By Dr. Sangeeta Chhabra
As we know, accountants play an integral role in handling the most sensitive financial data and, as such, assume the role of custodians. Moreover, accountants have become key targets for an increasing range of threats.
These threats could take the form of a sudden email from a client, high-priority requests for wire transfers, or minor anomalies in a financial statement or report. And in a world where cybercriminals and fraudsters have become more tech-savvy, complacency could cost you dearly.
In short, accounting firms must presume that someone is always watching them, continuously observing their systems, people, and processes.
The expanding threat landscape
The threats faced by accounting firms are not limited to just one category. They include digital, physical, and procedural weaknesses. Cyber threats grab the most eyeballs, but the list of threats does not stop there. Mishandling of a client file, overheard conversations in the office, or a compromised laptop could be as damaging as a ransomware attack.
While digitizing accounting services has been a boon, simplifying life, it has also increased firms’ vulnerability to threats. Anything digital or connected to the internet becomes a potential vulnerability and entry point for cyber threats and fraudsters.
Accounting firms often hold both personal and corporate financial records, and criminals are aware of this. A breach can expose personal data, enabling identity theft, and leak insider information that attackers could leverage for corporate espionage and market manipulation. The threat does not always come from outside. Insider threats, whether intentional or unintentional, account for a significant percentage of security incidents.
Why accounting firms are attractive targets
To understand why accounting firms are lucrative targets for cybercriminals, it is necessary to examine the nature of their work. They are the custodians of their clients’ most closely guarded secrets—the financial statements.
These statements not only contain a business’s revenue, expenses, assets, and liabilities; a close evaluation of them can also reveal critical information about the business, such as pending mergers or acquisitions, strategy, and vision, that may not be available in the public domain. In the wrong hands, this information could become far more dangerous than leaked credit card numbers.
The business of accounting firms is periodic, with tremendous deadline pressure during the tax season. Such pressure could lead to lapses and errors in judgment, such as clicking on a suspicious link in an email, skipping a security step, or using an unsecured channel for sharing documents.
Some may think that smaller firms are not as vulnerable simply because they are not as lucrative targets as larger firms. However, the truth is that smaller firms may be easier targets due to their weaker and, at times, non-existent IT security.
Cybercriminals and fraudsters are also aware that these firms may be using outdated software, have undertrained staff, or follow inconsistent password policies, making them soft targets.
Building a layered defense
Many firms rely on a single layer of security and assume that one strong barrier will be enough to fight off most threats. However, effective threat prevention is about building multiple layers of protection so that if one fails, the others still hold.
Key components of a layered approach include:
- Data access controls: Grant access to sensitive files based only on role and requirement. Not everyone should have access to everything.
- Multifactor authentication: Requiring more than one factor, such as a password and a one-time password, can significantly reduce the risk of unauthorized access.
- Regular software updates: Outdated systems create vulnerabilities that attackers can exploit, leading to cyberattacks. Regular software updates could alleviate such vulnerabilities.
- Email filtering and encryption: Automated advanced filtering tools can easily segregate suspicious-looking emails and prevent them from causing harm. Encryption can make intercepted messages unreadable and render them harmless.
- Endpoint security: All devices (laptops, desktops, office phones) should receive regular software updates to ensure 24/7 protection.
- Backup and recovery plans: Regular backups and disaster recovery plans can help ensure business continuity in the event of a breach or data loss. Because even the best-laid systems and defenses could fail, this is a necessity rather than a choice.
- Vendor and partner screening: Third-party service providers and vendors often have some level of access to your systems. If they are not following the same security practices as you, this could lead to vulnerabilities. Screening and validating their security practices regularly is a key step to ensuring zero vulnerabilities.
Even with multiple layers of security, keeping them all running smoothly in-house can take up significant time and resources. Managed security service (MSS) providers take on this responsibility for you, offering round-the-clock monitoring, spotting threats early, and responding quickly to any issues. This ensures every part of your security setup is regularly maintained, up to date, and ready to protect you against new and emerging risks.
Creating a security-first culture
Technology alone is not sufficient for threat prevention. Accounting firms should consider security as part of their culture through leadership commitment and practical training that resonates with employees, helping them understand the importance of security systems and practices.
Training sessions should focus on practical simulations, mock calls, and role plays rather than standard presentations. Such an approach helps ensure that the importance of threat prevention and zero vulnerabilities reaches every level of the firm.
When senior leadership and directors follow the same protocols as everyone else, it reinforces the importance of security systems and protocols and, in turn, adherence to them.
The cost of inaction
According to the IBM Cost of a Data Breach 2024 report, the average global breach cost has reached $4.88 million—a significant increase over last year’s $4.45 million and the biggest jump since the pandemic.
The benefits of investing in highly sophisticated security systems may not be immediately visible, leading some firms to ignore threats to cut costs where they shouldn’t. What they don’t understand is that the consequences of a breach could be devastating.
The results could not only be catastrophic financially but could also permanently damage the firm’s reputation, potentially leading to client loss. This reputational damage may at times be impossible to recover from.
Looking ahead
Threat prevention is an ongoing, ever-evolving process rather than a static, one-time effort. Firms should always remember that technology evolves at both ends and that threats evolve as fast as defenses. Accounting firms need to have a balanced approach to threat prevention. They must remain vigilant and invest in technology and people. The key is to be alert and assume that someone is closely watching and ready to pounce on the smallest of weaknesses or vulnerabilities.

ABOUT THE AUTHOR:
Dr. Sangeeta Chhabra, co-founder and executive director of Ace Cloud Hosting, is a leader and innovative entrepreneur with more than 20 years of experience in the IT sector. She has positioned the company as a leading global provider of IT and managed cloud services, celebrated for its QuickBooks hosting tailored for the accounting sector, managed security services, Desktop as a Service, and public cloud offerings for SMBs and enterprises. Under her leadership, Ace Cloud Hosting was honored as the Best Outsourced Technology Provider at the CPA Practice Advisor Readers’ Choice Awards 2023, among other accolades. Beyond her professional successes, Dr. Chhabra is a passionate advocate for women’s empowerment and is committed to fostering an inclusive environment at Ace Cloud Hosting.
Photo credit: Just_Super/iStock