Hackers are always on the hunt for valuable, easily accessible data, and accountancies are some of the best places to get that sort of data. Every accountant’s email represents a potential threat, as links and attachments can lead to phishing or ransomware attacks which can damage valuable data and hurt a financial company’s reputation. InfoSecurity found in 2015 that financial services firms were 300 times more likely to be hit by security incidents than other businesses. Consider the recent hacking of credit company Equifax, and the resulting costs for the company and consumers.
But accounting professionals can protect themselves, and at minimum make it more likely that a hacker will give up and search for a less protected accounting firm. Here are certain types of attacks to consider as well as basic steps to preserve your business’s data and reputation.
- Ignorance is no Excuse
Small accountancies may look at the Equifax hacking and conclude that hackers will target financial companies with data worth stealing and will thus leave smaller firms alone.
But an ordinary person’s cell phone gets stolen far more often than the Mona Lisa. Even though the Mona Lisa is more valuable than a phone, the phone gets stolen more often because it is easier to grab. The same principle holds for small financial companies and accountancies. Smaller companies are at just as much risk, precisely because their carelessness makes them tempting targets.
Never assume your company is not at risk. Knowledge and preparation are the most important steps to keeping data safe.
- The threat of phishing
Media and society popularize hackers as tech geniuses using elite tech skills to break into firms like something out of “Ocean’s Eleven.” But one of the hacker’s main weapons, phishing, relies less on tech skills than on the carelessness of its victims.
Accountants can be victims of spear phishing, which Kaspersky describes as an email “apparently from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware.” Phishing emails can be made to look quite realistic, without spelling mistakes and warning of something believable such as your bank warning about problems with your account. And it only takes one mistake.
But there are certain clues which businesses should talk to their employees about. For example, phishing links will often use a TinyURL or Bitly URL shortener to mask their true destination, or will point to a name that is slightly off from the original. Businesses must remind employees of the dangers of phishing and caution them against quickly clicking links without checking them twice.
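The two clues above can also be checked automatically before a message reaches an inbox. The following is an added example, not part of the original article: it flags links that use a shortener or whose domain is within two character edits of a trusted one. The shortener list, the trusted domains and the sample email are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed lists for illustration; a firm would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com"}
TRUSTED = {"examplebank.com", "irs.gov"}  # examplebank.com is a constructed name

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one table row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-part TLDs (co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(url: str) -> str:
    """Classify one URL as shortener, trusted, lookalike:<domain> or unknown."""
    domain = registered_domain(urlparse(url).hostname or "")
    if domain in SHORTENERS:
        return "shortener"      # true destination is hidden
    if domain in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        if 0 < edit_distance(domain, good) <= 2:
            return f"lookalike:{good}"  # slightly off a known name
    return "unknown"

def scan_email(body: str) -> dict:
    """Map every http(s) URL found in the message body to its verdict."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return {u.rstrip(".,)"): check_link(u.rstrip(".,)")) for u in urls}

# Constructed sample message body.
SAMPLE = (
    "Your account is locked. Verify at http://examp1ebank.com/verify\n"
    "Invoice attached: https://bit.ly/3xAbCdE\n"
    "Statement: https://www.examplebank.com/statements\n"
)

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE).items():
        print(f"{verdict:28} {url}")
```

A mail gateway or a reporting plug-in could hold messages with a `shortener` or `lookalike` verdict for review rather than delivering them directly.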
- Ransomware and Attachments
If clicking on links in a phishing website is bad, opening an attachment can be even worse. By opening up malicious programs on a computer, accountants can open themselves up to even worse attacks such as ransomware.
Ransomware attacks, in which hackers use malware to encrypt your computer or critical files and then demand a ransom in exchange for unlocking them, have been on the rise. And as the FBI notes about ransomware in its recommendation against paying criminals, there is no guarantee that the hacker will unlock anything when the ransom is actually paid.
There are ways to protect against ransomware, such as backing up your data to the cloud beforehand and disconnecting operations in the middle of an attack to keep it from spreading. This is the method used by many credit repair companies. But above all else, accountancy employees must be reminded of the dangers of opening random attachments, even if they seem urgent.
- Gather Information
Spear phishing results from identity theft, as the scammer uses information taken from other sources in an attempt to impersonate a trusted contact. Consequently, accountants need to gather more information about their clients so that they can figure out any differences between the fake impersonation and the real contact.
Important information includes details such as a Social Security number, an EIN, or information about the parent company which cannot be gleaned through a Google search. This creates a challenge in a company’s responsibility to protect said data, which is why it is important to create backups and know instantly if said data gets taken.
- Dealing with a Breach
Preparing to protect your data is important. But mistakes or security vulnerabilities can happen, and sometimes a data breach will occur despite your company’s best efforts.
Because of that, companies need to worry about what to do in case of a breach as much as how to prevent one. Businesses need to know immediately what exactly was stolen, limit the damage as much as possible, and promptly inform consumers about the extent of the breach. In fact, the Houston Chronicle points out that certain states set forth requirements on whom companies need to inform and when.
Be as honest as possible and take ownership of the problem. Customers are going to blame you regardless, and attempting to dodge responsibility will just anger them further.
Cost accountant with major focus in SAP/General Fund Enterprise Business System (GFEBS). Also, main functional inspector for accounting/finance audits for internal reviews as well as the Statement of Budgetary Resources audit initiative.