How CPAs can protect their practice from cyber crime.
CPAs and other professionals are at risk as cyber crime skyrockets. Here are some tips on how to protect your practice.
Shazia Sharp, CPA, CA (name changed to protect privacy) had just settled into her office for the day and fired up the computer. Tax season was underway and Shazia’s independent firm was busier than expected. At the top of her inbox was an email Shazia had been waiting for from a client with some important invoices. She immediately clicked on one of the attachments.
Shazia’s whole world went black. At least, her computer screen did. It locked up and an ominous and intimidating message popped up in front of her.
“All files on your computer have been encrypted. You must pay a $60,000 ransom within 72 hours to regain access to your data”
This is the fear of every accountant: their clients’ sensitive personal and financial data in the hands of a cyber criminal. Shazia had been hit with a “ransomware” attack.
“It was an absolute nightmare,” said Shazia. “I couldn’t work, and my reputation was on the line. If there’s anything my clients trust me with—if there’s anything I value the most—it’s their financial records.”
And therein lies the problem. Your clients’ sensitive data is not only of great value to you; it is of immense value to hackers as well.
Why are CPAs a prime target for cyber criminals?
When you hold your clients’ PII and financial records and provide a service with them, that data generates income for you. It stands to reason, then, that the same PII and financial documents can generate money for hackers, through far more numerous and nefarious methods.
There are several ways a cyber criminal can profit from your clients’ data, for example:
A ransom demand, offering the decryption keys for the encrypted files on the CPA’s computer
A blackmail demand, threatening to publish sensitive and confidential data
“I really didn’t think I needed a big cyber security set-up,” said Shazia. “I thought that was for the big corporations.” This, however, is definitely not the case.
“The cyber security industry is mostly geared towards large enterprise companies, not at SMBs,” says Ron Neve-Bar, founder and CEO of CyberGood Security. “Because of that, the proper messaging and awareness doesn’t reach the small to mid-sized businesses. This leads them to believe that they’re safe from hackers; this is a big mistake.”
‘But I have antivirus software installed. Isn’t that enough protection?’
Another ‘false sense of security’ for small to medium-sized CPA firms is the belief that antivirus software installed on their computers is enough to ward off threat actors.
However, antivirus alone is nowhere near enough cyber security for your business. Among the reasons why:
Antivirus software protects only one entry point into your business.
The antivirus program on your desktop computer isn’t protecting your smartphone, iPad, or the other devices and accounts through which your business data can be reached. In the new pandemic era, so much of our work is being done, or at least accessed, via mobile devices, and attacks against smartphones and other mobile entry points have soared in recent years.
Attackers now have many technical means of avoiding detection by antivirus software.
Targeted phishing attacks encourage users to install or click on malicious software that is specifically designed to bypass antivirus detection.
USB keys carrying ransomware are left outside organizations in the hope that someone will plug one into a vulnerable computer.
Protection against “known viruses” only is easy for cyber crooks to get around: the antivirus recognises malware it has already seen, so attackers constantly repackage their code and develop new methods to stay one step ahead of the game.
And that brings us to the methods they are using.
What are the most common cyber attacks my CPA business faces?
The main threats that CPAs face in Canada are ransomware and phishing.
At the outset, we illustrated the ransomware attack that Shazia suffered. This type of cyber crime has been growing at an alarming rate. It’s estimated that a business fell victim to ransomware every 11 seconds in 2021. Once your computer or network is infected, files and data are encrypted or blocked, and the digital kidnapper demands a hefty ransom for their return, often with the added threat of releasing the sensitive data online if the fee is not paid.
But the bad news of a ransomware attack doesn’t end there.
According to a Global Threat Report, in many cases the rightful owner is still unable to regain access to their files even after the ransom is paid. And payment doesn’t guarantee that the hackers won’t sell the data on the dark web anyway.
“But I back up my data regularly. I can always restore it if I get hacked.”
Backups are essential, and they are what let you restore encrypted files without paying. On their own, though, they are not a complete answer. A backup that stays connected to the infected computer or network, such as an always-on external drive or a synced folder, gets encrypted along with everything else, so keep at least one copy offline or otherwise unreachable from your workstation, and test that you can actually restore from it. And restoring your files does nothing about the copy of your clients’ data the attacker has already taken and is threatening to publish or sell.
How does ransomware make it into your network in the first place?
Hackers often use social engineering techniques: seemingly legitimate human interactions that trick the victim into divulging sensitive information such as passwords or financial account details, or into clicking a malicious link or attachment. The latter can result in ransomware or other malware being downloaded onto your device.
These attacks on unsuspecting users can come in the form of an email, a text, a phone call or even a social media message. In each case the message appears to come from a familiar and trusted source, until it doesn’t.
In fact, compromised credentials, obtained through social engineering, accounted for the largest share of data breaches in 2021.
How can I protect my CPA firm from a cyber attack?
There are a number of precautions every chartered professional accounting firm should have in place to protect itself from cyber criminals.
1. Email and text awareness
Always inspect emails and texts to make sure they come from an authentic, trusted sender:
Check the actual sender address, not just the display name. Does the domain after the @ belong to the person or company the message claims to be from? Is there a Reply-To address that points somewhere different from the From address?
Does the context of the message make sense? Were you expecting it?
Look at the spelling, the grammar, even the logos, and ensure they are all correct.
Hover over links before clicking to see where they really go. The visible text of a link can show one address while the link itself points somewhere else.
Attachments and links: never click on an attachment or link without first performing all the checks above.
Contact an IT security professional or company such as Tapin2it to train yourself and your staff.
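The checks above can be automated for a first pass. The script below is an added example, not code from the article or from any company it mentions: it parses a raw email with Python’s standard library and flags the things a reader is told to look for (a sender domain that is not a known client, a lookalike of a known client’s name, a Reply-To that goes to a different domain, and links whose visible text names a different site than the one they point to). The sample message, the addresses and the `TRUSTED_DOMAINS` allow-list are constructed for illustration.

```python
"""Triage checks for a suspicious email (added example, not the article's code)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every address and domain here is made up.
SAMPLE_EMAIL = b"""From: "Acme Client Billing" <billing@acme-client-invoices.example>
Reply-To: collections@totally-different.example
To: shazia@cpa-firm.example
Subject: Invoices for Q1 - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached invoices at
<a href="http://login-acme.example/x">https://portal.acme-client.example/invoices</a>.</p>
</body></html>
"""

# Constructed allow-list: domains of clients you actually correspond with.
TRUSTED_DOMAINS = {"acme-client.example"}


def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    _, addr = parseaddr(str(address or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_mismatches(html):
    """(visible_host, real_host) pairs where the link text shows a URL
    whose host differs from the host the href actually points to."""
    findings = []
    pattern = r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>'
    for href, text in re.findall(pattern, html, re.I | re.S):
        shown = urlparse(text.strip()).netloc.lower()
        real = urlparse(href.strip()).netloc.lower()
        if shown and real and shown != real:
            findings.append((shown, real))
    return findings


def triage(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Is the real sender domain (not the display name) one we know?
    if from_domain not in trusted_domains:
        findings.append(f"sender domain {from_domain!r} is not a known client domain")

    # 2. Does a known client's name appear in a domain that is not theirs?
    haystack = f"{from_name} {from_domain}".lower()
    for trusted in trusted_domains:
        label = trusted.split(".")[0]
        if from_domain != trusted and label in haystack:
            findings.append(f"{label!r} appears in the sender, but the domain is "
                            f"{from_domain!r}, not {trusted!r} (lookalike)")

    # 3. Replies silently redirected elsewhere?
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain!r}, not {from_domain!r}")

    # 4. Link text that says one site while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for shown, real in link_mismatches(body.get_content()):
            findings.append(f"link text shows {shown!r} but points to {real!r}")
    return findings


if __name__ == "__main__":
    for warning in triage(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

A clean message from a known client produces no warnings; the constructed sample trips all four checks. The allow-list approach is deliberate: it is far easier to maintain a short list of domains you expect invoices from than to enumerate every way an attacker might spell a lookalike.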
2. Use strong, unique passwords
Always use strong passwords.
Passwords should be at least 12 characters long and include uppercase and lowercase letters as well as digits and special characters; a passphrase of several unrelated words is both long and easy to remember.
Use a password management application to generate and securely store a different password for every site.
Don’t reuse the same password across multiple sites.
If you use the same password on multiple systems, a security breach at one system lets the attacker log in to your accounts on the others.
Change a password promptly whenever you have reason to think it has been exposed, for example when a service you use reports a breach. The old advice to rotate every password on a fixed schedule (the familiar “every three months”) is no longer recommended by NIST, because it pushes people toward predictable variations of the same password; a long, unique password kept until there is reason to change it is stronger.
3. Use multifactor authentication (MFA)
MFA requires the user to present not only a password but also a second piece of evidence: a code sent by text to your mobile phone, a code generated by an authenticator app on your phone, a hardware security key, or your fingerprint. A stolen or guessed password alone is then not enough to log in. Where you have the choice, prefer an authenticator app or hardware key over text-message codes, which can be intercepted by an attacker who takes over your phone number.
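To show why a code from an authenticator app is a genuine second factor, here is an added example (not code from the article or from any product it mentions) of the algorithm such apps and the servers that accept their codes both run: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238). The phone and the server share a secret enrolled once, usually via a QR code, and each derives the same six-digit code from it and the current 30-second time step, so an attacker with only the password cannot produce the code. The secret below is the published RFC test secret, not one you would ever deploy; a real enrolment generates a random secret per user.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): the maths behind authenticator-app codes.
Added example, not the article's code."""
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# Never use a fixed secret in practice: enrol each user with
# secrets.token_bytes(20) and hand it to the app as base32 in the QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.4)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based code: HOTP with the counter set to the current 30-second step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, submitted, at=None, step=30, digits=6, window=1, last_used=-1):
    """Server-side check. Accepts the current step plus `window` steps either side
    to tolerate clock drift, compares in constant time, and refuses any counter at
    or below `last_used` so a code that was already accepted cannot be replayed.
    Returns the matched counter (to be stored as the new last_used) or None."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for offset in range(-window, window + 1):
        candidate_counter = counter + offset
        if candidate_counter <= last_used:
            continue
        candidate = hotp(secret, candidate_counter, digits)
        if hmac.compare_digest(candidate, submitted):
            return candidate_counter
    return None


if __name__ == "__main__":
    # Both sides compute the same code from the shared secret and the clock.
    now = time.time()
    phone_code = totp(RFC_TEST_SECRET, at=now)
    print("app shows:", phone_code)
    print("server accepts:", verify_totp(RFC_TEST_SECRET, phone_code, at=now) is not None)
```

Two details matter in the server-side check: the comparison is constant-time so response timing leaks nothing about the correct code, and the matched counter is recorded so the same code cannot be accepted twice within its validity window.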
4. Encrypt sensitive data
Encrypting the data you store ensures that even if hackers get their hands on it, it won’t be of any use to them. Consult a security professional to assist you with the right solution for this.
5. Keep operating systems and antivirus software up to date
Operating system updates contain security patches for vulnerabilities attackers actively exploit, so install them promptly. Keeping antivirus software updated matters too, but on its own it is nowhere near enough protection. Contact your IT or security professional for this, and ask about a patch management solution that applies updates across all your devices automatically.
6. Create a budget for security and implement solutions
A Managed Detection and Response (MDR) service is your best protection. These services combine technology with human expertise to watch your business around the clock, hunting for threats, detecting them and managing the response before they do damage. Contact a security professional to help you find a solution that’s right for you.
Truly, the costs of a cyber attack on your firm can be enormous. On top of any ransom you may feel forced to pay, there are the costs of recovering and repairing your systems, potential penalties under PIPEDA, and of course the intangible but very real cost of damaged reputation and lost clients.
“So many of my clients have taken their business elsewhere,” Shazia lamented. “I’m not sure how I’ll be able to recover.”
The urgency of protecting your chartered professional accountancy business from cyber attack cannot be overstated. Protect yourself and your livelihood. Take action now. Don’t end up like Shazia Sharp.
Ron Bar is the Founder and IT/Cyber Security Expert at Tapin2it. Tapin2it protects small to medium-sized businesses with enterprise-level cybersecurity solutions at an affordable price. With over 20 years’ experience in technology and security, Tapin2it keeps your business cyber aware, safe and protected.