The accountant v the hacker

Public accounting firms are faced with more cyber security risks than ever that are threatening your invaluable client data. It is up to you to ramp up your defences.


In days gone by, computers were little more than a glorified ledger-and-calculator tool that helped accountants go about their business. Accountants placed a great deal of trust in just about anything digital, from the people using the software down to how the applications and protocols themselves were designed. There were the occasional viruses that threatened to wipe hard drives and damage your computer, but as Matthew Broderick can confirm from the critically acclaimed 1983 movie ‘WarGames’, no one but the Pentagon ever got hacked, at least until about 2000.

The internet revolution has brought us all together. More information than one could imagine is now available at your fingertips and, in turn, we are sharing more information than ever over the internet. For many accountants, this means the entire client record, and all the critical, sensitive information that makes up your practice’s DNA. It’s almost unavoidable at this point.

That inherent trust has made it easy for crooks (and sometimes legitimate companies) to exploit us for profit. We’ve begun to see emails made to look like legitimate requests from clients that were actually carrying virus-infected PDFs. Companies started to harvest users’ aggregated data for advertising and political advantage (Cambridge Analytica, anyone?). Criminals started to exploit bugs in software to steal hundreds of thousands of personally identifiable client records. We then saw incidents too big to cover up, so public investigation followed and the inevitable (and largely toothless) fines started to be imposed.

Ultimately, it was this undeserved trust in technology that led to new legislation and regulations requiring software companies to do their security due diligence and comply with new security standards.

For accountants, perhaps the biggest development in the cyber space in the last six months has been the introduction of the mandatory data breach reporting law in February 2018. Because accountants hold client TFNs, they are required under the new law to report data breaches to the Office of the Australian Information Commissioner before notifying customers of the breach. A data breach is unauthorised access to a client’s personal and sensitive data that is likely to cause serious harm to the client as a result. Heavy fines (up to $1.8 million for companies) may be imposed.

Before these new laws were introduced, accountants were not required to disclose such incidents, and so they went unreported. This is no longer the case, so it will be interesting to see how this plays out under the new laws.

So, what can accountants do to protect client data?

Know your risks

As financial services practitioners and business owners, you should be familiar with the term risk management. Cyber risk is just one of the risk categories that needs to be managed but, unfortunately, it is one that is not well understood by accountants. This lack of understanding is partly why most accountants wait until they are bitten before doing something about it, because only then does the risk become tangible and, frankly, it hurts.

Cyber risk goes much broader than just the internet. It’s really about owning and managing your practice’s information lifecycle. You need to consider where and how you collect the data, where it is stored, how it is used and, finally, how it is destroyed. At each stage there are different threats that could expose your clients’ data to unauthorised third parties.

It is not until you understand the risks associated with those threats that you will be able to protect yourself against them. For example, what is the risk in allowing clients to send you sensitive information over email? For one, emails are sent in plaintext, meaning they could be read by third parties on the way to delivery – a man-in-the-middle attack. You wouldn’t ask your clients to send their TFN on a postcard, would you?

Know your service providers

Outsourcing is becoming a major risk consideration for many SMEs. This is not to say that outsourcing carries an insurmountable risk, but there are certain things that a practice should not take for granted and should carefully consider before proceeding with any service provider.

An SME may be outsourcing data processing and management to a cloud service provider. With larger enterprise service providers such as Office 365, a practice will not have much say in how that provider manages its security.

When shopping around, however, accountants should look for enterprise-grade security features. But remember: you get what you pay for!

Most practices have an external IT service provider (usually known as the ‘IT guy’) to meet their IT needs, such as supplying computers and managing networks. And that’s good. I don’t want you to change that. They’re good people doing the best they can to keep your practice up and running.

But there is a difference between your IT guy and an information security professional.

When it comes to information security, you must speak to a qualified, experienced security specialist who does nothing but focus on keeping your practice safe. This is akin to installing a home alarm system: an electrician may be perfect for the installation, but you will want a specialised security firm to monitor for intrusions and manage the system for you. In any case, you should ask an independent firm to assess the overall security of your practice.

Know your opponents

Information security is a fast-growing field, and also one of the fastest-changing. The threat landscape changes every year as the crooks develop new ways to exploit your trust.

Over 300,000 new viruses are introduced every day, and traditional anti-virus programs are having a hard time keeping up. About 40 software bugs (vulnerabilities) are discovered every day, and many of these are weaponised within hours. The encouraging news is that the good guys are putting up new defences to address the latest threats.

Make no mistake: we are in an escalating arms race between the good guys and the crooks. And you (and your clients) are the prize. This is now organised crime.

As an accounting business, you must ensure your defence is keeping pace. That doesn’t always mean buying the latest piece of security technology; it’s more about knowing what the threat is and how it attacks (the attack vector), and checking that you have the appropriate countermeasure in place.

Conclusion

The truth is, every practice differs in its workflow and its use of technology, so no, one size doesn’t fit all.

I’m told that the best predictor of success in life is the ability to delay gratification. That’s what makes successful people successful. I’ve no doubt that you’ve worked hard and made a lot of sacrifices in your life and your career to get your practice where it is today. The sad thing is that in today’s digital world, all that can be taken away by changing a few 1s to 0s on a server somewhere.

Only the paranoid survive. Get paranoid. Just because you’re paranoid doesn’t mean they’re not out to get you.

Only the correct methodology and mindset can bring the risk down to an acceptable level. If you have never done a security assessment of your practice before, now is the time, and put a cyber security program in place to guard your future, and the future of your clients.

Julian Plummer, managing director, Midwinter Financial Services
