Batten down the hatches

Take the example of spear phishing, which like its fishing namesake, is a single kill shot targeted at a specific target and dragging them in before they know it.

Professor Matthew Warren, deputy director at the Deakin University Centre for Cyber Security Research, said the ultimate aim of spear phishing was to, “Harvest the data and capture passwords and account codes (on a person’s machine).”

“Organisational systems are becoming more complex. You now have organisations using cloud deployments, using mobile technologies as part of their corporate systems,” said Mr Warren.

“Organisational systems use a number of technologies across a number of platforms and what that does is introduce that many more potential threats and attacks on organisations.

“What that complexity means is that organisations are finding it harder to adapt to that new security situation and also the fact that threats are occurring continuously from different threat sources.”

Yet despite the evolving routes of attack, Mr Warren believes there is still hope for accountants and small businesses as long as they maintain situational awareness.

Citing an example of his research on Indonesian hacking groups, Mr Warren traced an attack back to a small business in Australia and promptly contacted them to inform them that they had been a victim of cyber crime but they blindly refused to believe him.

“Many small businesses do not have the situational awareness... They may not have that initial level of awareness of cyber security or that initial awareness of what the threats and risks are,” said Mr Warren.

To prepare for cyber attacks, accountants need to be able to identify the common routes of attack to protect both their practices and their clients.

Types of attacks

The spear phishing phenomenon is a great example of the lengths cyber criminals will take to penetrate even the most cyber savvy users.

Mr Warren describes the military-like operation, where perpetrators conduct reconnaissance on an executive level member, before sending an email pretending to know them from a recent event or activity, or by pretending to be a large corporation or company that the unsuspecting victim is familiar with.

The trustworthy appeal often results in victims unwittingly clicking on links and attachments that lead to a flood of malware infecting their machine, and the rest is history.

Worryingly, spear phishing is often targeted at executives such as the chief financial officer, and socially engineers them by including personal information such as the target’s first name or title to enhance its trustworthy appeal.

Conversely, the Global Information Security Survey by EY revealed that 87 per cent of board members and C-level executives lacked confidence in their organisation’s level of cyber security.

Boaz Fischer, cyber security expert and chief executive of CommsNet Group, said ransomware was another attack that restricted access to a victim’s computer, data or files before demanding a ransom to be paid to the perpetrator in order for the files to be unlocked

Indeed, the Trend Micro 2016 Security Roundup report noted a 752 per cent increase in ransomware usage, resulting in $1 billion in losses for enterprises worldwide.

The number of new malware threats discovered has also increased from 300 a month a decade ago, to a worrying 350,000 a month in 2017.

“The single greatest motivator for cyber attacks is arguably money. It comes as no surprise that cybercrime is estimated to become a $2.1 trillion problem by 2019, and there’s no shortage of attackers who want a share of the pie,” said Mr Fischer.

“By encrypting your data and holding you to ransom, there is a possibility that you will pay.”

Lasting consequences

Once cyber criminals gain access to confidential information and data, accountants and their clients face a tricky minefield.

Mr Fischer believes most companies and individual victims are willing to pay to recover encrypted data, “as the risk of losing important data and information could be catastrophic”.

However, experts are unified in advising against doing so, as it ultimately “feeds the beast” and lists you as a paying client that criminals can continue to exploit by restricting what data is returned to you.

According to a Small Business Trends report, 43 per cent of all cyber attacks were targeted at small businesses, with up to 60 per cent of those businesses unable to recover from an attack.

“Many small businesses could be very sensitive if tens of thousands of dollars were stolen from accounts. They may not readily have that cash to replace it and it impacts the survivability of the organisation,” said Mr Warren.

The breach of trust between a client and a practice is also highly concerning, he added, with many customers taking their business elsewhere once learning of a cyber attack.

“From a security governance perspective, every organisation has a duty of care to protect their customers in a cyber context,” said Mr Warren.

But how far can an accountant go in protecting clients?

