Cyber-crime is on the increase, and as an accounting practice you are a particular target for attackers. Simply because you hold a large amount of data on your clients, it is easier for a criminal to hack your systems and access information on hundreds or thousands of businesses than it would be to attack each business individually. With the increased risk comes increased responsibility: your clients depend on you to do the right thing when it comes to cyber security, yet how many of you feel you fully understand what needs to be done to meet your clients' expectations?
The Threat Landscape
Your computer systems can be compromised in a number of different ways. The impact to your firm (and the harm done) will depend upon the opportunities you present to an attacker, that is, the vulnerabilities within your systems, the attacker's ability to exploit them, and ultimately their motivation for attacking you.
For example, an easily guessed or not frequently changed password for your firm's login to the HMRC website would be easy to exploit. Imagine the scenario where an attacker gains access, changes a client's bank account details and requests refunds. The first you may know about it is when the client calls querying the refund they think they are receiving. With a little more technical knowledge, an attacker can use off-the-shelf tools to exploit known problems with your systems. They could bring more resources, people or money, to further exploit that first breach. To protect against these bespoke attacks you will need to invest in a more holistic approach than would be covered by schemes like Cyber Essentials. The first step is to understand your vulnerabilities.
What are your firm's vulnerabilities?
Vulnerabilities provide opportunities for an attacker to gain access to your systems. They can be broken down into three main areas:
1. Flaws
2. Features
3. User Errors
A flaw is unintended functionality. This may be either a design fault or the result of poor configuration, implementation or support. The majority of attacks we see today are based on the exploitation of flaws, often very old flaws. The attack on TalkTalk that ultimately led to the resignation of the CEO, cost £77m and attracted a £400k fine was carried out by a 19-year-old. The flaw he exploited was older than he was and had been around since the early 1990s.
Features are intended functionality, but they can be misused by an attacker to breach a system. When Microsoft introduced macros in Word documents in the late 1990s they quickly became a way of exploiting vulnerabilities. The Dridex banking trojan used spam email to circulate Word documents masquerading as invoices or delivery notes. When users clicked on the Word documents, Dridex was downloaded onto the affected systems.
No matter how sophisticated the security designed into a system, or how carefully it is implemented, it is at risk from inexperienced users who enable a vulnerable feature, fail to fix a known flaw, or leave default passwords unchanged. In the many hundreds of firms' IT systems we have investigated over the years there is almost always an issue in one of these areas, in particular passwords and patches.
Moreover, users in general can be a source of vulnerabilities: they reuse passwords from external, less secure systems, and they leave laptops and mobiles unattended. Even the most cyber-aware person can give away information that may be useful to an attacker.
What does an attack look like?
Cyber-attacks take many forms, but all of them can be summarised into four stages:
Survey – Delivery – Breach – Affect
· Survey – Investigating and analysing the target in order to identify potential vulnerabilities
· Delivery – Getting to the point where a vulnerability can be exploited
· Breach – Exploiting the vulnerability to gain some form of access
· Affect – Carrying out activities within a system to achieve the attacker's goal
During the survey stage, attackers will use a number of methods to find technical or physical vulnerabilities they can exploit. They can use publicly available information from LinkedIn, your website, Facebook and Instagram. If you are using a third party to support your systems, they will hold significant details about your network and may also have passwords to your systems. Are you confident that they have the appropriate security controls in place?
During the delivery stage, attackers look to exploit a vulnerability they have discovered. They do this in a number of ways, but the most common is attempting to access an online system that you provide. In accountancy, external-facing document management systems are particularly vulnerable, as attackers know that they contain very valuable information. Despite spam filters and anti-virus software, phishing emails are still very successful at infecting systems. Users still click on links and download files that they shouldn't.
The harm to your business and the damage to your reputation from a breach will depend upon the vulnerability and the exploitation method. It may allow an attacker to make changes to your system, gain access to your and your clients' online accounting and banking systems, or take control of a user's computer, tablet or mobile.
Having achieved this, an attacker can impersonate a user and your business to gain access to other systems. If they can access your email, they can reset all of your passwords simply by requesting resets.
Once inside your systems, the activities they carry out will vary depending upon their objectives, but they could include:
· Retrieving sensitive information which they may hold you to ransom over
· Making changes to their own benefit, such as creating payments into a bank account they control
· Disrupting business operations, such as encrypting your systems so you cannot use them
How to reduce your exposure to attack
Fortunately there are many effective and affordable ways to reduce your firm's exposure to the more common types of threat found on the Internet. This is far from a complete list, but it sets out the absolute essential requirements you should have in place in order to protect your clients' data and your reputation.
Cyber Security Checklist
1. Hardware Firewall
Do you have a separate hardware firewall that is properly configured? It should allow users to connect to authorised destinations and block any unauthorised traffic from passing through. The firewall should be running the latest firmware and be actively monitored for unusual traffic patterns.
2. Malware Protection
Do you have systems in place that can detect and block known malware before it executes any attack code?
3. Patch Management
A system for updating all operating systems, application software and devices as soon as patches become available.
4. Whitelisting and Execution Control
Software to prevent the running of unauthorised applications, including from USB and CD drives.
5. Secure Configuration
Restrict the functions of every device to the minimum needed for the business to operate.
6. Password Policy
Ensure that an appropriate password policy is in place and that it is followed; strongly consider using multi-factor authentication.
7. User Access Control
Enforce the principle of least privilege, only allowing users to access the data and systems that they need for their job function.
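Checklist item 6 asks for a password policy but does not say what one should check. The following is an added Python example, not code from this article or its authors, of a deny-by-default policy check that favours length and a deny-list over forced symbol rotation: it rejects short passwords, common and vendor-default passwords (after undoing the "P@ssw0rd1" style substitutions attackers try first), passwords built from the firm's or a user's name, and keyboard or repeated-character runs. The threshold values, the deny-list, the sample accounts and the function names (`check_password`, `audit`) are all constructed assumptions for illustration.

```python
# Added example (not from the article): a deny-by-default password policy check
# in the spirit of checklist item 6. MIN_LENGTH, the deny-list and the keyboard
# sequences are constructed assumptions; a real deployment would load a large
# published breached-password list instead of the handful below.
import re

MIN_LENGTH = 12            # favour length over forced symbol churn
MAX_REPEAT_RUN = 4         # reject "aaaa", "1111" and longer runs
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "09876")

# Constructed deny-list: vendor defaults and perennial favourites.
DENY_LIST = {
    "password", "qwerty", "admin", "welcome", "letmein",
    "changeme", "accountant", "taxreturn", "invoice",
}

# Fold the substitutions attackers try first (p@ssw0rd -> password).
_LEET = str.maketrans("@$013!|", "asoleil")


def normalise(pw: str) -> str:
    """Lower-case, drop a trailing "1!" style suffix, undo leet substitutions."""
    core = pw.lower().rstrip("0123456789!.?*#") or pw.lower()
    return core.translate(_LEET)


def check_password(pw: str, context_words=()) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes.

    context_words are names the password must not be built from (firm name,
    user name, client names); they are compared after normalisation.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    folded = normalise(pw)
    if folded in DENY_LIST:
        problems.append("on the deny-list (common or vendor-default password)")
    for word in context_words:
        if len(word) >= 4 and word.lower() in folded:
            problems.append(f"built from context word '{word}'")
    if re.search(r"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1), pw):
        problems.append(f"contains a run of {MAX_REPEAT_RUN}+ repeated characters")
    if any(run in folded for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard sequence")
    return problems


def audit(candidates: dict, context_words=()) -> dict:
    """Check a batch of account -> password pairs and report only the failures."""
    return {
        account: problems
        for account, pw in candidates.items()
        if (problems := check_password(pw, context_words))
    }


if __name__ == "__main__":
    # Constructed sample accounts, as a firm might find on a shared device.
    sample = {
        "reception": "P@ssw0rd1",
        "partner":   "Smith&Co-Accounts-2024",
        "payroll":   "correct horse battery staple",
        "scanner":   "admin",
    }
    for account, problems in audit(sample, context_words=("Smith",)).items():
        print(f"{account}: " + "; ".join(problems))
```

The normalisation step is the part worth copying: comparing against a deny-list only after folding case, stripping the trailing "1!" and undoing "@"/"0"/"$" substitutions is what stops "P@ssw0rd1" from slipping past a list that contains "password". The context-word check covers the firm name and user names that appear on LinkedIn and your website, which the survey stage above points out an attacker will already have.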
If you need any help checking these points, or simply want a second opinion, please contact us at firstname.lastname@example.org or call 0117 457 6468.