As if the economic turmoil caused by the COVID-19 pandemic wasn’t enough, businesses and accounting firms face another increasing threat. Although ransomware is not new, it sure has been in the news a lot lately. The most recent cases to make big headlines were the hacking of Colonial Pipeline, which caused gas prices to spike, and the attack on major global meat supplier JBS, which sent prices in that market surging.
With the FBI getting involved in some of the high-profile cases (https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside), it makes for dramatic reading. As noted, ransomware is not new. In 2018, the city of Atlanta’s data networks were attacked. In 2019, it was currency exchange company Travelex. In 2020, the University of California at San Francisco was a victim. Also in 2020, the travel services company CWT Global paid $4.5 million in bitcoin to attackers. Hackers have also gone after businesses in virtually every sector, even hospitals, vaccine developers and government entities.
What Is Ransomware?
Ransomware is a malicious software program that bad actors try to get onto the computer systems of an individual, business or other entity, often via bogus links or file attachments. Once the file is installed on the system, it locks down or encrypts part or all of the data on the system, preventing the user from accessing or downloading it until the victim pays a ransom. Payment is often demanded in digital currencies, which are almost impossible to trace. There is no guarantee that the data will be released or that the bad actors won’t strike again.
COVID-19 and Ransomware
There has been a significant uptick in malicious activity. By late 2020, the FBI announced it was receiving as many as 4,000 cybersecurity-related complaints per day. This was a 400 percent increase compared to pre-COVID-19 levels. At least some of this increase can be attributed to a large shift to remote work because of the pandemic.
If proper technological protocols aren’t followed (by IT and in practice by staff), remote workers accessing firm systems from their home computers or personal smart devices can expose their work systems to more threats.
“Employees in financial services, health care, public administration and retail have proved particularly attractive to fraudsters. Financial service and insurance executives experienced the largest rise in ransomware and phishing extortion attempts in the past year, Verizon found. "Misdelivery" attacks that fool victims into sending sensitive data to an external bad actor now account for 55% of the threats lobbed at financial service employees. Credential stealing and "credential stuffing," in which stolen credentials from one website are used to breach accounts on another site, are also common.” - https://www.cbsnews.com/news/ransomware-phishing-cybercrime-pandemic/
Why are Accounting Firms at Risk?
There’s good reason for accounting firms to pay close attention: large or small, they can be juicy targets. Firms routinely handle extremely sensitive financial and personal information on hundreds or thousands of clients, ranging from high net worth individuals to large businesses and partnerships. With a variety of deadlines for tax and financial reporting, consider:
- What would your firm do if it was suddenly locked out of accessing all client data and faced a ransomware demand of $100,000? Or $300,000?
- How would you inform your clients?
- And how would you advise your clients if they were subject to such an attack?
For one Canadian accounting firm, it meant shutting down for a week. https://www.bleepingcomputer.com/news/security/leading-accounting-firm-mnp-hit-with-cyberattack/
While the average cost is much lower for most victim companies than the ones making the headlines (averaging $21,659 per hacking incident, and $115,000 per ransomware incident, according to Verizon and Crypsis: https://enterprise.verizon.com/resources/reports/2021-data-breach-investigations-report.pdf), the top attacks often cost global enterprises more than a million. The FBI advises businesses not to pay such demands because it can encourage further ransomware attacks, but when faced with a collapse in business operations and revenue, many businesses succumb to the threats. So what should you do to protect your firm and client data?
A majority of cyber and ransomware attacks start with phishing emails, and human error is to blame. According to the Verizon report, “Nearly 85% of successful data breaches involved defrauding humans, rather than exploiting flaws in computer code.” Spoof email scams have been around for decades (remember the Nigerian prince?), but the bad guys have gotten better at using proper grammar, as well as at designing emails to look like they are coming from legitimate sources. In most cases, they include a link or a file attachment: “Hey, Bob, can you check this latest invoice?” Once you’ve clicked it, your files may be subjected to an involuntary lockdown until you give in to the data-nappers’ ransom demand.
According to the Journal of Accountancy (https://www.journalofaccountancy.com/issues/2021/mar/cpa-firm-liability-data-theft-cyberattacks.html), the top data breaches at U.S. accounting firms are the result of four primary issues:
- Breaches to the firm network
- Ransomware attacks
- Breach at service provider
- Business email compromise
Therefore, it is critical to train staff on how to spot phishing scams, which can help prevent the majority of ransomware attacks. Fundamentals include strong and changing passwords, multi-factor authentication, voice recognition or biometrics, authentication apps, and security training programs for staff.
Standardized Security Needs to Be Established
“In accounting we have GAAP, which is a body of work built up so that when you’re looking at a company’s books and numbers, you know what they mean,” Michael Daniel, president and CEO of the Cyber Threat Alliance, told CNBC (https://www.cnbc.com/2021/06/11/cyber-standards-can-help-in-battle-against-ransomware-attacks.html). “Similarly, in the physical world, there are standard, expected security protocols that are fairly universal. A business will routinely install cameras, a fence, and locks on the gates at a plant, manufacturing facility or distribution center. “We do not have similar standards in cybersecurity,” he says.
There are several insurance firms that provide cyber coverage, including against ransomware, for accounting firms. These include InsureOn, Camico, CPAI and Cyber coverage is in addition to most firm policies, and can include coverage for ransomware, damage to the firm’s network, a client’s network, breach of client data, civil claims and legal costs.
If Your Firm Becomes a Victim
If you suspect your firm has malware on its systems, or your firm data has been subject to ransomware, it is your obligation to notify clients whose data may have been breached, as well as to file reports with the proper authorities. You should also retain the services of a cyber security consulting firm as rapidly as possible. The cost to your firm’s reputation, litigation risk, and downtime will add up fast.