
Cyber attacks are on the rise with accounting firms at serious risk

By: Ajay Unni, CEO, StickmanCyber

Cyber security has become a critical concern for accounting professionals and their small-business clients.


Like it or not, cyber attacks on accounting firms are on the rise. Recent data from the OAIC’s Notifiable Data Breach Report found that within the finance industry, 464 breaches were notified under the scheme, an increase of 6% compared with 436 notifications from January to June 2021.

Malicious or criminal attacks were the leading source of breaches for legal, accounting and management services (71%), with human error the leading source of breaches in the finance sector (48%).

Add to this the fact that during the 2020–21 financial year the ACSC received nearly 13 per cent more cybercrime reports than in the previous year, and we’ve got a situation ripe for disaster.

The reputational impact of a security breach on an accounting firm cannot be overstated. Failure to appropriately communicate security breaches can open accountants up to fines and prolonged negative impacts such as reputational damage and financial losses.

With such sensitive data under their protection, it’s vital that firms put every possible protection in place before the worst happens. Prevention is always the best cure, which is why we recommend that accounting firms get on the front foot before an attack occurs.

An incident response (IR) plan will help identify, contain and eliminate cyber attacks. IR plans outline what constitutes an attack and provide a clear guide on what steps should be taken if an incident were to occur.

Design an incident response plan that takes into account the unique security needs of your firm, or enlist a cyber security consultant who will be able to design one for you. Although IR plans should be comprehensive and detailed, they still need to remain clear and simple for employees to understand. A complex plan can prove to be counterproductive when it comes to managing incident responses effectively.

Then there are the basic protections that a surprising number of businesses fail to put in place. Passwords, for example, should be rotated at the very least every 60 days, although every 30 days is even better. To make them even harder to guess, passwords should be at least eight to 10 characters long and have at least one number, one capital letter, and one special character, such as ‘@’, ‘#’, ‘$’ or ‘)’.

Any shared accounts should be removed and replaced with individual accounts, and each individual account should have its password updated regularly. Every staff member should have their own accounts with their own unique user ID and password so that there is no need to share passwords between staff members.
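The two rules above (password complexity and rotation, and no shared accounts) are simple enough to check automatically. The script below is an added illustration, not code from this article or from StickmanCyber. It uses the article's thresholds (a minimum of eight characters and a 60-day rotation limit), checks complexity only at the moment a password is chosen so that no password needs to be stored in the clear, and audits account metadata for shared use and stale passwords. The account records, the `password_changed` field and the audit date are constructed for the example.

```python
"""Audit helpers for the password and account rules in the article.

Added example, not the article's or StickmanCyber's own code. Thresholds
follow the article's stated rules; the sample account records below are
constructed for illustration.
"""
from datetime import date

MIN_LENGTH = 8              # article: at least eight to 10 characters
MAX_PASSWORD_AGE_DAYS = 60  # article: rotate at the very least every 60 days
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def check_new_password(candidate: str) -> list[str]:
    """Return the rules a candidate password fails (empty list = accepted).

    Call this when a user sets a password. Passwords are never written to
    the audit records, so this is the only place they are inspected.
    """
    issues = []
    if len(candidate) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        issues.append("no digit")
    if not any(c.isupper() for c in candidate):
        issues.append("no capital letter")
    if not any(c in SPECIAL_CHARS for c in candidate):
        issues.append("no special character")
    return issues


def audit_accounts(accounts: list[dict], today: date) -> list[tuple[str, str]]:
    """Flag shared accounts and stale passwords from account metadata only.

    Each record carries an id, the list of staff who use it, and the date the
    password was last changed (hypothetical field names for this example).
    """
    findings = []
    for acct in accounts:
        if len(acct["users"]) > 1:
            findings.append((acct["id"],
                             f"shared by {len(acct['users'])} staff; "
                             "replace with individual accounts"))
        age_days = (today - acct["password_changed"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct["id"],
                             f"password is {age_days} days old "
                             f"(limit {MAX_PASSWORD_AGE_DAYS})"))
    return findings


# Constructed sample records: account id, who uses it, last password change.
SAMPLE_ACCOUNTS = [
    {"id": "payroll-shared", "users": ["alice", "bob"],
     "password_changed": date(2022, 1, 10)},
    {"id": "alice", "users": ["alice"], "password_changed": date(2022, 3, 1)},
    {"id": "bob", "users": ["bob"], "password_changed": date(2021, 11, 15)},
]
AUDIT_DATE = date(2022, 3, 15)  # constructed audit date

if __name__ == "__main__":
    for account_id, finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{account_id}: {finding}")
    for candidate in ("Summer22!", "password"):
        problems = check_new_password(candidate)
        print(f"{candidate!r}: {'accepted' if not problems else ', '.join(problems)}")
```

Run against the constructed records, the audit reports the shared payroll account twice (shared use and a 64-day-old password) and Bob's 120-day-old password, while Alice's recently rotated account passes. Keeping the complexity check separate from the metadata audit means the audit can run on a schedule without ever touching stored credentials.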

Cyber security is far more than installing a firewall, and you owe it to your clients to get it right before anything goes wrong. Do your research, educate your team, and always be on the lookout for any suspicious activity. After all, prevention is better than cure.
