Before the coronavirus pandemic, many of us had flexible working arrangements in place. Or at least, we said we did, and used it on an as-needed basis, but didn’t roll out the processes and protocols on a wide scale. Why would we need to? When would our entire team ever need to work remotely, all at the same time?

Fast forward a few weeks, and here we are. We’re all working virtually, and there are a lot of things we are concerned about for our firms, starting with making sure that our firms are protected from an information security point of view.

It’s one thing to work from home, but when we suddenly move all our financial reporting, client communications, staff conversations, tax returns, all of it, into cyberspace, and we weren’t completely set up for this before, there are probably cybersecurity gaps in our processes.

I recently got the opportunity to speak with Justin Whitehead, CTO of Botkeeper. His job, essentially, is to keep Botkeeper safe and secure in a cyber world, and throughout our conversation he gave my social media listeners great insight into the cyber challenges that accounting firms are facing right now, and what to do about them.

As accounting firms are figuring this whole cyber thing out for the first time, there’s obviously a big change. And Justin reminded us that when big change like this happens, it ends up posing a new opportunity for cybercrime (because we don’t already have enough to worry about!).

The scary thing is that cybercrime is already ramping up. Justin talked about a recent phishing attack against Microsoft 365 accounts. For anyone reading who is unfamiliar with phishing attacks: it’s when a cybercriminal outside the organization sends convincing-looking emails that appear to be the real deal but are in fact fakes. These fake emails encourage users to take some type of action, “click here” or “reply with this account number,” things like that. Usually, it’s a click-to-download scenario, and the result is malware that’s installed on your computer or in your browser.

Justin went on to say that the phishing scam involving Microsoft 365 contained a link to download a file, which took users to another, very convincing-looking Microsoft 365 login page. Once people entered their username and password, that was it. From there, the malware would resend the fake email from the account that had been hacked, to that person’s contacts, and so on and so forth.

The really scary thing is that the hacked usernames and passwords can then be sold on the dark web to even more malicious characters, who will use them to try to undermine entire networks. The moral of the story, and Justin’s first tip: if you see an email asking you to click on something or to send sensitive data via email, always double check by asking that person (by phone or another channel, not by replying to the email) before you do anything.

More than that, check the sender’s email address and display name closely. If you do click through, look at the address bar and see whether the domain is a legitimate Microsoft domain (or whatever file-sharing service it claims to be) before typing a username or password.
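As an added illustration of the address-bar check above (this is example code, not from the article or from Botkeeper), here is a small Python checker that pulls the hostname out of a link and tests whether it falls under a trusted sign-in domain. It goes a little beyond the text by also catching the `user@host` trick and non-ASCII look-alike hostnames. The trusted-domain list and the sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this illustration: registrable domains that Microsoft
# sign-in pages live under. A firm would keep its own list per service it uses.
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels, e.g. 'login.microsoftonline.com' -> 'microsoftonline.com'.
    Sufficient for the .com-style names in this example (not for co.uk-style suffixes)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a link found in an email."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, f"not https: {parts.scheme or 'none'}"
    if "@" in parts.netloc:
        # 'https://login.microsoftonline.com@evil.example' really goes to evil.example
        return False, "user@host trick in URL, real host is " + host
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "non-ASCII / punycode hostname (possible look-alike)"
    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        # Covers 'microsoftonline.com.login-secure.example' and 'rnicrosoft.com'
        return False, f"domain {domain} is not on the trusted list"
    return True, f"{host} is under trusted domain {domain}"


# Constructed sample links, as they might appear in a phishing email.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoftonline.com.login-secure.example/signin",
    "http://login.microsoftonline.com/",
    "https://login.microsoftonline.com@evil.example/",
    "https://rnicrosoft.com/login",
]


def audit(links: list[str]) -> dict[str, bool]:
    """Map each link to whether it passed the trusted-domain check."""
    return {link: check_link(link)[0] for link in links}


if __name__ == "__main__":
    for link, ok in audit(SAMPLE_LINKS).items():
        print("TRUSTED " if ok else "SUSPECT ", link, "-", check_link(link)[1])
```

Only the first sample link passes; each of the others fails for a different reason, which the printed output names.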

Another tip for easy cybersecurity that your IT team can implement: two-factor authentication. It should be required before downloading any type of document in CPA firms. Other names for the same idea are two-step verification, multifactor authentication (MFA), and one-time password (OTP). They all basically accomplish the same thing: better security. You can also turn these on for personal email accounts and other log-ins.

Botkeeper’s system is pretty simple: employees receive a code via text message before accessing sensitive digital information. You might recall text verification from your bank if you sign on to your account from a different device. Same type of thinking: secure, but simple.

The value of two-factor authentication is that it’s an extra layer of protection that takes IT security to a deeper level than even virus protection software. An accounting firm can have the best virus protection software in the world, but it still can’t stop an employee from clicking on a link in an email. Microsoft 365 and G Suite both have pretty good phishing protection built in, but it can still take a day or so before enough fake emails are flagged and the email provider shuts down the fake messages. Two-factor authentication covers that window: even if a password is phished in the meantime, it isn’t enough on its own to log in.

What if your firm IS a victim of an email phishing attack? What are you supposed to do then, respond to every single client and employee?

Justin’s advice, if an email account has been hacked: first step, disable the affected email account(s). The IT folks will immediately change the password.

Step two: set up a follow-up account for someone else at the firm, someone who can be trusted to respond on behalf of the hacked account. This person sends out an email that says something like “if you received an email from me asking you to click on something, delete it and mark the email as spam.”

Cyber environments that rely on a shared Windows server, like accounting firms, can open up additional vulnerabilities, since software like QuickBooks and client data platforms now has to be accessed from multiple home networks. The IT folks at the firm have probably already done this, but make sure they’re using a VPN to protect remote connections like these, rather than exposing the server directly to the internet.

The bottom line is, everyone is just trying to stay safe right now. Safe physically, but also safe virtually, in a completely remote workspace. It’s important for accounting firms right now to double check that all the IT security processes are in place, that people know what to look for (this is really important while teams are scattered), and maybe to have a conversation with IT about the protections your firm has and where the potential vulnerabilities are.

Cybersecurity might seem like an afterthought now, but I promise if one of your team member’s emails is hacked right before the tax filing deadline, you’ll wish you could turn back time and reevaluate your security protocols!

You can listen to the entire recording of my interview with Justin below for more insight into the Microsoft 365 phishing attack and how to protect your firm.
