In the era of online everything, how can you be sure your client data is as secure as a dragon's hoard? 🐉

Let's consider the risks of this new online world and how we can mitigate them. Learn how to keep your data safe with these steps.

Written by Alex

In the era of online shopping, email, online banking, and remote working, you can do just about anything online. This makes life supremely convenient, but it also makes us vulnerable to a host of new crimes in cyberspace. October is Cybersecurity Awareness Month and there's no better time to consider the risks of this new online world and how we can mitigate them.

According to the latest government survey in the UK, almost a third of businesses (32%) and a quarter of charities (24%) report having cybersecurity breaches or attacks in the past 12 months alone. And it's estimated that global losses from cybercrime skyrocketed to nearly US$1 trillion in 2020 as the coronavirus pandemic provided new opportunities for hackers to target both individuals and businesses.

Cybercrime continues to stay in the news. In the past month, 60 000 State Department emails were stolen in a Microsoft breach, 89 GB of T-Mobile employee data was stolen and posted to a hacker forum, and Caesars Entertainment had to pay $15 million as ransom for its loyalty program database. And this is just the tip of the iceberg!

Why should you be worried about this? 🧐

You may be thinking, these are concerning stats but these are big companies – nothing at all like your firm or the organizations that you serve. However, as an accountant, you have access to some of the most important information available – financial information. This is data that can make or break organizations.

Well, yes, you may say. That makes sense... But what if my clients are very small? What if I only really deal with SMEs?

It’s commonly believed that cybersecurity attacks only affect larger organizations. However, smaller firms are actually more likely to be targeted, as they are seen as softer targets. Nearly half of all cyber breaches (46%) impact businesses with fewer than 1,000 employees and small businesses receive the highest rate of targeted malicious emails – especially those with fewer than 250 employees.

Plus, the repercussions for smaller businesses can be much more severe.

Larger corporations will typically have larger resources to implement a strong cybersecurity strategy, whereas smaller organizations may not be able to commit to a similar level of investment. Smaller businesses are also less likely to be able to recover from cyber attacks than large businesses, in terms of both financial loss and reputation damage.

So, what can be done to protect your data and your clients' data?

Put a layered defence approach in place 🏰

Imagine your client data is a great mountain of gold and you're the dragon tasked with defending it. How might you make sure no nefarious dwarves or misled hobbits steal your prize possessions? Well, you being a fire-breathing monster would help somewhat, but beyond that you probably want to situate your hoard in a secure location.

You want a castle with high walls that are hard to climb, and thick doors that are difficult to penetrate or knock down. It might help to add some archers to the battlements to detect threats as they appear, and perhaps a murky moat filled with crocodiles wouldn't be amiss.

This multi-pronged strategy is what we typically call a layered defence approach, or defence in depth.

So, how do we create our impenetrable fortress? One that considers the perimeter, endpoint, application, data, and user?

The moat teeming with crocodiles 🐊

Let's start with the perimeter – the moat filled with crocodiles would be your firewall. A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to lower the bridge over the moat and let it pass – or whether to block it and set the crocodiles upon it.
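To make the "lower the bridge or set the crocodiles on it" decision concrete, here is an added example (written for this page, not code from Syft or from any firewall vendor) of the rule evaluation a packet-filtering firewall performs: rules are checked in order, the first match decides, and anything that matches nothing is blocked. The network addresses and the rule set are constructed for a hypothetical small office whose web server sits at 203.0.113.10 and whose internal LAN is 10.0.0.0/8.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (towards the office) or "out" (from the office LAN)
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None means any port
    proto: str = "tcp"


# Constructed rule set (hypothetical office). Order matters: first match wins.
RULES: List[Rule] = [
    Rule("deny",  "in",  "0.0.0.0/0",  "0.0.0.0/0",       3389),        # remote desktop never from outside
    Rule("allow", "in",  "0.0.0.0/0",  "203.0.113.10/32", 443),         # public web server, HTTPS only
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",       443),         # staff may browse HTTPS sites
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",       53, "udp"),   # and resolve DNS names
]


def decide(rules: List[Rule], direction: str, src: str, dst: str,
           dport: int, proto: str = "tcp") -> str:
    """Return "allow" or "deny" for one flow. No matching rule means deny (default deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.direction == direction and r.proto == proto
                and src_ip in ipaddress.ip_network(r.src)
                and dst_ip in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"  # the drawbridge stays up unless a rule explicitly lowers it


def evaluate_flows(rules: List[Rule], flows: List[Tuple[str, str, str, int, str]]) -> List[str]:
    """Decide a list of (direction, src, dst, dport, proto) flows, e.g. replayed from a traffic log."""
    return [decide(rules, *flow) for flow in flows]


if __name__ == "__main__":
    # Constructed sample traffic: a visitor, an attempted RDP connection, a staff lookup.
    sample = [
        ("in",  "198.51.100.7", "203.0.113.10", 443,  "tcp"),
        ("in",  "198.51.100.7", "203.0.113.10", 3389, "tcp"),
        ("out", "10.1.2.3",     "192.0.2.53",   53,   "udp"),
    ]
    for flow, verdict in zip(sample, evaluate_flows(RULES, sample)):
        print(flow, "->", verdict)
```

The point to take from the rule set is the last line of `decide`: a firewall earns its keep through default deny, so the only traffic that gets in or out is the traffic you have consciously listed.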

Unsure which firewall to use? Here are a few recommended by G2 according to their ratings in user reviews:

  • WatchGuard Network Security (ranked 4.7 out of 5) and typically used by mid-market (54%) and small businesses (43%);

  • pfSense (ranked 4.7 out of 5) and typically used by small businesses (71%) and mid-market (23%); and

  • Sophos Firewall (ranked 4.6 out of 5) and typically used by mid-market (63%) and small businesses (27%).

For a full list, visit their ranking site here.

What if there's a really intrepid criminal who manages to dodge the crocodiles and get onto the castle grounds? Well, then you'll need some sure-fire archers to take him down.

The archers 🏹

Stationed at every battlement of the castle, you have a man with a bow and arrow. In our case, this is an antivirus tool. An antivirus works by detecting, quarantining and/or deleting malicious code, preventing malware from causing damage to your firm's devices. So, if any sneaky software finds its way onto your devices, antivirus will scout it out and get rid of it with the excellent aim of an archer.

Some good options of antiviruses include: Intego (voted best antivirus software of 2023 with a 9.8 rating and available on Mac and Android), Total AV (award-winning anti-virus), and Norton (high-accuracy, low-impact solution with online backup capabilities).

Okay, so far so good, but now, what if someone finds the secret entrance to your castle that only the servants are meant to know? You've been ratted out and someone has gotten in. This is why you need the best lock in the business – a super cryptic riddle.

The impossible riddle 🧝‍♀️

In IT terms, the impossible riddle is called encryption. Encryption works by transforming "plaintext" into "ciphertext". Decoding encrypted data back into plaintext requires the decryption key, a secret value (a string of numbers, or one derived from a password) that is produced by the encryption algorithm; without it, the ciphertext is unreadable. In other words, this is nigh impossible to achieve for most mere mortals. And this is why it's highly recommended that you encrypt all company hard drives.

Google Cloud notes that we encounter examples of encryption every day, on our smartphones, PCs, and banking apps. They give the example of websites whose addresses start with "https://", explaining that the "s" stands for "secure" and that this is a sign that the website is using transport encryption. Take a look at the websites you use to see if they have this "s" in their URL and if there is a little lock icon next to the URL. Another example of encryption can be found in VPNs, but more on that later.

But now for the difficult conversation we must have about those guards of yours – I mean your employees. Having the best tech in place is great, and recommended, but you're only as secure as your weakest link and, let's face it, the weakest link is typically human. How do you make sure your staff do their bit to keep the data secure?

Keeping the guards vigilant 🧑🏻‍✈️

There are a number of ways to keep your guards vigilant. The first is by training them in the importance of cybersecurity and ensuring that they pay attention. At Syft, we use a software called Vanta to ensure we are as secure as possible and this includes making all employees complete annual security training.

We also require the use of two-factor authentication so that when you log into Syft, you're not just relying on one password.

Authentication, authorization, and frequent monitoring are all key to keeping your guards on top of that treasure. Plus, it's a good idea to update and patch your network devices and software regularly and to encourage your staff to use secure passwords for all their accounts and devices.

Pro Tip 💡: Use password generators and keepers such as Google Passwords on Chrome, Apple Keychain on Apple devices, or LastPass to ensure your passwords are strong and secure.

If your staff work remotely, it's also good to advise them to be cautious with public WiFi. You don't know who else could be using a public network, so it's always better to use a VPN, a virtual private network, which encrypts your data and masks your IP address, browsing activity, identity, and location. You can think of this as an additional high barrier for thieves to scale.

Take a look at what your allies are doing to protect their kingdoms 🤴

When it comes to security, there's a lot to be learned from others. As a business, though you want to be walled off from cybercriminals, you're not an island. Most businesses interact with other businesses, especially if you consider the software that you use. There are many protocols that others have in place that you may want to assume in your own business.

It's a good idea to align your network security architecture with industry standards and frameworks. These provide you with best practices, guidelines, and benchmarks to improve your security posture and compliance. Some of the most widely used standards and frameworks are ISO 27001, NIST Cybersecurity Framework, CIS Controls, and SANS Top 20 Critical Security Controls. You should choose the ones that suit your business context and objectives. At Syft, we follow the guidelines of SOC 2, meeting criteria around five key pillars:

  1. Security;

  2. Availability;

  3. Confidentiality;

  4. Processing Integrity; and

  5. Privacy.

Although the requirements are different for a SaaS company and an accounting practice, a lot of these pillars are beneficial for both organization types. For instance, when it comes to security, Syft ensures that network and application firewalls are in place, as well as two-factor authentication, and intrusion detection. Where possible, you want to make sure these measures are in place. If you use software such as Xero, QuickBooks, Sage, or Syft, see if you can set up two-factor authentication to secure your account.

Pro Tip 💡: Investigate the security measures put in place by software or apps that use your data or your clients' data. When data is out of your hands, there's not much you can do about it. Investigate all the software you use to see what security measures they have in place and whether these are sufficient.

When it comes to privacy, Syft has certain measures in place to control who has access to data. You may want to apply this principle in your own firm by only giving staff members access to information that pertains to them – applying the principle of least privilege.
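As an added illustration of what "only the information that pertains to them" looks like when it is enforced by software (this is example code written for this page, not Syft's access-control implementation), the check below denies by default and only allows an action when the client file is assigned to the staff member and their role permits that action. Every decision is written to an audit trail, and a second function picks out staff who keep being refused, which is the kind of monitoring that catches both a misconfigured assignment and an insider trying doors. Names, roles and client identifiers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Staff:
    name: str
    role: str                 # "partner", "accountant" or "intern" (constructed roles)
    clients: FrozenSet[str]   # client files explicitly assigned to this person


# Constructed role map: each role gets only the actions its job needs, nothing more.
ROLE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "partner": frozenset({"view", "edit", "export"}),
    "accountant": frozenset({"view", "edit"}),
    "intern": frozenset({"view"}),
}

AuditEntry = Tuple[str, str, str, str]   # (staff name, action, client, "allow" / "deny")


def is_allowed(staff: Staff, action: str, client: str, audit: List[AuditEntry]) -> bool:
    """Least privilege: deny unless the client is assigned to the person AND the role permits the action."""
    permitted = client in staff.clients and action in ROLE_ACTIONS.get(staff.role, frozenset())
    audit.append((staff.name, action, client, "allow" if permitted else "deny"))
    return permitted


def repeated_denials(audit: List[AuditEntry], threshold: int = 3) -> List[str]:
    """Names of staff with at least `threshold` denied requests, for someone to follow up on."""
    counts: Dict[str, int] = {}
    for name, _, _, decision in audit:
        if decision == "deny":
            counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n >= threshold)


def run_scenario() -> Tuple[List[AuditEntry], List[str]]:
    """Constructed day at a hypothetical firm: a partner and an intern working on client files."""
    alice = Staff("alice", "partner", frozenset({"acme", "bobs-bakery"}))
    dan = Staff("dan", "intern", frozenset({"acme"}))
    audit: List[AuditEntry] = []
    is_allowed(alice, "export", "acme", audit)          # her client, her role: allowed
    is_allowed(dan, "view", "acme", audit)              # his client, view only: allowed
    is_allowed(dan, "export", "acme", audit)            # interns cannot export: denied
    is_allowed(dan, "view", "bobs-bakery", audit)       # not his client: denied
    is_allowed(dan, "edit", "acme", audit)              # interns cannot edit: denied
    return audit, repeated_denials(audit)


if __name__ == "__main__":
    trail, flagged = run_scenario()
    for entry in trail:
        print(entry)
    print("follow up on:", flagged)
```

Two design choices carry the weight here: the decision starts from "no" and has to be argued into "yes" by both the assignment and the role, and the denials are kept rather than discarded, because a pattern of refused attempts is information in its own right.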

It's also considered best practice to perform regular risk assessments and vulnerability scans to determine the level of exposure and potential impact of different threats. This will help you prioritize your security needs and goals so you can be proactive in your approach to security.

It's not enough to have all these measures in place though; you need to know what you're up against.

Knowing what you're up against 🤺

Are you protecting your gold well enough? Not just from greedy dwarves or well-intentioned hobbits but from whole armies of orcs? Each type of criminal has a different modus operandi, so you and your staff need to be aware of the approaches they may try and how you can evade these. Some of the most common crimes include:

  • Phishing scams: where your staff may be deceived into handing over confidential information via email, text message, or some other online message.

Solution: Always double-check the email address you receive a message from, especially when it's asking for financial or other confidential information. And don't click on links or attachments in emails that look potentially suspect. Is the grammar and spelling correct? Is the font size, color, and typeface consistent? Is there an urgent request for money in the email? Tread with caution.
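The checks in that solution can be partly automated. The added example below (written for this page; it is not a product feature of Syft or of any mail provider) runs the same questions over a raw email: does the sender's domain merely look like a trusted one, does the Reply-To send answers somewhere else, is the message pushing urgency, and does a link's visible text claim a different site from where it really points. The trusted domains, the two sample messages and the wording list are all constructed.

```python
import difflib
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed allow-list of domains this firm expects mail from.
TRUSTED_DOMAINS = {"example-bank.com", "syft.example"}

# Constructed list of pressure phrases; real filters use far longer lists.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended|wire transfer)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

Finding = Tuple[str, str]   # (code, detail)


def domain_of(header_value: str) -> str:
    """Real address domain from a From/Reply-To header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, cutoff: float = 0.8) -> str:
    """Return the trusted domain this one resembles (e.g. one swapped letter), or "" if none."""
    if domain in trusted:
        return ""
    for t in trusted:
        if difflib.SequenceMatcher(None, domain, t).ratio() >= cutoff:
            return t
    return ""


def body_text(msg: Message) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_maintype() == "text")


def assess(raw: str) -> List[Finding]:
    """Run the phishing checks over one raw RFC 822 message and return what looks wrong."""
    msg = message_from_string(raw)
    findings: List[Finding] = []
    sender = domain_of(msg["From"])
    if (target := lookalike_of(sender)):
        findings.append(("lookalike-sender", f"{sender} resembles {target}"))
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else ""
    if reply_to and reply_to != sender:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}, not {sender}"))
    text = (msg["Subject"] or "") + "\n" + body_text(msg)
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append(("urgent-language", ", ".join(hits)))
    for href, visible in LINK.findall(text):
        if re.match(r"https?://", visible.strip()):
            shown, real = urlparse(visible.strip()).hostname, urlparse(href).hostname
            if shown != real:
                findings.append(("link-mismatch", f"text says {shown}, link goes to {real}"))
    return findings


# Constructed sample: one suspicious message and one ordinary statement notice.
PHISH = """From: "Example Bank Support" <alerts@examp1e-bank.com>
Reply-To: payments@mailbox-free.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you confirm it here:
<a href="http://203.0.113.5/login">https://example-bank.com/login</a></p>
"""

LEGIT = """From: "Example Bank" <alerts@example-bank.com>
Subject: Your March statement is ready
Content-Type: text/html

<p>Your statement is ready. <a href="https://example-bank.com/statements">View statement</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", PHISH), ("ordinary", LEGIT)):
        print(label, assess(raw) or "no findings")
```

None of these checks proves a message is malicious on its own, which is why the output is a list of findings for a person to weigh rather than a verdict; the lookalike check in particular has a similarity threshold that you tune to your own list of expected senders.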

  • Ransomware attacks: where criminals enter your system and encrypt all your data, only offering to decrypt it for a fee. 48% of ransomware attacks are the result of exploitable vulnerabilities in your system, while 20% are the result of brute-force credential attacks, and 12% are the result of phishing. The remaining attacks arise from abuse of trusted relationships, previously compromised credentials, and other elements.

Solution: The best way to protect yourself from ransomware attacks is to ensure that all devices on a network are updated frequently. Software companies regularly release updates that patch discovered common vulnerabilities and exposures (CVEs), so it's crucial to apply these patches before cybercriminals can exploit the vulnerabilities they fix.

The silver lining to our preparations for potential invasion 🌈

Although cybercrime is prolific, I do have some good news for you. As Xero wrote in a recent article:

"Despite stereotypes you might have seen, cybercriminals aren’t necessarily well-funded geniuses who lurk in the shadows building sophisticated hacking programs. The barrier to entry is actually much lower, with cybercrime tools and services available to anyone with the right motivation."

That's right – most criminals are not super-smart tricksters who are ready to evade every line of defence. And now that you know the kind of security you can put in place to protect against their attacks, you're well on your way to being a very happy dragon, knowing that your golden hoard – your clients' data – is safe.

There are a lot of bad actors out there, from your traditional hacker to cyberactivists and "script kiddies", who don't really have much technical expertise, to malicious insiders – employees who steal from right under your nose. The last point may be worth stressing again. Threats aren't always from external parties; sometimes your right-hand man has nefarious intentions and this is why establishing policies around least privilege access and monitoring your employees' activity is so important.

To recap 🔖

The best thing that you can do to protect your firm and client data from internet criminals is to put in place layers of defence, including:

  • A crocodile-infested moat – a firewall;

  • A line of sure-fire archers – an antivirus;

  • An impossible riddle – encryption;

  • Vigilant guards – employees who are trained and know how to keep their passwords and other data secure;

  • Trustworthy allies – the software providers with whom you work;

  • Knowing what you're up against; and

  • Doing regular checks to find weak spots in your defence system – including keeping tabs on your employees and what they are able to access.

With all this in mind, you are now ready to get your layers of defence lined up to prepare for whatever opportunists may be checking out your trove of precious information.