Don’t Be Deloitte: Data Breach Lessons for Accountants
How to prevent hacks or handle the fallout.
In 2016, hackers stole client information from the email system of Deloitte, a “big four” accountancy and consulting firm. No one noticed the breach for a year. Though the timeline remains murky, details of the hack trickled out to the public in September 2017.
Using Deloitte as a cautionary tale, we’ll take a closer look at how you can prevent hacks, or how you should deal with the fallout of a data breach at your accounting firm.
Why Deloitte Matters
At first glance, the Deloitte data breach may not look like a major deal. After all, hackers usually go after social security numbers and financial information, right?
Here’s why the Deloitte incident matters: The firm’s clients include departments of the U.S. government and several Fortune Global 500 companies.
The breached email system stored the following information [1]:
- Deloitte usernames and passwords
- Health information
- IP addresses
- Company architecture
If Deloitte can be hacked, so can any business.
Where Deloitte Failed
In the first half of 2017, 7.25% of data breaches occurred within the financial industry. [2] This amounts to 67 data breaches and 137,885,329 stolen records. [2]
Keeping these stats in mind, you’d think Deloitte would take every possible measure to protect their data. The firm even offers cybersecurity services.
So how did hackers fool a company that markets their own IT expertise? They accessed the Deloitte email system using an administrator’s account that required one password and no verification steps (more on this later). [1]
Data Breaches and Legislation
Currently, state laws dictate your legal responsibilities related to data breaches. Larger hacking incidents at Equifax and Uber, along with the Deloitte data breach, have led lawmakers to push for national data breach laws.
Hackers aren’t just going after huge companies. They’re targeting small and medium businesses, too.
It’s never too early to train your employees on data breach prevention. You don’t want your accounting firm to make the headlines for all the wrong reasons.
You should train your employees on data breach prevention and best practices, because your accounting firm stores a wealth of information, such as:
- Social security numbers
- Mailing addresses
- Email addresses
- Phone numbers
- Real estate documents
Cloud Accounting and Liability
If you use cloud accounting, the information listed above is stored on a server. Your cloud accounting vendor probably handles software installations, updates, backups, and data storage for you. But that doesn’t mean they’ll be liable if a hacker breaches one of the data centers that holds your clients’ information.
You might even store your own data in an on-site server at your accounting firm. But how do you take every possible measure to prevent data breaches when hackers are so smart?
Create a Data Storage Policy
Your first step is to create a data storage policy.
To get the ball rolling, work with your team to answer these questions [4]:
- Are your laptops locked to a docking station on your desk?
- Is the data on the laptops encrypted?
- Are computers (servers, PCs, and laptops) in a locked, secured room when you leave the office in the evening?
- In the event of fire or theft, is backup digital data in a fireproof safe, either on-site or elsewhere?
- Have you ensured that the client source documents in your possession are only copies, with the originals either stored securely elsewhere or returned to the client?
- Do you maintain a master list of all items entrusted to you and in your possession?
This list offers solid first steps to help you keep data on lock-down at your accounting firm. Next, you’ll need to offer email security training to your employees.
Enforce Email Security
66% of malware attacks are carried out through malicious email attachments. [3] These attacks start when a hacker sends an email with the goal of getting the recipient to download an attachment. The file in question could look like a financial report.
If the employee falls for the scam and saves the file, malicious software will start doing a number of things. It can lock the data on a computer or log keystrokes to collect important passwords.
Obviously, you don’t want any of this to happen at your accounting firm.
Follow these steps to prevent email malware attacks [5]:
- Tell your employees to never download files sent by unknown users
- Use a well-rated antivirus and make sure it is kept up to date
- Always have the latest updates installed
Set Password Rules
In 81% of hacking-related breaches, hackers use stolen or weak passwords. [3]
Have your employees use these best practices to protect passwords [6]:
- Avoid dictionary terms
- Encourage employees to never write down or reuse passwords
- Use multi-factor authentication (MFA). MFA grants access to users only after they have presented several pieces of information in addition to their password, and this security measure could’ve prevented the Deloitte hack
- If you’re unable to roll out MFA, encourage users to create long passwords that use numbers and special characters
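As an added illustration (not code from the article or its sources), the following Python checks a proposed password against the four rules above and rejects an administrator account that relies on a single password with no MFA, the weakness described in the Deloitte incident. The wordlist, the 14-character minimum and the per-user salt are assumptions.

```python
import hashlib
import re

# Constructed sample wordlist for the "avoid dictionary terms" rule; a real
# deployment would load a full dictionary and a breached-password list.
DICTIONARY_TERMS = {"password", "welcome", "summer", "letmein", "accounting"}
MIN_LENGTH = 14  # assumed firm policy; the article only says "long"

def history_digest(password: str, user_salt: bytes) -> str:
    """Digest used to keep old passwords for the reuse check without storing plaintext.
    Assumption: one fixed salt per user. The live login store should use a slow KDF
    (PBKDF2, bcrypt, scrypt); this digest is only for comparing against history."""
    return hashlib.sha256(user_salt + password.encode("utf-8")).hexdigest()

def password_problems(candidate: str, user_salt: bytes, previous_digests: set) -> list:
    """Return the rules the candidate violates; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()
    if any(term in lowered for term in DICTIONARY_TERMS):   # avoid dictionary terms
        problems.append("contains a dictionary term")
    if history_digest(candidate, user_salt) in previous_digests:  # never reuse
        problems.append("reuses a previous password")
    if len(candidate) < MIN_LENGTH:                          # long passwords
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"\d", candidate):                      # numbers
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", candidate):            # special characters
        problems.append("no special character")
    return problems

def account_problems(candidate, user_salt, previous_digests, is_admin, mfa_enrolled):
    """Password rules plus the MFA rule: an administrator account protected by a
    single password and nothing else is rejected whatever the password looks like."""
    problems = password_problems(candidate, user_salt, previous_digests)
    if is_admin and not mfa_enrolled:
        problems.append("administrator account without MFA")
    return problems

if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    history = {history_digest("Welcome2016!", salt)}   # constructed old password
    for pw in ("Welcome2016!", "Tr0ub4dor&3", "Q7!ledger-vault-92#k"):
        print(pw, account_problems(pw, salt, history, is_admin=True, mfa_enrolled=False))
```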
What to Do if You’re Breached
Even if you follow every IT security best practice, your accounting firm could get hit with a data breach.
Address these items if your accounting firm is hacked [4]:
- Immediately inform clients of the breach
- Consult the master list of the items with which your client has entrusted you, and begin the task of reconstructing what was lost or stolen
- Assist your client in contacting financial institutions, credit bureaus, and others to inform them of the potential for identity theft
- Notify your commercial and professional liability insurance carriers of the theft or fire loss
- Review your data security policy, and determine how to close the loophole that led to the breach
Cyber Liability Insurance Offers Extra Protection
A professional liability policy may not cover all the costs associated with data breaches. That’s why many companies offer cyber liability insurance to cover the costs.
Cyber liability policies often cover the following:
- Unauthorized access, unauthorized use, unauthorized disclosure, or theft of private consumer information, confidential business information, or other sensitive legal or client information occurring at the company or at a company vendor
- Cyber terrorism, extortion, or espionage
- Transmission of a computer attack or computer virus due to misuse of the company’s computer system
- Misuse of the company’s computer system, website, email, social networking, or other electronic communications resulting in harm to others
The Only Constant is Change
As technology evolves, so will the techniques of hackers. Don’t let a preventable slip-up lead to a leak of client information. Remain vigilant, and never stop reinforcing your firm’s cybersecurity.
This article is for informational purposes only.
[1] Burns, Janet. “Deloitte Hack May Have Exposed Emails, Passwords of Clients And Staff.” Forbes. 25 September 2017. Web. 18 December 2017.
[2] “Data Breach Statistics.” Breach Level Index. 2017. Web. 11 December 2017.
[3] “2017 Data Breach Investigations Report.” Verizon. 2017. Web. 11 December 2017.
[4] Dingler, Wilhelm. “Outsmarting the Identity Thief.” Pearl Insurance. 14 November 2017. Web. 18 December 2017.
[5] Matthews, Mike. “3 Steps to Prevent Malware Attacks Like WannaCry.” Internet Creations. 17 May 2017. Web. 21 December 2017.
[6] Winkler, Ira. “How safe are your passwords? Real life rules for businesses to live by.” CSO. 30 August 2017. Web. 21 December 2017.