While the increase in cyber attacks over the last two years has affected businesses across all industries, accountancy firms have been at particular risk of falling victim to a cyber attack. According to Accounting Today, accounting firms have seen a 300% increase in cyber attacks since the start of the COVID-19 pandemic, as an industry that is already vulnerable to cybercrime also deals with the challenges of remote working.
This blog post will explore why accountants make prime targets for cybercriminals, break down the top cyber security threats accountancy firms face today, and outline the steps they can take to mitigate these risks.
There are several reasons accountants make such attractive targets for cybercriminals. Firstly, accountancy firms hold a lot of sensitive information on their clients, including names, addresses, identification documents and bank account information, all of which could be used to commit further fraud.
For most accountancy and payroll firms, their clients will also be other businesses, allowing cybercriminals to access a vast amount of sensitive information across several companies through one single attack. While larger firms may present as an ideal target due to the number of clients they manage, smaller firms usually don't have the resources to invest in security systems, leaving them vulnerable to some of the most common cyber attacks.
Additionally, the sudden move to remote working has resulted in businesses implementing software, systems, and services that have yet to be secured even two years on. According to PwC, finance and accounting firms are already at a 30% higher risk of becoming victims of a cyber-attack, highlighting the need for firms to improve their cyber resilience. Combined with the rise of cloud accounting services, this move to remote working presents even more opportunities for attackers to exploit software vulnerabilities and insecure systems.
Earlier this year, contractor-focused firms SJD Accountancy, Parasol and Nixon Williams all became the victims of suspected ransomware attacks, affecting their ability to pay thousands of contractors and forcing some of their customer-facing systems offline. Optionis Group, the parent company of all three firms, later confirmed that a data breach had also taken place, with sources estimating that over 400,000 of the company's files were leaked online.
Ransomware is malware that encrypts files on a user's computer, preventing them from being accessed until a ransom is paid to the attacker. Often, the attacker will also threaten to publish the victim's files online if a ransom is not paid by a specific deadline. Sadly, there's no guarantee that paying the ransom will get the files decrypted, and paying often only results in additional costs.
This type of attack can be incredibly damaging for businesses, particularly if the attack prevents them from accessing critical data or essential systems needed to operate. For Parasol, thousands of contractors were left without payment well after the incident. In addition to business downtime and reputational damage, firms could also face an average fine of £15,000 if they have not taken the necessary measures to protect their clients' sensitive data. Payroll firms must also report significant data breaches to the ICO within 72 hours of becoming aware of the breach.
Phishing is a scam where an attacker sends an email or message purporting to be from a trusted source to trick the recipient into revealing sensitive information such as passwords or account numbers.
Serious phishing attempts go further than the standard "Click Here To Access Your Winnings!" and will use social engineering techniques to get recipients to open emails, using terms like "Outstanding Invoice" in the subject line or even mentioning colleagues' names or well-known conferences within the industry. Once a person clicks on a phishing email, the attacker can easily install malware on their computer or gain access to sensitive data.
One of the most impactful ways to combat phishing attempts is through comprehensive staff training and phishing tests. While email filters will go a long way to detect and block malicious emails, it's also essential for firms and their staff to be aware of phishers' common tricks. This includes avoiding sharing any sensitive information via email and constantly questioning any unexpected or unsolicited requests for information.
Naq provides businesses with all the tools to secure their valuable business data, including full staff cyber security training and regular phishing tests from just £189 per month.
The COVID-19 pandemic has resulted in many accountancy firms adopting new ways of working, with staff now working from home on a more permanent basis. While this offers many benefits, such as increased flexibility, it also creates new cybersecurity risks that need to be considered.
One of the main risks of remote working is using personal devices for work purposes. While this may seem like a minor issue, it can lead to serious data breaches if not managed correctly. According to a recent study, 43% of employees use their personal devices for work without permission from their IT department, and a further 20% have no idea if they're allowed to or not. This can pose a serious security risk as personal devices are often unsecured and more likely to be lost or stolen.
Another risk of remote working is employees using insecure Wi-Fi networks to connect to work systems and access sensitive data. Public Wi-Fi is notoriously insecure, meaning that any data being sent or received on these networks is vulnerable to interception by cybercriminals.
Accountancy firms need to be aware of the risks associated with working from home and take steps to mitigate them. These include using a VPN when connecting to work systems, only accessing work data on secure, password-protected devices and never sharing passwords or sensitive information over email. For more guidance on working from home securely, see Naq's in-depth guide to secure remote working.
When securing your accountancy firm's data, prevention is always better than cure. While implementing a robust cyber security strategy may seem overwhelming, complicated and expensive, taking care of this now will protect your clients' data and your company's reputation, and save you thousands in potential downtime and data compliance fines.
Naq provides accountancy firms with everything they need to secure their clients' sensitive data, business, and hard-earned reputation. Get world-class cyber security, staff security training, and achieve GDPR compliance in minutes from £189 per month.