A guide on cyber security for accounting firms

Accounting cybersecurity is more important to practices than ever right now

Cyber criminals mean business, and it seems that one their most attractive prime targets is the Australian accounting firm. CrowdStrike, a leading US-based cyber security company, identifies that the accounting industry is a prime target for cyber attacks, as accountants hold a lot of valuable financial data.

In their 2022-23 annual cyber threat report the Australian Cyber Security Centre revealed the following cybercrime statistics related to accounting firms:

• Annually, cybercrime costs small accounting practices an average of $46,000 medium-sized practices approximately $97,200 and large practices $71,600;
• Accounting is part of the sixth most targeted sector in Australia, with 4.7 per cent of all cyber-attacks;

• The number of cyber-attacks has risen 23 per cent in the past year, which is the equivalent to one every six minutes.

Today’s cybercriminals are acting more frequently in Australia and New Zealand, due to our relative prosperity which hackers consider attractive.

The real cost of cyber threats for accounting practices

It is important to note that accounting practices that fail to adequately protect their client's financial data can be penalised.

The Privacy Legislation Amendment Bill 2022 has maximum penalties for serious or repeated data breaches from the current $2.2 million penalty to whichever is the greater of:

• $50 million;

• three times the value of any benefit obtained through the misuse of information; or

• 30 per cent of a company’s adjusted turnover in the relevant period.

For accounting practices, this Bill is a reminder that is an obligation to protect client data, and this needs to be upheld to remain compliant with the law.

The pandemic has only heightened the cyber threat to accounting firms

The pandemic has only worsened things. With the overnight working-from-home revolution due to the pandemic and all the added cyber challenges that came with it, including a deluge of Covid-related scams, practices with the nature of the accounting data they hold, need to be more on-the-ball than ever to avoid the risk of a financial data breach.

The reputation of the practice is at stake

It goes without saying that the professional reputation of any accounting practice plays a critical role in their continued success, attracting clients and long-term relationships, which are the life blood of an accounting practice. A data breach leaves the reputation of accounting practices open to vulnerability, and potential legal ramifications, in the face of stolen or misused financial data.

What accounting professionals can expect from this blog

For the unprepared, there is no doubt the threat of cybercrime to accounting practices is a minefield. We thought it would be useful to map out what we believe are the main accounting cybersecurity challenges.

We believe every accounting firm must not only be sure that they themselves are doing all they can to protect their clients’ financial data, and the practice’s reputation - but also that their trusted accounting practice software providers are on-the-ball with accounting cybersecurity too. We also believe it is important that practices consider the bigger picture in terms of what the threat of cybercrime can do to business culture and learn lessons from those practices that have suffered the consequences of not acting soon enough to bolster their cyber security.

How can I create a robust cyber defence for my accounting practice?

To ensure that the risks of a cyber attack are effectively mitigated, the Australian Institute of Company Directors recommends that company directors treat their organisation’s online assets with the same degree of attentiveness and care that they pay to their real-world assets.

So, rather than risk the pain of a data breach yourselves, we must stress that you must consider what you can do to protect your practice data from the impacts of cyber attacks.

Continually bolster your policies and controls

Every accounting practice today should have a robust cyber security policy in place. Many of the tips in this blog will help firms consider the basis for putting in a new accounting cybersecurity plan, as well as for bolstering existing policies and controls. This is an activity that should be front of mind continually.

Access client management software for accounting practices lets you control who can access accounting data and perform specific operations. For example, you may designate that only certain staff have permission to delete client data from your database.

Make sure your cybersecurity training is up to the mark

Of course, training of this nature is paramount to individual accountants. Record of training is proof that the accounting practice workforce is equipped to act in the best interests of clients and to protect their financial data.

Take data storage and encryption seriously

It is essential that policies and procedures reflect the risks posed by allowing staff to use external storage media in terms of exposing the business and its clients to viruses but also the risk of compromising financial data. Of course, a lack of encryption is particularly risky for the safekeeping of client data for staff working on their devices at home, out of the office or travelling with them on public transport.

Log & report any cyber security incidents

Introduced in 2018, the NDB scheme requires businesses to notify individuals when the loss of their information through a cyberattack is likely to result in serious harm.

It’s imperative to familiarise yourself with the scheme to see if your business needs to comply, and if so, ensure you can meet its obligations in the event of data breaches.

Set a cybersecurity budget for the firm

Setting aside a budget for specific cyber security accounting risk areas is a sure sign that an accounting firm is taking cybersecurity challenges seriously.

It really helps to regularly share real life stories with your staff

Sharing examples of what is happening in cybersecurity in the accounting space is one of the best ways to emphasise the importance of cybersecurity to your workforce, and the role each person in your team must play to keep the business safe from cyber criminals.

