
HOW TRENDS IN CYBER SECURITY WILL IMPACT ACCOUNTANTS

Table of contents

The changing nature of cybercrime
Cybersecurity for accounting firms
    The state of play
    A wealth of exposures
Understanding cybersecurity risks for accounting firms
    1. Data theft
    2. Malware/ransomware
    3. Phishing
    The fallout
Managing recent trends
    What you need to know about recent cybersecurity trends
    What firms need to watch out for – this year and beyond
The value of investing in security
    The real cost of not investing in cybersecurity
    Where you should be investing
How Reckon rode out the COVID disruption
Conclusion
About IPA Books+
Contact us

The changing nature of cybercrime

Across all industries, the changing scale and nature of cybercrime means every business is now a potential target. From basic phishing scams to identity and access theft and everything in between, the lack of concern about, and investment in, organisational cybersecurity is a greater threat than most decision-makers realise.

Even before COVID-19 turned the traditional office model on its head, one estimate of the cost of global cybercrime predicted it would reach US$10.5 trillion annually by 2025.1 Now, with remote-work challenges putting further strain on the IT department – such as ensuring secure off-site access for staff into sensitive systems, training individuals in better password management and access control, and convincing senior leaders or practice owners to boost funding for vital cybersecurity software – decision-makers are starting to realise that their standard protections may not hold up against a significant attack.

According to the Cyber and the CFO2 report, 68% of respondents in the financial services sector rate their cyber risk as ‘very high’ or ‘high’. Perhaps more worryingly, more than half (51%) assessed their personal knowledge of cyber risks as, for the most part, average. And at the organisational level, 68% don’t have a fully up-to-date remediation plan. These figures, taken individually or together, paint a frightening picture for firms that are more at risk of cyberattack today than ever before.

It’s clear that a portion of the accounting and financial services sector recognises the inherent risks of conducting business in the digital world – particularly in an environment that is shifting more and more towards a hybrid in-office/work-from-home model.3 But there are also too many accountants who simply don’t understand – or refuse to acknowledge – the full business implications of a cyberattack.

This whitepaper will investigate the ever-increasing threats against accounting firms and the new risks that are opening up due to changing work habits. It will also explore your role and how you can help manage these risks by investing in education, the right cybersecurity tools and policies. Armed with this vital knowledge, you will have the capacity to be proactive about cyber threats rather than reactive, and to ensure everyone from senior leaders and practice owners to the greenest staff member has a firm understanding of the threat landscape.

1 Cybercrime Magazine, Cybercrime to cost the world $10.5 trillion annually by 2025: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
2 ACCA Global, Cyber and the CFO: https://www.accaglobal.com/an/en/professional-insights/technology/cyber-and-the-cfo.html
3 Accounting Today, The rise of cybercrime in the accounting profession continues: https://www.accountingtoday.com/opinion/the-rise-of-cybercrime-in-the-accounting-profession-continues


Cybersecurity for accounting firms

There are a variety of reasons why accounting firms are one of the most targeted types of business among small companies.4 Not only do they hold a swathe of valuable personally identifiable information (PII) and financial data, but firms with a more traditional organisational structure may be less likely to have adequate cybersecurity defences in place.

The state of play

These vulnerabilities are becoming even more exploitable thanks to the rise in remote work in the wake of the COVID-19 pandemic. Many accounting firms were able to transition quite easily to a remote model, but those increased digital processes create a higher risk of cybercriminals targeting their digital assets – especially if there was no training or onboarding about how to keep sensitive data secure while working from home.5

It’s easy to frame cyberattacks as being purely for financial gain. And while that is the case in many instances, the fallout of a breach or attack can do long-term damage to a firm’s reputation.

