Accounting firms at high risk of cyber attack
Accounting firms in Australia are prime targets for cyber criminals wanting to steal highly confidential client data that can be sold online to other criminals. The sheer amount of valuable financial data accounting firms hold is what makes them such attractive targets, and small and medium-sized accounting firms are, unsurprisingly, the least likely to have proper defences against cyberattacks in place.
Ever since the “notifiable data breaches” provisions of the Privacy Act came into effect in 2018, the accounting industry has continued to be the top target for cybercriminals in Australia. Accountants, finance professionals and business owners who have access to sensitive financial and other personal client data are at the front line of cybercrime.
Recent data from the OAIC’s Notifiable Data Breach Report found that within the finance industry, 464 breaches were notified under the scheme, an increase of 6% compared with 436 notifications from January to June 2021.
Malicious or criminal attacks were the leading source of breaches for legal, accounting and management services (71%), with human error the leading source of breaches in the finance sector (48%).
To defend against the rising threats to your accounting firm, your staff and your clients, it is important to know where those dangers come from and what methods cybercriminals are deploying to breach your firm’s cyber defences.
If you’ve heard phrases like data theft, malware, ransomware and phishing before but don’t know what they mean, then this article is for you.
A cyber attack costs small accounting practices an average of $39,555, medium-sized practices approximately $88,406 and large practices $62,233.
2021-22 ACSC Annual Cyber Threat Report
What is a cybersecurity threat?
A cybersecurity threat is a malicious act that disrupts one’s digital life by damaging or stealing private data. These threats might occur through data security breaches, denial of service attacks, or computer viruses.
Cyber attackers use a wide variety of tactics to gain access to a target’s data, from “traditional” email phishing — which can download viruses or ransomware into the system — to “malware-free” attacks which do not install any software on the victim’s machine. Attackers who deploy malware-free methods can compromise an organisation in several ways — using stolen credentials, an unsecured device connected to the internet or a system misconfiguration. They can then ‘live off the land’ and steal data from within the organisation’s systems as they blend in with the normal flow of business.
The newest tactics in use today are email thread hijacking and spam campaigns, which steal content from a compromised mailbox and use subject lines to identify an existing thread; a reply is then crafted to that thread, which drastically increases the likelihood of the recipient opening a malicious attachment or link.
Cybersecurity threats faced by financial institutions
Cybercrime has been the most significant hazard facing accounting firms and the financial sector recently. Incidents have increased significantly in the past few years as hackers improve their technology and expertise, which makes it difficult for businesses to curtail their attacks consistently. The following are some of the dangers that face accountants and finance companies.
Phishing attacks
Phishing attacks are one of the most frequent cybersecurity threats to accounting firms. These days many online scammers are using phishing emails to convince accountants to hand over sensitive financial data willingly, often with disastrous results.
Classified as Advanced Persistent Threats (APT), they cause reputational, data and financial losses. With an APT, an unauthorised user accesses the system and uses it without being noticed for a long time.
Here are some examples of phishing scams affecting accountants:
1. Copyright Infringement Claim
The Scam: An email is sent claiming that you are using copyright protected images on your website without permission. To prove their claim, all you have to do is click on a link to download the evidence.
The solution: Don’t click on a link in an email from anyone you don’t know. If you receive an email like this and you want to make sure there’s no real issue, check with your website developer or marketing team; you would normally have purchased your website images through a licensing agreement with a stock photography agency like Getty Images.
2. Fake Domain Invoice
The Scam: Many accountants don’t remember where they bought their domain or who is responsible for renewing it. Online scammers take advantage of this and use it as bait to scare people into paying fake domain renewal invoices. If you get an email threatening that your domain will “terminate in 24 hours”, don’t panic and don’t pay.
The solution: To put your mind at ease, contact your website hosting provider or look it up yourself at https://who.is/ by typing your domain in the field provided at the top. The information returned will include the “registrar”, the company where your domain was purchased (GoDaddy, Google Domains, Network Solutions, etc.). It will also clearly tell you what date your domain expires.
3. Email Upgrade
The scam: An email designed to make you believe that your email account is somehow about to “expire” and that all you have to do is enter your password in order to log in and fix the problem.
The solution: If you receive an email asking for a password, don’t send it! Your Managed Service Provider will never request this information in an email.
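The two checks below put the advice in scams 2 and 3 into code. They are an added example written for this article, not code from the original page or from KMT, and every domain name, the RDAP record and the reference date are constructed for illustration. The first check parses an HTML email and flags links whose visible text shows one domain while the underlying href points at another, the usual lure behind “click to download the evidence” or “pay the renewal now”. The second reads a registry RDAP record (the JSON successor to WHOIS, which is what sites like who.is display) and tests whether an invoice’s “terminates in 24 hours” claim is consistent with the real expiry date and registrar. The registered-domain comparison is a deliberate approximation (last two labels), which a production tool would replace with the Public Suffix List so that names like example.com.au are handled correctly.

```python
"""Phishing triage helpers (constructed example for the article above)."""
from __future__ import annotations

from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit


def _registered_domain(host: str) -> str:
    # Approximation: last two labels. Fine for .com/.net; a real tool
    # would consult the Public Suffix List to handle names like example.com.au.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_of(text: str) -> Optional[str]:
    """Return the host if the visible anchor text looks like a URL or domain."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlsplit(candidate).hostname
    # Reject things like "Thanks." that only contain a trailing full stop.
    if not host or "." not in host.rstrip("."):
        return None
    return host


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_link_mismatches(html: str) -> list[tuple[str, str]]:
    """Return (visible_text, href) pairs whose displayed domain differs from the real target."""
    parser = _AnchorCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.anchors:
        shown = _host_of(text)
        actual = urlsplit(href).hostname
        if shown and actual and _registered_domain(shown) != _registered_domain(actual):
            mismatches.append((text, href))
    return mismatches


def check_expiry_claim(rdap: dict, claimed_within_days: int, today: datetime) -> dict:
    """Compare an invoice's 'expires within N days' claim with the domain's RDAP record."""
    expiry = None
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    if expiry is None:
        raise ValueError("RDAP record has no expiration event")
    registrar = None
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            # jCard layout: ["vcard", [[name, params, type, value], ...]]
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    registrar = prop[3]
    days_remaining = (expiry - today).days
    return {
        "registrar": registrar,
        "expires": expiry.date().isoformat(),
        "days_remaining": days_remaining,
        "claim_plausible": days_remaining <= claimed_within_days,
    }


# Constructed sample data: a fake renewal email and a fake RDAP record.
SAMPLE_EMAIL = """<p>Your domain will terminate in 24 hours. Pay now:</p>
<a href="http://renewals.example-scam.test/pay">https://billing.example-registrar.com/renew</a>
<p>Or visit <a href="https://www.example-registrar.com/">example-registrar.com</a>
or our <a href="https://www.example-registrar.com/help">help centre</a>.</p>"""

RDAP_RECORD = {
    "ldhName": "example-firm.com",
    "events": [
        {"eventAction": "registration", "eventDate": "2019-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"},
    ],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Registrar Pty Ltd"]]]}],
}
TODAY = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference date

if __name__ == "__main__":
    for text, href in find_link_mismatches(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: shows {text!r} but goes to {href!r}")
    print(check_expiry_claim(RDAP_RECORD, claimed_within_days=1, today=TODAY))
```

Running the block flags only the first link (the other two either match their displayed domain or have plain-text labels) and reports that the domain is registered with “Example Registrar Pty Ltd”, expires on 2025-03-01 with 273 days remaining, so the “24 hours” claim is not plausible. With a real domain, the RDAP JSON comes from the registry’s RDAP server (the bootstrap list at https://data.iana.org/rdap/ maps TLDs to servers); the parsing is the same.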
Ransomware
One of the most popular ways cybercriminals (or hackers) attack users is by delivering ransomware to their devices. Ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems or networks and demands that you pay a ransom for their return. When your data is held hostage like this, the consequences can be costly.
Not only can a ransomware attack lead to huge financial losses, it can also severely damage your reputation. Your clients count on you to protect their information, so if they become victims of a cyberattack through your firm, they will quickly lose their trust in you and take their business elsewhere.
To prevent your business from falling victim to a ransomware attack, take the following steps. One of the most effective approaches is a considered cyber security strategy combined with proper education:
- Ensure staff only open emails from trusted senders, don’t click on unverified links and scan attachments for viruses before downloading.
- Implement security training with frequent sessions and simulated cyberattacks.
- Back up your data frequently and in various secure locations so that, in the event of an attack, you can recover it as quickly as possible.
- Develop processes and educate your team on how to properly send and receive sensitive and confidential documents, both internally and with your clients.
- Restrict access to sensitive data and document who has permission to view confidential information.
- Use a password manager to securely store your existing passwords and generate strong passwords for various websites and accounts.
- Apply multi-factor authentication where possible.
Human Error
Human error is the leading cause of cyber security threats in accounting firms; in fact, 90% of data breaches are caused by humans, according to Kaspersky. If your people aren’t trained in how to manage sensitive data while accessing their work remotely, it can expose the firm and its clients to significant vulnerabilities.
Employees are focused on the job they have been hired to do, and when faced with to-do lists, distractions and pressure to get things done quickly, mistakes can happen. Stepping users through security awareness training is a must that you simply cannot afford to skip.
Importance of cybersecurity to Accounting Firms
The risks and associated exposures of a cyberattack on an accounting firm can be devastating.
Not only can a data breach at an accounting firm lead to reputational damage and costly first-party and third-party losses, but there is also the fallout the public eye rarely sees: the damage it wreaks inside the firm.
Below are a few examples of cybersecurity fallout:
- Direct loss of turnover
- Legal ramifications for directors and the business itself
- Financial loss
- Data loss
- Increased staff churn
- Customers fleeing to more secure competitors
- Management spending their time on tasks that aren’t profit-generating
- Clean-up costs
- Change in customer perception
- Reduced competitiveness
Related: 15 Tips For Selecting The Right Cyber Security Provider
EXCERPT ON DIRECTORS’ DUTIES
Cyber security, privacy and data protection: implications for directors’ duties that all accounting firms need to know
Australian company directors are facing an increase in responsibilities as enterprise transitions further into the digital economy.
The Australian government and regulators are currently reviewing the scope of directors’ duties concerning digital security, privacy and consumer matters. We expect directors’ duties to expand.
The bottom line
Your enterprise management must include regular and ongoing consideration of cyber security, including risk assessment and investment in the development and implementation of a resilient digital strategy.
Directors’ duties include:
- Addressing cyber security and managing risk: A failure to take action could result in directors being held personally liable for a breach of directors’ duties through civil litigation with consumers or failing to comply with current (and new) legislation.
- Directors of listed companies must consider cyber breaches (and risks) in any prospectus issue and as part of their periodic and continuous disclosure obligations.
- In 2015, ASIC confirmed cyber security falls within directors’ duties and identified cyber security and resilience as high-risk areas for enterprise, warning it would be the subject of future review (ASIC Report 429, Cyber Resilience: Health Check, 2015).
- Boards overseeing critical infrastructure corporations will oversee the introduction of baseline cyber security, the implementation of enhanced cyber risk management programs for assets of national significance, and mandatory cyber incident reporting. The government recently introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth); if passed, it will give effect to the above.
And there is more to come. A mandatory review of directors’ duties is included in Australia’s Cyber Security Strategy 2020 (the Strategy). Item 36 of the Strategy forewarns legislative changes prescribing a minimum cyber security baseline across the economy, including:
- Privacy
- Consumer and data protection laws
- Duties for company directors
A recent example
The Australian Securities and Investments Commission (ASIC) has shown us its willingness to prosecute companies that fail to implement cyber security measures.
In the recent RI Advice Group Pty Ltd case, ASIC alleged that RI Advice Group failed to implement adequate policies, systems and resources that were reasonably appropriate to manage risk in respect of cyber resilience.
On 5 May 2022, the Federal Court handed down its landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 confirming that management of cyber security risk and cyber resilience is critical. Australian corporates should review their cyber security measures regularly and follow advice of the Australian Cyber Security Centre.
Directors’ duties and cyber security – where to start
Now is the time to take action and invest in resources to protect the digital integrity of your company. Ensure cyber security, privacy and data protection is part of your risk assessment and corporate governance processes and mitigate the risk of personal liability for breach of directors’ duties.
Request and oversee the following:
Invest in strengthening security, software and hardware fundamentals
- A policy of strong and regular password changes
- Enforce multi-factor authentication
- Ensure operating systems and software are genuine and up to date
- Use only the applications and software necessary to reduce risk
- Prioritise best-of-suite tools to optimise your risk coverage
Invest in a cyber security team or MSSP
- Develop a cyber security strategy including an Incident Response plan that includes directors, customers, stakeholders and staff
- Invest in training and skills development for IT professionals and any other employees involved in cyber security risk management and monitoring
- Create a program for regular checks and updates
- Report all cyber incidents via the protocol regardless of severity or perceived significance
- Meet the ACSC Essential Eight Maturity Level 2.
Effectively, directors are responsible for creating and maintaining cyber resilient organisations, and failing to do so will attract hefty personal liability.
We are following the updates closely and if you have any further questions on your obligations, please don’t hesitate to reach out.
Conclusion
Cyber threats are not going away; on the contrary, their frequency is growing and they are targeting industries that handle sensitive data, such as accountants, legal firms and financial institutions.
As can be seen, investing in cybersecurity brings numerous benefits to accounting firms. Online cyber security training is a fantastic way to educate users on those benefits. To protect their critical data, accounting firms should engage cyber security experts such as a good quality MSSP.
Related: What Is An MSSP? An Expert Guide
The ACSC reported that cyber attacks cost medium sized companies $88K on average and that 60% of the businesses attacked go out of business within 6 months. With accounting firms the most targeted by cyber criminals in 2023, can your business afford to take unnecessary risks?
Using an experienced outsourcing provider with strong systems and strict security policies can help Australian accounting firms respond to a new level of cybersecurity risk. They will help you adopt an Australian Standard cyber strategy and continuity plan to limit the impact of cyber attacks on your business. KMT recommends that, as a minimum, you meet the ACSC Essential Eight Maturity Level 2. If you’d like to talk more about how KMT can assist your firm without compromising security, drop us a line.