The accountants at my firm are invested in all aspects of our clients’ businesses, including the ways their success and security could be threatened. Our team is very focused on cybersecurity, and we spend a great deal of time studying the methods and motivations of attackers. Most people are only vaguely aware of the threats that surround them continuously. We see examples frequently that are fascinating and terrifying at the same time.
Our firm invests in top-of-the-line firewalls, antivirus, spam filters, and of course training, as do many other companies. These tools are vital and do mitigate some threats, but the truth is that the human users are often the weak link in the defense chain. For this reason, we continuously stress that the best defense a company can mount is to be vigilant, proactive, and educated. This goes for any type of company, whether it is an accounting firm, a feed supply business, or a family farm. No one is safe from these threats. I’ll share a couple of examples that drive home why it is vital to pay attention in order to protect yourself and your company.
Late one evening not long ago, a colleague of mine reached out to our firm’s IT Director, stating that he had started receiving spam emails at an alarming rate. Within a couple of hours he had received thousands of messages from around the world, often in foreign languages such as Dutch, Russian, Swedish, and Chinese, and it did not appear to be letting up. IT asked him to forward a few examples for examination and to take a moment to check his online accounts, such as PayPal, Amazon, and the like. IT had a strong suspicion of what might be happening to him.
IT called him again the following morning and together they did some further investigating. As my colleague was carefully deleting the spam messages, he found an email from a major retailer acknowledging his “Online Order.” Someone had accessed his account, changed the billing and shipping address, and placed a $1,000+ order at approximately 7 p.m. the previous night. Fortunately, he called the retailer and canceled the transaction before it shipped, then changed his account settings and password to prevent further misuse. In this case, the attacker “spam bombed” him a few hours before using his account. By sending thousands of spam messages, they hoped the deluge and clutter would cause him to miss the account-change and order notifications from the retailer, and therefore not catch it in time. The lesson is that a sudden flood of junk mail is itself a warning sign: rather than simply deleting it, search the inbox for order confirmations, password-reset and address-change notices from retailers and payment services, and log in to those accounts directly to check for unexpected activity. Because he was vigilant, proactive, and educated, our team stopped it.
Another recent example we encountered at a client was an email received by a team member of the company that appeared at first glance to be from a senior manager. The message was innocuous enough, and simply asked “Are you in the office today?” The team member noticed that the sender’s actual email address was NOT the senior manager’s address, even though the display name matched, and reached out to us for direction. This email is a prime example of spear phishing. In this case, the attacker is deliberately targeting an individual by masquerading as someone the user knows and trusts, in the hope of getting the employee to engage. The first message is intentionally harmless so that a reply establishes a conversation. Had the employee taken the bait and casually assumed he was communicating with the senior manager, the attacker would likely have followed up with a file attachment such as a spreadsheet or PDF and asked him to take a look at it, or with a request to buy gift cards or change a payment. Such an attachment would almost certainly have carried a payload such as a trojan or ransomware. The check that saved him is simple and worth repeating to every employee: look past the display name at the actual address, and confirm any unexpected request through a channel you already trust, such as a phone call. Because he was vigilant, we stopped it.
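The two tells in the stories above, a display name that does not match the sender’s real address and a flood of junk that buries a retailer’s order notification, can both be checked mechanically. The following Python script is an added example written for this article, not a tool from the firm or its IT department. The staff directory, the watched retailer domains, the alert phrases, and every message in it are constructed for illustration.

```python
"""Two small checks for the situations described in the article (added example,
not the firm's own tooling): a display-name spoofing check for a suspected
spear-phishing message, and a triage that pulls account-change and order
notifications out of a spam flood. All names, addresses, domains and messages
below are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple, Union

# Constructed staff directory: lower-cased display name -> the address that
# person really sends from.
DIRECTORY: Dict[str, str] = {
    "jane doe": "jane.doe@example-firm.com",
}

# Constructed list of domains whose mail must never be buried: retailers and
# payment services the user holds accounts with.
WATCH_DOMAINS = {"example-retailer.com", "example-pay.com"}

# Subject phrases that usually mean money was spent or an account was changed.
ALERT_PHRASES = ("order", "shipping address", "billing address",
                 "password", "new sign-in")


def as_message(msg: Union[str, Message]) -> Message:
    """Accept either raw RFC 822 text or an already parsed Message."""
    return message_from_string(msg) if isinstance(msg, str) else msg


def sender_parts(msg: Message) -> Tuple[str, str, str]:
    """Return (display name, address, domain) from From, all lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def spoof_reason(msg: Union[str, Message],
                 directory: Dict[str, str] = DIRECTORY) -> Optional[str]:
    """Explain why a message is suspicious, or return None if it is consistent.

    Catches the case in the article: the display name matches a known colleague
    but the actual address does not. Also flags a Reply-To that sends replies
    somewhere other than the From address, a common follow-on trick."""
    msg = as_message(msg)
    name, addr, _ = sender_parts(msg)
    expected = directory.get(name)
    if expected and addr != expected:
        return f"display name '{name}' belongs to {expected}, but mail came from {addr}"
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        return f"Reply-To {reply_to} differs from From {addr}"
    return None


def triage_flood(raw_messages: List[str],
                 watch=WATCH_DOMAINS) -> Tuple[List[Message], List[Message]]:
    """Split a flood into (important, noise).

    'Important' is mail from a watched domain or anything whose subject
    mentions an order or account change, which is exactly what a spam bomb
    is meant to bury."""
    important, noise = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, _, domain = sender_parts(msg)
        subject = (msg.get("Subject") or "").lower()
        if domain in watch or any(p in subject for p in ALERT_PHRASES):
            important.append(msg)
        else:
            noise.append(msg)
    return important, noise


# Constructed sample mail: one spear-phish, one real note from the colleague,
# and a retailer notification hidden among junk in several languages.
PHISH = ("From: Jane Doe <jane.doe@mail-freehost.example>\n"
         "Reply-To: jd.private@mail-freehost.example\n"
         "Subject: Quick question\n\nAre you in the office today?\n")
LEGIT = ("From: Jane Doe <jane.doe@example-firm.com>\n"
         "Subject: Re: Q3 numbers\n\nSee attached.\n")
FLOOD = [
    "From: newsletter@random-shop.example\nSubject: Nieuwsbrief\n\n...\n",
    "From: orders@example-retailer.com\n"
    "Subject: Your online order has been received\n\nShipping address updated.\n",
    "From: promo@another.example\nSubject: Скидки\n\n...\n",
]

if __name__ == "__main__":
    print("phish:", spoof_reason(PHISH))
    print("legit:", spoof_reason(LEGIT))
    important, noise = triage_flood(FLOOD)
    print(len(important), "important,", len(noise), "noise")
    for m in important:
        print(" ->", m["From"], "|", m["Subject"])
```

The directory lookup only protects names that are in it, so in practice it would be fed from the company address book, and the watch list from the services each person actually uses. Neither check replaces the habit the article recommends, confirming an unexpected request by phone, but both turn a gut feeling into something a mail filter can apply to every message.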
Every company faces these threats on a daily basis. Sadly, we see far too many professionals demonstrate a gross lack of understanding of the risks these threats pose to their organizations. They believe that because they have invested in the latest firewall or security software suite, they have adequately protected their information assets. Properly configured hardware and software are certainly vital components of an effective cybersecurity program, but equally important are guidelines, policies, and procedures that are carefully designed, documented, implemented, and enforced. And, of course, security awareness training for all employees is absolutely required so that attackers cannot easily compromise the system by tricking people into granting them access. After all, a company can spend millions on security software, hardware, and physical doors and locks, but it is all useless if an employee leaves a door or window unlocked.
Again, every business, no matter the industry, should work to safeguard itself from the types of attacks outlined here. I share all of this with you in my monthly finance article because falling victim to cybercrime can be costly and devastating to your finances. As always, please reach out to me with questions.
Brian E. Ravencraft, CPA, CGMA is a Principal with Holbrook & Manter, CPAs. Brian has been with Holbrook & Manter since 1995, primarily focusing on the areas of Tax Consulting and Management Advisory Services within several firm service areas, with an emphasis on agri-business and closely held businesses and their owners. Holbrook & Manter is a professional services firm founded in 1919, and we are unique in that we offer the resources of a large firm without compromising the focused and responsive personal attention that each client deserves. You can reach Brian through www.HolbrookManter.com or at BRavencraft@HolbrookManter.com.