4 CNBC, Cyberattacks now cost companies $200,000 on average, putting many out of business: https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html
5 Accountants Daily, Accounting firms are ‘prime targets’, says cyber security firm: https://www.accountantsdaily.com.au/technology/14119-accounting-firms-are-prime-targets-says-cybersecurity-firm


A wealth of exposures

A successful cyberattack could easily destroy a firm financially. But beyond the monetary cost, a breach that collects sensitive client data can destroy the client relationships a firm has spent years building up – all in a matter of seconds. Here are some of the different ways firms are exposed if they don’t have adequate cyber defences:6

• First-party losses: Depending on the extent of a cyberattack, any compromised information can lead to first-party losses. These may be in connection to everything from business interruption to reputational damage, loss of IP, PR costs, technical investigations, ransom payments and more.

• Malpractice claims: If an accounting firm becomes a victim of cyber fraud – e.g. sending a client’s money or Personally Identifiable Information to a fraudster who is impersonating the client – the firm may have a malpractice claim made against them. Known as ‘Friday afternoon frauds’, they are far more common than you think.7

• Privacy liability: Whoever owns the data that is stolen, lost or exposed following a successful cyberattack may be able to sue the firm under data protection legislation or even for breach of contract or breach of confidence.

• Regulatory issues: Firms that fail to protect confidential and sensitive client information, or fail to notify affected parties in compliance with relevant laws, can face regulatory action by governing bodies.

6 ACCA Global, Cyber risks: accountancy firms’ exposure: https://www.accaglobal.com/pk/en/technical-activities/technical-resources-search/2019/july/Cyber-risks-accountancy-firms-exposure.html
7 The Guardian, ‘I thought I’d bought my first home’: https://www.theguardian.com/money/2017/jan/14/lost-67000-conveyancing-scam-friday-afternoon-fraud-legal-sector-email-hacker


Understanding cybersecurity risks for accounting firms

You understand that there’s a rising threat against your firm, your staff and your clients – but where are those dangers coming from, and what methods are threat actors deploying to breach your firm’s cyber defences? Here are the three biggest concerns for accounting firms.

1. Data theft

Data breaches leading to theft of sensitive materials and clients’ Personally Identifiable Information cost businesses trillions of dollars globally every year.8 In fact, IBM’s most recent Cost of a Data Breach Report reveals that the average outlay following a data breach is an eye-watering US$3.86 million.9

That’s a price that would put many Australian accounting firms out of business – not to mention the sustained reputational damage from falling victim to theft of such valuable data.

8 TechRepublic, Data breaches cost US companies more than $1.2 trillion last year: https://www.techrepublic.com/article/data-breaches-cost-us-companies-more-than-1-2-trillion-last-year/
9 IBM, 2020 Cost of a Data Breach Report: https://www.ibm.com/security/data-breach


2. Malware/ransomware

Malware – or malicious software – is software that has been deliberately created to damage a victim’s device or take control of a network. It comes in a variety of forms, from general computer viruses through to Trojans and even spyware and adware.

One of the most devastating forms of malware, however, is ransomware – particularly for businesses such as accounting firms that have a wealth of data they need to protect. When deployed successfully, ransomware takes sensitive data hostage by encrypting it and blocking the victim’s access to it. The attacker then demands payment (in whatever form, though Bitcoin is a commonly used currency)10 in exchange for the return of the data.

The problem is that in many cases, even victims who pay the ransom never regain access to their data. And more worryingly for firms, The Cost of Cybercrime report11 reveals that ransomware attacks more than tripled in frequency over the previous two years.

3. Phishing

Due to a lack of education around cybersecurity threats, coupled with their ease of deployment, phishing scams are running rampant across all sectors, including accounting. These attacks, which usually come in the form of an email, use freely available information (e.g. a firm’s name, specific individuals and their roles in the company) to impersonate a legitimate institution, such as a bank. They then get the recipient to click on a link to a malicious site or download a seemingly innocent file that turns out to be malware.

