There are some staggering figures floating around the internet about cyber-security – for example the claim by Forbes magazine that cyber-crimes will cost the global economy £147 trillion by next year, an astonishing sum.
For some Irish accountancy firms, the updating of standards of accounting practice has led to a degree of unfamiliarity with new procedures and the requirement to learn and implement new systems can create a lack of confidence in performance.
2018 sees a further three standards coming into effect: IFRS 9 (Financial Instruments), IFRS 15 (Revenue from Customer Contracts) and IFRS 16 (Leases). This is an important point, because while standards convergence can be a pain, and upgrading and learning new standards can cut into productive hours, this can also be an opportunity to engage your staff with cybersecurity issues.
Rather than treating the two as separate training schemes, consider combining them and using ongoing harmonisation of international accounting standards as a way to reiterate guidance on cyber-attacks.
So what are cyber attacks, why should Irish accountants be aware of the risks and what can you do to protect your accountancy firm from these risks?
Cyber-crime in a nutshell
Any computer related threat can be classed as cybercrime, whether or not it’s successful, so for example:
- Digital theft of personal information
- Cyber theft from your bank account
- Exposure to viruses and ransomware, malware and adware (adware often contains spyware code, which can be used to record personal information such as passwords)
- Bot-netting – when malware or some other crime allows the criminals to take control of your computers, they may use them as botnets, undertaking criminal activity which, when detected, will lead back to you, not the hidden controller of your systems
- Email phishing
- Password phishing – which can then be used to gather information from you or from third parties electronically
- Vishing – a phone call, apparently from your tech support team, bank or a police officer can be a voice phishing (vishing) attempt to obtain passwords, dates of birth and other details that can then be used to access your computer systems.
Why do all these count as crimes, whether or not they are successful? Because recovery from even an unsuccessful cyber attack can cause the organisation time, money and reputation … exposure to threat as a result of weak cybersecurity is just as disabling, regardless of whether the attack succeeds or fails.
In addition, cybercrime is evolving with exponential rapidity. A single example from February 2018 shows the almost instantaneous proliferation of new waves of cyber attack. Something called a Memcached-based DDoS attack (where hundreds of thousands of requests and contacts swamp a website, shutting it down) was first spotted on 24 February 2018. By 28 February this had become an average of 372 attacks daily, and on 8 March, when the first patch to protect against Memcached DDoS attacks was launched, the average had risen to 1,628 DDoS attack events daily.
Don’t think it could happen to you? Well the targets of this wave of attacks included:
Amazon, Avast, Google, Kaspersky, Minecraft, Pinterest, Playstation and Rockstar Games.
But this list of international giants is just the public tip of a vast iceberg that included thousands of small businesses: accountants and doctor surgeries, estate agents and law firms amongst them. And these smaller, less public businesses were focused on because they could be emptied of data that could then be used to launch ‘primed’ attacks on the bigger businesses.
How cyber-crime works
Let’s imagine you want to break into Allied Irish Banks. You probably won’t succeed without valid usernames and passwords but a big bank will be well protected. So if you’re a cyber-criminal you’ll attempt to get data from lower down the chain, from a bank manager’s accountant or a loan supervisor’s doctor, that might give you their passwords. Then, once inside the system, you can launch malware that sits and gathers up all the other passwords used by people logging onto the main computer. Within 24 hours you could have everything you need to hack the bank and transfer funds to your account in the Cayman Islands.
This isn’t a far-fetched example. Back in 2013, a small accounting firm in Connecticut was the victim of such a hacker attack. The criminal accessed the computer mainframe, identified all the annual returns that had been completed but not yet filed, and altered details to pay more tax than required. He or she then sent the returns to the IRS and immediately filed refund requests in the hope of collecting the ‘refunds’ into a false account before the accountancy firm realised what had happened. 900 individuals and businesses were targeted and although the refunds were not paid, the hacker was never caught.
Protecting your accountancy practice from cyber attack
There’s good news and bad news. While there is no one way to protect your business from cyber attacks, most of what you need to do to ensure your accountancy business is cyber-secure is simple, practical and cost-effective.
The human component of cybersecurity
The beginning and end of all security is awareness. Technology, although vital, can’t guarantee safety, but awareness, education and diligence can. Any security system will be a combination of human diligence and technical expertise and delivering cybersecurity in accountancy means finding the right combination of personal vigilance and technical support to stay ahead of the threats without finding your business handicapped by too much red tape and complexity.
The problems that most Irish accountants are likely to experience in trying to create cybercrime savviness in their teams are threefold:
- Senior team members who think that security is unimportant
- Staff confusion about which applications and services require vigilance
- Complacency about required security measures such as strong, regularly changed passwords.
This claim is supported by some evidence from a 2014 survey by Accounting Web, which found that while nearly 70% of accountants agreed that cyberattacks were at a high level, only 14% were actively protecting their businesses from cyberthreat.
As a result, many businesses will require the help of a consultant or at least need to ensure a senior team member is fully skilled in cybersecurity to educate, inform and deliver human skills that will keep the organisation safe. Technology is only as good as the people who use, misuse or fail to use it!
