Earlier this year, we met with two members of the IRS Criminal Investigations unit who shared that between three and five accounting practitioners are getting hacked every single day. With all the awareness of data breaches, security threats, and ransomware, one would think accountants would make security a priority, but many believe their firm is either not interesting enough to be a target or they assume that they are not at risk because their IT personnel are “taking care of it.”
The latest Verizon Data Breach Investigations Report (DBIR) and Identity Theft Resource Center findings clearly point out that both of those assumptions are wrong. Accounting entities are increasingly being targeted specifically for their access to tax applications and data which can be quickly converted for financial gain and because many accountants have a somewhat lackadaisical attitude towards data security, making them easier targets for hackers. We have found that firms can hire IT resources to successfully secure their networks, maintain system/workstation patches, and provide antivirus updates, but most neglect their greatest exposure, which is the exposure caused by untrained firm personnel.
Most firms will introduce a new hire to the firm’s security policies outlined in the employee handbook, but more often than not, those policies have not been updated in many years and staff have not been reminded about security since their initial onboarding. For this reason, we feel it’s important that firms mandate annual IT security briefings for all personnel to educate them on the latest cyber security threats, the warning signs of being hacked, and how to respond if they suspect a breach.
Current Threats
The 2017 DBIR found that compromised passwords were utilized in 81% of all hacks, which points out the importance of requiring difficult-to-guess passwords and changing them frequently (most providers recommend every 90 days). It’s also important to educate users to not use the same password or similar variations for multiple accounts. Oftentimes, a hacker will break into one website or vendor system and then use each individual’s login/email name and password on similar types of accounts to take control. One solution to minimize the single password risk is to utilize multi-factor authentication, which requires that anyone logging into a website prove they are the intended user by either having the website send a passcode text to their smartphone for them to enter in and verify, or having users also authenticate their identities with biometric information such as facial, fingerprint, or iris recognition. Biometric verification has been slow to roll out on a firmwide level, so dual factor authentication tools such as DUO, RSA Security, and Symantec VIP currently tend to be more viable and cost-effective solutions for accounting firms.
Employees also should be trained to be skeptical of suspicious emails that may have malware attached, which are referred to as phishing emails and are the most common entry point into the majority of firms that have been compromised. Those emails can appear to come from a client, vendor, or even from someone inside the firm and make an “unexpected and urgent” request for your personnel to review an email attachment or click on a link in the email. Cyber criminals have been known to hack travel websites and personal calendars, and even observe social media to know when employees are traveling to send requests to send information or wire funds. Employees should be regularly reminded of such phishing email threats. Services such as KnowBe4, PhishMe, and Wombat Security can be used to test and train personnel to be skeptical and respond more appropriately. Firms would do well to remind employees of phishing emails, particularly around the holidays when fake package deliveries, gift cards, and unrealistic discount scams reach their peak, and during tax season when the tax scams take off.
Personnel should also be made aware of how hackers use social engineering skills to get firm members to divulge information which can be used to compromise the network or create more convincing phishing emails. Staff need to be reminded that Microsoft and the IRS will never call/email your personnel and ask them to login/update their accounts, download a file, make a payment, send W2 information, etc., and personnel should be reminded to be skeptical of any unfamiliar person who asks them to do so. Firm members should also be trained to greet unknown personnel roaming the office and accompanying them to their intended destination to verify they are authorized to be in your office.
Something Phishy?
Unfortunately, the reality is that employees are human and will inadvertently make mistakes and click on links without realizing they have caused a breach. While some warning signs, such as a ransomware notification that locks the user out, are obvious, other signs are subtle, so it is also important to educate users on the warning signs that their workstation may have been compromised. Since tax application access is a primary financial target, firms should review the status of filed returns daily to see if any were processed without their knowledge or if any bank account changes occurred just prior to electronic filing. Other warning signs can come from changes in their workstation behavior. If firm personnel notice degradation in their computer’s performance or their computer is connecting to the Internet when idle, they should ask their IT personnel to investigate. If they see new tool bars appear in their browser, jump to unexpected website links when on the Internet, or see their cursor move unexpectedly, they should ask their IT person to check it out. Other signs of a workstation breach include passwords that stop working, getting notification of a security/virus warning, or peers contacting them about receiving odd emails. Public websites such as StaySafeOnline.org update listings of current threats and can be utilized by the firm to develop an annual security briefing.
Get Into Action
The final component of an employee security briefing is to make sure firm personnel understand what to do if they suspect a breach. The first step should be to disconnect the workstation from the Internet by unplugging the Ethernet/network patch cable from the computer. If the user is connected to the Internet wirelessly, he or she should be shown how to turn WiFi/Bluetooth connections off. The user should next contact their IT person and write down the series of events that caused concern. It’s also important that users leave their workstation on so that IT personnel can run diagnostics, evaluate the workstation, and back up any files that may possibly be needed at a later time.
Summary
While there is no 100% effective way to protect a firm from a cyber-breach, having a proactive IT team managing system security updates and requiring that all personnel be trained on current cyber security threats will go a long way in reducing the odds of that firm becoming an unfortunate statistic.
This article was originally published in Thomson Reuters Checkpoint: The PPC Accounting and Auditing Update. Copying or distribution without the publisher’s permission is prohibited.