Prevent Your Accountancy Firm from Getting Hacked
- Avoid loss of customer data
- Avoid financial loss due to invoice fraud
- Avoid reputational damage
Since the pandemic, the median cost of a cyber-attack for Irish SMEs has risen from €8,900 to €50,732 *Hiscox Insurance, 2020
Picture the scene: an ordinary Tuesday afternoon. Being hacked was the last thing you expected.
“No cyber-criminal would want to target an Irish accountancy firm”
It’s fully understandable why you might think this: the national and international media tend to report cybersecurity events only when a well-known organisation is involved. Thus, when people think of incidents of hacking or data breach, they typically associate them with large, prominent organisations. Psychologists refer to this as the “availability bias,” and it can lead many small-to-medium sized business operators to develop a skewed perception of cyber-risk.
“We already have a firewall, email gateway and anti-virus software to prevent such attacks”
Great! But technical defences such as firewalls, email gateways and antivirus are not a catch-all. Many organisations that fall victim to cyberattacks had well-configured security controls in place. Cybercriminals are not stupid: they design their malicious software to evade these controls, encrypting or obfuscating their payloads so that they fly under the radar, and testing them against mainstream antivirus products before they are sent.
These attacks also rely heavily on duping the user into running the malware themselves. A classic trick that continues to work is to hide malicious code inside an Excel attachment, as a macro or an embedded object. The file looks like an ordinary spreadsheet; once the user opens it and clicks “Enable Content”, the malware runs and installs itself on their system. This could be data-stealing malware that sends Office 365 passwords or online banking logins back to the threat actor.
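The Excel trick above works because a modern Office file is a zip archive, and the parts that can carry code (a VBA project, an embedded OLE object) have well-known names inside it. The check below, an added example written for this page rather than anything from the training material, opens an attachment as a zip and lists those parts so the file can be quarantined before a user ever sees an “Enable Content” button. The sample attachments are constructed in memory; the part names and the quarantine rule are assumptions for the example.

```python
"""Inspect an Office Open XML attachment (.xlsx/.xlsm/.docx) for the archive
parts that let it carry executable content: a VBA macro project or an
embedded OLE object. Checking the contents, not the file extension, matters
because a macro-enabled workbook can be renamed to .xlsx."""
import io
import zipfile

# Archive member names (lower-cased) that mean "this document can run code".
MACRO_PART_SUFFIX = "vbaproject.bin"
EMBEDDED_PREFIXES = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")


def risky_parts(data: bytes) -> list:
    """Return the names of macro or embedded-object parts found in an OOXML
    file. Returns an empty list for a data-only workbook or a non-zip file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not OOXML at all; leave it to other checks
    found = []
    for name in names:
        lower = name.lower()
        if lower.endswith(MACRO_PART_SUFFIX) or lower.startswith(EMBEDDED_PREFIXES):
            found.append(name)
    return sorted(found)


def should_quarantine(data: bytes) -> bool:
    """Gateway rule for this example: any macro or embedded object is held."""
    return bool(risky_parts(data))


def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a clean workbook, a macro-enabled one, and one with an
# embedded OLE object (the payload bytes are placeholders).
CLEAN_XLSX = _build_ooxml({"xl/workbook.xml": "<workbook/>"})
MACRO_XLSM = _build_ooxml({"xl/workbook.xml": "<workbook/>",
                           "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
OLE_XLSX = _build_ooxml({"xl/workbook.xml": "<workbook/>",
                         "xl/embeddings/oleObject1.bin": b"MZ placeholder"})

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_XLSX), ("macro", MACRO_XLSM), ("ole", OLE_XLSX)):
        print(label, "quarantine" if should_quarantine(sample) else "allow", risky_parts(sample))
```

Because the rule looks at the archive contents, renaming a .xlsm to .xlsx or wrapping it in a misleading filename does not help the attacker; password-protected zips and non-OOXML formats (old .xls binaries, PDFs) need separate handling.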
“This is something we’re really careful about. Our staff have been warned not to click on any suspicious attachments.”
Good cybersecurity habits are about more than not clicking on suspicious attachments. Good security hygiene also means understanding the basic ways cybercriminals operate, and reflecting on how you would react when faced with a particular cyber or information security threat. That is exactly what our training provides: it gives your employees the chance to think through how they would respond before the threat arrives.
A common theme in our feedback forms is that participants come away seeing IT security and cyber risk in a completely different way. That is exactly the goal: attitudinal change is strongly correlated with behaviour change. Cyber-resilient employees are one of the best investments you can make to reduce the probability of a cyber incident or data breach in your accountancy firm.
It’s the little things that can lead to a cyberattack or data breach.
It’s Thursday night at 10:30pm. One of your employees is relaxing on the sofa watching Netflix. Their smartphone pings: a new email has arrived, from a sender they have never heard of, with a “remittance advice” file attached. It looks as though it was meant for another company, but curiosity gets the better of them and they tap on it. The attachment is not a document at all but a lure: it opens a fake Office 365 sign-in page, and the password they type is sent straight to the threat actor’s server. The cybercriminal now has access to their email account.
The computer of one of your employees has been running very slowly of late. Even opening Excel files and checking email has become laborious. So he finds a free “tune-up” program on the internet that claims to speed it up. Unbeknownst to him, the tune-up program contains data-stealing malware. The malware steals the employee’s VPN credentials, which give the cybercriminal access to your network. From there they can exfiltrate your clients’ data and harvest more login credentials, all thanks to a seemingly harmless tune-up program.
One of your employees is a big karate fan. He attends karate classes, watches karate clips on YouTube and listens to podcasts about karate. He has also subscribed to a karate fansite in the USA, using the same email address and password he uses for Microsoft OneDrive. Unfortunately, the karate website gets hacked, and the attackers steal the membership database along with the login passwords. Using a technique known as credential stuffing, in which stolen email-and-password pairs are replayed against other services, the cybercriminal group gains access to your firm’s OneDrive account, which holds some very confidential client information. The employee never imagined that registering on a karate website could lead to his accountancy firm being hacked. A unique password for every site, and multi-factor authentication on the OneDrive account, would have stopped this attack.
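Credential stuffing leaves a recognisable fingerprint in a cloud service’s sign-in log: one source address trying many different accounts in a short window, with most attempts failing because the leaked passwords are stale. The script below, an added example written for this page and not part of the training content, runs that detection over a constructed sign-in log and reports which accounts the attacker actually got into. The log format, the IP addresses, the account names and the thresholds are all assumptions for the example.

```python
"""Flag credential-stuffing activity in a sign-in log: a single source IP
attempting many distinct accounts within a short window, mostly failing,
and report any account where an attempt succeeded."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sign-in events (not real log data).
# Columns: ISO timestamp, source IP, account, result
SAMPLE_LOG = """\
2024-03-07T10:00:01 198.51.100.7 alice@example.ie FAIL
2024-03-07T10:00:02 198.51.100.7 bob@example.ie FAIL
2024-03-07T10:00:02 198.51.100.7 carol@example.ie FAIL
2024-03-07T10:00:03 198.51.100.7 dave@example.ie SUCCESS
2024-03-07T10:00:04 198.51.100.7 erin@example.ie FAIL
2024-03-07T10:00:05 198.51.100.7 frank@example.ie FAIL
2024-03-07T10:05:00 203.0.113.9 alice@example.ie FAIL
2024-03-07T10:05:10 203.0.113.9 alice@example.ie FAIL
2024-03-07T10:05:20 203.0.113.9 alice@example.ie SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_ACCOUNTS = 5                 # distinct accounts from one IP in the window
MIN_FAIL_RATIO = 0.5             # stuffing lists are mostly stale passwords


def parse(log: str) -> list:
    """Turn log lines into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect(events: list) -> dict:
    """Return {ip: {"accounts": n, "failures": n, "compromised": [users]}}
    for source IPs whose activity matches the credential-stuffing pattern."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            accounts = {u for _, u, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            if len(accounts) >= MIN_ACCOUNTS and fails / len(window) >= MIN_FAIL_RATIO:
                hit = {
                    "accounts": len(accounts),
                    "failures": fails,
                    "compromised": sorted({u for _, u, ok in window if ok}),
                }
                # Keep the widest view of this attacker's activity.
                if ip not in alerts or hit["accounts"] > alerts[ip]["accounts"]:
                    alerts[ip] = hit
    return alerts


if __name__ == "__main__":
    for ip, info in detect(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts tried, {info['failures']} failures, "
              f"successes on {info['compromised'] or 'none'}")
```

The second address in the sample (one account, three attempts, then success) is a user mistyping their own password and is deliberately not flagged; it is the breadth of accounts from one source, not the failure count, that distinguishes stuffing from an ordinary bad morning. Accounts listed under compromised should have their sessions revoked and passwords reset, and the event is a good prompt to enforce multi-factor authentication.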
“So, they get into your email system or cloud storage service—so what?”
If a cyber-criminal gets into your email system or cloud storage provider, they can do a lot of damage.
Here are some examples:
Attack Scenario: Phishing
One of your employees gets “phished.” Phishing occurs when threat actors disguise malicious content (an email, a link, a login page) as something innocuous. Your employee divulges confidential information, such as bank account details or Office 365 or SharePoint credentials, to the threat actor. It is estimated that phishing is the initial breach vector in 81% of all cyberattacks.
Attack Scenario: Malware Propagation using your Firm’s Email Account
A trusted email account is of significant value to a cybercriminal group: it is far easier to spread malware (such as ransomware) from an established, trusted account than from a new one. Typically the attackers phish an employee, gain access to their mailbox, and use it to send malicious attachments or links to everyone in the contact list. For the business concerned, this can result in its email domain being blocklisted by spam filters, so that legitimate mail stops arriving. Having one of your email addresses tied to a malware campaign also damages your firm’s reputation.
Attack Scenario: Business Email Compromise
A hacker obtains a user’s email credentials, usually via a phishing attack, and quietly observes the activity in the mailbox, often adding a forwarding rule so they can keep reading mail without logging in again. When a substantial invoice is due to be paid, they intercept it, change the bank account details and send it on to your client. Business email compromise can also happen in reverse: you or one of your employees could inadvertently pay an invoice sent by a cybercriminal. Many users are confident they would never fall for a ruse like this, but the pretexts used by some cybercriminal groups are very convincing, and even the most prudent employees have paid.
Attack Scenario: The Fake Invoice
A fake invoice with your firm’s name on it gets sent to your clients. The attackers copy your real invoice template, change the bank details, and send a bogus invoice requesting payment to all your clients, with a clever pretext as to why your bank account details have changed. Unfortunately, some of your clients will fall for it and pay, putting your accountancy firm in a very difficult position.
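Both the business email compromise and the fake invoice scenarios above turn on one thing: the payee bank details on an invoice differ from what the paying firm already has on record. The control that catches both is mechanical and belongs in the accounts-payable process, not in anyone’s judgement on the day. The example below, added for this page and not part of the training material, validates the IBAN on an incoming invoice (ISO 13616 mod-97 check) and holds any invoice whose account differs from the supplier master record until it is confirmed by phone on a number already on file. The supplier, the IBANs and the invoice texts are constructed for the example.

```python
"""Hold invoices whose payee IBAN differs from the supplier master record,
so a "new bank details" request is verified out of band before payment."""
import re

# Loose pattern for an IBAN as it appears on a document (spaces allowed).
IBAN_ON_PAGE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
# Strict pattern for a normalised IBAN (no spaces).
IBAN_STRICT = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 checksum: move the first four characters to the end,
    replace letters with 10..35, and the number must be congruent to 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not IBAN_STRICT.fullmatch(s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


# Constructed supplier master record (example IBAN, not a real account).
SUPPLIER_MASTER = {
    "Murphy Office Supplies": "IE29AIBK93115212345678",
}


def check_invoice(supplier: str, invoice_text: str) -> tuple:
    """Decide whether an invoice may proceed to payment.
    Returns ("pay", reason), ("hold", reason) or ("reject", reason)."""
    found = IBAN_ON_PAGE.findall(invoice_text)
    if not found:
        return ("hold", "no IBAN found on invoice")
    iban = found[0].replace(" ", "")
    if not iban_valid(iban):
        return ("reject", f"IBAN {iban} fails its checksum")
    on_file = SUPPLIER_MASTER.get(supplier)
    if on_file is None:
        return ("hold", f"unknown supplier {supplier!r}: verify before paying")
    if iban != on_file:
        return ("hold", f"bank details changed from {on_file} to {iban}: "
                        "confirm by phone using the number already on file")
    return ("pay", "bank details match the supplier master record")


# Constructed invoices: genuine, a redirect attempt, and a mistyped IBAN.
GENUINE = ("Invoice 1042 from Murphy Office Supplies\n"
           "Amount: EUR 4,250.00\n"
           "Pay to IBAN: IE29 AIBK 9311 5212 3456 78\n")
FRAUD = ("Invoice 1043 from Murphy Office Supplies\n"
         "Please note our NEW bank details following an audit.\n"
         "Pay to IBAN: GB82 WEST 1234 5698 7654 32\n")
TYPO = ("Invoice 1044 from Murphy Office Supplies\n"
        "Pay to IBAN: IE29 AIBK 9311 5212 3456 79\n")

if __name__ == "__main__":
    for label, text in (("genuine", GENUINE), ("fraud", FRAUD), ("typo", TYPO)):
        decision, reason = check_invoice("Murphy Office Supplies", text)
        print(f"{label}: {decision} ({reason})")
```

The redirect invoice passes the checksum, which is the point: a well-formed IBAN proves nothing about who owns the account, so a change is only ever released after a call back to the supplier, never to a number printed on the invoice itself. The same rule applied by your clients protects them from a forged invoice carrying your firm’s name.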
Attack Scenario: Ransomware
Ransomware attacks cripple your computers and backups, and the attackers demand payment to restore your systems.
Your accountancy firm could be targeted with a crypto-ransomware attack. This usually occurs after a malicious email attachment or URL (weblink) is inadvertently opened, causing your computers and servers to become encrypted. In many cases, because modern strains of ransomware spread so effectively across a network, your on-site backup will also become encrypted. To “decrypt” your data, the hacker will usually demand a ransom payment in a cryptocurrency such as Bitcoin. Even if the ransom is paid in full, there is no guarantee that your data will be decrypted: in an estimated 27% of cases the criminals simply take the money and run. An offline or immutable copy of your backups, which the ransomware cannot reach, is the only reliable route to recovery.
“We don't have anything valuable here for cyber-criminals to steal”
As an accountancy firm, your business holds a treasure trove of useful information for cybercriminals.
For example:
- PPS numbers
- Bank account details
- Email addresses of business operators
- Dates of birth of business operators
All this information can be invaluable in carrying out fraudulent activity such as invoice fraud, ransomware attacks, spear-phishing attacks, and identity theft.
Moreover, a cybercriminal group can use your IT infrastructure (your Office 365 tenant, email accounts and IP addresses) as a launchpad to attack other entities, including your own clients.
What is the best way to prevent a cyberattack on my accountancy firm?
The American Institute of Certified Public Accountants wrote an article entitled “A cyber-attack could spell disaster for your CPA firm.” Of course, they advised putting technical controls in place, but one of their strongest recommendations is to “Conduct regular security awareness training for all employees.”
What will you and your employees learn during our cybersecurity awareness training for accountants?
- An overview of current cyber threats in circulation, with real-life examples.
- How to detect phishing, smishing, and spear-phishing attacks.
- How to detect and mitigate ransomware attacks.
- How to avoid infection by polymorphic viruses, data-stealing malware, rootkits, and remote access trojans.
- How to detect and prevent invoice fraud.
- How to prevent the accidental disclosure of data.
- How to keep your passwords and devices secure.
- How to prevent social media use leading to a hack or data breach.
- How to prevent your organisation’s email system being compromised and used to propagate malware or bogus invoices to your customers.
Call us on +353 1 254 9702 and learn how your accountancy firm can lower its cyber-risk. Or, fill out our contact form and we'll get back to you shortly.