Let’s start at the sticky end of cybersecurity – assuming something has gone wrong, badly wrong. What do you need to have in place to recover from a disaster? First and foremost, a good back-up system is essential, and in many cases that back-up system needs a back-up too. Why? Because many of us naturally choose to back up to a cloud based data storage but as the recent Memcached-based DDoS attacks showed, the most likely targets for concerted attack are the very companies that we’re likely to be using to back up and store our data.
A secondary, local, backup system to some kind of removable device is vital if your back up partner experiences DDoS. A disaster recovery system can then utilise the back-up to restore information and allow work to continue while the threat is isolated. In addition, an effective disaster recovery plan should mean that you discover the problem or breach more quickly and allow you to adapt your disaster recovery systems to ensure that you’ve learned from the problem and created structures that prevent it happening again.
Cybersecurity threats in detail
Many people, watching malware attacks like the one which paralysed the Maersk shipping line in 2017, believe that this is the greatest threat to a business. But they’re wrong. Analysis by a major threat analysis firm reveals that over 905 of cyber-attacks begin with a phishing email. For accountants, this email will usually look legitimate, appearing to come from a known, expected contact (such as Revenue IE), and ask for apparently logical information – a technique called spear phishing. Many people open such emails, and click on the links contained within them, without a second thought – sadly, they are much more likely to do so at work than at home because the risk isn’t theirs, it’s their employers.
Two part authentication can help protect your organisation from exposure to unauthorised access. Encryption of outgoing emails also protects you from being hacked and information you send out being used against you in a spear phishing attack. Finally, regular education about not clicking email links at work is also vital.
Hardware firewalls and antivirus gateways
The UK’s National Cyber Security Centre* held a conference in Spring 2018 in which it called for every item that is part of the Internet of Things to have a ‘best before’ date. Why? Because the national body, which is part of GCHQ, believes that such items as routers and wireless hubs are the greatest threat to business security. This is because many organisations are relying on routers which can be well out of date, and can compromise all the data held in the business’s data base.
‘Gateway’ anti-virus and anti-malware are often provided for the first couple of years, but then there are no more patches and the original provider may be bought out, merged or go out of business and then there’s no support at all. Because it’s not software, many firms, especially smaller ones, don’t realise that hardware can also be compromised and expose them to cyber attack. Installing and updating gateways is important. Checking their continuing viability should be part of your ongoing cybersecurity review processes.
Pop-ups and Vishing attacks
An incredibly common and highly successful attack system is the browser popup that claims to be a warning from a reputable organisation such as Apple or Microsoft, claiming the personal computer has been infected, attacked or hacked and asking the reader to call a number to talk to an expert.
Unaware users make that call and soon find themselves talking to a personable and competent individual who, under the guise of ‘removing’ the malware, actually infects the computer often by installing ransomware. Alternatively they may download vast amounts of supposedly secure data and use it to launch further attacks. Staff education is essential to protect from such attacks.
‘Sandbox’ applications give computers the ability to access the internet without allowing reciprocal access from the internet to your computer. In other words, if somebody accidentally, or deliberately, downloads malware, any attempts to change the main computer system will be held in the sandbox rather than being allowed to alter the mainframe.
If there’s one rule that needs to be understood by everybody in your organisation – it’s that transporting data is a high risk operation. Whether it’s data held on a USB drive or on a laptop, the physical movement of data has inherent problems for an accountancy firm.
First, because data can simply be lost: an M16 agent left his laptop in a tapas bar in 2000! Secondly, data gets corrupted – it’s not unheard of for data-sticks to be dunked in cups of tea, trodden on or eaten by puppies. Thirdly, and most worryingly data theft is often straightforward. For example – many an accounting firm allows transport of software files like QuickBooks, because they are confident that the files are password protected. But unencrypted files aren’t secure – many accounting software packages are easily hacked by commonly available utilities … which means that once a laptop is taken off a secured network and used domestically, the data it contains may be wide open to unscrupulous hackers.
Transported data has to be encrypted – nothing should be allowed to leave your office without encryption – it’s a simple as that.
Wireless, cloud and remote access security
Many Irish accountants now use cloud based systems because they deliver more flexible working hours and more opportunity to communicate with clients about queries or issues at times that are good for them. It’s a boost to productivity for sure, but it can also create risks. Ensure any cloud based files or SAAS systems you use offer two stage authentication. In addition, remote access to your own files or computers requires either a virtual private network or a two level authentication system – the bad habit of saving a direct shortcut to the system on a home computer puts all your data at risk.
Finally, you need to protect your network from wireless attack: guests may need to use your system for any number of reasons, but ensure that any visitors are given a guest network rather than direct access to your entire system – not because there are any doubts about the honesty and probity of your visitors but because you simply can’t be sure that their own laptops or other devices aren’t already infected or compromised.
In conclusion – although cybersecurity is a genuine threat to the Irish accountancy sector, simple, cost-effective and easily applicable solutions exist to protect you from risk and ensure your clients can have confidence in your data security.