Nationally recognized educator Randy Johnston, executive vice president at K2 Enterprises, outlines ransomware risks for CPA firms, how these threats are evolving, and ways to keep your data safe.
Imagine finding out that every file related to your business is locked behind a criminal’s digital paywall with no guarantee you’ll ever get them back. Ransomware – malicious software that prevents you from accessing your files, systems, or networks, and demands you pay a ransom in exchange for their return – is the most common cyberthreat Canadians face, and it’s on the rise according to the Canadian Centre for Cyber Security. Against that backdrop, let’s explore ransomware risks for CPA firms, how these threats are evolving, and ransomware protection strategies.
Why are CPA firms attractive targets?
In a tax or audit environment, documents often contain everything needed for identity theft such as personal information like full names, social insurance numbers, addresses, and phone numbers. Accounting firms are also a target-rich environment because they have a concentration of clients and the people they are connected to, which makes for a wealth of data for bad actors.
What are top entry points for ransomware attacks?
It’s been said many times, but never click on a link or attachment in an email from an unknown source. Equally, you should be alert even if the email comes from a known source: if anything seems out of the ordinary, a bad actor could be impersonating them. All it takes is one click for ransomware to take effect, with most of the damage completed in around three to five minutes.
In addition to suspicious links and attachments, malware can spread through any file storage location. If an infected file is uploaded and not detected, malware can live in local drives, your phone, your desktop, and shared cloud storage such as Google Workspace and Microsoft 365. On top of this, AI has increased the threat of ransomware in recent years, as AI can accelerate, automate, and ‘improve’ the scripts used for attacks. Additionally, attackers are increasingly patient and sophisticated. Even if your files are encrypted, they may collect them and not act on them for a year or two, hoping that in the not-too-distant future they can break the encryption through quantum hacking.
Is there a minimum set of controls for ransomware protection?
A small set of baseline security controls is essential for ransomware protection. If an organization can only implement a few protection mechanisms, the following would be the priority:
- Reliable, frequent backups are essential and inexpensive. I recommend backing up your files every 15 minutes. Remember that major vendors like Microsoft, Google, and Zoho either disclaim responsibility for backups or do not guarantee backup protection.
- Strong, commercial-grade firewalls for both the office and the home. If a bad actor gets into your home network and you have remote access to your office, that’s an entry point for malware. One of the more affordable firewalls that can be managed by IT teams is the Ubiquiti Dream Machine. Other products include those from SonicWall or Cisco.
- Anti-virus software is generally effective and low cost. For accountants in public practice, some popular products make tax and audit applications run slowly. Sophos or Huntress work well without interfering with the applications. Microsoft Defender is also an option.
- Multi-factor authentication (MFA) adds a critical barrier against unauthorized access. MFA offerings vary by vendor: some add a monthly fee, others include it at no extra charge. If you use Microsoft 365, the Business Premium version includes Microsoft Authenticator. Cisco Duo, or OneAuth as used by Zoho, are other examples.
- Data loss prevention (DLP) tools also protect data and help you comply with regulatory requirements. These include Trellix and Forcepoint DLP.
Overall, think about ransomware protection like an onion and its layers – every time you add another layer, it makes it harder for the attackers to get through.
What steps should you take if you suspect an attack?
Firms need to follow a clear, calm process outlined in an incident response plan (IRP). The first step is to stop and report the issue to others in the organization – for example, IT, your incident response team, and leadership. Next, identify all affected systems so they can be shut down, protected, and eventually restored. Avoid panicking; attackers want you to feel pressured as it increases the chance that you will make poor decisions.
Once the affected systems are identified, firms can begin recovery. You can usually budget two to three days, but sometimes this can take up to a week or two. After restoration, systems must be tested to confirm they’re clean and functional. Finally, a post mortem helps determine what went wrong – investigate whether training or processes were insufficient, if the recovery process worked, and how to prevent similar incidents. I recommend testing incident response and recovery plans at least annually as part of good IT hygiene.
When deciding to pay a ransom, what should firms consider?
Authorities advise never paying a ransom, as doing so funds future criminal activity, could breach laws or regulations, and may lead to escalating demands or other repercussions. In practice, however, some firms decide to pay when they have no access to their data and face the risk of going out of business.
In most cases where a ransom is paid, data will be returned. Attackers generally want a reputation for “delivering” because it encourages future victims to pay. It bears repeating that if you’ve got a strong, regularly tested backup, you can recover from the backup, and you may not have to pay. If you do pay and get your data back, you will still need to shut down your operations and better protect them through the security measures mentioned above, as attackers will often quickly retarget an organization that they know was vulnerable and could offer a valuable payoff. Expect to get attacked again in less than a week.
What are key steps to take after an attack?
After an attack, firms should immediately reach out to regulators, law enforcement, and their cyber insurance provider. Organizations should proactively maintain up-to-date contact information for federal and provincial authorities, insurers, and law enforcement as part of their incident response plan. Having this information ready ensures that reporting and coordination happen quickly during a breach.
Finally, document every action related to the attack – times, dates, who was contacted, and what occurred. If there is an enforcement action, a lawsuit, or a situation where you’re being denied coverage by your insurance carrier, there could be litigation related to it. This documentation details exactly what happened and can help resolve claims.
CPABC does not endorse any of the services or products mentioned in this article. It is the reader’s responsibility to research and review the services and products independently.
Randy Johnston, executive vice-president at K2 Enterprises, is a nationally recognized educator, consultant, and writer with over 40 years of experience in strategic technology planning, accounting software selection, systems and network integration, business continuity and disaster recovery planning, business development and management, process engineering, and outsourced managed services.