Cyber Security Threats for the Accounting Sector

Cyber Essentials Scope

People trust their accountants with confidential information about their business, their money and their personal data and consequently, accountants rely heavily on their reputation as responsible, security conscious professionals. Yet, this abundance of client financial information makes accounting firms extremely vulnerable to cyber attacks. Cyber criminals know that accounting firms hold the kind of high value data that they can sell, use to commit crimes or springboard from to launch further attacks. Innovative malware, including ransomware, password theft and guessing, and social engineering are just some of the ever-evolving methods online criminals use to access the bank accounts and financial transactions of accounting clients.

Cyber Essentials is the Government approved, minimum cyber security baseline scheme for all organisations. A Cyber Essentials certification covers the basic technical controls that will help protect organisations from a whole range of the most common cyber attacks and demonstrates an organisation’s commitment to cyber security.

In this blog, we map the key mitigations to cyber threat to the five core controls of Cyber Essentials.

Secure configuration

If a cyber attacker is looking for a weakness in the defences of your business, they will find it in the human weaknesses of your staff. 90% of all cyber attacks start with a phishing email (a fraudulent email sent by cybercriminals that mimics a legitimate communication from a trusted source). Even with training, people get tired, are busy, forgetful, and make mistakes. If a malicious link is clicked, having a device which has the basic security configuration in place, decrease the impact of malware on the wider system or stops malware installing in the first place.

As an attacker, if you were looking to break into a company, an obvious idea would be to steal a key. Weak, stolen and reused passwords are still the Achilles heel of security.

Organisations that do not have a comprehensive, living password policy for all their staff (including contractors), or allow access to online accounts using just a password with no additional factor of authentication (such as a security code sent in an SMS), are vulnerable to cyber breaches. Accounts that are accessible over the internet (cloud services) are particularly at risk.

Consider that cyber attackers may already have some of your passwords. An attacker simply goes onto the dark web and purchases a list of credentials that have been gathered from breached sites. They then use the stolen user name-password combinations to try accounts across multiple sites hoping for a match. Automated ‘List cleaning’ tools to facilitate these high volume attacks are readily available.

This extremely simple and common method of account burglary, known as credential stuffing, is facilitated by the fact that a great deal of people re-use the same passwords (66% of users admit reusing passwords), and many organisations allow their staff to access accounts using only a password.

Attackers also use high powered fast computers to try all combinations of letters and numbers on login pages until they have cracked your password. A typical ‘brute-force’ attack can try a few hundred combinations every second which means that simple passwords, (all lower-case letters) can be cracked in seconds.

Your password policy should include:
  • How to create good passwords using three random words or a random generated password created by a password manager. Specify which one and how to use it.
  • Accounts protected by a password alone need to ensure that the password has at least 12 characters (with no maximum length).
  • If an account has the additional protection of multi-factor authentication (MFA), the password needs to be at least 8 characters long with no maximum length.
  • Accounts that do not have MFA enabled, need to also use a deny list to automatically block users from picking the most common passwords (eg password1234, qwerty!, manchesterunited).
  • There needs to be an established process to change passwords promptly if a user knows or suspects the password or account has been compromised.

Accounts can be made more secure by adding multi-factor authentication to the log-in processes. This will mean that, even if credentials have been compromised, an attacker cannot gain access.

Multi-factor authentication (MFA) requires the user to have one or more types of credentials in addition to a password, before being able to access an account.

Whether an attacker acquires your password via a phishing attack, stolen credentials from another breach or manages to crack it using a brute force attack, if you have MFA enabled, this will be your safeguard. Based on studies conducted by Microsoft, your account is more than 99.9% less likely to be compromised if you use MFA.

Many accounting firms have switched to cloud accounting to enable customers and employees to access accounting software from different devices and from various locations. Although very convenient for sharing information, remote data access can pose a huge security problem if the cloud service is not configured securely. All access to all cloud services needs to be secured with MFA to prevent unauthorised users from accessing your data stored in the cloud.

User access control

Many security breaches caused by members of staff are done in error, however, according to the Cyber Security Breaches Survey 2019, 75% of businesses that identified breaches stated that their most disruptive threat was intentional. Malicious insider threats could be from an existing member of the workforce acting for their own benefit, or an ex-member of the workforce abusing their former access.

The rule of least privilege is a security principle that dictates that people need to only be given access to the information they require to carry out their responsibilities and no more.

In line with this principle, the number of accounts with privileged access should be limited to the absolute minimum and not used for day to day use. By following a process for the creation, use and monitoring of user and admin accounts, staff will be prevented from checking emails and browsing the web while logged into an admin account and protected from accidentally installing malware from phishing emails or malicious websites.

To limit any potential issues from former employees, immediately remove or suspend accounts that are no longer being used, it is also good practice to limit or block the use of USB and other portable removable media and devices.

Firewalls

With the hybrid working model looking set to stay, at least for the short term, many professionals are spending half of their working hours outside the security of the office network. Remote working staff may be accessing work information from home, on the train or at a hot-desk. Likewise, they might check their work emails on their personal mobile phone or laptop and this increasing use of personal devices for work purposes, known as Bring Your Own Device (BYOD), can raise security issues. All devices that are used to access organisational information and services including data in the cloud should have security settings enabled on them. This should include having the software-based firewall activated and configured correctly.

The firewall on your device (and router) drastically reduces the risk of a hacker intercepting the data that you send and receive over the internet. If you connect to a public WiFi connection such as the free internet in a coffee shop or on a train, it’s not difficult for someone to hack into a laptop or mobile device that has no protection.

To prevent this, many organisations use a corporate virtual private network (VPN) to give remote employees secure access to internal applications and data. A VPN is a technology that allows a secure and private connection on the internet and reduces the risk of a data breach.

Security update management

Within a piece of software’s functioning life span, as soon as an error or ‘vulnerability’ is discovered, the manufacturer creates some additional code to correct and close the potential opening for a hacker. This is known as ‘patching’ or security updates. All modern software will need to ‘update’ on a regular basis as part of its maintenance which ensures that vulnerabilities are patched within 14 days of the update, and other ‘bugs’ (faults) corrected. It is recommended that ‘automatic updates’ is enabled on all devices where possible.
Security update management can prevent attackers from using known vulnerabilities. Using supported software and devices and making sure they are kept up to date with the latest software updates, as well as buying software and apps from trusted sources, reduces the opportunities for hackers.

Malware protection

Anti malware software will block most malware from downloading and prevent users accessing insecure websites. It is a good idea to have this on every end point device.

The process of putting in place the Cyber Essentials five core controls will eliminate all the common security gaps that up to 90% of cyber attacks rely on. Even targeted attacks, usually start with simple attacks such as a phishing campaign.