The Woodard Report

Cybersecurity Best Practices in the Accounting Industry

Written by Jamie Beresford | Mar 6, 2023 10:45:00 PM

Over the past year, the realm of cybersecurity has been plagued by data breaches and cybercrime incidents on a global scale, garnering widespread attention in mainstream media. With new threats such as Business Email Compromise (BEC) emerging worldwide, both the United States and Australian federal agencies have reported significant financial losses incurred by companies due to these types of hacks. 

In particular, accountants and bookkeepers operating within the small and medium-sized business sector are particularly vulnerable targets for hackers, as they possess a wealth of valuable information without attracting the same level of public and law enforcement scrutiny.

Thus, it is now more critical than ever for accountants and bookkeepers to remain vigilant and well-informed regarding the current cyber threats that exist and to take proactive measures to mitigate risks. 

Comprehending common cyber threats: a vital step towards system security 

The proliferation of sophisticated cyber-attacks perpetrated by malicious actors underscores the need for organizations to stay ahead of the curve by enhancing their security posture. While cybercriminals are continually devising new tactics to breach security systems, most attacks can be categorized into several archetypes. Acquiring an understanding of these approaches represents an effective first line of defense that businesses can implement with ease and at no cost. Presented below are four of the most pervasive and damaging cyber threats. 

Social engineering 

Social engineering constitutes a technique used by cybercriminals to manipulate individuals into divulging sensitive information or granting access to systems. Unlike traditional hacking that occurs through technological means, social engineering exploits interpersonal vulnerabilities. For instance, an attacker could pose as a trustworthy entity, such as a bank or a government agency, and solicit personal data, including login credentials and financial information. As social engineering embodies a broad range of applications, it is considered an umbrella term for some of the other threats discussed below. 

Given the prevalence of social engineering attacks, it is crucial for accountants to be mindful of these tactics and exercise caution when divulging information or access to systems, particularly if they are unsure of the requester's identity. 

Phishing 

Phishing represents a fraudulent technique that scammers use to deceive individuals into divulging sensitive information, such as passwords or credit card numbers. Often, perpetrators send phony emails or messages that appear to be from a legitimate entity, seeking the recipient's information. As such, it is critical to exercise caution when providing personal data online and to verify the authenticity of the message's source. 

As an accountant or bookkeeper, you frequently receive emails from financial institutions, banks, or other companies with whom you work. Such messages are easy to imitate, and it is vital not to click on any dubious links or disclose any sensitive information. One can always confirm the message's validity by contacting the organization directly via phone or an alternative email address. 

See our graphic on the hallmarks of a phishing email here

Business email compromise 

Business Email Compromise (BEC) is a variant of cyberattack that targets businesses, organizations, and individuals who engage in financial transactions through email. In a BEC attack, the perpetrator impersonates a trusted individual, such as a CEO or vendor, and dispatches phony emails to trick the recipient into transferring funds or divulging sensitive information. 

Accountants and bookkeepers are particularly susceptible to BEC attacks, given their access to sensitive financial information and responsibility for transferring funds on behalf of clients. In a typical BEC attack involving impersonation of an accountant or bookkeeper, the hacker requests that the client transfer funds to a fraudulent account or disclose sensitive information. Attackers employ various tactics, including social engineering or phishing, to gain access to email accounts and manipulate or intercept messages. Additionally, they may spoof email addresses to make it appear as if the messages are from a trusted source, thereby amplifying the impact of their attack. 

View a real-life example of an email hack here. 

Ransomware 

Ransomware is a type of malicious software that is designed to encrypt a victim's files, rendering them inaccessible until a ransom is paid in exchange for a decryption key. It can be delivered through various channels, including email, social media, and infected websites, and can cause significant financial and reputational harm to individuals and organizations. 

Accountants and bookkeepers are particularly vulnerable to ransomware attacks, which often employ social engineering tactics to gain access to their systems. For example, attackers may send fraudulent emails to accountants and bookkeepers, appearing to be from a legitimate source such as a client or vendor, containing an attachment or link that installs the ransomware when opened. Additionally, attackers may use phishing emails to acquire the accountant or bookkeeper's login credentials, thus allowing the attacker to gain access to their system and deploy the ransomware. 

Read the Practice Protect Guide To Understanding Ransomware For Accounting & Bookkeeping Firms here. 

Best practice for protecting your business 

It is crucial for businesses to be proactive in protecting themselves against cyber threats. This involves implementing specific measures that address the unique needs and processes of their organization. We find that cybersecurity can be divided into three key areas that need to be addressed: access and identity management, team and training, and compliance. 

Access and identity management 

Access and identity management is a critical component of cybersecurity that enables firms to strengthen their defenses against unauthorized access to sensitive information. This involves implementing technologies and processes to manage user accounts, permissions, and roles, as well as enforcing security policies and procedures. 

For accountants and bookkeepers, effective access and identity management is essential to ensure the confidentiality, integrity, and availability of financial data. It is also vital to maintaining the trust of clients and stakeholders. By implementing access and identity management technology, businesses can establish a robust security framework that provides a vital layer of protection against cyber threats. 

Some of the key features to look out for with a good access and identity management tool include: 

● Managed Multi-Factor Authentication 

● Advanced User & Team Permissions 

● IP Lock, Time Lock, and Location Lock for email/application access 

● Password Cloaking & Encryption 

● One-Click User Lockout 

● Remote & Third-Party Access Controls 

Employee education and training 

Employee education and training is an essential component of any comprehensive cybersecurity strategy. Although organizations can employ a variety of technical measures to improve their security posture, the reality is that humans can be a weak link in the chain. Social 

engineering tactics can exploit human trust, fear, or ignorance to gain access to sensitive information or systems, making it crucial for organizations to invest in employee awareness, education, and training. 

Effective training programs are designed to raise awareness about the importance of cybersecurity and the types of threats that employees may encounter. For example, employees can be trained on how to identify common attacks like phishing emails and how to report suspicious activity. Specific threats, such as ransomware and social engineering attacks, can also be targeted through tailored training programs. By equipping employees with the knowledge and skills to recognize and respond to cyber threats, organizations can reduce the risk of human error or intentional sabotage, which can be just as damaging as any other cybersecurity threat.  

Read our article on the 3 tips for training your team members here. 

Compliance documentation 

Compliance documentation is an essential aspect of comprehensive cybersecurity. Depending on your country of operation, there may be legislative requirements for compliance, such as the Written Information and Security Plan mandated under IRS 4557. Therefore, it is crucial to verify the necessary standards to meet legal requirements in your jurisdiction. 

In addition, there are several internal policies that can provide guidance to employees and contractors on the safe accessing and handling of data. Policies such as Internet and Data Usage Policy and Third-Party Access Agreement can be helpful in this regard. A Cyber Incident Response Plan may also be worth considering to ensure a well-defined process is in place in the event of a breach. 

Governments are taking a strict stance on cyber breaches that involve customer data compromise, and compliance documentation for accounting or bookkeeping practices is becoming increasingly necessary to avoid penalties or litigation. 

Next steps for your firm 

Moving forward, it is imperative for your firm to take proactive steps towards ensuring comprehensive cybersecurity measures are in place. While the subject matter may appear intimidating, it is important to recognize that implementing effective cybersecurity protection need not be an insurmountable challenge. 

Begin by conducting a thorough assessment of your current cybersecurity protocols and identify potential areas of vulnerability. Seek the assistance of qualified professionals where necessary to ensure that all appropriate measures are being taken to safeguard sensitive data. 

By taking the necessary precautions to mitigate potential risks and vulnerabilities, your firm can better position itself to withstand and recover from any potential cyber threats.