The Woodard Report

6 Common Mistakes Accounting Firms Make Leaving Them Open to Hackers

Written by Jamie Beresford | Jul 19, 2022 4:19:39 PM

Cloud-based accounting and administrative systems can boost your efficiency and significantly reduce operating costs. But unless they are properly secured, they also widen your exposure to attack.

In the online business world, security should be your top priority. Malicious actors are getting increasingly good at attacking cloud-based systems. For this reason, having cutting-edge security measures in place is more important than ever.

Data breaches are all too common, and not every company manages to survive them. As the Journal of Accountancy says, "No industry is immune to the harmful effects of cybercrime."

While big corporations might bounce back from an attack, the same may not apply to the majority of small accounting or bookkeeping firms. They can’t risk having their data stolen, which can affect client trust and drive business away.

It may only take one breach to ruin an accounting firm. Recovering from data theft can require more time and money than you can afford.

There is some good news, though. Most successful attacks exploit a handful of mistakes that are relatively easy to fix in today’s accounting firms. If you can identify and correct them, you substantially reduce the chance that an attack succeeds. Let’s take a look at the most common mistakes that you need to avoid.

Common Mistakes That Leave Accounting Firms Vulnerable to Cybercrime

Here are six of the most common mistakes.

1. Giving Too Much Access to Remote Employees Without the Proper Security Measures

When working with remote teams, there’s always a risk of them not protecting your data well enough. The more data you share with them, the higher the stakes become and the higher the risk of a breach.

One recurring cause is remote employees connecting over untrusted networks. Surveys put the share of workers who use insecure public connections, such as Wi-Fi in bars and hotels, at about a third, and on such networks any traffic that is not encrypted end-to-end can be read or tampered with by anyone else on the network.

There are two things you can do to protect yourself in this situation. First, keep the amount of sensitive information you share with your remote workers to the minimum each role needs. This way, even if an account is compromised, you limit the damage.

Unfortunately, this isn’t always possible. Depending on the scope of your outsourced work, you may have to provide your remote teams with private data. In this case, put technical controls ahead of good intentions: require a VPN or an access gateway that encrypts traffic to your systems, turn on multi-factor authentication for every remote login, and, where you can, issue managed devices rather than relying on staff laptops. Then educate the team on the dangers of untrusted connections so that everyone knows the risks as well as the expected security measures.

2. Failing to Train Your In-House Team

Remote work isn’t the most common source of cyberattacks. In fact, 77% of all attacks are attributed to mistakes that in-house teams make. By focusing too much on protecting data transfers and securing remote teams, an accounting firm might forget to focus inward.

There was a particularly costly case involving an accounting firm where one of the partners’ passwords needed a reset, and the IT department carelessly set an overly simple password.

As a result, the account was compromised and the system breached, resulting in $780,000 worth of damage. To make it worse, the insurance provider denied the claim, stating that the firm had not done enough to prevent the breach. They ended up having to foot the whole cost.

You need to remember that cybersecurity education should be a company-wide effort. Everyone who has access to your cloud system needs to know how vital it is to use it with caution. Make sure to hold meetings and seminars devoted to this issue on a regular basis so that people can stay up-to-date with the latest best practices.

3. Using Simple Passwords

This is a mistake that is easy to prevent, and yet a large share of breaches come down to it. Verizon’s Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords, and a password reused across services is as good as stolen once any one of those services leaks.

We saw this happen to an accounting firm not that long ago. The attackers managed to get into the firm’s MailChimp account using automated password-guessing bots. These bots try thousands of passwords a minute against the login form, starting with lists of leaked and common passwords and dictionary words before falling back to exhaustive guessing, until one works or the service locks them out.

The simpler and shorter your password, the less time it takes for such bots to get in, and each additional character of a random password multiplies the work by the size of the character set. Estimates such as “a 16-character password would take about 74 million years to crack” assume a random password drawn from a large character set and a particular guessing rate. A 16-character password built from dictionary words, a name and a year, or one reused from another site, offers none of that protection, because those are exactly the guesses the bots try first.

Unfortunately, the firm did not have a long, random password, so the attackers got into their MailChimp account. They went on to send 5,000 phishing emails, and five of the firm’s clients ended up infected with ransomware, because they did not suspect anything was amiss with an email that came from their trusted accountant.

They could have avoided this with ease. A long, unique password would have defeated the guessing, and multi-factor authentication on the account would have blocked the login even with a correct password. Require employees to use strong, unique passwords for their email and company apps, give them a password manager so that they can, and turn on multi-factor authentication wherever a service offers it.
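The following is an added example, not code from the original article, that puts numbers on the reasoning above and on the password policy it recommends. It estimates the work an attacker faces for a given password, treats passwords on a common-password list and passphrases built from a small wordlist the way a guessing bot would (cheap attacks first), and applies a minimum-strength policy. The guessing rate, the wordlist size, the common-password list and the policy threshold are assumptions chosen for illustration; the estimator also does not recognise patterns such as season-plus-year beyond what is on its list, so it still overrates a password like “Summer2022!”.

```python
"""Password search-space estimator (added example, not from the original article).

Assumptions, chosen for illustration:
  - GUESSES_PER_SECOND models a fast offline attack on a poorly hashed password
    store; guessing against a live login form is orders of magnitude slower,
    but the relative ranking of passwords is the same.
  - COMMON_PASSWORDS stands in for the multi-million-entry leaked lists bots try first.
  - WORDLIST_SIZE models a passphrase generated from a small dictionary.
  - MIN_POLICY_BITS is an assumed firm policy threshold.
"""
import math
import string

GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "accounting2022"}
WORDLIST_SIZE = 2000
MIN_POLICY_BITS = 60  # reject anything an offline attack at the assumed rate cracks in days


def charset_size(password: str) -> int:
    """Size of the character set a bot must iterate to cover every symbol used."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    )
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    # Spaces or other symbols outside the four classes: count each distinct one.
    known = string.ascii_letters + string.digits + string.punctuation
    extra = {c for c in password if c not in known}
    return size + len(extra)


def brute_force_bits(password: str) -> float:
    """Work for exhaustive guessing: length * log2(charset). This is the figure
    behind '16 characters would take millions of years' claims."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def effective_bits(password: str, words: int = 0) -> float:
    """Work the attacker actually faces once the cheap attacks are tried first.

    - On the common list: falls on the first pass, effectively 0 bits.
    - A passphrase of `words` dictionary words: words * log2(wordlist), however
      long the string is, because the bot guesses word combinations, not letters.
    - Otherwise: exhaustive guessing over the character set.
    """
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    if words:
        return words * math.log2(WORDLIST_SIZE)
    return brute_force_bits(password)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at `rate` guesses per second."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def meets_policy(password: str, words: int = 0, min_bits: float = MIN_POLICY_BITS) -> bool:
    """Policy check a firm could run on new passwords: reject weak effective strength."""
    return effective_bits(password, words) >= min_bits


def assess(password: str, words: int = 0) -> dict:
    """Summary for one candidate; `words` is set when the password is a wordlist passphrase."""
    bits = effective_bits(password, words)
    return {
        "password": password,
        "length": len(password),
        "naive_bits": round(brute_force_bits(password), 1),
        "effective_bits": round(bits, 1),
        "years_at_rate": years_to_exhaust(bits),
        "meets_policy": meets_policy(password, words),
    }


if __name__ == "__main__":
    candidates = [
        ("Password", 0),                       # on the common list: 0 bits
        ("Summer2022!", 0),                    # 11 chars, mixed classes (pattern not modelled)
        ("correct horse battery staple", 4),   # 28 chars, but four words from a 2000-word list
        ("k7#Qm2!vLp9$Wx3Z", 0),               # 16 random chars from 94 symbols
    ]
    for pw, n in candidates:
        r = assess(pw, n)
        print(f"{r['password']:<30} len={r['length']:>2} naive={r['naive_bits']:>6} "
              f"effective={r['effective_bits']:>6} years={r['years_at_rate']:.3g} "
              f"policy={'pass' if r['meets_policy'] else 'FAIL'}")
```

The instructive row is the passphrase: 28 characters look enormous to the naive length-based estimate, yet four words from a 2000-word list give under 44 bits and fail the policy, while the 16 random characters exceed 100 bits. Length only helps when the characters are unpredictable.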

4. Lack of Proper Procedures Before and After an Attack

When it comes to cybersecurity, it is always better to be safe than sorry. You need to make sure that you have the systems in place to mitigate the risk of an attack. It is necessary that you find any vulnerabilities your firm might have and do everything you can to reinforce security measures in those areas.

However, despite your best efforts, an attack might happen anyway. That’s why it’s crucial that you have a contingency plan in place just in case.

One way to do this is to have an incident response team, in-house or on retainer. The team should have specialists who can react as soon as an attack is detected. Even when you think the danger has passed, attackers often leave themselves a way back in, such as an extra mailbox forwarding rule, a forgotten account, or a remote-access tool. If you don’t hunt for and remove that persistence, you expose your firm to all kinds of dangers.

Another thing that you need to do is control the narrative. Don’t let your clients learn about a breach from someone else. Tell them promptly and accurately what happened, what data was involved, and what you are doing about it, and remember that many jurisdictions require notification of affected individuals and regulators within a fixed period. Don’t tell clients they are safe until your investigation supports it; a reassurance you later have to retract does more damage than the breach notice itself.

Lastly, you should keep a log of all incidents. Record the type of attack, when it was detected and contained, what it affected, the damage it did, and the countermeasures taken.

5. Not Investing in New Technology and Software That Could Increase Security

As mentioned, hacking strategies are constantly evolving. They’re much more elaborate and subtle than they used to be, not to mention the increasing number of malware types.

For this reason, you need up-to-date security measures that can fight off various types of attacks. It starts with reputable endpoint protection and firewall software, kept current, together with promptly applied operating-system and application patches. Going cheap when it comes to these programs never pays off in the long run.

Cheap solutions are cheap for a reason. They may not have the budget to keep up with malware development, which shows up as infrequent signature and detection updates.

When your security systems become outdated, the risk of losing sensitive data skyrockets. You need to secure every single device that has an Internet connection, from your computer to printers and scanners. Any device that processes data is at risk of an attack, so you need to cover all the ground.

Aside from this, make sure to notify both your in-house and remote teams of all major security updates. They must learn how to use them properly so that you’re always one step ahead of the attackers.

6. Absence of Proper Risk Management

Before you can implement any security measures, you need to know exactly how exposed you are to potential attacks. There are many factors that you need to consider before you find the best security options. Here are a few things that you need to consider:

  • At-risk data – Even though financial motivation is behind 73% of breaches, hackers aren’t only targeting bank accounts anymore. Instead, they might want to damage your infrastructure or steal intellectual property. You need to find your most sensitive data and put special focus on it.
  • Breach method – More than half of all attacks use malware as the primary weapon. Aside from this, you need to beware of phishing emails, insider threats, and many other tools and strategies.
  • Attack surface – The average financial services employee has access to about 11 million files. With that fact in mind, you need to know exactly who can access what in your firm. This way, you can identify the most exposed areas and ensure their protection. Moreover, if an attack happens, it will be easier to trace which account the attacker used and what it could reach.

Understanding your exposure is critical so you can manage risk. Practice Protect’s Access Hub lets firm owners and practice managers manage access for employees, reducing risk.

Prevention Is Better Than Cure

The six mistakes listed above are only some of the common mistakes that make accounting firms vulnerable to cybercriminals. If you found yourself making any of them, you need to do everything in your power to apply the proper fixes and measures.

There isn’t a one-size-fits-all solution for protecting your company’s system. This is why it all starts by performing a risk assessment and scrutinizing every single detail. After that, you’re in a position to put the right systems in place and make sure to protect both your firm and your clients’ data.

However, you have to be able to identify the risks and implement the solutions that mitigate them. That is beyond most firms’ in-house capabilities unless they have a cybersecurity team of their own, and maintaining one is usually too costly.

You can do that more affordably and effectively by engaging external experts. To understand your cybersecurity risk and find out what other firms are doing to protect themselves, please book a free security consultation with our cybersecurity experts. In addition to the 45-minute consultation, you will receive a complimentary cybersecurity training pack.