In 2018 alone, 5,800 phishing scams on Australian businesses resulted in more than $7.2 million in losses – up 53% from the previous year.12 And thanks to the disruption of COVID-19, the Australian Cyber Security Centre has warned of a major increase in phishing scams on accounting firms and their clients.13

One such scam came in the form of a tax-refund email masquerading as official documentation from the Australian Taxation Office (ATO). The email led to a fake myGov phishing page designed to steal sensitive information from end users.14 Tax scams have been a staple for years – most commonly as robocalls15 – but the shift to digital means even more people, including businesses, are at risk.

10 Coin Telegraph, Bitcoin accounts for 98% of crypto-denominated ransomware payments, study: https://cointelegraph.com/news/bitcoin-accounts-for-98-of-crypto-denominated-ransomware-payments-study
11 Accenture Security, The Cost of Cybercrime: https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf
12 ACCC, Australian businesses hit hard by email scams: https://www.scamwatch.gov.au/news-alerts/australian-businesses-hit-hard-by-email-scams
13 Accountants Daily, Coronavirus scams on the rise, says ACSC: https://www.accountantsdaily.com.au/technology/14215-coronavirus-scams-on-the-rise-says-acsc
14 MailGuard, ‘Tax refund’ email supposedly from ATO leads to fake myGov-branded phishing page: https://www.mailguard.com.au/blog/think-before-you-click-tax-refund-email-supposedly-from-ato-leads-to-fake-mygov-branded-phishing-page
15 Accountants Daily, ATO warns of new TFN robocall scam: https://www.accountantsdaily.com.au/business/14505-ato-warns-of-new-tfn-robocall-scam


The fallout

As we explored in Chapter 1, the risks and associated exposures of a cyberattack can be devastating. Not only can a breach lead to reputational damage and costly first-party and third-party losses, but there’s also the fallout that the public eye rarely sees – the damage it wreaks inside the firm:

• Direct loss of turnover.

• Increased staff churn.

• Customers fleeing to more secure competitors.

• Management spending their time on tasks that aren’t profit-generating.

• Clean-up costs.

• Change in customer perception.

• Reduced competitiveness.

Accounting firms that attempt to manage their internal security needs without sourcing expert advice or integrating strong cybersecurity tools into their systems are putting themselves in danger.


Managing recent trends

Just as malicious parties use new resources and attack vectors to penetrate accounting firms’ defences, so too must cybersecurity strategies evolve to stay on top of potential new threats.

What you need to know about recent cybersecurity trends

Cyberattacks are on the rise, and the pandemic has only made matters worse. Remote-working solutions, combined with organisations quickly trying to set up their employees with remote access to sensitive company data, have created a host of new problems – and malicious actors are taking advantage.

In the first half of 2020 alone, 36 billion records were exposed in data breaches.16 Moreover, only 5% of companies’ folders, on average, are adequately protected.17 For accounting firms and financial organisations, the news only gets worse – the financial services industry endures the highest cost from cybercrime, with an average of $18.5 million per company surveyed.18

To bring these figures down, decision-makers need to bolster their cybersecurity strategies by staying on top of recent trends and investing the necessary resources to thwart potential attacks.

16 RiskBased Security, 2020 Q3 Report: Data Breach QuickView: https://pages.riskbasedsecurity.com/hubfs/Reports/2020/2020%20Q3%20Data%20Breach%20QuickView%20Report.pdf
17 Varonis, 2019 Data Risk Report: https://www.varonis.com/2019-data-risk-report/
18 Accenture, What will cybercrime cost your financial firm? https://www.accenture.com/us-en/insights/financial-services/cost-cybercrime-study-financial-services


What firms need to watch out for – this year and beyond

There’s no denying that the pandemic helped accounting firms – and businesses across most sectors – realise the ease with which they can transition their day-to-day processes to a digital-only framework. We saw huge uptake in digital transformation services, as well as an exodus from traditional and analogue systems into the cloud.19

But while the cloud has the capacity to streamline a firm’s operations and boost productivity, its popularity has also made it a much larger target. Firms must be aware that direct attacks against cloud services are on the rise,20 and it’s critical that decision-makers do their due diligence on their chosen provider, where the servers are located, and how their data will be managed in the event of a breach.

