Why and how do hackers target accountants?

We caught up with Mitigo co-founder David Fleming to grab some insight and to ask why and how cyber criminals target accountants. We hope it provokes some thoughts and actions for you.


David is a Partner at Mitigo, and he leads the cyber and forensics team. David spent a decade in one of the largest banking groups transforming their digital proposition and its associated cybersecurity.

Why would cyber criminals attack accountants?

Well, cyber criminals are simply after 3 things. They’re trying to find people who are making payments so they can divert those payments. They’re trying to find financial details of bank accounts and credit cards so they can compromise them. Thirdly, they’re trying to find sensitive client data. These are the 3 areas where criminals can make money.

The reality is that no accountant is the initial target. Cyberattacks are mostly indiscriminate and aimed at as wide an audience as possible. The hackers are looking for vulnerabilities, for example in your firewall. They automatically scan the internet for poorly configured or out-of-date firewalls. Their favourite method is sending mass emails, but they’re not just sending them to your accountancy firm, they’re sending them to every email address they can get their hands on. If your firm has these vulnerabilities, or an employee falls for a malicious email trick, then they come after you, and you become the target, whatever your size.

OK. What can be the consequences of a cyberattack on accountants?

The most painful types of cyberattack on accountants are ransomware and email account takeover. If you experience either of these, the consequences for you as a business can be catastrophic. A huge one is the amount of downtime you can experience. From my standpoint, I have seen organisations who are down for weeks, not just days, as they attempt to get their systems and data back up and running. But the other major factor for accounting firms is managing the PR, as criminals will threaten to publicise the data they have stolen. You are a trusted professional service firm and losing your client data can be severely damaging to your business’ reputation – and in some instances can be company ending. Not forgetting the loss of money, insurance claims, stress to management, potential fines, and your reporting obligations to the ICO.

What are these “vulnerabilities” that the cyber criminals exploit?

It is a good question. There are many that we find when assessing accountancy firms, so I will explain the top ones.

The first one is that every business now has their employees working remotely on laptops and this is a favourite way in for criminals. Is the laptop’s local firewall on? Have you reduced their permissions to standard privileges?

The second one is your people. Are your staff trained to spot dodgy emails? And to not just click on any link? Or to not fall for vishing calls? We have seen a spike in vishing attacks – often leading to staff being tricked into giving away access to your systems.

Third on my vulnerability list is your office firewall, as it is visible to the outside world. Who is accountable for applying regular security patches? When did you last get it scanned for vulnerabilities?

And finally, have you ever tested your data backup? A significant proportion of the backups we assess would not survive a ransomware attack, rendering them useless.

This is obviously a broad topic so accountant firms should contact us to learn more.

Doesn’t the accountant’s IT support firm fix these vulnerabilities?

Unfortunately, that’s the biggest misapprehension that people have believed to be true. They believe that their IT support are taking care of their cybersecurity, and that is rarely the case. Any firm that has ever suffered a ransomware attack or had its email account taken over had an IT support company. The IT support company are not trained to do it, they don’t live and breathe it every day, and they are often not being paid to manage cybersecurity. To properly manage your cyber risk, you need to get specialist cybersecurity help, as it is one of the top threats to your firm’s ongoing success. If nothing else, after reading this, go away and work out what your cybersecurity requirements should be.

What would be your top cybersecurity tips for an accountancy practice?

Let me give you a top four (but at a high level). The first thing to do is to work out what your risk is. Where are your crown jewels? Where is your data stored? You need to understand where your data is and make sure that those systems are well protected. The second thing is to make sure that your endpoints (these are the computers and devices that your employees are using) are well set up and configured correctly. Have a professional look at them and ensure that they are resistant to an attack. The third one is to look at your email system. The majority of businesses are using Office 365 or Google G-Suite. You must go over the account from a security perspective and look at the filters, blocks, settings and the alerts that you can switch on and configure to make your organisation safe. The last one is related to GDPR and is a legal requirement. Make sure that your staff undergo cyber awareness training and do simulated attacks so they can play their part in defending your practice from the ever-growing and sophisticated cyberattacks.

How can smaller accountancy firms afford the costs associated with getting secure?

I suppose the easy answer is, how can they not? But I have the dubious benefit of knowing how horrible and costly a cyberattack can be. This doesn’t need to cost the earth, it can often be less than the cost of one junior employee to get this sorted, and vulnerability assessments can be done at a reasonable cost. Your first step should be to speak to your trade body and see what they advise.