The Australian Government’s Business website has many tips to help practices protect themselves from scams.

The Australian Cyber Security Centre (ACSC) is another trusted resource, and practices can register to get alerts on new emerging threats.

Accountants Daily regularly update their website with news and insights concerning accounting cybersecurity.

How do I ensure cybersecurity for my remote workers is solid?

Some businesses were more prepared for the remote working wave of the pandemic than others, but overall, accounting practices seem to have found the transition relatively straight-forward. Those with good accounting practice management software solutions have had remote working options available to them for many years.

While most practices could breathe a sigh of relief that the tech was working from home and that they could continue to deliver services to clients, the serious and urgent need to consider the cyber threats facing them were hard to ignore. Many accounting practices now have in place the required level of cyber security that accountants need to be able practice from home safely.

With remote working here to stay, as many accounting practices plan a hybrid working model for the future of accounting, closing and downsizing their offices, here are our recommendations for those practices catching up with cyber security for remote workers:

Make sure you have a clear reporting mechanism in place

Ensure you have a clear reporting mechanism in place for your remote workers that they can use to officially report and log any data security concerns or problems so that your IT people are fully aware of any potential threats to the practice. People who don’t work in IT may not recognise the significance of a cyber threat, so if you don’t make lines of communication available and easy, they may not alert the right people early enough.

Strong passwords with two-factor authentication are a must

If you haven't reviewed your passwords, we highly recommend you do it today! Don’t delay any longer. According to a recent poll of 3,250 individuals conducted by LastPass as part of their Psychology of Passwords report, 66 per cent said that they mostly or always used the same passwords and authentication everywhere (personal and work).

Consider all the devices in use at home & ensure they are safe

Remote workers across the APAC region are using a combination of their employers’ devices (PCs, laptops etc.) as well as their own personal devices (phones, tablets etc.) sometimes referred to as BYOD (bring-your-own-device).

Either way, accounting practices must make sure their staff understand the risks of using devices away from the office for work purposes.

Make sure they are all running the most recent software for both operating system and applications, including anti-virus software of course. Make sure staff know how to keep devices safe when away from the office, and what to do about reporting lost or stolen devices as soon as possible to the relevant IT staff to ensure your practice remains safe.

For remote workers it is probably better to supply equipment rather than allow BYOD (bring-your-own-device) so you the practice can monitor “who, what, when, where and how?”.

Switch on encryption

Devices are more likely to be lost or stolen when you have staff set up for home working. Most modern devices have encryption built in, but it may need configuring or switching on. Ensure all devices that are being used at home by your workers are set to encrypt data while at rest.

Use mobile device management

It’s a good idea to set up all your home working devices with a standard configuration so that your IT people can lock them or delete data from them remotely, using MDM (Mobile Device Management).

Have a VPN in place

Having a Virtual Private Network (VPN) in place provides an additional layer of security for home workers accessing your firm’s IT resources – e.g. your accounting practice management system, your email system etc. If you are already using VPN, make sure it is fully patched. You may need extra licences, capacity or bandwidth if you’re supporting more home workers.

Your users should avoid using free WiFi hotspots without using a VPN to ensure your/their device’s traffic is encrypted and harder for a cyber-criminal to intercept. For accounting practices using a hosted solution for their accounting practice management software, on the cloud their systems should be fully patched and optimised. If you manage your own IT infrastructure inhouse it is worth checking.

Empower your staff to spot scams, risks and threats

Human error might be the cause of many of the world’s data breaches today, but it is important to remember that your people are your first line of defence too. Regular training instils the right competencies and behaviours across the workforce and for homeworkers delivering key training material of this nature remotely using eLearning courses is ideal.

Completing modules on a ‘little and often’ basis, enables people to build training into their day and apply the teachings to their work. It also means new starters, currently onboarding at home, are empowered to grow their knowledge and adhere to security policies from the moment they join your business.

What security questions should I ask prospective suppliers for new accounting practice software?

When bringing on board new accounting practice software partners there are many accounting cyber security-related questions we’d highly recommend you ask. You cannot delve too deeply into a new suppliers' cyber security credentials.

Measures such as audits and penetration testing apply to accounting practices more than most other businesses, purely because of the highly sensitive nature of the financial information they hold on behalf of clients. This, coupled with high frequency of cyber attacks affecting the profession today, probably makes information security one of the most important aspects of any accounting practice checklist when signing up with a new software provider.

The top 5 security questions we believe an accounting business should ask of any prospective accounting practice software provider are:

1. How secure is their datacentre for SaaS?
   For accounting practices going with a cloud solution can your supplier prove they operate their SaaS solution (i.e., for cloud hosting) within an ISO 27001 certified datacentre? ISO 27001 is the international standard that stipulates best practices for an information security management system.

