How Accounting Firms Can Address the Growing Threat of Social Engineering

Emerging threats for accounting firms have steadily risen over the years, with more and more business emails being compromised, leading to an annual loss of around $2.4 billion. Just a few months back, an accounting service based in Maine suffered a huge data breach that compromised personal information of over 1.1 million individuals.

Unfortunately, accountants for small and medium-sized businesses are attractive targets for hackers for obvious reasons—the treasure trove of information they have at their disposal and the lack of the same level of security as larger companies. So, it’s more important than ever to be aware of the cyber threats out there, particularly in the area of social engineering.

Let’s examine how accounting firms can implement measures to protect data and comply with regulations against this ever-growing threat of social engineering.

The Cybersecurity Landscape in Accounting

One of the big problems in accounting is that there is a real lack of understanding about the importance of cybersecurity, hence the troubling numbers mentioned in the intro. A lot of smaller accountancy firms simply don’t invest in this area, so they don’t have the necessary basic measures in place, such as encryption, multi-factor authentication, and regular data backups. Additionally, this lack of attention extends to staff training about cybersecurity not being a priority, and systems not being up to date.

Social engineering, in particular, occurs through the manipulation of users who divulge confidential information. This is called Phishing, where cybercriminals trick the user into clicking on a seemingly safe link that actually contains malware or spyware that infects the system once it has breached its defenses. Usually, the links come through an email promising some kind of prize or reward. Either the damage is already done by clicking the link, or the user then also fills out a form or gives away bank details.

Aside from phishing, there are a couple of other attack forms to be aware of. Scareware is a form of malicious program that is designed to create panic with a notice such as “you need to download this now to stay safe”. It usually comes in the form of a pop-up ad. Lastly, an attacker might pretend to be an employee or engineer wanting to address an “IT problem” and request information about the system.

The Importance of Staff Training

The fact is, even though we are going to discuss some technical forms of defence you can take, social engineering is primarily concerned with human vulnerability. In fact, according to research from Stanford University, human error is responsible for around 88% of data breaches.

That’s why investing in awareness and training for employees is absolutely crucial. They don’t have to be incredibly extensive and time-consuming sessions; they just have to give staff the lowdown on recognizing the common attack forms we discussed and then reporting anything that looks suspicious.

There are lots of organizations that offer free courses for accounting companies on cybersecurity training. For example, the Cybersecurity and Infrastructure Security Agency (CISA) offers free training around incident responses and the SANS institute gives a good run down of phishing examples and how you can spot them more efficiently.

Data Security Software

If an intruder does manage to breach the system through social engineering, this is where a comprehensive security system and access management solutions can protect you against attacks. A cybercriminal cannot easily decipher information if it is encrypted and stored properly. Regarding other steps to take, multi-factor authentication provides another layer of security where users have to provide two or more verification methods.

Elsewhere, many cyber attackers look for vulnerabilities in outdated software. This is something that many smaller accounting firms need to be aware of—if there are legacy systems in place, then data can be really exposed. Therefore, ensuring that systems are up to date with the latest security patches is a crucial step. Lastly, backing up that data means that if an attack does occur, then accounting firms can restore it without losing crucial information. This is where cloud-based backups that are also encrypted will provide much-needed security.

A Human-first Approach 

Overall, accounting firms need to recognize that human error is the weak link in the cyber defence chain, and therefore focusing on training and raising awareness represent the first steps towards being cyber secure. With that basis in place, accountancy firms can add technical defences, including encryption, multi-factor authentication, and up-to-date systems.

It might seem like an unnecessary and complicated ordeal, but the risks associated with a data breach are far more costly than the outlay spent on any training or security measures, particularly when companies make the most of some of the free resources that are available.