An Awareness and Action Plan to Combat Security Threats of Social Engineering
In order to dedicate a sustained effort to ensuring clients’ information is safely used by the firm, accountants need to be vigilantly aware of, and trained to identify and mitigate, the risk of security breaches.
For accounting firms and their professionals, who directly access, use, and transmit extremely sensitive data for their clients, the fallout from a data breach or cyberattack can be enormous given the high value of the information that is compromised. Bank accounts, Social Security numbers, financial history, employment information, and more, all personally identifiable to an individual or to company staff at large, are very high-risk types of data to access, transmit, store, and retain over the long term.
One dangerous, yet unfortunately common, risk comes by way of “social engineering,” a tactic in which hackers psychologically manipulate their victims. Accounting firms can unwittingly hand over their clients’ data when employees are tricked by social engineering tactics into downloading malware or entering data into fake sites. The prime vector for such attacks is phishing.
In short, you need to provide employees with security awareness training and have an action plan in place to contain any damage.
Here are some strategic tips on how to combat social engineering tactics to protect your brand as a trustworthy accounting firm and to ensure your clients’ data is safely used within your firm:
Policies, Education, and Awareness Training
The standard operating procedure of most accounting firms includes IT protocols that safeguard data. However, such policies are only helpful if they’re actually followed. And, in times of extremely busy seasons – from holidays to tax season – rushing to meet a deadline can often cause even the most well-intentioned professional to take a shortcut outside of the IT policy to be efficient.
The basics of IT protocols that safeguard data need to include employee education and a daily commitment on how to properly transfer data, what data needs to be encrypted, a list of allowed applications at work, appropriate websites, etc. For example, it may seem obvious, but Skype isn’t the best way to transfer sensitive data within an accounting firm, and employees need to be aware of it.
Protect the Important Information – Ensure Staff are Educated on its Street Value
Accounting firms are a major target for social engineering hackers because there are two types of information hackers can access: company data and other people’s personal data. Both should be on your list of priorities of data to protect.
Usually, hackers are looking for information they can sell or monetize in some fashion. Keep in mind that while your company’s IP is expensive, so are all the credit card or bank account numbers of your clients.
Employees’ diligence in controlling their own actions that could put such information at risk can be strengthened when they’re educated on the “street value” the information has to hackers if it is stolen, in addition to the high cost to the company if the worst were to occur.
Setting Automated Rules and Blocking
Rules that automatically block activities can reduce risk significantly. My experience with insider threat software has shown that it can be extremely helpful for companies that need to mitigate social engineering threats.
For example, with the right IT methodology and supportive tools, administrators can set rules to reject USB drives that aren’t allocated by the company as one method of automatic prevention. Additionally, administrators can be alerted when someone receives an email that looks as if it is coming from the firm’s network but actually came from an outside network.
Furthermore, accounting firms should have rules set so that data is not transferred in the body of an email. Attachments can be OK if they have a password on them. Software can also detect whether the body of an email contains account numbers, Social Security numbers, etc., and can block such data from being sent outside of the organization.
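The two mail rules described above can be sketched in a few lines of Python. This is an added example, not code from the article or from any particular product; the domain example-cpa.test, the 10.0.0.0/8 internal range, the function names, and the use of Luhn-valid card-style numbers as a stand-in for "account numbers" are all assumptions, and it reads plain single-part text bodies only.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the firm's mail domain and internal relay range.
INTERNAL_DOMAIN = "example-cpa.test"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Checksum used by payment card numbers; cuts false positives on digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def sensitive_hits(text):
    """Return a label for each SSN or Luhn-valid account number found in text."""
    hits = ["ssn"] * len(SSN_RE.findall(text))
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            hits.append("account_number")
    return hits

def evaluate(raw_message, peer_ip):
    """Apply both rules; peer_ip is the address that handed the mail to the gateway."""
    msg = message_from_string(raw_message)
    from_inside = ipaddress.ip_address(peer_ip) in INTERNAL_NET
    if domain_of(msg["From"]) == INTERNAL_DOMAIN and not from_inside:
        return "alert", "internal-looking sender arrived from an outside network"
    hits = sensitive_hits(msg.get_payload())
    if from_inside and domain_of(msg["To"]) != INTERNAL_DOMAIN and hits:
        return "block", "body contains " + ", ".join(sorted(set(hits)))
    return "allow", ""

# Constructed sample messages (not real data).
SPOOFED = "From: Partner <boss@example-cpa.test>\nTo: staff@example-cpa.test\n\nOpen the invoice link today.\n"
LEAK = "From: staff@example-cpa.test\nTo: client@client.test\n\nSSN 123-45-6789, card 4111 1111 1111 1111.\n"
CLEAN = "From: staff@example-cpa.test\nTo: client@client.test\n\nYour return is in the password-protected attachment.\n"

if __name__ == "__main__":
    for name, raw, ip in [("spoofed", SPOOFED, "203.0.113.7"), ("leak", LEAK, "10.1.2.3"), ("clean", CLEAN, "10.1.2.3")]:
        print(name, evaluate(raw, ip))
```

The checksum step matters in practice: without it, invoice and reference numbers in ordinary client mail would trip the block rule constantly and staff would learn to work around it.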
Preying on Weaknesses: Curiosity, Greed, and Respect for Authority
Hackers time attacks to events and prey on people’s curiosity, greed, and their tendency to jump when they get an email from someone in authority, like their boss or a regulator, to lure them in.
The No. 1 way that hackers target companies is phishing. This is because it is very difficult to attack companies head on.
Perimeter defenses (i.e., firewalls) stop most direct attacks, but when an employee clicks on a phishing link, they opt into the hacker’s trick and give hackers access to go right around the firewall. Educating your staff that these types of attacks exist should be a No. 1 priority.
A broadcast email does not work so well in tricking employees into clicking on infected links or entering data into made-up sites, as most of those will get blocked. Instead, hackers tend to look for items that draw a person into their traps by making their information timely and sending those one at a time to high-profile targets.
For example, emails can be made to look like they’ve been sent from a sports club, school, or any other organization that someone may have a personal tie to.
While you cannot entirely control your staff’s social media use, educating them about social engineering tactics hackers use is a good idea.
For example, if employees allow their photos to be public or check in on social media, a hacker targeting a specific company can watch for an employee using the check-in feature on Facebook, which shows what hotel they’re staying at. The hacker can then send them an email that looks like it came from the hotel, and if the employee is traveling with their work computer, clicking on a link in that email can expose data stored on the computer.
Having a best practices checklist on the security vulnerabilities that can result from social media use can help to mitigate these risks through employee education.
Take Action Before an Incident Occurs
In my experience working with numerous companies over the years, evidence indicates time and time again that the best approach is prevention-minded. And the same applies to successfully deterring the security threats of social engineering.
The costs associated with compliance and state security breach notification laws are quite high, and breaches bring significant reputation ramifications. Make sure your staff double-check anything that looks suspicious and create a culture that allows employees to check with one another.
If an email or other method of social engineering is discovered, make sure employees automatically report the incident to an employer. They may not be the only one who received the email, so make sure to check whether it was clicked on.
With the kickoff to a busy tax season just around the corner, now is the ideal time to educate the accounting professionals in your firm on best practices. Remind them that in today’s digitally connected world, an essential element to their everyday jobs has to be safeguarding the very information they access if they are to help their clients financially thrive.