Accountants: How to Stay Safe from Cyberattacks When Working Remotely
COVID-19 has forced nearly every business in the UK to shut its doors or to start working remotely, including accountants. For those of us whose businesses are built around remote-working tools and cloud-based methods of accounting, the impact has been minimal. For those who are unfamiliar with cloud solutions, it can feel a little like being thrown into the deep end of a pool, especially with little protection from cyberattacks.
The learning curve is steep. And, unfortunately, part of that learning curve must include how to guard yourself and your clients against cyberattacks and online fraud.
Modern hacking is not like the movies.
We all love to see the Hollywood film with the young hacker pounding away at a keyboard and suddenly cracking through the Department of Defense’s firewall through sheer ingenious skill. For those of us who know even only a little about cybersecurity, this kind of movie scene is laughable.
In reality, almost all successful “hacking” these days is done through “social engineering” or through password theft made possible by poor security practices.
Social engineering — beware of email and online communication!
If you ever get an email from “someone you know” and that person is requesting delicate information such as passwords or other confidential information, politely refuse to send the information via email, and then phone the person up personally to confirm they actually sent the email.
That is a popular method of obtaining sensitive information, and it was the method used in the notorious (and highly embarrassing) hack of the security firm HBGary Federal.
If, upon calling the purported sender of the email, you discover they did not send it, inform them that their email account has likely been hacked. The first step they should take is to change their email password immediately to a secure password consisting of 12 or more characters, lower and upper case letters, numbers, and at least one special symbol.
Never send passwords by email — do this instead.
Never send a password by email. Once sent by email, the password sits in both parties’ email accounts indefinitely. It’s the easiest way for hackers to find passwords for sensitive accounts.
Google has recently implemented the option to send “confidential emails” in Gmail. But if you are not using Gmail as the email backend for your business, this option is not open to you.
One tool we like to use is OneTimeSecret, which lets you send sensitive information in encrypted form. The data is destroyed after it has been viewed once.
If you choose to add a passphrase to the encrypted message in OneTimeSecret, then send the passphrase to your client via SMS, or phone them.
Never save passwords in a text file on your computer.
Best security practice dictates that you should use a different password for everything. That’s a lot of passwords to remember, and memorising them all is practically impossible.
You do need to save your passwords somewhere, but they should only ever be kept in tools designed specifically for storing passwords — not in a text file, Word document or Excel spreadsheet.
“Password managers” encrypt the passwords stored in them so that nobody else can view them. The only password you then need to remember is the one that unlocks the password manager itself.
Make sure that password is a powerful one. Write it down and put it in a safe or in a safe deposit box.
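To make the three ideas above concrete (a strong master password, an encrypted store that only that password unlocks, and a secret that is destroyed after one viewing, as OneTimeSecret does), here is an added Python example. It is not code from the article, from OneTimeSecret or from any password manager: it is a self-contained illustration that derives keys with PBKDF2 and uses an HMAC-based keystream with an encrypt-then-MAC tag, both from the standard library, so it runs anywhere. The 12-character rule is the one the article gives; the iteration count, the `Vault` and `OneTimeSecret` class names and the burn-on-first-attempt behaviour are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

ITERATIONS = 100_000  # PBKDF2 work factor; assumption, tune for your hardware


def check_password_policy(password: str) -> list:
    """Return the policy rules the password fails (empty list means it passes).
    The rules are the article's: 12+ characters, lower and upper case letters,
    a digit, and at least one special symbol."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special symbol")
    return problems


def _derive_keys(master: str, salt: bytes) -> tuple:
    # One slow PBKDF2 call yields two independent 32-byte keys.
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (illustrative construction).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(master: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong password or tampering is rejected."""
    if len(blob) < 64:
        raise ValueError("blob too short to be a sealed entry")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """Password-manager style store: entries are unreadable without the master password."""

    def __init__(self, master: str):
        problems = check_password_policy(master)
        if problems:
            raise ValueError("weak master password: " + ", ".join(problems))
        self._master = master
        self._entries = {}

    def store(self, name: str, password: str) -> None:
        self._entries[name] = seal(self._master, password.encode())

    def retrieve(self, name: str) -> str:
        return open_sealed(self._master, self._entries[name]).decode()


class OneTimeSecret:
    """Secret sealed under a passphrase sent out-of-band; the first reveal attempt,
    right or wrong, destroys it (a design choice for this example)."""

    def __init__(self):
        self._secrets = {}

    def create(self, passphrase: str, secret: str) -> str:
        token = secrets.token_urlsafe(16)  # the link you would email to the client
        self._secrets[token] = seal(passphrase, secret.encode())
        return token

    def reveal(self, token: str, passphrase: str) -> str:
        blob = self._secrets.pop(token)  # KeyError if already viewed or unknown
        return open_sealed(passphrase, blob).decode()
```

The point to take from the example is the shape, not the cipher: a vault is only as strong as the master password that derives its key, and a one-time secret is useless if the passphrase travels in the same email as the link, which is why the article says to send it by SMS or phone. For real systems use a vetted library’s authenticated encryption rather than the hand-built keystream shown here.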
Some password managers are:
Your Google Account
If you use the Google Chrome browser, your passwords are saved automatically to your Google Account, and you can view them at Google Passwords. Just make sure your Google Account’s own password is robust.
The benefit of this password saver is that you can access it from anywhere.
KeePass
KeePass is a free tool in which you type in the details manually for every password you save. You can also configure it so that it is accessible online through a website, but that starts getting a little advanced.
There are very many other tools you can use as well.
Phishing — another typical hack
Phishing is when someone sends an email and makes it look like it comes from someone else. Con artists often try to get banking details from people by sending an email that looks like it comes from an official bank.
They could do this to your clients as well.
Phishing is a well-known scam that is unfortunately difficult to combat, because it targets the client rather than you.
The only defence is to inform your clients regularly and clearly that you will never ask them for things such as passwords, account details, etc. in an email. You can also put a notice on your website warning clients not to fall for this practice.
No doubt you’ve seen these kinds of messages and alerts from many of the big UK banks such as this page on Lloyds Bank or this one on Barclays Bank.
The only way to fight a phishing scam is to be proactive. Send an email to your clients informing them that you would never ask for account details or payments via email. Not only does such an email help reduce phishing scams, but it also makes you look professional in your accountancy practice. And that inspires confidence, which is always good for business.