With so many accountants moving over from desktop to cloud-based software applications, it seems natural that their focus has turned to information security.
And so it should: with more websites that hold personal data being infiltrated, the need for accountants to protect their practices’ data is becoming increasingly urgent.
Approximately 50 years ago, Fernando Corbató altered the world as we know it by helping to deploy the first computer password – which in turn revolutionised not only how we use technology but also how we think about privacy. Interestingly, the former MIT professor has declared that he thinks passwords are a nightmare – and I tend to agree.
In 1962 one of his colleagues printed out a master list of passwords to increase his computer time allowance – and this was the first known computer password breach. Sadly, password cracking has moved on to far more sophisticated breaches.
When password cracking first started to become professional in the early 1990s, the only tools available to hackers were simple dictionary attacks from basic word lists grabbed from the internet. These lists were of limited help to hackers and only got them so far when trying to guess passwords.
Things improved for hackers in 2009 when a company called RockYou had its website breached and more than 32 million raw passwords were leaked. This large password payload helped hackers refine their attack methods and added statistical rigour to their techniques. These were real passwords, not just a list of words from a dictionary, and thus professional password hacking was born.
RockYou started the endless feedback loop, and more websites followed: eHarmony, Ashley Madison and then LinkedIn.
The LinkedIn breach means hackers have a new treasure chest of passwords significantly larger than anything they have had access to before. This new bounty will help hackers move on to even bigger treasure troves.
Further password breaches will follow as a result of the LinkedIn breach, and accountants should be constantly vigilant about their information security, and that of their clients, from this point on.
Be alert, but not alarmed – here are five tips for accountants to manage cyber threats in a world of password password hacking:
1. User a password manager
A password manager is an application that helps you store and retrieve passwords. The passwords here are usually heavily encrypted and require a master password to access. This master password is usually very strong and allows you full access to your entire password database.
The LinkedIn hack was so toxic because most people share the same password for different sites. Once hackers have your LinkedIn password, there is a good chance they can access others. A password manager will help stop this.
You may be wary of putting all your passwords in one place. What if the password manager itself gets hacked? It's possible, but unlikely, as password managers put far more effort into security than your average website does.
Password managers also use ‘hashing’ techniques on their password databases, and should they get hacked, the hashing means hackers will need a significant amount of time to ‘unhash’ the passwords and make sense out of them – by which time you will have been able to take remedial action. LastPass is the manager I prefer and it works on almost any device.
2. Use strong passwords
Any tricky password combination of a word followed by some numbers will take less than a microsecond for a hacker to guess. Sadly, any cunning mnemonic or special wordplay trick that you have conjured up has also likely been anticipated by hackers.
Here is a simple tip. Unless your password looks something like this: 'wfTIZQvDb95hF91BZSXSfEFk', consider it easy to guess.
Obviously there is no way you will be able to memorise these types of passwords for your day-to-day internet usage. So again, use a password manager. Handily, LastPass also generates strong passwords for you to use.
3. Use multiple security layers
Combining multiple security controls will help protect your practice’s resources and data. An effective and simple start would be ensuring you run dedicated anti-malware alongside your traditional anti-virus solution. I like Malwarebytes working alongside Kaspersky AntiVirus, with the Symantec Email Security cloud service running on email servers.
If you have a dedicated IT person, they can ensure all these applications are running on your employees’ computer using something called ‘group policy’.
4. Watch out for spear phishing
A good example of a ‘spear phishing’ attack is where an attacker sends an email that looks like a legitimate message from a trusted company, in the hope that the victim will give up some lucre. Normal phishing emails are typically relatively easy to spot (they look spammy), but more recently these emails have become quite impressive and hard to initially recognise.
My suggestions here are to ensure your employees:
• Handle all emails with a bit of suspicion. Remain sceptical of any email that has a strong call to action (particularly attachments);
• Ensure the email tone is consistent with what they expect;
• Ensure bank transfers and other sensitive business processes have adequate sign-off measures;
• Be wary of spammy social media invites, particularly from LinkedIn;
• Spend a bit of time researching spear phishing. Companies such as PhishMe have great resources for keeping up to date with the latest threats.
5. Take care with PUAs
PUAs are potentially unwanted applications. This includes adware, browser extensions and any software that comes bundled with other software. These PUAs can cause havoc with an accountant’s business.
Anyone downloading the popular uTorrent application earlier this year (your kids might have downloaded movies) would have been the unlucky recipient of a PUA called ‘Epic Scale’, which rudely uses your computer to mine bitcoins.
Even more concerning is the growing threat of ransomware, which is becoming an issue for unwitting accountants who install software without fully realising what they are in for.
Again, talk to your designated IT person about group policy to ensure unwanted software cannot be installed on your employees’ computers. Also ensure your backups are frequent. And stop downloading movies from torrents.
Conclusion – consider yourself a target.
It is crucial you acknowledge that you are at risk and take steps to manage that risk.
The phrase 'only the paranoid survive' could not be more relevant to this situation.
As an accountant, much of your business is built on trust – and you’ve worked hard to earn that trust. You probably spend a lot of time making sure that your clients’ tax obligations are up to date, and considering their exposure to business and financial risk. Add information security to those things, because as the world digitally transforms and more of your operations move online, ensuring the safety of your information will go hand in hand with ensuring the safety of your and your clients’ businesses.
Julian Plummer, managing director, Midwinter