Are you an accounting professional? If so, there are a lot of cyber attackers who would like to meet you. Just ask the security professionals at Deloitte Touche Tohmatsu Ltd., which is reeling from a late September attack, the scope of which is still unknown.
Accountants hold a special place of honor in the hacker community. They’re privy to the kind of information that commands some of the highest premiums on the dark web of stolen data. That makes them prime targets for all manner of cyber thieves. They are also especially vulnerable to damage from attacks. Clients trust their accountants as stewards of highly sensitive information. A breach can be devastating to an accounting firm’s reputation.
Accounting computer systems are brimming with information that attackers covet:
Client Social Security numbers – Cyber criminals can use this information to unlock a wealth of fraud and identity theft opportunities. This includes signing up for credit cards under stolen identities and compromising bank and healthcare accounts through social engineering. Once attackers have a Social Security number, they’re halfway to their goal of disrupting clients’ lives.
Address, phone number and date of birth – All standard fields on a 1040 form, this is the rest of the information attackers need to create fictitious credit accounts and hijack existing ones.
Names of spouses, children, places of employment and annual income – Also useful in identity fraud, spouse and street address names can be used to get past security barriers such as challenge questions. Together with the other private information noted above, attackers may be able to successfully talk their way past customer representatives to gain access to financial accounts.
Health records – 1099-HC forms and medical receipts reveal a bounty of information that hackers can use for insurance or prescription fraud. In fact, health records currently fetch the highest price on stolen information exchanges.
Employer information – Criminals who can access Employer Identification Numbers, payroll information and contact names in an organization’s accounting department can file fraudulent expense reports, invoices and insurance claims.
Financial records – Year-end tax financial documents that clients give their accountants usually include account numbers. Taxpayers also routinely share receipts that include credit card information. These can be used for check and credit card fraud, or to access accounts through social engineering.
Email addresses – Armed with a bank account and email address, a hacker may be able to hijack online banking and stock accounts through a simple “forgot password” process. Email addresses can also be spoofed, enabling the criminal to send realistic-looking messages to others that appear to come from a legitimate sender.
Fortunately, the vast majority of attacks can be prevented with a few simple measures such as using strong passwords, encrypting files, guarding account access and being cautious with email. Accountants should take some additional steps as well:
1. Client information
Start with the information you keep about your clients. Paper records are less convenient but more secure than electronic ones, since they can be kept under lock and key. It’s tempting to scan and convert paper documents to images, but if you do, be careful where you store those electronic files. An encrypted local hard drive or USB drive protected by two-factor authentication (2FA) is best. If you prefer to store in the cloud, use a service provider that offers 2FA at a minimum. An even better option is a secure online vault that encrypts stored documents.
Accounting software can be expensive, so it’s tempting to want to share accounts among multiple users. Please don’t do this. The more people who know the logon credentials, the greater the chance of disclosure. Even if you trust everyone in your firm implicitly, that doesn’t mean they’re exercising the same good security practices that you are. Look into multi-user licenses, which can often be purchased at a significant discount.
2. Document security
While most commercial accounting software products are pretty secure, be cautious about downloading records or reports to a local computer. Microsoft Excel security is limited to a single password, which is not sufficient for accounting use. You need 2FA at the machine level as well. For the same reason, you should avoid emailing spreadsheets containing sensitive information to clients or colleagues unless done on an internal, secure email system.
Sending documents as PDF files isn’t much safer, although PDF does offer an additional layer of protection through encrypted copy protection. This ensures, at least, that only one copy of the document exists. When providing passwords to recipients, don’t opt for a simple approach like the last four digits of a Social Security number. It’s better to call your clients and read passwords to them over the phone, or to agree to a password during one of your planning meetings. Never send passwords by email.
3. Email safety
Email is a major vulnerability point. When exchanging emails with clients, make sure their email providers support Transport Layer Security (TLS), a stronger successor to Secure Sockets Layer (SSL). Most commercial email services now offer one or both of these protocols, but it may be up to the user to activate them. If you’re going to communicate with clients by email, be sure they have done so.
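One way to verify the point above before relying on a client's mail server, as an added example that is not part of the original article: connect to the client's mail server (the MX host for their domain, which you can find with `nslookup -type=mx example.com`), see whether it advertises STARTTLS, and record which TLS version it actually negotiates. The `smtp_factory` parameter is an assumption of this example so the check can be exercised against a fake server offline.

```python
"""Check whether a mail server offers STARTTLS and which TLS version it negotiates."""
import smtplib
import ssl

# Versions that should not be relied on for client correspondence.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def check_starttls(host, port=25, timeout=10, smtp_factory=smtplib.SMTP):
    """Return a dict describing the server's TLS posture.

    host: the mail server name, e.g. the MX host of the client's domain.
    smtp_factory: normally smtplib.SMTP; injectable (hypothetical parameter)
                  so the logic can be tested against a fake server offline.
    """
    result = {"host": host, "starttls_offered": False,
              "tls_version": None, "verdict": "unknown", "error": None}
    try:
        with smtp_factory(host, port, timeout=timeout) as conn:
            conn.ehlo()
            if not conn.has_extn("starttls"):
                result["verdict"] = "FAIL: server does not offer STARTTLS"
                return result
            result["starttls_offered"] = True
            # The default context verifies the certificate chain and hostname,
            # so a self-signed or mismatched certificate raises ssl.SSLError.
            conn.starttls(context=ssl.create_default_context())
            version = conn.sock.version()
            result["tls_version"] = version
            conn.ehlo()  # EHLO must be re-issued after the TLS upgrade
            if version in WEAK_TLS:
                result["verdict"] = f"WARN: only {version} negotiated"
            else:
                result["verdict"] = f"OK: {version}"
    except (OSError, smtplib.SMTPException) as exc:  # ssl.SSLError is an OSError
        result["error"] = str(exc)
        result["verdict"] = "FAIL: " + str(exc)
    return result


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(check_starttls(name))
```

A FAIL means mail to that server would travel in plain text; a WARN means encryption is present but on a protocol version you should not accept for sensitive documents.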
Also take steps to ensure that your office staff is on high alert for phishing attacks, in particular spear phishing, which targets specific individuals. Accountants are primary targets because of the value of information they hold. Savvy spear phishers are so good at trickery that their emails may be almost impossible to detect. Teach colleagues to look closely at originating email addresses and never click on a link unless they are certain where it takes them.
4. Public safety
Accountants should never use public Wi-Fi services to access or exchange sensitive information. Hackers can easily tap into public data streams and intercept data in plain text format. If you’re planning to use a public computer, invest in VPN software for end-to-end encryption.
Never put sensitive information on your smart phone unless you’re willing to protect it with 2FA. For the sake of convenience, many people use a simple PIN, pattern match or biometric protection. Research has shown that PINs and patterns can be guessed by human or video observation, and that even face and fingerprint recognition systems don’t provide absolute protection. At a minimum, you need a combination of the two. You should also take advantage of features for remote phone locking and wiping.
It’s never been truer than in accounting security that an ounce of protection is worth a pound of cure. Follow these guidelines and your chances of being compromised are minimal. Your clients will appreciate you for it.