CPA INSIDER

Top cyberthreats targeting accounting firms

Accounting firms face threats from cyberthieves using malware, phishing expeditions, and data theft to steal treasure-troves of client and financial information.

By Malia Politzer
March 16, 2020

Please note: This item is from our archives and was published in 2020. It is provided for historical reference. The content may be out of date and links may no longer function.


No industry is immune to the harmful effects of cybercrimes, and the financial damage can be devastating.

Cybersecurity breaches are estimated to cost businesses around the world a staggering $1.5 trillion annually, according to a report from the U.K. cybersecurity firm Bromium. Additionally, nearly three-quarters of the more than 500 business leaders surveyed for Grant Thornton's 2019 Cyber Security: The Board Report reported revenue losses of up to 25% following cyberattacks.

Accounting firms — which have access to sensitive financial and other personal client data — are a top target for cybercriminals, according to Vijay Rathour, partner in the Digital Forensic Group at the London office of Grant Thornton. Many small and medium-sized companies and firms might believe themselves to be at a lower risk than the bigger, higher-revenue firms, but this simply isn’t the case, Rathour said.

“It may seem counterintuitive, but the risk of cyberattacks is disproportionately higher for smaller and medium-sized organizations, which tend to be much more reactive than proactive,” said Rathour. “They need to realize that this can happen, and they are a target.”

In fact, small and medium-sized accounting firms are often deliberate and primary targets for data theft. They host sensitive client data, they can serve as a gateway to larger or more prominent parties (their clients), and they often lack the defensive infrastructure of larger firms. That is why it is more important than ever for accounting firms to understand which risks they are exposed to and to take steps to protect themselves.

In a recent interview, Rathour outlined three of the top external cyberthreats accounting firms face and provided pointers on how to reduce a firm’s risk of becoming a victim.

Malware and ransomware. Ransomware is a type of malware that takes computers, networks, files, and sensitive data hostage by encrypting them and blocking the owner’s access. Once the data is encrypted, the attacker typically demands payment (often in a cryptocurrency such as bitcoin) to restore access to the files. According to a 2019 Ponemon and Accenture report on cybersecurity, the number of organizations experiencing ransomware attacks had increased by 15% over one year, and attacks had more than tripled in frequency over the previous two years. It is critical to invest in aggressive prevention strategies, according to Rathour. “Malware can infect your system on Monday, map out every other computer it can reach through the network, and will encrypt every file it can access — every Excel document, health records, everything,” said Rathour. “By the time you come into office on Wednesday, your entire business has been immobilized. And that’s when you get a message demanding the ransom.” Whether a company should entertain paying the ransom will vary based on the situation.


Phishing schemes. Most ransomware is delivered through phishing emails, which carry malware hidden in seemingly innocent file attachments. More sophisticated variants include “spear phishing,” which uses personal information to target a specific individual, and “whaling,” which targets high-ranking corporate officials, such as a CFO (or the CFO’s assistant). For example, few accountants would think twice about opening an email with a subject line about an invoice for a conference they knew colleagues would be attending the following week. “Cybercriminals socially engineer emails to make it more likely that someone will open them, and quite often, people do,” said Rathour.

Data theft. Cyberbreaches can have huge financial consequences. The global average cost of a data breach was $3.92 million between July 2018 and April 2019, according to an IBM and Ponemon report; for larger organizations the average was $5.11 million, while for smaller organizations with between 500 and 1,000 employees it was $2.65 million.

That figure includes the cost of the investigation and forensics needed to determine the root cause of the breach, of standing up incident response teams, of identifying the victims of the breach, of legal and consulting services, and of lost business, among other items. Across the organizations studied, which can include accounting firms, the average time between when a data breach occurred and when it was contained was approximately 279 days, according to the same IBM and Ponemon report.

How to protect the firm’s data

The most effective protection strategies begin with prevention, according to Rathour. Training employees on the risks of cyberthreats and on basic protective measures, such as not opening every email that comes in, is considered the gold standard of cybersecurity hygiene. But training alone is unlikely to reduce a firm’s risk of falling victim to cyberthreats enough, according to Rathour.

“We aren’t saying, ‘Don’t train your people’ but that it’s important to take a multilayered approach,” he said.

There are a number of practices firms can and should put in place to protect themselves from cyberthreats. For small to medium-sized firms with limited resources, the following practices in particular can make a big difference in preventing damage from cyberattacks, according to Rathour.


Have a good backup regime. Most large organizations should have multiple backup strategies, up to and including real-time backups and full-capacity replication, according to Rathour. Because that is costly, he said smaller organizations should instead retain several generations of backups (a rotation often called grandfather-father-son): one for each of the last seven days, one for each week of the last month, one for each month of the last year, and one for each calendar year. That way, if a problem strikes, they can restore from a backup taken before the damage occurred.

The backup should also be kept physically disconnected from the network, so that a malware infection cannot spread to it and encrypt the copy you were counting on. As an example of good backup hygiene, Rathour suggested that the head of the IT department deliver the backup every Friday to the office manager, who then stores it in an off-site safe. It is also a good idea to periodically test backups by actually restoring from them, he said; a backup that has never been restored is an untested backup.

“You want to make sure you have a complete off-site copy,” said Rathour. “It may be redundant for years, but the one day you need it, you’ll be grateful to have a backup that allows you to go back to business as usual as quickly as possible. Business interruption is the major risk.”
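The rotation Rathour describes has to be applied somewhere: something must decide, each day, which of the backups on hand are still needed and which can be recycled. The script below is an added example written for this article, not code from the article or from Grant Thornton. It implements the grandfather-father-son selection on a list of backup dates and returns the set to keep; the tier sizes (7 daily, 4 weekly, 12 monthly, every year) are the ones stated in the text, and the 400 days of daily backups in `daily_backups` are constructed sample input.

```python
"""Grandfather-father-son backup rotation, as described in the article.

Keeps one backup for each of the last 7 days, the newest backup in each of
the last 4 ISO weeks, the newest in each of the last 12 calendar months, and
the last backup of every calendar year.  Everything else may be recycled.
"""
from datetime import date, timedelta


def _newest_per_bucket(dates, key):
    """Map each bucket key (week, month or year) to the newest backup in it."""
    newest = {}
    for d in dates:
        k = key(d)
        if k not in newest or d > newest[k]:
            newest[k] = d
    return newest


def select_backups_to_keep(backup_dates, today, daily=7, weekly=4, monthly=12):
    """Return the set of backup dates to retain under the GFS rotation."""
    dates = sorted(set(backup_dates))
    keep = set()

    # Son tier: every backup taken in the last `daily` days (today inclusive).
    daily_window = {today - timedelta(days=i) for i in range(daily)}
    keep |= {d for d in dates if d in daily_window}

    # Father tier: the newest backup in each of the last `weekly` ISO weeks.
    def week_key(d):
        return tuple(d.isocalendar())[:2]  # (iso_year, iso_week)

    recent_weeks = {week_key(today - timedelta(weeks=i)) for i in range(weekly)}
    by_week = _newest_per_bucket(dates, week_key)
    keep |= {d for k, d in by_week.items() if k in recent_weeks}

    # Grandfather tier: the newest backup in each of the last `monthly` months.
    def month_key(d):
        return (d.year, d.month)

    recent_months, (y, m) = set(), (today.year, today.month)
    for _ in range(monthly):
        recent_months.add((y, m))
        y, m = (y - 1, 12) if m == 1 else (y, m - 1)
    by_month = _newest_per_bucket(dates, month_key)
    keep |= {d for k, d in by_month.items() if k in recent_months}

    # Yearly tier: the last backup of every calendar year, kept indefinitely.
    keep |= set(_newest_per_bucket(dates, lambda d: d.year).values())
    return keep


def select_backups_to_delete(backup_dates, today, **tiers):
    """The complement: backups the rotation no longer needs, oldest first."""
    keep = select_backups_to_keep(backup_dates, today, **tiers)
    return sorted(d for d in set(backup_dates) if d not in keep)


def daily_backups(end, n):
    """Constructed sample input: one backup per day for the n days ending on `end`."""
    return [end - timedelta(days=i) for i in range(n)]


# Constructed scenario: the article's publication date, with 400 daily backups on hand.
DEMO_TODAY = date(2020, 3, 16)


def demo():
    """Apply the rotation to the sample scenario and return the dates kept."""
    return select_backups_to_keep(daily_backups(DEMO_TODAY, 400), DEMO_TODAY)


if __name__ == "__main__":
    kept = sorted(demo())
    print(f"400 backups on hand, keeping {len(kept)}:")
    for d in kept:
        print(" ", d)
```

On the sample scenario the rotation keeps 20 of the 400 backups: the last seven days, the Sundays that close the two older weeks still inside the four-week window, and the month-end backups back to April 2019. Run it against the real catalogue of backup dates before recycling any media, and compare the list it returns with what the off-site safe actually contains; a rotation that is only documented, never reconciled, is the kind of gap that shows up on the day the restore is needed.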

Create an environment of “security by design.” Most accountants are familiar with segregation of duties as part of standard internal controls. Rathour suggested that it is equally good practice for firms to segregate access to data, both virtually and physically.

“Make sure the majority of your people only have access to the data they actually need to do their jobs,” Rathour said. “That way, if one person’s computer is breached, all the company data won’t be compromised.”

According to Rathour’s recommendations, an organization should physically segment its environment, virtually segment the computers within it, and then segregate the datasets themselves. For example, a personal assistant should not need access to an executive’s private files, but should have access to the executive’s calendar. Under a “least privilege” approach, each staff member has the minimum access required to do their job, and nothing more, so that one compromised account exposes only what that account could reach.

Delete old, irrelevant data files. Data breaches can be extraordinarily expensive, costing a company an average of approximately $150 per record, according to the IBM and Ponemon report. Given that the average breach in the same report involved 25,575 records, that quickly adds up. To limit the loss in case of a breach, Rathour suggested strategic pruning: firms review their data and delete records they are no longer legally or commercially obligated to keep. Data you no longer hold cannot be stolen.


“Many firms have a legal obligation to hold on to records for seven years, but why do we have it for eight years?” said Rathour. “You have to think, why am I holding on to data which, if lost, would create commercial harm?”
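A pruning review is easy to get wrong in both directions: deleting something still under a retention obligation or litigation hold, or never deleting anything because nobody wants to run the command. The script below is an added example written for this article, not code from the article or from Grant Thornton. It flags files whose last-modified time is older than a retention period, skips anything under a directory marked as a legal hold, and deletes only when `dry_run=False` is passed explicitly. The seven-year period is taken from Rathour's remark above; the directory layout, file names and ages in `build_sample_tree` are constructed sample data, and the hold directory name `hold` is an assumption.

```python
"""Strategic pruning: find files past the retention period, skip legal holds,
and delete only on explicit request.  Added example; not the article's code."""
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION_YEARS = 7  # assumption: the seven-year obligation Rathour mentions


def find_expired_files(root, retention_years=RETENTION_YEARS, legal_hold=(), now=None):
    """Files under `root` last modified before the retention cutoff and not on hold.

    `legal_hold` lists paths (relative to root) that must never be pruned,
    e.g. a matter directory frozen for litigation.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=365 * retention_years)  # day-level precision is enough here
    root = Path(root)
    holds = [(root / h).resolve() for h in legal_hold]
    expired = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        resolved = path.resolve()
        if any(resolved == h or h in resolved.parents for h in holds):
            continue  # under legal hold: never a deletion candidate, however old
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < cutoff:
            expired.append(path)
    return sorted(expired)


def prune(root, dry_run=True, **kwargs):
    """Delete expired files.  The default is a dry run that only reports them."""
    victims = find_expired_files(root, **kwargs)
    if not dry_run:
        for p in victims:
            p.unlink()
    return victims


def build_sample_tree(base, now):
    """Constructed sample data: three files with back-dated modification times."""
    samples = {
        "tax/2011/return.pdf": 9 * 365,         # past the window: deletion candidate
        "tax/2019/return.pdf": 1 * 365,         # recent: keep
        "hold/litigation/2009.xlsx": 11 * 365,  # old, but under legal hold: keep
    }
    for rel, age_days in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
        ts = (now - timedelta(days=age_days)).timestamp()
        os.utime(p, (ts, ts))  # back-date the file so the age check has something to see


def demo():
    """Dry run, then a real prune, on the sample tree.

    Returns (relative paths flagged by the dry run, files left after pruning).
    """
    now = datetime(2020, 3, 16, tzinfo=timezone.utc)  # constructed reference date
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base, now)
        flagged = prune(base, dry_run=True, legal_hold=["hold"], now=now)
        prune(base, dry_run=False, legal_hold=["hold"], now=now)
        remaining = sum(1 for p in base.rglob("*") if p.is_file())
        return [p.relative_to(base).as_posix() for p in flagged], remaining


if __name__ == "__main__":
    flagged, remaining = demo()
    print("Dry run flagged:", flagged)
    print("Files remaining after prune:", remaining)
```

The dry run flags only `tax/2011/return.pdf`; the 2019 return is inside the window and the litigation file is protected by the hold even though it is the oldest of the three. Modification time is a reasonable first cut for a file share, but it is not the retention date a regulator cares about: a record's clock starts at the end of the engagement or tax year it belongs to, so in practice the cutoff per record should come from the document management system's metadata rather than from the filesystem.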

Data breaches, malware, and ransomware attacks are not just expensive — leading to potential losses in millions — but they can also mar the reputation of an accountancy firm for years.

By putting in place these simple prevention strategies — a good backup regime, security by design, and periodic deletion of old files — firms can reduce the risk of becoming victims.

— Malia Politzer is a freelance writer based in Spain. To comment on this article or to suggest an idea for another article, contact Drew Adamek, a JofA magazine senior editor, at Andrew.Adamek@aicpa-cima.com.
