Arming against cyber crime
With the influx of new technologies and the increasing pace of their adoption, it can be challenging for accountants to keep abreast of the growing threat of cybercrime.
If you’ve read about someone who’s been targeted by cybercrime and thought that could never happen to me, now would be the time to think again.
Anyone can be a target of cybercrime, including accountants – that’s the very real assessment of a series of reports undertaken by a number of leading organisations. In recent research undertaken by PwC, respondents of the Global State of Information Security Survey 2016 indicated that exploits of operational, embedded and consumer systems in 2015 had increased by 152 per cent over the previous year.
Another report released by KPMG, entitled Cyber security: Are Australian CEOs sleepwalking or a step ahead?, revealed a frightening statistic: on a global scale, only half of CEOs are fully prepared for a future cyber-security event, with their Australian counterparts lagging at 35 per cent.
The report deems cyberattacks one of the biggest threats to Australian businesses. Malcolm Marshall, global head of cyber security at KPMG, summed up the state of affairs rather bluntly: “Collectively we sleepwalked into a position of vulnerability and failed to learn lessons of embedding security into products right out of the gate.”
If the global economic outlook on cyber security continues to remain poor, it is even more vital that accountants act now to implement measures to ensure that they do not become the next example of an information and data breach.
The truth of the matter is that even the smallest suburban accountant has a plethora of confidential financial data relating to all of their clients, often stored on site. In many cases, that data may not be stored with sufficient security, opening the door for potential breaches.
As Boaz Fisher, managing director of cyber consultancy CommsNet Group, notes, cyber criminals are most often financially motivated. “It is not so much about the data; it’s all about how to fleece users and organisations of their hard-earned money.”
Mr Fisher notes that the biggest growth in cybercrime has been the emergence of ransomware. Put simply, ransomware is a type of malicious software which infects a user’s computer and restricts access to data (usually via encryption).
In order to access the data again, the user is required to pay some form of ransom to the operators to remove this restriction. Accountants value their data more than most, making them the perfect target for exploitation. “There has been such a huge return for cyber criminals,” says Mr Fisher. “There have been a number of iterations of ransomware, each one getting more sophisticated and stealthier than the previous edition.”
The global scale of the internet has resulted in a situation in which the next threat could potentially come from anywhere, and is constantly adapting and evolving. “These threats are coming from all over the world, and are extremely dynamic in nature. If you are a small business owner, you are a target just like an enterprise.
“The challenge for a small business is that they don’t have the resources, capital, expertise and people to properly protect their business effectively.”
There are particular facets of information and data which prove particularly tempting to budding cyber criminals.
Simon Raik-Allen, chief technical officer at MYOB, identifies that tax file numbers (TFNs) are particularly sensitive right now, with a significant rise in the number of breaches in recent years. A compromised TFN can subsequently be used to lodge false tax returns, causing significant headaches for all afflicted parties.
“Invoicing is another area to be careful of,” says Mr Raik-Allen, “it’s the start of money changing hands and you do not want things to be intercepted.” Mr Raik-Allen insists that accountants should not store the credit card data of clients under any circumstances, and should ensure that company data backups are not stored in an online location. “If you are hacked and your backups are also compromised you could be in trouble.”
Making an index of all of the data that is stored by a practice, its location, and arranging it accordingly in order of how sensitive you think it may be is a valuable tool to ensure that adequate measures are taken to protect particular groupings of information, he says.
Mr Raik-Allen also notes that accountants should make their clients well aware of what they will and will not ask them for over email, which will in turn keep them alert to potential phishing attacks (webpages or email links which attempt to coax a user into providing personal information).
Cyberattacks on mobile devices, operational systems and consumer technologies have all doubled during 2014-15 according to PwC, particularly as mobile payment methods and wireless technology continue to establish a foothold in the market, and prove to be an attractive means of assisting cash flow and speeding up the payment process for accountants and their clients.
Mr Fisher notes that accountants need to demonstrate to their clients that they follow security best practices, which spans far beyond simply installing anti-virus software and maintaining a firewall. “It doesn’t require much financial investment, but requires regular attention,” he claims.
There are several steps which can easily lead to a safer and more solid security system. Ensure:
- your workstation operating system is up to date
- your applications are all up to date
- your anti-virus solution is up to date
- you have a working firewall and it is up to date
- you adopt a strong password/authentication for your key applications. If you have trouble remembering what they are, use a password manager program, which collates and stores all of your passwords in the one location
- administration privileges are restricted, and you log into your workstation on a separate account.