2. How seriously does the prospective supplier take information security?
   Can your accounting software supplier prove THEY themselves are also ISO 27001 certified? Certification to ISO 27001 demonstrates that your practice is following robust information security best practices, and the systems provide financial data security.

3. Ask for a penetration test report
   Can your supplier present a recent penetration test report? Penetration testing (often referred to as pen testing) is the practice of testing a computer system, network or web application in order to find any vulnerabilities that could be exploited by a cybercriminal.

4. Can you see an audit trail?
   Do you have access to an audit trail within your accounting practice management software? i.e. are you able to see if users are accessing areas they shouldn’t?

5. Ask about security patching
   Can your supplier demonstrate a best practice security patching process within their SaaS infrastructure? i.e. for keeping up-to-date with Microsoft database security standards?

How do I make cybersecurity in accounting a key part of my workplace culture?

Whilst human error is the cause of 95% of cyber-attacks / data breaches, we all need to recognise that well-informed, well-trained staff are an accounting practice’s best line of defence against cyber hackers. There are so many horror stories increasingly doing the rounds, that it is understandable that staff are terrified of doing something wrong and causing catastrophic consequences for their employers.

It is paramount that practices not only openly encourage their employees to share their concerns and experiences but that they also reward the right behaviour to develop an open ‘no-blame’ culture. Nurturing a counter-fraud culture is clearly going to be key for the success of cyber security policies, and more importantly a key part of the bigger picture for the success of the industry. When you’re creating a counter-fraud culture, you’ll need to assess your accounting practice’s counter-fraud maturity. There is a range of guides available on the Commonwealth Fraud Prevention Centre that can help determine this.

Make cyber security a priority

If it is not, you know it should be. There is always something more pressing and urgent to take up your time. But no accounting practice can delay this step a moment longer. We urge you to put cyber security at the forefront of developing your accounting practice’s digital footprint rather than allowing it to be an afterthought. Enough said.

Think about learning styles to make your accounting cyber security training stick

You don’t need us to tell you practices must provide quality training for their staff. It’s a no brainer. But many of the accounting practices we talk to tell us that there is room for improvement in the way they train their people on cyber security, which of course can be a very dry subject and therefore difficult to engage with. Enabling employees to choose their preferred learning style through multiple training techniques including tests, quizzes, eLearning, games, videos, pdfs and audio stories will move your firm beyond annual, tick-box training that has become typical for many organisations. If you adopt short, immersive, and relevant training, little and often that is highly targeted, the impact of your cyber security policies will increase considerably.

Ramp up your communication with staff and join the dots for them

Again, communication is obvious. It must become routine with staff. Let them know what’s happening regularly in the cyber security world. Don’t take anything for granted. Especially when new cybersecurity threats appear. Use stories and real-life incidents to bring the risks to life at home and work. Keep detailed notes of how you manage any cyber incidents and share as and when relevant. Don’t assume that employees knowing what your security policies are will impact behaviours. Practices must join the dots for their employees and make it crystal clear what is expected of them. Encourage your people to share their own stories to help build their cyber resilience and confidence in doing the right thing.

Sit down today and consider the risks of taking on new staff and your leavers

Be rigorous in on-boarding and off-boarding personnel. There are so many risks with both. Give these areas the attention they deserve.

Double check you are making the right back-up choices

Make sure your back-up procedure is fit for purpose - on-site/off-site, cloud vs the server, high security vs fast recovery. A good supplier of accounting practice management software will provide excellent advice on these matters.

Ensure your sign off procedures are hyper-diligent

Accounting practioners should put in place senior stakeholder sign off procedures for sending and releasing funds. We do not anticipate there are many practices today that don’t have hyper-diligent processes in place for this, but if you are not 100% comfortable with yours, the time to revisit them is now.

Revisit your position on cyber insurance

Consider what a specialist cyber insurance policy could offer either by speaking to your insurance broker or a specialist in the industry. Seek recommendations and references.

Cyber security for accounting firms – in summary

The stark reality is that cyber criminals employ a range of ever-evolving tactics to bypass security controls to access client data and are becoming more sophisticated in their approach to breaking down barriers of entry.

However, many accounting practices are surpassing the level of sophistication we are seeing from today’s cybersecurity threats by implementing solid cyber policies and procedures.

Given today’s increasingly perilous cybersecurity landscape, you’re running a huge risk if you don’t back up your practice data regularly. Access accounting practice data management and analytics contains an online backup system allowing you to securely store your data in the cloud. Automatic daily backups and data encryption ensure all your critical data is up to date, secure, and recoverable.