As Platinum Sponsor for this year’s event, we recently invited Graham Cluley, public speaker and independent computer security analyst, to address the Annual Conference of the AIT, a group which draws its members from IT professionals working in the Top 60 UK accountancy firms.
After the event we caught up with Graham to talk through what he sees as the top security threats facing the profession.
Graham Cluley has been working in the computer security industry since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Since then, he’s had senior roles at Sophos and McAfee and in 2011 he was inducted into the Infosecurity Europe Hall of Fame.
Today he’s an independent blogger, podcaster and public speaker, and over 75,000 people now follow Graham for news and advice about computer security and internet privacy. You can sign up to Graham’s free GCHQ Newsletter at grahamcluley.com.
What do accountancy firms need to do to keep themselves safe from modern security threats?
Clearly, the first thing is to take those threats seriously!
I think there’s a perception that professional hackers mainly target hard cash, for example banks or credit cards, but that’s no longer the case. Hackers have now learnt to monetise all kinds of data, especially the kind of sensitive financial data that accountants hold about their clients. So while the banks have had literally hundreds of years to get better and better at security – initially, physical security, but more recently data security – some other high-value targets, like accountants, have a bit of catching up to do.
What kind of data do hackers look for?
Most data can be monetised these days, so these are just a few examples of the more common misuses.
Say you’ve been working on a merger or acquisition. If organised criminals can steal that M&A information before it becomes public they can use it to make money from share trading themselves, or they can sell the information to others. Millions have been made from that kind of data theft.
Then there’s straight identity theft. Accountancy practices have a lot of the kind of information that’s needed to set up false identities – stuff like National Insurance numbers, business addresses, details of bank accounts, even copies of passports that have been scanned in for money laundering checks and are still sitting in an inbox or email archive months after they should have been securely deleted. With this kind of data, criminals can create credible false identities to take out loans, launder money and buy and sell assets.
Another way to monetise stolen data is through straight blackmail. The criminal simply tells the firm that they’ve obtained client data, probably gives them a small sample to prove the point, and demands money in return for silence. We know that many businesses have paid up rather than face the reputational damage. After all, what are your clients going to think when they find out that their data has been compromised? Will they ever trust you again? The damage to a brand can be enormous, as TalkTalk found out recently.
How do they get hold of this data?
One of the fastest growing types of cybercrime these days is a thing called “business email compromise”.
The first thing a hacker has to do is to break into your email system. One of the easiest ways of doing that is to send one of your employees an email telling them that they have to reset their email password – a classic “phishing” technique. A link from the email takes them to a malicious, but convincing, website which asks them to confirm their current password. Once the hacker has that, they’re through the door. It only takes one employee to fall for this and the hacker has access.
That’s exactly what happened to John Podesta, Hillary Clinton’s campaign chairman, in 2016. It was through his Gmail account that the Russians were able to obtain and leak emails that had been sent within the Clinton camp, doing so much damage to her election campaign. On that occasion it was a state-sponsored organisation, but the methods aren’t complicated; practically anyone can do it.
Once you get control of an email account, you can often unlock other online accounts. Very quickly the hacker has a ton of useful information. If they’ve got a client list, for example, they might email clients telling them “Our bank details have changed. Next time we send you an invoice, please use the following instead of our normal bank account.” And some of your clients will do just that. Or they could send you an email, posing as one of your suppliers asking for payment, again with their own bank details. Because they’ve seen inside your email system they know the projects this supplier is working on, they know purchase order numbers, they know what these invoices should look like. It can be very convincing. We know that thousands of companies have lost money this way.
Apart from phishing attacks, what else should accountancy practices guard against?
It’s not always external hackers who cause problems; staff can also act maliciously and this “insider threat” is often overlooked.
IT systems are particularly vulnerable to internal attack because, in a sense, you’ve already done most of the hard work for the hacker! You’ve given your staff the network passwords, a computer and a desk to sit at so they’ve already got access to your systems.
If you’ve got a rogue employee, it can be hard to spot, hard to police and hard to protect yourself against. That’s why some of the biggest hacks in history have been insider threats – for example Edward Snowden who worked as a contractor for the NSA in America, and Chelsea Manning, the US Army soldier, both of whom leaked hundreds of thousands of documents.
It can be hard even having to think of your staff as potential hackers but that’s sometimes what it takes. For example, you can install software which will monitor unusual movements of data inside your organisation – so if someone suddenly accesses your entire client list, that might be worth investigating. Or if they copy data to a USB stick for no good reason. Or email it to a Yahoo address.
You might also want to review whether all staff need access to all client data at all times. For example, where clients are dealt with by teams it makes sense to limit access to people within those teams, in the same way that you restrict access to the practice’s own accounts.
You need to be particularly careful if you know staff are leaving, whether of their own accord or not. And after they’ve left, you need to delete usernames and change passwords so that they’re not tempted to log in again remotely.
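The monitoring Graham describes above (a sudden sweep through the whole client list, data copied to a USB stick, data emailed to a personal webmail address) can be expressed as a few simple rules over an access log. The following is an added example written for this page, not code from Graham or from any product; the log format, the field names and the thresholds are assumptions, and the log lines are constructed sample data. It flags any user who opens an unusual number of client records in a short window and lists copies to removable media and emails to personal webmail domains.

```python
"""Flag unusual movements of client data in an audit log (added example).

Assumed log format, one event per line:
    <ISO timestamp> user=<name> action=<view|copy|email> detail=<value>
The thresholds and webmail domain list are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    detail: str


# Personal webmail domains treated as a risky destination for client data.
WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}


def _constructed_log() -> str:
    """Build a small, constructed sample log (not real data)."""
    lines = [
        "2024-03-04T09:00:12 user=alice action=view detail=client/1042",
        "2024-03-04T09:03:40 user=alice action=view detail=client/1043",
        "2024-03-04T09:05:01 user=bob action=view detail=client/2001",
    ]
    # carol opens 25 client records in five minutes: a sweep of the client list.
    start = datetime(2024, 3, 4, 11, 15, 0)
    for i in range(25):
        ts = (start + timedelta(seconds=12 * i)).isoformat()
        lines.append(f"{ts} user=carol action=view detail=client/{1000 + i}")
    lines += [
        "2024-03-04T11:31:10 user=carol action=copy detail=removable:E:/clients.xlsx",
        "2024-03-04T12:02:55 user=dave action=email detail=to=dave.personal@yahoo.com",
        "2024-03-04T12:05:00 user=bob action=email detail=to=finance@client-two.example",
    ]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text: str) -> list[Event]:
    """Parse the assumed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(stamp), fields["user"],
                            fields["action"], fields["detail"]))
    return events


def bulk_access(events, window=timedelta(minutes=10), threshold=20) -> set[str]:
    """Users who viewed >= threshold client records inside any sliding window."""
    views = defaultdict(list)
    for e in events:
        if e.action == "view" and e.detail.startswith("client/"):
            views[e.user].append(e.ts)
    flagged = set()
    for user, times in views.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def risky_channels(events) -> list[tuple[str, str, str]]:
    """Copies to removable media and emails to personal webmail, in log order."""
    alerts = []
    for e in events:
        if e.action == "copy" and e.detail.startswith("removable:"):
            alerts.append((e.user, "removable-media", e.detail))
        elif e.action == "email":
            recipient = e.detail.removeprefix("to=")
            domain = recipient.rsplit("@", 1)[-1].lower()
            if domain in WEBMAIL_DOMAINS:
                alerts.append((e.user, "personal-webmail", recipient))
    return alerts


def review(log_text: str) -> dict:
    """Run both rules and return the findings worth a human look."""
    events = parse_log(log_text)
    return {"bulk_access": sorted(bulk_access(events)),
            "channels": risky_channels(events)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed log the bulk-access rule flags only carol, and the channel rule lists carol's copy to removable media and dave's email to a Yahoo address while leaving bob's email to a client domain alone. In a real deployment the threshold should come from each user's normal working pattern rather than a fixed number, otherwise staff whose job genuinely involves touching many records generate noise.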
What are your thoughts on the cloud?
Properly implemented, the cloud can bring enormous benefits in terms of improved security, particularly for smaller firms who don’t have the dedicated resources to set up and maintain their own security arrangements.
Of course, there have been well documented security breaches to cloud-based services, so you need to make sure you can trust your external third party. And you need to follow best practice when it comes to passwords!
Passwords. That sounds like a topic in its own right…
When I tell people what I do, they often ask “What’s the one piece of advice you would give me to stay safe online?” And my advice is this: Use unique, complex passwords and never reuse the same password on multiple sites.
For most people, password reuse is probably their single, biggest security issue. When LinkedIn got hacked a few years ago, the first thing the hackers did was to use the compromised passwords from LinkedIn to attempt to break into other systems, like Dropbox and Gmail and Facebook. A lot of times they succeeded.
So you need to make sure that you use different passwords for each site and they need to be complex passwords, not something like “password” or “1234” because those kind of passwords can be broken in milliseconds. People say to me “I’ve got hundreds of passwords – I’ll never remember them all!” but the good news is, you don’t have to. I don’t know my Twitter password; I don’t know my email password; I don’t know my LinkedIn password. That’s because I’ve got a password manager that securely holds all of my passwords and all I have to do is remember a complex master password for the password manager. For the vast majority of people, using a trusted password manager would give them far more security than they have now.
If a system supports it – and many now do – I’d also suggest using two-step verification. This is where you need a randomly generated code to complete your logon, sent to you via a different device. So even if someone has phished your password, they can’t log on because they don’t have your mobile phone and because the codes that are sent out to that device change every few minutes, so an old code can’t be used.
Would the same advice apply to businesses?
Definitely. But for businesses I’d also add “patching” to my list of priority actions.
For example, on the second Tuesday of every month Microsoft issues patches, which include patches to close down security vulnerabilities. As soon as these vulnerabilities have been publicised, hackers will start to exploit them, so I recommend installing the patches as soon as possible, rather than waiting for the next software update.
Other operating systems, tools and browsers – like macOS, Adobe Acrobat and Chrome – work in a similar way and it’s important to keep them all up to date.
What are your thoughts on “Bring Your Own Device”?
BYOD is certainly a challenge for IT managers.
The launch of the iPhone and the spread of smartphones and tablets have had a profound effect on the world of work. So even if they’re not bringing in their own laptop, everyone now has what is effectively a computer in their pocket and everyone considers themselves a bit of a tech whiz! And if they’re not bringing in their own hardware, they’re using browser extensions and cloud-based technologies like Dropbox, or they’re plugging in USB sticks or other gadgets.
In many ways, it’s useful to have a more tech-savvy user-base, but it can mean that your network is being opened up to additional threats, which your users are unlikely to understand.
Personally, I’m not a fan of simply telling people “You can’t do this. You can’t use that.” All that happens in practice is that users find a way of getting round your ban without you realising, which is far worse! Far better to say “Come to us and discuss your needs.” Say they have a genuine business need to sync files on their laptop with the cloud, and maybe they’re using Dropbox for this already. Perhaps that’s OK by you. Or perhaps you’re happy with that so long as they use certain settings, like two-step verification. Or perhaps your practice already has a solution that you’ve licensed – like Microsoft OneDrive – and you’d rather everyone in the firm used that, instead of everyone using a different solution. My point is that, unless you can have that conversation with your users, you’ll never get a chance to tell them, so it’s always better to keep lines of communication open.
And who knows, if your IT team can educate your users at work, maybe people will start putting these sensible practices in place at home, too, which will make everything safer.
What are your thoughts on GDPR?
I think companies are terrified about GDPR. They’re putting lots of resources into it but my feeling is that many of them still won’t be able to comply. We’ll have to see what happens in terms of punishments, but I wouldn’t be surprised to see some hefty fines for non-compliance early on.
But I think rather than view GDPR as a burden, accountancy practices should be thinking “You know what? We need to do this anyway because it’s our clients’ data and we really should be securing that properly.”
And although many will think that GDPR imposes an impossibly difficult level of security to reach, it actually doesn’t. This isn’t the finishing line, it’s the starting point, it’s the minimum that you should be doing to protect your information. Most external attacks aren’t targeted at specific organisations, they’re much more opportunistic than that – it’s like a burglar walking down the road and looking for the house that looks easiest to break into. If you’ve got window and door locks, a working alarm and a Rottweiler in your garden, they’ll look for a softer target! So, when it comes to GDPR, just make sure your security is above average and that will probably be enough of a defence.
What about Making Tax Digital, another hot topic for accountants?
As more and more people get online – are, in a sense, forced to get online – there’s more chance of things going wrong.
If we need the digital laggards to be online then we need to make it as easy and safe as possible, so accountants certainly need to be able to offer their clients a simple way of connecting with them online for the purposes of Making Tax Digital.
There may even be some fee-earning opportunities with MTD – giving advice on how to get online safely, helping clients to get set up, with the added bonus that you know they’ll be doing it properly.