via the protocol regardless of severity or perceived significance
- Meet the ACSC Essential Eight Maturity Level 2.
Effectively Directors are responsible for creating and maintaining cyber resilient organisations and failing to do so will attract hefty personal liability.
We are following the updates closely and if you have any further questions on your obligations, please don’t hesitate to reach out.
Cyber threats are not going away, on the contrary, their frequency is growing and they are targeting industries that handle sensitive data like accountants, legal firms, and financial institutions.
As can be seen, using cybersecurity in the accounting field has numerous benefits. Online cyber security training is a fantastic way to educate users on the benefits of using it. To protect their critical data, accounting firms should hire cyber security experts such as a good quality MSSP.
Related: What Is An MSSP? An Expert Guide
The ACSC reported that cyber attacks cost medium sized companies $88K on average and 60% of the businesses attacked go out of business within 6 months. With Accounting firms are the most targeted by cyber criminals in 2023 can your business afford to take unnecessary risks?
Using an experienced outsourcing provider with strong systems and strict security policies can help Australian accounting firms response to a new level of cybersecurity risk. They will help you adopt an Australian Standard cyber strategy and continuity plan to limit the impact of cyber attacks to your business. KMT recommends that as a minimum you meet the ACSC Essential Eight Maturity level 2. If you’d like to talk more about how KMT can assist your firm without compromising security, drop us a line.