Vicki Stylianou, IPA’s executive general manager for advocacy and technical, believes it is a grey area because of the evolving nature of technology and puts accountants in a precarious position.

“You can only do so much for your clients or your customers but at the end of the day they have to take responsibility,” she said.

“An accountant might say to their client, ‘Do the simple backups- Do A, B, C, and it will give you a lot more protection than you’ve currently got’ but if the client doesn’t do it, then you can’t be responsible for that.”

The government established mandatory Notifiable Data Breaches (NDB) scheme set to commence early 2018 will also pose a potential trap, with individuals or corporations liable to be fined up to $360,000 and $1.8 million respectively, if they do not comply with the notification rules.

Staying on top of the game

The constantly evolving nature of attacks makes bracing for new threats a complicated affair.

Mr Warren described how criminals are now developing malware for mobile devices and point of sales systems, areas where organisations rarely have strategies in place to deal with.

“Organisations historically know what the threats are and have dealt with it. The problem with the new threats is you have to think with the issue of a smart city and smart buildings where the technology and infrastructure that supports that could be used in an attack in theory,” he said.

“Some accountants are probably way ahead of the curve but like anything, some will be lagging,” said Ms Stylianou.

“The IPA has been putting emphasis on being cyber security for some time now but I think for a lot of them, it is still getting on their radar.”

The problem with these attacks, is that they are getting more sophisticated over time and accountants might find it too much of a hassle to constantly update their security systems to repel these attacks.

However, the simple tips are often the most effective, and require individuals to treat them as second nature, says Sean Duca, vice president and regional chief security officer, Asia Pacific at Palo Alto Networks.

“We need to ingrain in ourselves that when we are conducting ourselves online, we need to be a bit more mindful about what’s going on out there. People are looking to try and work out how to get on to your machine, how to get access to your data, and ultimately how they’re going to monetise that,” said Mr Duca.

“It’s the same process as when we jump in a car- it is naturally ingrained to put a seatbelt on. I go outside on a sunny day; I put some sunscreen lotion on. That same mentality needs to be applied especially when you’re managing your own data.”

Tips and tricks

According to the experts, even the most time cash strapped practices can take simple steps to improve their cyber security.

Mr Warren suggests two measures to boost security, namely having an effective patch strategy, and having a cyber security governance strategy in place.

“Many accounting firms have a variety of technologies which constantly need to be updated with patches and in many cases, organisations don’t have a way of patching and updating their systems which means that they are leaving technologies with security gaps in them which attackers would know and then exploit to gain access,” Mr Warren explained.

“I would also have an understanding of the operations of their accounting systems in terms of restricting privileges and password access. As soon as someone leaves the organisation, their passwords are revoked.

“You might think that is a normal thing to do but many organisations don’t do that especially when it comes to contractors or consultants because the organisation doesn’t have the governance in place, the strategies to follow are not implemented even though they are quite simple.”

Likewise, Mr Fischer believes regular system updates are fundamental, as well as the longstanding “do not click on unsolicited links and attachments” mantra.

He also suggests taking backups seriously, and advises backing up on a different form of media away from the digital and cloud-based backups that have also started to see malware attacks.

A comprehensive plan

New research from the Deloitte Center for Financial Services found that despite organisations investing in cyber security plans, a mere 29 per cent of US businesses had purchased cyber insurance. It’s likely these patterns are being replicated in Australia.

Ms Stylianou believes the reluctance towards cyber insurance stems from a high premium being placed on such products, as well as the evolving nature of attacks that restrict the comprehensiveness of coverage from insurers.

“Sometimes the premiums are so high that people takes the risks anyway,” she said.

“Others might have really good business continuity plans and business contingency plans, which is part of being cyber aware and being ready for it so they might feel like they have got enough protection in place and they’ve got really good risk management that they don’t think need insurance.

“If you get hacked and something goes wrong, insurance is not going to solve your immediate problems so you still need to do your backups and have some security measures in place... Insurance is just part of the whole plan.”