ACCOUNTING FIRMS FACE GROWING CYBER THREAT

TECHNOLOGY

BY JAKE KOUNS

Bad news about data security is everywhere you look these days. With major breaches at Target and Neiman Marcus grabbing headlines, it might seem like data security is a problem for only the largest organizations handling millions of credit card transactions a year. Unfortunately, no business is immune from a security breach.

All organizations that gather or hold information such as Social Security numbers (SSN), account numbers or other sensitive financial data are prime targets for identity thieves. In fact, the number of data breaches in 2012 hit a record high with more than 3,100 publicly disclosed incidents, exposing more than 264 million records.

According to the National Cyber Security Alliance, an astonishing one in five small businesses falls victim to cybercrime each year. Even more frightening: According to an August 2013 story in PCWorld, of those small businesses whose systems are breached, roughly 60 percent go out of business within six months after the attack — and it’s understandable why. The costs of notifying affected individuals, credit monitoring, responding to lawsuits or regulatory investigations and system recovery add up quickly.

For professional service providers such as accounting firms, there are many causes of a data breach. Stolen laptops, improper equipment disposal and accidental disclosure via emails or websites are common causes of small scale breaches. But the more significant risk lies with hacking and social engineering attacks. A review of reported breaches in the United States shows that accounting firms are being specifically targeted for tax fraud schemes and identity theft. According to Cyber Risk Analytics, hacking and fraud accounted for nearly 70 percent of the total records lost at professional service firms since June 2007. To make matters worse, especially sensitive data such as Social Security Numbers and dates of birth make up the majority of records lost in these types of attacks.

Small and mid-sized firms are an especially attractive target for hackers and other cyber criminals. Recognizing that most smaller organizations lack a full-time security administrator or the budget for frequent system updates, criminals are able to easily take advantage of weaknesses in computing environments. Automated programs and hacking kits require little effort to implement and can be difficult to trace, making cyber crime an easy and low risk endeavor. But even the most secure systems can fall prey to a well-orchestrated phishing scheme. It only takes one person clicking on a suspicious link or inadvertently giving up their password to result in a serious data breach.

In some cases, it’s not the data criminals are after. Small firms can also be a valuable target for the access they provide to larger organizations. Hackers seek out financial service providers with established and trusted connections to banks and other financial institutions. Criminals know if they gain access to one link in the chain, they may have an opportunity to compromise a much larger target.

Principals may wonder why hackers and cyber thieves would be interested in breaking into their systems. After all, the amount of data available to steal can be limited and accounting firms don’t necessarily have regular access to client funds. Whether real or perceived, hackers view accountants as a portal to large sums of money, and at the end of the day, most criminals are simply looking for the easiest way to steal it.

Firms of all sizes need to recognize they are a likely target for malicious activity. By doing so, principals can focus on the necessary processes to reduce their firm’s exposure to a data breach and put in place a plan to respond should the worst case scenario happen. Furthermore, a well-documented information security program can go a long way in proving to clients and regulators that the firm took action to protect sensitive data.

Recommendations to help reduce your exposure include:

>> Determine where your most important information assets are located and work to implement security controls.

>> Don’t send sensitive information via email. Any information you send in an email can potentially be read by others on the Internet. Think of sending an email as a postcard.

>> Don’t click on unknown or untrusted links and don’t respond to unsolicited emails. Most cyber criminals will start their attack with what is called a phishing attack, trying to trick you into clicking on a malicious link or providing sensitive information.

>> Keep your anti-virus, firewalls and spam filters up to date.

>> Be careful what you share on social networks. Check out www.staysafeonline.org for more tips.

>> When receiving various communications, ask yourself “Is this likely?” and think before you act. Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.

With tax season upon us we can expect cyber crime to increase, as it does every year around this time. Not only do firms need to be mindful of protecting their own organization, it’s a good reminder to help clients understand the need to protect one of their most valuable assets: their identity.

JAKE KOUNS is the chief information security officer for Risk Based Security and co-authored the books “Information Technology Risk Management in Enterprise Environments” and “The Chief Information Security Officer.” jake@riskbasedsecurity.com
