Monday, October 09, 2017
With recent targeted attacks by hackers on accountants, we thought it would be best to explain how hackers break into accounting firms, and the duty of care your software provider holds to protect its users. We look at it on two levels: first, your duty of care to protect your own and your clients' data; and second, your software provider's duty of care to protect your data. So choose your cloud software providers wisely!
Your duty of care
Hackers generally use two methods to gain access to your system, and both usually start with an email phishing scam. A phishing email is an email sent to you from either a compromised email address or a random one. It may be disguised to look as though it comes from another sender; hitting reply and checking the address the reply would actually go to will often expose the real return address, although a well-crafted phishing email can forge that too, so a familiar-looking address is not proof on its own. The phishing email will ask you to navigate to a website or open an attachment. Once you have clicked the link or opened the attachment, the hacker will use one of the two methods below to get at your passwords.
- The hacker may trick you into installing keylogger software on your computer. The software logs your keystrokes, captures your passwords as you log in to your software, and sends them back to the hacker so they can access your cloud systems. This is generally not the preferred method, as local antivirus software can detect and stop the keylogger before it does its job.
- You or a staff member enter your email address and password into a fake website. The website could be disguised as anything: the ATO portal login, your Xero account, Facebook, etc., so always check the URL of the website before you type a password! Once you or a staff member enter your details into the fake website, the password is exposed to the hacker in plain text, and they simply navigate to the real software the site was imitating and log in with your details. Furthermore, most people use the same password for multiple systems; we recommend you use a different password for each system so that one exposed password does not open every account you hold.
TIP: The most important account to protect is your email account, as this is generally the means of resetting passwords for most cloud software providers. Do not share the password you use for your email with any other system!
Your software provider's duty of care
First and foremost, your software provider holds a level of responsibility to protect you and your data in their systems. With that said, the liability will always come back to you for making the decision to use their software.
Make no mistake, your clients will hold you accountable for any data breach that stems from the phishing attacks described above. If, however, your software provider suffers a security breach on their own system and your data is exposed, the liability will be on them.
What can software providers do to protect you from the above security concerns? It really boils down to three industry-standard categories of controls, called preventative, detective and corrective controls.
- Preventative controls are security measures that stop an attack before it succeeds, such as two-step authentication or IP tracking.
- Two-step authentication means that a person logging into the software must provide a second method of identification. This should be tied to your mobile device (an authenticator app, or at minimum a code sent by SMS, noting that an app is the stronger option because SMS codes can be intercepted if someone takes over your phone number), as the hacker will usually not have your physical phone. A software provider's second step should not be a code sent by email, because in the majority of breaches the hacker already has the user's email account and would simply collect the code there.
- IP tracking is when the software provider records the IP address, and in practice a fingerprint of the browser or device, used to access the system. (A provider cannot see your computer's MAC address over the internet; only your public IP address and what your browser reports about itself.) If a login arrives from a new IP address or device, a notification is sent to the account holder, usually by a method other than email, to authorise or at least be told about the new device attempting to access the software.
- Detective controls are in place to detect security violations and alert the defenders of a possible breach. Hackers very rarely do things manually. For example, if they are trying to access your cloud provider to strip out client details, they will not manually click through each page to pull the data; they will write a script that automates the process and pulls it in bulk. Most software providers can build intelligent audit trails and logs into their software to detect "inhuman" activity, such as hundreds of client records viewed within a minute. If the system detects such activity, it should automatically lock the account to minimise the impact of the breach.
- Corrective controls are security measures that reduce the impact of a breach that has already happened. For example, if a hacker has bypassed the above controls, what can the software provider do to lessen the damage? If the hacker has stripped out the data or encrypted it with ransomware (the "crypto locker" viruses relevant to document storage providers), can the software provider restore your data or documents from a backup of their system? Corrective controls also include user training and software updates applied to prevent a repeat of the breach.
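As an added illustration (example code written for this article, not code from the original post or from any provider's product), here is how the IP tracking and "inhuman activity" checks above might run over a cloud system's audit trail. The log lines, the account's baseline of known IP addresses, the threshold of 20 record views per 60 seconds and the event format are all constructed for the example; a real provider would tune the threshold to how its own users actually work.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail, in the shape a cloud practice-management
# system might log: ISO timestamp, user, source IP address, action.
# Alice works normally in the morning; at 13:00 "she" logs in from an IP
# address never seen before and pulls client records at a scripted rate.
SAMPLE_LOG = [
    ("2017-10-09T09:00:00", "alice", "203.0.113.10", "login"),
    ("2017-10-09T09:00:05", "alice", "203.0.113.10", "view_client"),
    ("2017-10-09T09:01:30", "alice", "203.0.113.10", "view_client"),
    ("2017-10-09T09:03:00", "alice", "203.0.113.10", "view_client"),
    ("2017-10-09T13:00:00", "alice", "198.51.100.7", "login"),
] + [
    # 30 client records in 30 seconds, one per second: a script, not a person.
    (f"2017-10-09T13:00:{s:02d}", "alice", "198.51.100.7", "view_client")
    for s in range(1, 31)
]

# Hypothetical baseline: IP addresses each account has been seen from before.
KNOWN_IPS = {"alice": {"203.0.113.10"}}


def process_log(events, known_ips, max_views=20, window_seconds=60):
    """Run two account-level controls over an audit trail.

    Preventative (IP tracking): a login from an IP address not in the
    account's baseline raises a 'new_ip' alert, which the provider would
    send to the account holder out of band before trusting the session.

    Detective (inhuman activity): more than `max_views` record views inside
    `window_seconds` is treated as scripted bulk extraction; the account is
    locked and every later action from it is denied.

    Returns the alerts raised, the set of locked accounts and how many
    actions were denied after the lock.
    """
    seen_ips = {user: set(ips) for user, ips in known_ips.items()}
    recent_views = defaultdict(deque)   # user -> timestamps of recent views
    window = timedelta(seconds=window_seconds)
    alerts, locked, denied = [], set(), 0

    for ts_text, user, ip, action in events:
        ts = datetime.fromisoformat(ts_text)

        if user in locked:
            denied += 1                 # the lock stops further extraction
            continue

        if action == "login" and ip not in seen_ips.setdefault(user, set()):
            alerts.append(("new_ip", user, ip, ts_text))
            seen_ips[user].add(ip)

        if action == "view_client":
            views = recent_views[user]
            views.append(ts)
            while views and ts - views[0] > window:   # forget views outside the window
                views.popleft()
            if len(views) > max_views:
                alerts.append(("rate_lock", user, ts_text))
                locked.add(user)

    return {"alerts": alerts, "locked": locked, "denied": denied}


if __name__ == "__main__":
    result = process_log(SAMPLE_LOG, KNOWN_IPS)
    for alert in result["alerts"]:
        print(alert)
    print("locked:", result["locked"], "denied after lock:", result["denied"])
```

On the constructed log this raises a new-IP alert at the 13:00 login, locks the account on the 21st record view at 13:00:21, and denies the remaining nine requests; the three morning views never count because they fall outside the 60-second window.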
Beyond the above user-facing security measures, your software provider needs internal security to protect the data from breaches on their end. To mention one: your software provider should not store your password in plain text in their database. They should store only a one-way hash of it, computed with a random per-user salt and a deliberately slow hashing function, a technique called 'salted password hashing'. It is hashing, not encryption: the provider never needs to recover your original password, only to check whether the one you type produces the same hash. With this in place, a hacker who steals the database still cannot read your password, or try it against your email and other accounts, without first guessing it.
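As an added example (again ours, not from the original post or any provider's system), here is salted password hashing in Python's standard library, with PBKDF2-HMAC-SHA256 as the slow hash. The iteration count, salt length and the `$`-separated record format are our own choices for the example; the point is that the stored record is useless to a hacker on its own, and that two users with the same password get different records.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example; a provider tunes the iteration count to
# its hardware and raises it over time as computers get faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for every password unless one is supplied;
    the optional parameter exists only so the demo can show that the same
    password hashed under two different salts gives two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time.

    The original password is never stored and never needed: only the salt,
    the iteration count and the hash are read back from the record.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:            # malformed or truncated record
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_different_records(password):
    """Two users who chose the same password still get unrelated records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Correct horse battery staple", record))
    print("same password, different salts:", same_password_different_records("Password1"))
```

Compare this with a plain-text table: there, one stolen row gives the hacker a password to try immediately against your email account; here, each row costs 200,000 hash computations per guess and cannot be matched against any other row.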
The question that really needs to be asked by software providers is: "What are the hackers looking for, and what can they do with the data?" This in my opinion is the most important question, as it forms the framework for the security measures the software provider puts in place to prevent these attacks. For instance, if hackers are looking to swipe TFNs from your practice management system to lodge fake tax returns, then the preventative, detective and corrective controls need to be centred on those records. If none of the above security holes have been addressed, your software provider is being negligent.
If you have suffered a security breach in the past and believe it could be a result of your software provider's negligence, my advice to you is this:
- Record every client that leaves your firm, along with the value that client brought to your firm.
- If you can find a way to benchmark client satisfaction and record the time it takes to repair relationships with clients whose data was exposed in the breach, do it!
- Have another read of our November 2015 blog on Security Tips in the Cloud for accounting firms.
If you enjoyed this blog, please share it and email your appreciation to our team at info@changegps.com.au
Posted by Jeremy Johnston
on Monday, October 09, 2017