Accounting firms also have to concern themselves with the biggest cybersecurity risk to their practice: staff. Human error accounts for 95% of all cyber breaches,21 and if your people aren’t trained in how to manage sensitive data while accessing their work remotely, it can open up significant vulnerabilities for the firm and its clients.22

19 In the Black, Cybersecurity evolves in response to digital transformation: https://www.intheblack.com/articles/2020/12/01/cybersecurity-evolves-digital-transformation
20 ZDNet, Vast majority of cyberattacks on cloud servers aim to mine cryptocurrency: https://www.zdnet.com/article/vast-majority-of-cyber-attacks-on-cloud-servers-aim-to-mine-cryptocurrency/
21 Security Magazine, 95% of successful security attacks are the result of human error: https://www.securitymagazine.com/articles/85601-of-successful-security-attacks-are-the-result-of-human-error
22 KPMG, How secure are your remote working arrangements? https://home.kpmg/content/dam/kpmg/sa/pdf/2020/how-secure-are-your-remote-working-arrangements.pdf


The value of investing in security

Once you’re aware of the threat landscape for accounting firms, you can start to form a strategy for protecting your interests, your clients and your staff. Investing in cybersecurity often needs to occur both internally and externally.

Internally, you’ll want to ensure you have sufficient IT controls, strong access controls, all the critical paperwork (e.g. incident response plans) and relevant insurance such as business or cybersecurity insurance.

Externally, especially for small firms without internal IT resources, enlisting outside help can illuminate your practice’s specific cybersecurity needs. A provider can then deploy the necessary resources (cybersecurity software, hardware, critical infrastructure, etc.) to keep your clients’ data secure.

The real cost of not investing in cybersecurity

Did you know that experts predict ransomware attacks will occur at a rate of 5.5 per minute in 2021?23 That’s 8,000 attacks per day. Consider if just one of those slipped through your firm’s defences.

The Tax Adviser reports24 that the cost of cleaning up after a cyberattack ranges between $70,000 and $300,000 for accounting firms. That’s not inclusive of reporting and credit monitoring expenses (a further $100,000 to $300,000), plus the cost if you were to pay the ransom – with the usual range being between $100,000 for a small firm and $2.6 million for a large practice.

23 Accounting Today, Cybersecurity: Staying vigilant and safe: https://www.accountingtoday.com/news/cybersecurity-staying-vigilant-and-safe
24 The Tax Adviser, Cybersecurity: An urgent priority for CPA firms: https://www.thetaxadviser.com/issues/2020/apr/cybersecurity-urgent-priority-cpa-firms.html


Where you should be investing

• Deep security expertise: Not all accounting firms have the staff skill set or the financial resources to maintain all their cybersecurity needs in-house. Outsourcing those requirements to a professional IT team or utilising an accounting practice solution can reduce the strain on your own firm.

• Governance and ongoing cybersecurity training: There must be robust governance in place at all times to ensure your firm’s defences never drop. Focus on regular training sessions about best practice and the most recent threats. Nominate cybersecurity ‘leaders’ to provide guidance to other staff. And ensure hiring policies align with your overall cybersecurity strategy.

• Recovery plan: What would happen if the worst occurred today? How would your firm react to a cyber breach? Recovery can be slow, expensive and detrimental to your reputation without the proper policies in place, such as an incident response plan and a detailed map that outlines your firm’s road to recovery.

• Remote solutions: Working from home will be the new norm for many firms as we move into the future. That means you need to start investing in best-in-class solutions that not only streamline day-to-day activities for both your remote and on-site staff, but also bolster your firm’s security – especially for those working from home and remote-accessing your systems. If you haven’t already looked to the cloud, now is the time to start planning your move.

