A Guide to Optimal Cybersecurity Protocols in the Accounting Sector [2023]
Looking back at the previous 12 months from a cybersecurity perspective, it is apparent that there has been an alarming surge in global data breaches and cybercriminal activities. Consequently, cybersecurity concerns have permeated mainstream media with increasing frequency.
A notable instance of such threats is the rise of Business Email Compromise (BEC) which has led to significant financial losses for companies as reported by the United States and Australian federal authorities.
Small and medium-sized businesses, particularly accountants and bookkeepers, have become an attractive target for hackers due to the wealth of valuable information they possess, coupled with the relatively lower risk of attracting public and police attention.
Thus, it has become imperative for accountants and bookkeepers to be knowledgeable about the various cyber threats that exist and take proactive measures to mitigate the risks posed by such attacks.
Gaining Insight into Common Cyber Threats
In an ever-evolving digital landscape, malicious actors are constantly adapting their tactics to infiltrate computer systems. Nonetheless, there are several archetypal approaches that are characteristic of most cyber attacks. Acquiring knowledge about these techniques can serve as an effective primary defense mechanism that a company can readily implement at no cost. Presented below are four of the most common and potentially harmful forms of cyber threats that should be on every organization’s radar.
Social Engineering
Social engineering is a tactic employed by malicious actors to deceive individuals into divulging confidential information or granting unauthorized access to computer systems. While hacking is often associated with technological breaches, social engineering hinges on exploiting interpersonal vulnerabilities.
For instance, an attacker may impersonate a trusted entity, such as a government agency or a bank, and coerce unsuspecting individuals into providing sensitive details like login credentials or financial information. Given the expansive scope of this category of attacks, social engineering serves as an umbrella term for several other forms of cyber threats, which are further expounded upon below.
Accountants should remain vigilant against such tactics and exercise caution while sharing information or granting access to systems, particularly in cases where they are uncertain about the legitimacy of the requestor’s identity. Furthermore, it is crucial for accountants to be able to identify and report any suspicious activity or requests promptly.
Phishing
Phishing is a fraudulent scheme employed by scammers to elicit sensitive details such as passwords or credit card numbers from unsuspecting individuals. Typically, these fraudsters will employ fake emails or messages that closely resemble those of authentic organizations, with the aim of tricking people into providing their personal information. It is crucial to exercise caution while sharing personal information online and to verify the legitimacy of the source before responding to such messages.
As an accountant or bookkeeper, you are likely to receive emails from financial institutions, banks, or other companies with whom you work. These emails are often easy to replicate, making it imperative not to click on any suspicious links or divulge sensitive information. It is advisable to authenticate the legitimacy of such emails by directly contacting the institution through phone or a different email address.
See our graphic on the hallmarks of a phishing email here.
Business Email Compromise
Business Email Compromise (BEC) is a type of cyber attack that specifically targets businesses, organizations, and individuals who frequently engage in financial transactions through email. The attack involves an attacker masquerading as a trustworthy individual, such as a CEO or vendor, and sending false emails to deceive the recipient into sharing confidential information or transferring funds.
The potential consequences of a BEC attack are substantial, particularly if a hacker were to gain access to an accountant’s email account and assume their identity to communicate with their clients. Accountants and bookkeepers are especially vulnerable to BEC attacks due to their access to sensitive financial data and responsibility for handling fund transfers on behalf of clients. In a typical BEC attack, the hacker impersonates an accountant or bookkeeper and requests that the client provide sensitive information or transfer funds to a fictitious account.
View a real-life example of an email hack here.
Ransomware
Ransomware is a type of harmful software that encrypts an individual’s files, rendering them inaccessible, and demands a ransom payment in exchange for the decryption key. It is a widely known type of hack that can result in significant financial and reputational harm to both individuals and businesses.
