OVERVIEW OF THE ISSUES SURROUNDING CYBER-SECURITY
In 2012, a New Jersey man hacked into several accounting firms stealing the tax forms and personal information of over a thousand clients. He used this information to file more than $6 million in fake tax returns. He also sold the pilfered data to other hackers on the dark web. He was eventually caught by the FBI, but the damage to these clients was done. The accounting firms involved had to notify their customers that they had been breached, and that they were the root cause of their tax fraud nightmares. These victims were also left to wonder what other attacks were waiting for them now that their data was in the hands of other malicious sources who had purchased their confidential information.
This incident is not unique. Incidents of hacking and cyber-breaches are on the rise across all industries and for companies of all sizes. Accounting firms face the standard cyber-risks that all industries with internet-facing systems are exposed to, but they also face unique risks based on the nature of their work and the data that they possess, as outlined herein.
Our cyber-security providers have seen these issues first-hand. They have performed proactive security assessments and penetration tests1 for many forward-thinking accounting firms and have been involved in cyber-breach incident responses for companies who have already fallen victim to malicious cyber-attacks. This case study seeks to outline the issues we have found and bring further attention to both the gravity of this situation and the need for action by those organizations who are not fully cognizant of this risk or who falsely assume they are safe.
In performing security assessments and tests, our partners AT&T, Verizon, grid32, have all found that almost uniformly, our clients in the Accounting Industry have had vulnerabilities in their systems that would allow malicious attackers to gain access to a dangerous set of data and access, including:
• Access to company records, including financials, partner compensation, payroll records, and employee social security numbers and confidential information.
• Access to client data, including financials, tax records, data files, and access credentials.
• Ability to access banking and financial accounts, transfer money out, and re-route inbound funds.
• Access to IT administrator accounts, allowing full control of networks and all resources.
• Access to user accounts, including emails, network access, and all assigned capabilities.
• Full control over networks, devices, phone systems, and security systems.
Having access to all these items at once is obviously troubling and it could be severely damaging in the wrong hands. Damages could include financial losses, lawsuits, government-imposed fines, embarrassment, and job loss. All this access and information was gained remotely, without our attack team ever setting foot in the facilities. Thankfully, our trusted professionals were able to provide remediation steps to our clients to close the security gaps and limit the likelihood that these attacks would occur in the real world. Unfortunately, far too many organizations are not taking the proper steps to prevent similar attacks. The issue looks to only be getting worse as attackers recognize the pervasiveness of vulnerabilities and caches of valuable data in this industry.
UNIQUE FACTORS AFFECTING ACCOUNTING FIRMS
Besides the standard risks inherent to all industries with internet-facing systems, accounting firms faces additional threats due to the volume and types of data that they typically house. As seen in the previous example, hackers are heavily targeting tax information so that they can file fraudulent tax returns. In 2013, the IRS paid $5.8 billion out in fraudulent tax returns. In addition, they prevented a further $24.2 billion, making a total of $30 billion in fraudulent federal tax returns filed. There are a significant number of fraudulent returns being filed at the state level as well, to such a degree that Turbo Tax had to temporarily stop processing state returns in 2015. The IRS and individual states are getting better at detecting and preventing tax fraud, but this is only increasing the volume of attempts. Whereas hackers used to try to file, for example, three returns for $10,000 each, for a payoff of $30,000, now they need to file thirty returns, for $5,000 each, to get a similar return. This need to file a larger number of returns means that the attackers need to gain access to large caches of tax-payer data. Accounting firms are a perfect source for this, putting them squarely in the crosshairs of a malicious underworld that is becoming increasingly more organized and sophisticated.
In addition to the threat brought on by tax fraud, hackers have learned that breaching an accounting firm can have a similar payoff to breaching scores of companies and individuals, since you not only get the firm’s data, but usually troves of data on their clients. Besides tax fraud, there is also typically data attackers can access to perpetuate other cyber-crimes. This includes banking credentials, which can be used to perpetuate another trending attack, wire transfer fraud. Other sensitive data that hackers may be after includes personally identifiable information, employee records, business plans, intellectual property, or access credentials for client networks and resources.
These factors make accounting firms a certain target for malicious attackers, and there is an absolute need for all accounting firms to take proactive steps to protect their data, and the data of their clients, from prying eyes. Breaches can expose accounting firms to the direct costs of damage, claims for damages from clients or third-parties, costs of compliance or fines from statues or regulations, and damage to their image and reputation.
Besides the obvious need for accounting firms to protect their own information and that of their clients, being savvy with cybersecurity is simply good business. Clients depend on accounting firms for advisement on many topics, including cybersecurity. Letting clients know that a firm takes cybersecurity seriously, proactively addressing threats, can be part of the marketing pitch to help attract and retain clients. It can even create billable services, as many accounting firms offer cybersecurity services, including many that upsell security services to their client-base.
WHAT CAN BE DONE?
There are a few basic steps accounting firms should be taking to help mitigate this risk:
1. Have an Information Security Committee that meets regularly and includes key personnel and staff from relevant departments.
2. Have a written Information Security Program, with documented policies and procedures, as well as risk analyses and contingency plans.
3. Have a Penetration Test performed annually by an independent security firm, and ensure the remediation steps that come from the test are activated?
4. Train all staff on Cyber-Security Awareness.
5. Use strong and unique passwords and enable two-factor authentication whenever possible.
6. Encrypt data when transmitted and when stored, especially data that resides on mobile devices such as laptops.
7. Allocate the proper funds for cyber-security.
1WHAT IS A PENETRATION TEST?
A Penetration Test is a security exercise where a team of highly trained security experts attempt to hack into the client’s network to find security weaknesses. The intent is to discover ways that a real-world attacker might be able to compromise the systems. The highly trained security team is careful not to cause any actual harm and a report is provided detailing all the vulnerabilities and weaknesses found and recommending what needs to be done to fix them.
In-house I.T. staff are usually pressured to make things functional and easy-to-use, which diametrically oppose security. Also, it is difficult for an organization’s own IT staff to objectively look at their own systems from an outsider’s perspective. Just like a CFO needs a CPA firm to review their financials, senior IT leadership benefits from having a team of certified security experts independently test their system to give them valuable insight.