Why cyber criminals love accountants
Accountants are high-value targets for online attacks, so how can risks be minimised? Helena Vallely reports
Accounting firms can be a goldmine for cyber criminals due to the vast amount of high-value personal and corporate data they handle. Bank account numbers, tax information, payroll details and other confidential information all have the potential to be exploited.
The volume and risk level of such incidents are high, with a Department for Science, Innovation & Technology study revealing that half of businesses experienced a cyber security breach or attack in the last 12 months. The accountancy sector experiences a lot of these, with data from the Information Commissioner’s Office showing that approximately 100 UK-based accountants report data breaches attributed to cyber attacks every quarter.
Successful cyber attacks can be a real threat to businesses, with the exposure of client details and financial information not only carrying a financial risk, but also potentially serious reputational effects.
What can cyber attackers do to accountancy firms?
Muhammad Yahya Patel, lead security engineer at Check Point Software, says that accountants are a strategic target for criminals as they often work within a larger supply chain and, once compromised, attackers can use their access or impersonate the firm to breach clients’ networks.
Cyber attackers can use stolen data to craft highly specific spear-phishing campaigns, tricking targets into unwittingly handing over additional information, clicking on malicious links or making payments to fraudulent accounts. Access to bank details allows cyber criminals to redirect payments or siphon funds to themselves.
Mark Wilshaw, cyber security services manager at SYTECH, claims smaller firms are most at risk. He says: “The perception within the criminal fraternity is that the industry is populated with many small or independent accountants who are likely to have weaker cyber security measures.”
For Wilshaw, this perception – plus the high value of the data accountants hold – makes accountancy firms an ideal target for attackers.
So, what are the steps accountants can take to protect themselves and their clients?
Nail the basics
Benson Varghese, founder and managing partner of Varghese Summersett, says attackers want “exploitable data”. He adds: “That could mean identity theft, tax return fraud, or business account access for more sophisticated financial fraud.”
Varghese says that weak passwords, outdated software and reusing passwords across platforms can leave accountants exposed to attacks. However, following key basic security principles can keep accountants safe.
The first step is creating and regularly changing strong, unique passwords for all accounts. “Criminals always look for the easiest target and often move on after hitting a wall,” says Varghese.
For Wilshaw, multi-factor authentication (MFA) is always advised as a simple and effective step for preventing cyber breaches. MFA adds another layer on top of a password, requiring additional verification to access certain services and stopping malicious users. Wilshaw says there are many different methods of MFA, but the most popular is attaching an authenticator to a service that generates security codes.
Keep staff trained
On top of the risk of external cyber attacks, it is possible for accountancy firms to fall victim to insider threats and employee error. This isn’t always malicious – for example, employees may inadvertently mishandle client information or share login credentials, which can lead to sensitive data being compromised.
It is important for employees to have the skill to identify and manage security risks, both internal and external. Wilshaw says providing staff with security awareness training will let them spot dangers such as phishing emails and social engineering methods.
Nirav Chheda, co-founder and chief executive of Bambi NEMT, says his employees undertake ongoing cyber security training. He says: “We enforce strict security measures and keep our team sharp with the latest know-how on dodging cyber threats like phishing and ransomware.
“I believe when our team understands the risks, and has the right tools and knowledge at their disposal, they stand a much better chance of protecting themselves and our clients.”
Build a digital ‘fortress’
Another key step accountants can take is making sure their software is kept up to date. Chheda says: “It’s about building a fortress around our operations with tools that can spot and stop cyber threats dead in their tracks.”
Yahya Patel says patch management – regularly updating software to fix vulnerabilities – is essential, as attackers often exploit vulnerabilities in outdated software. He adds: “Regular updates across the entire IT environment help protect against both new and known vulnerabilities.”
A clear patch management process should be established that accountants and clients can easily follow. Updating at agreed times, and automating updates, can reduce downtime while warding off potential cyber attackers.
Varghese adds that it is also important to have oversight of client software. He gives the example of one client who had outdated accounting software, but the weakness was caught before it could be exploited. “Regular updates fix these vulnerabilities,” he says. “A simple task can save many headaches.”
Back-ups are also critical to protect against ransomware attacks. Ensuring back-ups are frequently updated and stored securely will help the firm recover quickly in the event of a ransomware incident.
Get expert help to implement a clear incident response plan
Yahya Patel says small and medium-sized firms that may lack dedicated cyber security teams should be particularly focused on guarding against attacks.
Such firms often rely on IT teams for basic tech support, but cyber security expertise requires a specialised approach. A cyber security expert or managed service provider with cyber security experience can be an essential partner for these firms, handling critical areas such as proactive monitoring, threat detection and response planning.
A well-defined response plan for cyber attacks allows firms to act quickly and efficiently if a breach occurs. Yahya Patel says: “In an era where cyber threats continue to grow in sophistication, a proactive approach to cyber security is essential for any organisation managing high-value data.”
The plan should clarify responsibilities, ensuring each team member knows their role in containing and resolving an incident. A cyber security lead should be established, as well as other roles such as communications and technical support, to ensure responses are decisive, rapid and organised.
Successful cyber attacks can have serious detrimental impacts on accountancy firms. However, taking practical steps to protect themselves, making the right decisions and investing in cyber protection can be the difference between success and failure.
As Chheda summarises: “This isn’t just about keeping our data safe; it’s about maintaining the trust that our clients place in us. We put cyber security front and centre not just to defend data, but to safeguard our future and the future of those we serve.”