By utilising these rather simple measures, Mr Fisher believes that an accountant could potentially reduce their risk exposure by up to 80 per cent. The added bonus of such a simple process is that accountants can easily pass on these tips to clients of their own, to ensure that all parties concerned are actively seeking to secure information and data.
While Mr Fisher notes that there is no such thing as a “silver bullet” when it comes to security, it is of vital importance that an accountant demonstrates their ability to act in the best interest of their client. “Accountants have a duty and responsibility; they need to lead and show an example of governance, accountability and demonstrate their duty of care to their clients and prospects.”
Accountants have been entrusted with sensitive information; it is only fair that they repay this trust with adequate protective measures.
Is the cloud cause for concern?
Some accountants may be concerned by the rapid rise of the cloud in terms of data storage, particularly with high-profile leaks grabbing the mainstream media’s attention over the past few years. In reality, cloud computing has emerged as a sophisticated tool for cyber-security safeguards, and has strengthened the foundations of many firms, with PwC reporting a 69 per cent increase in cloud-based security services, and the adoption of advanced authentication, alongside identity and access management.
The firm notes that many of these tools have integrated capabilities which improve intelligence gathering, enhance collection learning and accelerate incident response times.
“Does the cloud change things?” poses David Martin, director of IPA Insure, the institute’s in-house insurance solution. “Absolutely. To be perfectly frank I think the cloud makes it more secure because the data centres, e.g. those who are supporting and looking after cloud-based infrastructure, are far more secure than the suburban accountant sitting in their lounge room with a PC under their desk.”
The cloud can however cause much confusion as to where data is stored, and who is ultimately responsible if a breach does occur, alongside a potential ownership debate. Nitin Comar, also of IPA Insure, claims that while many accountants are seeking to outsource their data storage, they may be putting their clients at risk.
“These days the bottom line is important to all businesses, so wherever they can find the cheapest solution is what they may choose to go with, regardless of whether it’s the most secure solution or not.” Mr Comar notes that even with outsourced operations to a third party, the legal costs associated with passing on claims to a cloud provider can be catastrophic. “I think a lot of people don’t understand that a claim will come against them and they will have to spend the legal costs to dispute that claim. That’s where cyber-insurance comes to rescue them.”
“What can’t be protected can be insured” is the message from PwC’s Global State of Information Security Survey 2016. The big four firm indicates that cybersecurity insurance is one of the fastest-growing sectors in the insurance market, with recent forecasts indicating that the cyber-insurance market will reach $7.5 billion in annual sales by 2020. Mr Martin notes that more and more accountants are waking up to the idea of cyber-insurance, and the added protection it can provide for even the smallest firm.
“They’ve started to realise that in the event that there is a breach of some description, it’s prohibitively expensive and prohibitively dangerous to shut it down and resolve your client-related issues.” Mr Martin believes that accountants grossly underestimate the costs of recovery when dealing with potential breaches. “The cost of actually reporting and securing the environment moving forward is far, far more than anyone would expect,” he says. Potential costs can run into thousands of dollars per record compromised.
Alongside the economic impact, Mr Martin adds that, understandably, an instance of compromised data will result in the loss of clients, and the trust and rapport garnered by the accountant can be instantly shattered, with little chance of reparation. While there is an upsurge in the recognition of cybercrime, Mr Martin suggests that there is still reluctance for some accountants to believe that a data breach could occur within their firm, with complacency posing a real barrier to protection.
“Historically the exposure of the issue has related to the internal, i.e. a staff member has stolen data, or someone has lost a laptop or left it lying around in an airport lounge,” Mr Martin adds. “Historically that’s where the problems have arisen but with the advent of everyone being online all the time, the dynamic is changing.
“Most cyber criminals are looking for a soft target; they don’t spend a lot of time and effort trying to hack into someone who’s got a reasonably well-maintained firewall. Why? Because they can get 16 other people who haven’t.
“There will always be an element of ‘well that’s not going to happen to me’,” says Mr Martin, while adding that IPA Insure has elevated cyberinsurance as a policy, and increased its communication regarding the subject matter across the board in an attempt to combat the digital threat.
“In terms of being a real risk, we believe it is, the IPA believes it is and as a consequence we’ve got to make it a high priority to ensure that accountants are being made aware of it and what their options are.”
Mr Fisher agrees, acknowledging that with cyber breaches on the rise and the added cost of dealing with mandatory notifications, cyberinsurance will become a more attractive option in the near future, deeming its most successful use as a “risk transfer option”. It is clear that the cybercrime epidemic will continue to make its presence known, particularly if businesses are not taking adequate steps to ensure that their data and sensitive information are protected.
Accountants have been deemed a soft target, and it is now increasingly important that firms big and small are vigilant in combatting their cyber threats.