Cybercriminals target accounting firms

This article was current at the time of publication.

Accounting firms in Australia and New Zealand are now prime targets for hackers wanting to steal highly confidential client data that can be sold online to other criminals.

There’s also been a surge in ransomware attacks where hackers break into networks to steal client data and then demand large payments, usually in a cryptocurrency, for its return.

In most cases, even when a ransom is paid, the data is not returned.

Accounting firms at high risk

In addition, international cyber security companies recently reported cases of phishing attacks by cybercriminals posing as potential new tax clients.

These involve sending emails to tax practitioners that have documents embedded with remote access software. When opened, hackers can not only access the computer of the person who clicked on the document but their entire network.

“If we look at the risk profile of accountants, it’s probably nine out of 10,” says Drew Fenton CPA, Director of specialist insurance broking firm Fenton Green & Co., CPA Australia’s preferred broker in Australia.

“If you’re my accountant you will have my tax file number [and] banking details, you know whether I’ve got a mortgage, all about my family, my business, and superannuation.

“You have my complete financial profile and that is valuable.”

Fenton says accountants are highly exposed and as well as potentially facing significant business costs to rectify the damage caused by a data breach, associated costs can be substantial.

“If your clients’ data is stolen or compromised in any way you will have legislative obligations under the Privacy Act,” he says. “You’ve got to write to all your clients.”

Firms can also be exposed to litigation by clients alleging a data breach was due to negligence.

“There’s also a legal aspect to understanding what your obligations are. There is a possible liability if you’re an accountant and pass on a computer virus to a client.”

Tyler Wise CPA, Director of Wise Accounting, provides cyber security advice to businesses including other accounting firms.

“It’s a pretty attractive space if you’re a cybercriminal to go after accountants, because we’ve got all the information they want for identity theft,” Wise warns.

“Most of our cyber security clients are fellow accountants, and that’s a result of the changing landscape.”

Wise says although there is a greater awareness among firms about the risks they face, there is also an understanding that they are not properly educated around cyber security.

“We try and bridge that and also get involved in the breaches that do occur, as we’ve seen a huge amount of ransomware attacks mainly happening in accounting practices.”

Avoiding cyber attacks

Wise says there’s no one-size-fits-all approach to cyber security for accounting firms.

“Accountants are all quite individual in the way they structure their networks and just about every firm could be exploited in some way.

“At the tail end of last year, I’d never seen anything quite like it. Just looking at the ransomware dumps – by hackers who’d taken data from firms who’d chosen not to pay a ransom – the information that was out there was alarming.

“It’s uncensored. There was one accounting firm that didn’t pay and the attacker just released all their clients’ information.”

Wise says there is a range of steps firms can take to tighten security, including:

• keeping all antivirus and other protective software up to date
• ensuring administrative access to company computers is limited
• using multi-factor security identification to make it more difficult to access systems
• having strong system password rules and management processes.

“It doesn’t have to be complex. It’s something we can all do by following simple steps which have big impacts.”

Wise adds that backing up data on an ongoing basis, independently of cloud-based solutions, is vital.

The importance of cyber insurance

Fenton says having cyber insurance is essential for a range of reasons, including financial protection and the access it can provide to specialist expertise.

“With cyber insurance, the insurance company will have set up consultants from lawyers to IT people and PR companies – whatever it takes to get you out of the mess you find yourself in.

“If you get hacked in any way, shape, or form, they will look after you. It’s as simple as that.”

James McGhie, Managing Director of New Zealand-based Apex Insurance, adds that different insurers have different policies and implement different responses.

However, almost all of them have a quick way to help mitigate a loss, with the right people able to close any loops.

“If someone is in your system, they can get a professional to quickly work out who’s there, how, why and shut them down.”

Even so, McGhie acknowledges that the cost of cyber insurance has increased significantly and that insurers are demanding more information before agreeing to provide coverage.

“Before an insurer will take you on there’s a lot more due diligence being done on your systems and security providers to see if anything is outsourced before you can even buy a policy,” he says.

“The rise of technology and the way we access information – including through COVID and working from home in a less secure environment – has made firms more susceptible to attacks by cybercriminals.

“Cybercrime is probably one of the most dangerous threats to organisations today.”

Practitioner-specific resources, designed to battle cybercrime, will be available soon. Watch this space and head to CPA Australia’s cyber security hub,