Both practice owners and employees have a pivotal role to play in the day-to-day protection of their firm.


How Reckon rode out the COVID disruption

When COVID-19 shutdowns forced Reckon and accounting software solution IPA Books+ out of the office, they were able to rely on a backbone of security and management systems that were already in place. This, in turn, helped streamline the transition from in-office to remote work across their entire team – a rarity for such a large-scale operation.

“We were fortunate in that we had already implemented an information security management system based on the ISO 27001 standard, which meant we had a lot of policies, systems and processes in place to allow us to transition quickly and securely,” says Ed Blackman, Chief Technology Officer at Reckon Group. “Without knowing exactly what we were preparing for, we’d done what was necessary to the standard, and we essentially had everything already written down.”

The ability to transition to remote work so quickly allowed Reckon to spend more time on training, particularly around device management, access controls and cybersecurity best practice.

“We focused on providing support, training and getting people up to speed on how to connect to everything from their home office – that was very topical, especially in the first two-to-three-week period. We put together an enormous amount of extra training material, and spent a lot of time on the phone with our IT team and directly with staff doing one-on-ones.”

Despite starting their fully remote operation on the front foot, Ed and his team still had many challenges to attend to – particularly around bring your own device (BYOD).


“We already had a strict BYOD policy in place, with requirements and rules specifying which versions of operating systems were allowed, what software was mandatory. We needed people to use separate accounts away from any other family accounts they might have had on their machine, as well as considerations around antivirus and many other requirements.

“So while we were prepared and we had the policy in place, the hard part was making sure everybody was complying with it. That led to us essentially having to do one-on-ones with all of our staff using BYODs to ensure that they were at the security standard we’d set.”

Ed advises that accounting firms looking to allow their staff to continue working from home should consider the heightened cybersecurity implications of doing so.

“When using a BYOD or a computer that’s already at home for work, it’s likely to be a lot less secure than the one you have at work that’s been set up properly. There should also be more stringent considerations like internet filtering and malware protection of all internet traffic – that might already be active in an office environment but it probably won’t be at home. Offices are going to have much stricter firewall rules, and again that won’t be at home. All of these things are an example of a reduction in security, which means staff are wide open to being targeted.”

Looking to the future, Ed acknowledges that threats to an organisation’s cybersecurity will continue to rise. But despite the new and complex types of attacks, he says that accounting firms should be most wary of what’s come before.

“It all comes back to the usual suspects. The biggest threats are probably phishing and malware getting onto the systems inside accounting firms, or getting at staff’s credentials so they can be fraudulently used. They’re the biggest risks for all accounting firms, small and large.”

The solution? A multi-pronged defence.

“Education is very key, so make sure you’re regularly educating staff, which can be done easily with online courses. You also need the right antivirus and web-filtering systems in place to guard against known malicious links, which are updated in real time. You’ll want to use a cloud system that offers real-time protection and updates, so links are challenged in real time to make sure people aren’t going to any malicious locations up to the last second. All these things in unison can protect a firm against cyberattacks.”


Conclusion

It’s clear that cyber threats aren’t going away – on the contrary, their frequency is growing and they are targeting susceptible industries such as accounting and financial services. With the cost of not investing in cybersecurity a potential practice-killer, today is the day to start formulating a plan for the future; a future that embraces cybersecurity tools to protect your firm and your clients from external attacks.

If you’re ready to experience accounting software that has been built and implemented for accountants with security in mind, contact the experts at IPA Books+ today.


About IPA Books+

IPA Books+ is online accounting software designed by the Institute of Public Accountants (IPA), Australia’s leading accounting body representing more than 36,000 members and students in over 80 countries. With IPA Books+ the IPA has created affordable, accessible and reliable accounting software that helps members manage everyday finances and run their business more efficiently.

Contact us

Customer Service

1300 681 489

[email protected]

Mon – Fri: 9am – 5pm