With a recent surge in cyber and ransomware attacks on the world’s largest corporations, security is likely to be top of mind for accounting and bookkeeping professionals. What’s even scarier to security experts, though, is that high-profile breaches can actually make people feel safer. “The common misconception is, ‘It’s not going to happen to me. It’s happening to the big guys, and I’m not a big guy. Why would they ever come after me?’” said Marc Pickard, Co-founder/CEO of CBTech Support. We sat down with Pickard, and with Benjamin Hecht, Senior Director of Business Development at Kokua Technologies, two leading security experts, for a talk on security threats, and how to best manage them.
Sophisticated, targeted attacks make up only a small share of what bad actors do, Pickard explained. More common are “spray and pray” attacks: hitting a large number of people via email in the hope that one or two bite. “For every 100,000 emails a spammer sends, they only need 1 percent of people to fall for it to make it worthwhile,” Pickard said. “These players are going to stay away from the ‘big guys’ because they have more defenses in place.”
Having your guard down makes your firm vulnerable. Here are eight easy and low-cost solutions to protect your clients’ and firm’s information, many of which can be implemented today.
1. Start this zero-cost habit right away
According to Hecht, the first action bookkeepers and accountants can take is to set up multi-factor authentication on sensitive websites, such as banks and email accounts. “It’s an added layer of security and one of the easier things to implement.” And it’s free. You know the drill: when creating a username and password on a website, you’ll get a prompt to set up 2-step authentication, which sends a one-time passcode to your phone so you can prove you are in fact the person logging in. Some of us blow past this step when we’re in a rush, but it’s a habit worth keeping. That way, if a scammer gets hold of your password, the password alone is not enough to get in. You can either have the website text you the code, or install an authenticator app, such as Google Authenticator, that generates the codes on your phone. The app (or a hardware security key, where the site supports one) is the stronger choice: a code sent by text message can be read by someone who has hijacked your phone number, while the app’s codes never leave your device.
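To show what the authenticator app is actually doing, here is an added example, not from the article or from either firm interviewed, implementing the time-based one-time password algorithm that Google Authenticator and most websites use (RFC 6238 on top of the HOTP construction in RFC 4226). It uses only the Python standard library; the shared secret is the one from the RFCs’ own test vectors, not a real account’s, and verify_totp is a hypothetical server-side check, not any particular site’s code.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch,
# so the phone and the website agree on the code without ever talking to each other.
def totp(secret, at=None, step=30, digits=6):
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)

# Hypothetical server-side check. A window of one step either side tolerates small
# clock drift; compare_digest keeps the comparison constant-time.
def verify_totp(secret, code, at=None, step=30, window=1):
    now = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(hotp(secret, now // step + skew), code)
        for skew in range(-window, window + 1)
    )

# The key shown at enrollment (QR code or manual entry) is base32 encoded.
def secret_from_base32(text):
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

# Shared secret from the RFC 4226/6238 test vectors (constructed, not a real account).
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                              # 755224
    print(totp(RFC_SECRET, at=59))                          # 287082 (step 1)
    print(verify_totp(RFC_SECRET, "287082", at=59))         # True
    print(verify_totp(RFC_SECRET, "287082", at=59 + 120))   # False: code has expired
```

The code a site asks you for is a six-digit function of a secret you and the site share and of the current 30-second window. That is why a stolen password on its own does not pass the check, and why a code you typed two minutes ago is already useless to anyone who saw it.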
2. Encrypt your computer’s hard drive
This step sounds more high tech than it is. “Most people think encryption is a complex setup or that solopreneurs wouldn’t be able to do it,” Pickard said. “But most computers have an encryption tool built in.” It is surprisingly easy to set up if you have the right edition: FileVault is built into macOS, and BitLocker ships with the Pro and Enterprise editions of Windows rather than Home, so you may need to upgrade your software to take advantage of it. Encrypting your hard drive scrambles everything stored on the disk so that it is unreadable without your login password or the recovery key generated when you turn the feature on. That way, if your laptop is lost or stolen, the perpetrator cannot read any information from your hard drive, Pickard explained. Two things to get right: keep the recovery key somewhere other than the laptop itself (a password manager or your firm’s records), because without it a forgotten password means the data is gone for good; and remember that encryption protects a machine that is off or locked, not one where you are logged in and have just clicked a malicious link. Check out the steps to encrypt your Mac or encrypt Microsoft Windows, which can take less than an hour to complete.
3. Beware of emails that create pressure or urgency to act
Email is the No. 1 way scammers get access to your personal information, and a common tactic of phishing emails is to create panic, Pickard said, such as: Your account is going to be shut down if you don’t act fast, click here! Your invoice is outstanding and will be sent to collections, click the attachment! The best way to combat this panic-inducing tactic? Slow down, Pickard said. “We all go through our emails like a bat out of hell,” he said. “We think, If I don’t get it done now, it’ll never get done. But spammers are counting on us to miss things.” If you do in fact have an unpaid invoice, you would have received multiple notices about it before they start demanding action. “If you do not know the sender or were not expecting the email, chances are it’s not legitimate,” Pickard said. “It’s human nature to avoid conflict and want to make things right. But no legitimate company is going to make you feel like something bad’s going to happen in 48 hours.”
4. Resist the urge to “Click & Complete” the email
Even if you know the sender, Pickard advises pausing and verifying the information through some channel other than email before taking any further action. “We’re all so reliant on emails, but that’s what spammers are counting on,” Pickard said. For instance, if you receive an email saying your Microsoft account is delinquent, don’t click the link. Instead, open a new tab in your browser and go to your Microsoft account yourself, by typing the address or using a bookmark you saved earlier, never by copying anything out of the message. If the email is accurate, the same notice will be waiting for you there. Toggle to Subscription & Billing or Messages to see if you have any alerts. “Chances are, you don’t,” Pickard said.
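As an added example, not code from the article or its interviewees, the check below does in code what the two tips above describe: it reads a constructed phishing message, flags the pressure phrases, and, more usefully, compares where each link says it goes against where it actually points. Every address and domain in the sample is made up, and the phrase list is an assumption you would tune to the messages your own firm receives.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases of the kind the article describes (constructed list; extend to taste).
URGENCY = ("act now", "within 48 hours", "account will be closed", "sent to collections",
           "verify immediately", "final notice")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Hostname of a URL, or of a bare domain written as link text."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def first_text_part(msg):
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def triage(raw_email):
    """Return a list of reasons to slow down before clicking anything in this message."""
    body = first_text_part(message_from_string(raw_email))
    text = re.sub(r"<[^>]+>", " ", body).lower()
    findings = [f"urgency phrase: {p!r}" for p in URGENCY if p in text]
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        target = host_of(href)
        # Only compare when the visible text itself looks like a domain or URL.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", shown, re.I):
            shown_host = host_of(shown)
            if shown_host != target and not target.endswith("." + shown_host):
                findings.append(f"link text shows {shown_host} but points to {target}")
    return findings

# Constructed sample message; every address and domain here is made up.
SAMPLE = """From: Microsoft Billing <billing@micros0ft-billing.example>
To: you@firm.example
Subject: Action required: payment failed
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your Microsoft 365 payment failed. Your account will be closed within 48 hours.</p>
<p>Sign in at <a href="http://account-microsoft.verify-login.example/pay">account.microsoft.com</a></p>
<p><a href="http://account-microsoft.verify-login.example/pay">Click here to pay now</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The link comparison is the part worth keeping: the visible text of a link is whatever the sender typed, while the href is where your browser will actually go, and a mismatch between the two is the single most reliable tell in a phishing email.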
5. Never (ever, ever) provide banking or wire information without speaking to the requester
We all think we would never be so naive as to give our banking details to a scammer, but Pickard offered a scenario that would be easy to fall for. Say you’re in the middle of a real estate transaction, and you receive an email from the real estate company you’ve been working with requesting your wire information, Pickard said. If that company has been hacked, the message can come from the very mailbox, and read in the very voice, of the person you’ve been communicating with, or from a lookalike address a single letter off. “If you reply, you’re replying to the spammer,” Pickard said. Before doing anything, call the person to verify they’re the sender, and call the number you already have on file, not one printed in the email, since whoever wrote the message also chose its phone number. “I know it’s hard to get in touch with the right person, especially at big companies,” he said. “But call.” Nothing bad will happen if you call, while a nightmare could unfold if you don’t.
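Here is an added example, not from the article, of the two header-level tells behind Pickard’s scenario: a Reply-To that sends your answer somewhere other than the address the message appears to come from, and a domain a letter or two away from one you trust. The known-domain list, the sample message and every address in it are constructed for illustration. None of this replaces the phone call; it tells you when to make it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains of firms you actually do business with (constructed for this example).
KNOWN_DOMAINS = {"oakridge-realty.example", "firm.example"}

WIRE_WORDS = re.compile(r"\b(wire|routing number|account number|updated bank|new bank)\b", re.I)

def domain_of(header_value):
    """'Dana Lee <dana@oakridge-realty.example>' -> 'oakridge-realty.example'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual budget for a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_email, known=KNOWN_DOMAINS, max_distance=2):
    """Reasons to pick up the phone before replying to this message."""
    msg = message_from_string(raw_email)
    from_dom = domain_of(msg.get("From", ""))
    # With no Reply-To, a reply goes back to From; a different Reply-To is the classic trick.
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    findings = []
    if reply_dom != from_dom:
        findings.append(f"replies go to {reply_dom}, not to {from_dom}")
    for dom in {from_dom, reply_dom} - set(known):
        for k in known:
            if 0 < edit_distance(dom, k) <= max_distance:
                findings.append(f"{dom} looks like {k}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    if WIRE_WORDS.search(body):
        findings.append("message asks for wire or bank details")
    return findings

# Constructed sample: the visible sender is genuine, the reply address is one letter off.
SAMPLE = """From: Dana Lee <dana@oakridge-realty.example>
Reply-To: Dana Lee <dana@oakridge-reality.example>
To: you@firm.example
Subject: RE: Closing on 14 Elm St
Content-Type: text/plain; charset=utf-8

Hi, the lender needs your wire instructions today so we can fund on Friday.
Just reply with routing number and account number. Thanks, Dana
"""

if __name__ == "__main__":
    for finding in check_sender(SAMPLE):
        print(finding)
```

Most mail clients show only the display name and, at best, the From address; the Reply-To header is rarely visible until you press reply, which is exactly why the scammer puts the swap there.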
6. Stop sending attachments back & forth
As accounting and bookkeeping professionals, we’re all guilty of requesting a bank statement or W-9 over email. But opening attachments is a huge security risk, and whatever you send by email sits, readable, in every mailbox it passes through, so we’d all improve our firm’s and clients’ security if we stopped requesting them in the first place. “Never send any personally identifiable information over email,” Pickard said. He advises using a secure, encrypted file-sharing service, such as Citrix ShareFile, Dropbox, or SmartVault, to send and request any files. The email then carries only a link: the recipient can upload to or download from the folder they were given, and only after signing in to the password-protected site, so the documents themselves never travel as attachments.
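As an added example, not the article’s own material, the scanner below is the kind of check a firm can run over an outgoing message before it is sent: it looks for Social Security numbers, EINs and bank routing numbers, applies the issuing rules and the ABA checksum to cut false alarms, and produces a masked form that lets you refer to a record without transmitting it. The draft text and every number in it are constructed; the routing number was chosen only because it satisfies the checksum.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")

def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def valid_routing(digits):
    """ABA routing transit number checksum (weights 3, 7, 1 repeating, sum mod 10 == 0)."""
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0

def find_pii(text):
    """Return (kind, match) pairs for SSNs, EINs and checksum-valid routing numbers."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    hits += [("ein", m.group(0)) for m in EIN_RE.finditer(text)]
    hits += [("routing", m.group(0)) for m in NINE_DIGITS_RE.finditer(text)
             if valid_routing(m.group(0))]
    return hits

def redact(text):
    """Mask all but the last four characters: enough to identify a record, not to misuse it."""
    out = text
    for _, value in find_pii(text):
        out = out.replace(value, "*" * (len(value) - 4) + value[-4:])
    return out

# Constructed draft; none of these numbers belongs to a real person or account.
# 123456780 passes the routing checksum, 123456789 (the invoice reference) does not.
DRAFT = ("Hi Sam, attaching the W-9 for Pat (SSN 123-45-6789), our EIN is 12-3456789, "
         "routing 123456780, invoice ref 123456789, call 555-867-5309 with questions.")

if __name__ == "__main__":
    for kind, value in find_pii(DRAFT):
        print(kind, value)
    print(redact(DRAFT))
```

The checksum matters more than it looks: nine-digit numbers are everywhere in accounting (invoice references, check numbers, policy numbers), and flagging all of them would train staff to ignore the warning.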
7. Have an off-site solution & back-up plan
It is not enough to back up your hard drive, Hecht said. Companies need their data backed up daily by a solution that’s off-site or in the cloud. “That way, if there’s ever a fire or flood and all of your physical computers get damaged, you will have all of your data backed up at a second location,” he said. “Off-site solutions are the only way to restore your systems to a pre-virus or pre-ransomware status.” Two points worth adding: a backup that is permanently connected or continuously synced can be encrypted by the same ransomware that hits your computers, so keep at least one copy that is offline or that retains older versions; and a backup you have never restored from is only a hope, so test a restore on a schedule. It is also not enough to purchase anti-malware software and forget about it. “We suggest having a sound plan,” he said, noting that COVID highlighted its importance. “What happens if your entire company can’t show up to work tomorrow or you lose service for a few hours? What’s the plan?” A plan means ‘If this, then that,’ he explained, such as: If we all cannot get into the office, then are there remote workforce capabilities?
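An added example, not from the article or either firm, of the check that turns a backup into a plan: a manifest of file hashes taken at backup time, used afterwards to prove that a restored copy is complete and untouched. The scenario in demo() is constructed in a temporary directory: a copy is made to a second location, the primary files are then overwritten and renamed the way ransomware would, and the off-site copy is restored and compared against the manifest.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root. Store it alongside the backup."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a restored (or suspect) tree against the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),
    }

def demo():
    """Constructed scenario: back up, simulate ransomware on the primary, restore and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live, offsite, restored = (Path(tmp) / n for n in ("live", "offsite", "restored"))
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "acme-2023.xlsx").write_bytes(b"ledger data")
        (live / "notes.txt").write_text("call Dana re closing")
        manifest = build_manifest(live)
        shutil.copytree(live, offsite)                     # nightly copy to a second location
        (offsite / "manifest.json").write_text(json.dumps(manifest))
        # Ransomware on the primary: one file overwritten in place, one overwritten and renamed.
        (live / "notes.txt").write_bytes(b"encrypted junk")
        locked = live / "clients" / "acme-2023.xlsx"
        locked.write_bytes(b"encrypted junk")
        locked.rename(locked.parent / (locked.name + ".locked"))
        damage = verify_restore(manifest, live)
        # Restore from the off-site copy and prove it matches what was backed up.
        shutil.copytree(offsite, restored)
        (restored / "manifest.json").unlink()
        return {"damage": damage, "restore": verify_restore(manifest, restored)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same verify_restore call, run against the live system rather than the restored copy, is also a cheap early warning: files that change hash without anyone editing them, or that sprout new extensions overnight, are how an encryption run looks before the ransom note appears.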
8. Educate your employees
Finally, according to Hecht, the biggest threat to your company isn’t external. It isn’t even the hacker. “It’s not training your employees,” he said. In fact, 85 percent of breaches involve a human element, according to Verizon’s 2021 Data Breach Investigations Report. “Most of the time it’s because an employee clicked on a malicious link or downloaded a file they shouldn’t have,” Hecht added. He recommends KnowBe4.com, which offers free tools and training materials as well as affordable programs that any company can implement. The program sends simulated phishing emails to your employees and shows who fell for them. “It can be kind of fun to start spamming your employees and see if they fall for it,” Hecht said, with a laugh. “It’s a conversation starter. It’s affordable and something you don’t need an IT company to roll out. The majority of what we see is because of human error, which is why cybersecurity awareness all comes back to training your employees.”