In accounting firms and their clients’ businesses, malware attacks are becoming an almost inevitable fact of life. How will you respond to an attack?
By David Braue
For years IT experts have been warning of the dangers of malware – small programs (malicious software) that users accidentally install on their computer by, for instance, clicking a link in an email. Yet for years the malware threat has been regarded as relatively low-level. Now it is officially on the rise as a business threat.
The Australian Taxation Office (ATO) has formally warned tax professionals of an “increase in practices that have had their computer systems affected by malware”. It also singled out “ransomware”, a particularly nasty form of malware that encrypts users’ files and then announces they will be decrypted for a fee.
The ransomware threat is growing particularly quickly. Recent figures from security firm CyberArk Labs suggested a 35 per cent yearly increase in ransomware attacks. A late 2015 report produced for a group of security software firms estimated that just one piece of ransomware – called CryptoWall – had produced more than 407,000 attempted ransomware infections and successfully extorted US$325m from victims in just nine months of 2015.
For most companies, the risk of a security breach is no longer measured in terms of if it will happen, but when. Security specialist Mandiant Consulting warns that malware can hide for an average of 146 days before being discovered – even within enterprises that have dozens of security staff whose jobs revolve around keeping up with malware threats.
Jon Oliver, a senior architect at security specialist Trend Micro, says 2016 has brought more than 50 new families of ransomware so far, when only about a dozen were in operation in 2015.
“Accounting firms, doctor’s surgeries, hotels and the like all require their computing systems to run on a day-to-day basis,” he adds, “but they are the least likely, compared with enterprises, to have sophisticated backup solutions. So where ransomware might be annoying in an enterprise, they would typically not be forced to pay because they have a backup. But for an SME it is a very big issue – and that’s why you’re seeing payments escalate.”
Education and systems
Tax professionals and other businesses generally take precautions such as shredding sensitive printed information after it’s no longer necessary. Many businesses cannot say with confidence that their electronic data is managed as carefully – or that they would even know if it were stolen or copied by stealthy malware. That underlines the need for staff education and strong security systems.
Michael Gianarakis is a former Ernst & Young and Deloitte accountant who now works as Asia-Pacific director with Trustwave’s SpiderLabs operation. He says accounting has traditionally been an industry where “there has not been a lot of security maturity, and clients typically don’t have a very good understanding of their exposure … getting accounting employees to think in a security mindset is not very common.”
CryptoLocker – perhaps the most notorious ransomware strain – infects Windows PCs, encrypts their data and then displays a message telling the PC owner the files will only be decrypted if a payment is made by a particular deadline. One accounting firm recently hit by CryptoLocker recovered its data with help from strategy and systems firm Geek IT and a new continuous-backup system that had been installed just a week earlier. Yet Geek IT founder Jon Paior says employees kept clicking on malicious attachments – even though ransomware had just brought the business to its knees. Avoiding basic security errors therefore requires a serious effort at education and culture change.
The Tax Practitioners Board underlines the importance of having staff and systems that keep client data safe. A board spokesperson confirmed to intheblack.com that tax practitioners must ensure that “they do not disclose any information relating to their client’s affairs to a third party without their client’s permission”. That, says the board, means that registered tax practitioners “need to ensure that they have appropriate arrangements in place to prevent disclosure”. The board’s sanctions “depend on the severity of the breach and any mitigating circumstances, including what arrangements the tax practitioner had in place to avoid inappropriate disclosure of their client’s information”.
Developing the response
The first step for any firm hit by ransomware or other malware is to undertake technical remediation or call in experts well-versed in dealing with such infections. Security experts have had some success in breaking the encryption used by some ransomware strains, and the applications themselves are often easy to remove once the data has been recovered. Other malware, however, can be extremely difficult to find and remove.
Recognising that small firms and their clients likely lack the extensive security capabilities to deal with malware on their own, security giants Symantec and Check Point Software Technologies recently began offering Australian customers access to 24/7 incident response services that provide rapid access to skilled security specialists.
Such services can help businesses minimise damage and losses in the event of a malware attack, but experts warn that the concentration of sensitive information in accounting systems makes it imperative that firms develop malware response policies for themselves and their clients, long before being confronted with the choice of paying up or losing business.
“The time to be having a discussion about whether an organisation is prepared to pay ransom, or not, is not in the middle of a successful attack,” IBRS analyst James Turner advises. “It is vital that business leaders understand that all organisations must raise their technical hygiene and resilience practices to help prevent ransomware.”
Recovering from data breaches is a complex and demanding effort that extends far beyond the immediate impact of the stolen information. For example, accountants may be called upon to audit business data for veracity. Businesses hit by ransomware, in particular, may need to reconstruct key data from recent backups or ongoing financial records.
When the practice is hit
When professional firms themselves are hit by ransomware or other malware, the initial task of diagnosing and containing the infection is followed by an even more painful one: telling clients that the firm has been hit and their data may be compromised.
Some forms of malware will quietly send a wrongdoer clients’ personal information, business details or even the target firm’s ATO credentials. That has led to cases where fraudsters lodged false tax returns, BAS statements and other documents to claim fraudulent refunds. When this theft is facilitated through a malware breach, a firm may not know it has happened until it receives a please-explain from the ATO – and the consequences can be severe.
The ATO is urging full disclosure by any practice that is attacked. Tax professionals should contact its hotline on 1800 467 033 if they have received a ransom demand or their systems have been breached. Full disclosure also means immediately letting clients know about the problem, and maintaining good communication so they know that you’re addressing it, and how. The ATO may contact clients itself if irregularities are detected, which makes fast client communication a commercial necessity. In the longer term, governments including Australia’s are considering laws that would require firms to notify customers of data breaches.
Faced with the inability to access their files, and lacking any other way to recover them, some small businesses have come to accept paying the occasional ransom demand – usually several hundred dollars – as a cost of doing business. That approach comes with big practical risks. As the ATO warns, “There is no guarantee you will get access to your files or that scammers will not demand further payments in future.” Beyond that, IBRS analyst James Turner recently noted that paying up may also pose ethical issues for businesses, as their ransom is funding organised crime.
In any business, the temptation to pay in order to recover the files is strong. However, payment may not solve the problem: some strains of ransomware persist even after payment, recording passwords and taking screen grabs of employees’ everyday work. Others delete your files even after you’ve paid the requested sum.
The ATO notes that if a breach is suspected, it can take several steps to make clients’ records more secure:
- Issuing an alert to ATO staff to seek additional proof of record ownership from an affected firm’s clients
- Monitoring clients’ records for irregular activity
- Employing additional security measures, such as checking AUSkey applications in more detail and preventing business activity statements from being issued automatically
- If it’s warranted, assigning a relationship manager to help manage the issue
A security culture
Insurers like QBE have launched cyber-insurance policies that can help address damages after a cyber-attack, but they also expect clients to take precautions.
Ben Richardson, a professional lines underwriter with QBE Australia and New Zealand, says an attack is a signal that the organisation must boost staff awareness of security issues.
That should be followed by IT security investment and more communication to all staff within the business about likely threats and the escalation procedures in place to deal with attacks, he says. Baseline technical precautions include an anti-virus system, firewalls to protect internal and external networks, and frequent backup of data to a secure third-party location.
Experts stress the need to develop a culture that understands and values data security. Says Richardson: “The challenge is detecting and responding to the unknown threats as hackers are continuously evolving. The worst thing a business can do is get into the set-and-forget mindset when it comes to this issue. It’s a continuous process.”