On ransomware: How to stay safe in the cloud
The recent spate of ransomware attacks against cloud-based accounting platforms has left many firms on edge, wondering about the security of data within their own firms — and rightly so. When a cyberattack strikes a hosted accounting system, it impacts the firm’s data and, more importantly, can expose critical client data.
Ransomware, which is frequently delivered through spear-phishing emails (emails that use social engineering to trick the receiver into giving out private information), is a type of malicious software that blocks users from accessing critical systems and data until a ransom is paid. According to FBI statistics, in 2018 alone U.S. businesses paid more than $3.6 million to hackers in these kinds of attacks. And that number doesn’t even include lost business, time, wages, files, equipment or third-party remediation services.
Law enforcement, government agencies and even leaders within the accounting profession have become more aggressive in the fight against such cybercrimes; however, cybercriminals have also become more sophisticated, more tailored in their attacks and more successful in damaging enterprise networks.
In fact, Cybersecurity Ventures predicts that there will be a ransomware attack on businesses every 14 seconds by the end of 2019 and every 11 seconds by 2021. Cybersecurity Ventures also predicts that global ransomware damage costs will reach $20 billion by 2021 — that’s 57 times more than it was in 2015.
As trusted advisors and keepers of vast amounts of sensitive client data, firms of all sizes can be dealt a devastating blow by ransomware. Falling victim to such attacks could lead to a loss of sensitive information (permanent or temporary), a disruption to regular business operations, financial losses and damage to a firm’s reputation.
Earlier this year, hosting provider Cetrom fell victim to a malicious virus that began encrypting files. Without other recourse, Cetrom took its systems offline to safeguard data as it scrambled to find the source of the breach. Meanwhile, CCH, a suite of accounting products under the Wolters Kluwer Tax & Accounting umbrella, also suffered a recent malware infection, Accounting Today reported.
We at AbacusNext also know how distressing a cyberattack can be. Just months after we acquired the hosting service Cloud9 in 2017, the service experienced a ransomware attack. Per our incident response plan, we immediately shut down the Cloud9 network and deployed engineers to our data centers. Ultimately 100 percent of our clients’ files were recovered successfully, but the incident did leave them without access to their data as our staff worked around the clock to restore files and ensure that the threat was contained.
These examples serve as an important reminder to accounting firms of the cyberthreats facing their business and the importance of taking a proactive approach to mitigate risks.
To help safeguard your clients’ data and your business, consider the following proactive measures.
Review a provider’s security capabilities
To ensure that your clients’ data is safe and secure when in the hands of a cloud-hosting provider, it is important to review the provider’s capability to secure data. Factors to consider include:
- Is the provider a full-spectrum electronic protected health information (ePHI) and HIPAA compliance-ready solution?
- Are its data centers in compliance? Given the current cybersecurity threat landscape and increasingly strict compliance standards, it has become common for organizations of all sizes to require strict assurance of certifications when contracting with third-party professionals. Those without certification are at a disadvantage. Common compliance standards include, but are not limited to, SOC 1, SOC 2, SOC 3 and SSAE 16.
- Does the provider offer multifactor authentication? If so, ensure universal implementation throughout your firm.
- Do the data centers leverage biometric authentication?
- Does the provider encrypt all data at the database level, both in transit and at rest?
“You can take all the cybersecurity steps in the world, but tax professionals and others in the business world should remember you are only as safe as your least educated employee,” said Chuck Rettig, IRS commissioner, in a recent press statement.
Rettig is right. Do not underestimate the importance of staff education. Take steps to raise staff awareness of cyberthreats and educate them on what to look for to help protect against attacks. As outlined by the IRS, encourage staff to adhere to the following:
- Use separate personal and business email accounts.
- Never open or download email attachments from unknown senders, including potential clients; make contact first by phone.
- Send only password-protected and encrypted documents if files must be shared with clients via email.
- Do not respond to suspicious or unknown emails.
Some additional security measures that firms must consider:
- Patch all operating systems and applications (vulnerability management).
- Make backup copies of important business data and information.
- Secure wireless access points and networks.
- Limit access to data and information by employees, and restrict the authority to install software.
- Install and activate software firewalls on business systems.
- Provide security for internet connections.
- Plan faux-phishing campaigns to educate employees on best practices.
- Conduct quarterly reviews of your security plan.
Have an incident response plan
Securing sensitive client data isn’t just good for your business and reputation. It’s also the law. Under the Federal Trade Commission’s Safeguards Rule, tax preparers must create and enact data security plans.
According to the FTC, the written information security plan, which describes a company’s program to protect customer information, must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles.
Threats evolve as hackers become increasingly savvy and sophisticated, so it’s important to regularly evaluate and test your firm’s security plan and other safeguards you have in place.
And remember: If your firm suffers a breach, how you respond—and how quickly you respond—can significantly impact your firm and its reputation. Therefore, it’s important to create an action plan outlining the steps your firm would take in the event of an attack. This can save your firm time and help mitigate further damage should an attack occur.
Ransomware poses a threat to firms of all sizes. Safeguarding your clients’ sensitive data and protecting your business start with taking proactive measures to mitigate risks. For help, turn to a technology partner that understands your firm’s unique needs and can assist with disaster recovery planning and reliable backup solutions.