Delivery of ransomware may be accomplished through various means, including email, social media, or infected websites. However, when targeting accountants and bookkeepers, perpetrators commonly utilize social engineering tactics. For instance, an attacker might send an email posing as a legitimate source, such as a vendor or client, which contains an attachment or link. Once accessed, the ransomware installs on the accountant or bookkeeper’s computer. Alternatively, a phishing email could be used to acquire login credentials, enabling access to the victim’s system and the ability to install the ransomware.
Read the Practice Protect Guide To Understanding Ransomware For Accounting & Bookkeeping Firms here.
Best practice for protecting your business
Developing an understanding of the wide-ranging cybersecurity threats that can affect an organization is a crucial initial step. The measures that a company may then undertake to mitigate its risk can vary depending on its procedures and the degree to which it desires to lower that risk.
It is typical to segment cybersecurity into three primary categories when assessing a company’s defenses.
Access and Identity Management
Firms can significantly mitigate risk by incorporating technology that provides an essential security layer to all digital processes. Access and identity management encompasses a suite of processes and technologies used to regulate and manage access to information and resources within an organization.
For accountants and bookkeepers, this entails managing user accounts, permissions, and roles, as well as implementing and enforcing security policies and procedures to ensure that confidential financial data is solely accessible to authorized personnel.
The proper implementation of access and identity technology is vital for accountants and bookkeepers to uphold the confidentiality, integrity, and accessibility of financial data. This serves to instill confidence in their clients and stakeholders while maintaining their trust.
Some of the key features to look out for with a good access and identity management tool include:
- Managed Multi-Factor Authentication
- Advanced User & Team Permissions
- IP Lock, Time Lock, and Location Lock for email/application access
- Password Cloaking & Encryption
- One-Click User Lockout
- Remote & Third-Party Access Controls
Employee education and training
Despite the various technical measures that organizations may implement to improve their cybersecurity posture, it is widely acknowledged that humans constitute one of the weakest links in the chain.
Humans are susceptible to numerous social engineering tactics that exploit their trust, fear, or ignorance to gain unauthorized access to sensitive information or systems. Examples of such tactics include the previously mentioned phishing emails. To mitigate the risk of human error or intentional sabotage, it is crucial for organizations to invest in employee awareness, education, and training.
Training programs are designed to promote awareness of cybersecurity’s significance and the types of threats that employees may encounter. This can involve instruction on identifying common attacks, such as phishing emails, and reporting any suspicious activity. Additionally, it is advisable to assess how to reduce types of risks, such as social engineering attacks or ransomware. Equipping employees with this knowledge empowers them to better safeguard themselves and their organization from cyber threats.
Human error, such as failing to recognize a phishing email or unintentionally transmitting an email containing sensitive client data to the incorrect recipient, is equally perilous as any other cybersecurity threat.
Read our article on the 3 tips for training your team members here.
Compliance documentation
Compliance is an integral aspect of a comprehensive cybersecurity approach. Depending on the country of operation, there may be statutory requirements for compliance, such as the Written Information and Security Plan mandated by IRS 4557 in the United States. It is crucial to be aware of the legal standards and comply with them accordingly.
In addition, internal policies can provide guidance to employees and contractors for safe access and handling of data. Policies such as Internet and Data Usage Policy, as well as Third-Party Access Agreement, can prove to be helpful in this regard. Consideration of a Cyber Incident Response Plan can ensure a well-defined process in the event of a breach.
The significance of compliance documentation for accounting or bookkeeping firms cannot be overstated, as governments are cracking down on breaches involving compromised customer data. Non-compliance can result in penalties and litigation.
Next Steps for your firm
In the realm of cybersecurity, there is a considerable amount of information to grasp, but it need not be an intimidating subject that is beyond comprehension or safeguarding. Examining your vulnerabilities and pragmatically instituting measures to safeguard against them can be accomplished by any organization. It is advisable to initiate this process by conducting a comprehensive evaluation of your current cybersecurity infrastructure, and enlisting the aid of professionals where necessary.
