By Nick Matarazzo
A data breach can wreak havoc on your business and its reputation, not to mention the fines incurred and the countless hours you will spend reviewing your computers and tracking down the source of the threat.
Research suggests that 90% of cyber attacks stem from a phishing or social engineering attack. Educate your employees about these attacks so they do not inadvertently give attackers access to company data. There is an increasingly popular spear-phishing technique that employs some combination of threats and personal information harvested online, including passwords! These threats usually include a deadline designed to create urgency and increase anxiety. The goal is to trick you into following the attacker’s directions. Usually this involves links to “verify” that the threat is true, which instead load malware, backdoors or ransomware.
The threats can vary, but some of the more common ones are:
• Tricking employees into clicking on a link in an email or text message, with lures such as:
o I know you cheated on your wife
o I put malware on your computer, recorded you and I’ll send it to all your contacts
o I’m going to lock you out of all your online accounts
• A phone call or email request, supposedly from a bank or a company office, for a large payment or transfer to be made immediately. Firms such as accounting practices are obvious targets, since access to money is more direct and the information they hold is more sensitive.
In fact, like spam, it’s probably automated so there’s no specific target. The cybercriminals are just playing the odds, and even though the odds are small, an analysis of Bitcoin wallets shows some scammers have made over $250,000.
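The extortion-style phish described above has a recognisable shape: a claim to know your password, a threat of exposure or malware, a payment demand in Bitcoin and a deadline. The following added example (not from the original article) shows how a mail gateway or help desk could score an incoming message against those indicators; the phrase patterns, threshold and sample messages are constructed assumptions to be tuned against your own mail.

```python
import re

# Indicator patterns for the extortion phish described in the article.
# Assumption: these phrases are typical; adjust them for your own mail corpus.
INDICATORS = {
    "claims_to_know_password": re.compile(r"\byour password\b", re.I),
    "threatens_exposure": re.compile(
        r"\b(?:recorded you|all your contacts|cheated on|lock you out)\b", re.I),
    "claims_malware": re.compile(r"\b(?:malware|trojan|keylogger)\b", re.I),
    "deadline_pressure": re.compile(
        r"\b(?:within|in)\s+\d+\s+(?:hours?|days?)\b|\bdeadline\b", re.I),
    "crypto_payment": re.compile(r"\b(?:bitcoin|btc|wallet address)\b", re.I),
    "verification_link": re.compile(r"https?://\S+|\bverify\b", re.I),
}


def score_email(body: str) -> tuple[int, list[str]]:
    """Return (number of indicators hit, names of the indicators that matched)."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(body)]
    return len(hits), hits


def triage(body: str, threshold: int = 3) -> str:
    """Quarantine only when several independent indicators co-occur.

    A single hit (for example a deadline in a legitimate reminder) is not
    enough on its own; the combination is what marks the extortion template.
    """
    score, _ = score_email(body)
    return "quarantine" if score >= threshold else "deliver"


# Constructed sample messages (not real mail). The password is made up.
EXTORTION_SAMPLE = (
    "Hello, I know your password is sunshine2014. I put malware on your "
    "computer and recorded you through your webcam. Pay 0.3 BTC to my "
    "bitcoin wallet within 48 hours or I'll send the video to all your contacts."
)
BENIGN_SAMPLE = (
    "Hi team, reminder that the quarterly tax filing is due in 10 days. "
    "Please upload the client documents to the shared drive when ready. Dana"
)

if __name__ == "__main__":
    for label, body in (("extortion", EXTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = score_email(body)
        print(f"{label}: score={score} hits={hits} -> {triage(body)}")
```

The benign reminder trips only the deadline indicator and is delivered, while the constructed extortion message matches five indicators and is quarantined.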
Email addresses, passwords and related data stolen from data breaches of thousands of online sites are easily available to cybercriminals. Last December, a single individual was arrested for selling online passwords from his collection of over 4 billion credentials stolen from data breaches involving companies such as LinkedIn, Yahoo, eBay, Equifax, Uber, Verisign and Home Depot. This is just one of an unknown number of shady password lookup services that cybercriminals can use.
So how can you protect your firm?
Educate your employees with this information! Inform them about phishing attempts. This turns them into a human firewall! Inform them in different ways: use emails, meetings and company newsletters, and keep educating them so that it stays top of mind. Here are some quick suggestions:
• If you receive one of these emails, do not reply to it, do not click any links and, of course, do not pay anything. Just delete it.
• Never recycle an old password. The stolen password data out there is up to 10 years old.
• Use two-factor authentication whenever possible.
• Use different passwords for different sites and services.
• Change passwords regularly.
• Close down accounts immediately when an employee is terminated.
• Use encrypted email to send out sensitive data.
Protect the firm’s computer systems. This seems like a lot of work, but it is just a matter of seeking expert advice:
• Ensure that you have your systems reviewed by IT experts. Employ continuous monitoring to ensure ongoing cyber security. Be sure whoever you hire places data security as a priority for your organization.
• Layer your security – malware detection, email encryption and security and anti-phishing techniques.
• Designate a Data Protection Officer who must report breaches, so you can avoid possible fines.
Consider installing password management software:
• Once you have a password manager installed you no longer need to lean on your memory to remember every password you have created yourself.
• It will make it easy to then create passwords with long phrases, symbols, punctuation, capitalization – as complicated as you want them to be. This will result in increased security across the board without the need to memorize anything.
• Password managers allow people to enter a single master password, which then grants access automatically to all of their accounts.
• Open the doors to your accounts to your employees or to a social media management team without ever revealing the actual password. Picture this: if your company is doing public relations work for a client, your manager can provide access through the password manager to the team members working on the account, all without revealing the password. The manager can then add or remove access for any individual without disturbing the others.
Keep in mind that over time you will accumulate important data on the internal storage of your systems. It is essential to back up your data. Computer systems can crash without warning, and sometimes internal storage simply becomes unavailable. Virus or malware attacks can happen at any time, so it is important to be vigilant. Sometimes a physical event such as a fire or a flood can damage computers and cost you all of your data. Imagine the hardship of trying to recover the missing pieces. By investing in an external hard drive or even a small flash drive you can save yourself the worry and the risk. Consider the size of your firm and assess how much backup capacity you will need; external drives with higher capacities are more expensive than the smaller devices, and a flash drive is designed for smaller amounts of data and files.
By taking protective measures such as educating your staff, protecting against malware, installing firewalls and manufacturer patches, developing a cyber-conscious culture and purchasing a cyber insurance policy, accounting firms can protect themselves from a threat that could potentially bring the business down.