Every industry is a target for cyber criminals, but some make better targets than others simply because they work with vast amounts of valuable data. The accounting industry is one of them. Accounting firms are guardians of financial and other sensitive records, and their databases are a mother lode of valuable information. The April 2020 cyber attack on CPA Canada that compromised the information of over 329,000 individuals is just one example of an attack that demonstrates this fact, but there have been many others.
Attacks on Accounting Firms Exacerbated by COVID-19
Exacerbating the problem is the current pandemic. After COVID-19 hit, accounting firms experienced a dramatic increase in cyberattacks, primarily because they rushed to provide their employees with remote work access without fully understanding or implementing important cybersecurity measures. According to accountingtoday.com, large-scale data breaches have increased by nearly 300 percent since the onset of COVID-19. Cyber criminals are not only using the public’s desire to stay informed about the pandemic to lure people into downloading, clicking on or visiting malicious links and attachments, but they’re also exploiting the increase in the use of popular communication technologies such as Zoom or Google Hangouts to spy on and listen to private meetings and conversations. In this environment, accounting firms, which pass tremendous amounts of sensitive information through different teleworking channels, are the perfect target.
A taxing problem
And once an accounting firm experiences a data breach, the consequences can be quite taxing. The firm can suffer damage to its client relationships, legal repercussions, regulatory actions, financial losses, risks to its clients, and reputational damage. That’s precisely what happened to New Jersey-based accounting firm BST & Co, which is now facing a class-action lawsuit due to a data breach that compromised thousands of personal records. The class-action lawsuit alleges that inadequate cybersecurity measures on the part of BST resulted in the ransomware attack that caused the breach. If only BST had adequately protected its business and data.
7 ways to protect your business
On the positive side, however, it’s not too late for your accounting firm; you can protect it from cyber attacks.
All you need is a comprehensive security plan that implements and enforces the following:
1. Proper password hygiene – Your accounting firm should impose strict password hygiene to ensure that all passwords are strong and secure. Passwords should be at least 10 characters long and use a combination of numbers, capital letters, lower-case letters, and symbols. In addition, they should never be shared, reused for multiple logins, or based on birthdates, names, or initials.
2. A cybersecurity policy – Every accounting firm should have a cybersecurity policy that protects its valuable assets. At a minimum, the policy should specify the procedures for securing personal and company devices, ensuring email safety, managing passwords, and transferring data safely.
3. Awareness training – There are many different attack vectors cyber criminals can use to get to your data, but company employees are a favorite. In fact, insider threats are one of the most common attack vectors. Businesses in the US experience approximately 2,500 internal breaches daily, and 34% of businesses around the globe experience insider threats every year. Eliminating those threats requires cybersecurity awareness training that teaches employees about the security measures and policies in place at your business as well as how to recognize common cyber threats such as phishing, spoofed websites, and malicious links.
4. A work-from-home policy – Now more than ever, you need a remote-work security policy that requires employees to use a secure network, data encryption, and antivirus software.
5. An advanced endpoint security solution – An endpoint security solution is a vital component of your accounting firm’s defense. The best business antivirus will protect all your business devices from viruses and malware, as well as provide camera and microphone protection, protection from phishing, tracking, and ransomware, and secure browsing.
6. User permissions and restrictions – Unrestricted access to data can cause intentional or accidental data exposure. Assigning access levels according to the access your employees need to perform their duties can go a long way toward mitigating cyber risks.
7. Secure physical devices and paper records – With all the focus on cyber attacks, it’s easy to forget that physical theft is still a threat too. When devices such as USB drives, laptops and printers, or paper records, are stolen, all the data they contain can be misused. Thus, it’s critical to your business’s privacy that all physical devices and records be securely stored.
Risk management isn’t just for your clients
Every accounting firm must protect its data and its clients’ data by adopting strict security measures that encompass policy, training and technology. In short, accounting firms also need to practice risk management. After all, if accounting businesses can’t keep their own data safe, why should they be trusted with their clients’ sensitive data?