The Devil is in the Email

Accountants learn best from their peers

Like all professional services providers, accountants see the most insightful and relevant learning opportunities coming from their peers. Hearing first-hand what other firms have done to solve specific problems in their business is when action takes place. The mantra of the smart man learning from someone else’s mistakes holds true. 

The problem with peer education around breaches and data security however, is it’s embarrassing and painful to share. Breaches of data mean breaches of client trust. Nobody likes to put their hand up to relive a painful experience on how they let their client down and lost money because of something that seems so stupidly preventable with the benefit of hindsight. 

Why action is being taken 

What’s encouraging is the shift in focus that we are seeing in the accounting industry. Cyber-security is no longer relegated to the bottom of the agenda in the partners meeting, and firms are actively reviewing the form of tools, staff training and policies to manage their risk.  

Interestingly the driver hasn’t been the legislation itself. The real catalyst for action has been the weekly flow of emails that accountants are seeing from legitimate and credible businesses known to them that are clearly (or not so clearly) bogus followed by a cap in hand message apologising and requesting that it be deleted. Embarrassment now public! 

A recent case in Far North Queensland saw an accounting firm infect three of its clients triggering a costly PI claim and a lengthy embarrassing reporting process.  

It’s an extra kick in the teeth when you’re trying to frame yourself as a trusted advisor, a trusted source of information, who happens to be spreading misfortune. There’s no catalyst for change greater than protecting and enhancing our reputation. 

The devil is in the email 

With the ATO’s operational framework mandating accounting apps to increase security measures with two factor authentication and the like, the soft target is now an accountant’s mailbox. Frequently inboxes hold years of correspondence and information ripe for fraudulent behaviour, the added advantage of being able to communicate on the victim’s behalf to propagate itself.  

Making that even easier is the current turf war that Microsoft Office 365 and Google Apps are in to convince us how convenient their mail systems are to login to and access. Nobody likes getting held up when accessing their email and immediate convenience almost always trumps security. This means login pages are simple to use and simple to hack. Both systems are open to automated brute force password cracking tools from anywhere in the world.  

How is the problem solved? 

Most firms are by now using a passwords capture tool to consolidate cloud logins and remain in control of app access however, this becomes trickier with email passwords as users generally need to be privy to in order to login to mail on their phone or login to their desktops (often an Office 365 identity is the same as the company domain identity needed to access work computers).  

The solution for protecting mail is using SAML (Google) or Federation (Microsoft) to unify your desktop, cloud app, email and mobile device logins into the same identity that can be controlled and tracked by the firm.  

This unification bypasses the standard Microsoft/Google login technology providing enterprise level security functionality making the chances of overseas or brute force intrusion far less. 

You can read more about SAML and what it means for your firm here 

This article was written by Jamie Beresford, CEO of Practice Protect, whose sole focus is protecting accounting firms’ reputations with tools, policies and education to keep data safe without sacrificing convenience.

Get Started With Practice Protect By Requesting A Free Cloud Security Consultation

The fastest and easiest way to learn more is to call us on 1300 010 114 or click here to schedule your free Cloud Security Consultation.