Tax Season Hack

Why Accountants Need Encryption Now More Than Ever

Now that we’re past the mad rush for spring filings, it’s time to take a breath, reflect, and think about the future. There is a dark reality brewing on the horizon, and for some small- and mid-sized businesses it has already arrived.

Not long ago hackers focused their efforts exclusively on large companies. The payoff for a successful attack was enormous as many of these targets weren’t taking data security (protecting their customers) very seriously.

Headline news stories appeared almost weekly spotlighting the latest breach. Millions upon millions of records were stolen, often because someone in an admin position mishandled their login credentials. Even companies like Equifax, with a massive IT organization, made security mistakes which cost them (and some 145 million U.S. citizens) dearly.

Fast forward to today. Many things have changed; some of these changes are good, others are not. On the positive side, more companies are realizing that a graceful recovery from a breach is no longer good enough. Many of these large companies are thinking differently about how they handle sensitive data in order to prevent a breach. They are using better encryption methods, taking better care of credentials, and diversifying their data risk by spreading it out across many secure servers (instead of inside one big repository where a hacker sees a giant bull’s-eye). While there’s still much more work to be done, these larger companies with cash to spare on security improvements are without a doubt getting smarter.

On the negative side, hackers are getting smarter too. And as a result, they are changing strategies. No longer are they focusing efforts exclusively on large companies which historically had the best return for their efforts. Today, the true goldmine of sensitive data is small- to mid-sized businesses that are still way behind the curve when it comes to digital security.

Another negative is an increasing reliance on mobile devices for doing business. While mobile devices usually have fairly strong native security (biometric authentication, encryption, etc.) they are also ripe for attacks via SMS. There is also a new wave of mobile ransomware attacks where a device suddenly becomes locked pending payment in bitcoin to some anonymous hacker.

A Lack of Awareness

According to a 2017 study by the Better Business Bureau[1], about a third of small-business respondents had never heard of ransomware. Equally as alarming, a quarter of the people surveyed had never heard of phishing.

While some small businesses might understand the attack vectors, many routinely make mistakes that have the potential to wipe them out. For example, a large number of small businesses – including accounting firms – are still using free, public email (Gmail, Yahoo, Hotmail, etc.) to share extremely sensitive information. Also, client records are being kept inside the free versions of some popular cloud storage companies who routinely indicate a lack of focus on security. These same small businesses are likely using outdated operating systems that are ripe for a ransomware attack.

Another survey, conducted by Nationwide[2], reports at the end of 2017 58% of small businesses claimed to have been the victim of a cyber attack; and this number is predicted to grow as the toolset for widespread distribution of smaller attacks becomes a hacker commodity.

Unlike the larger companies who have teams of lawyers ready to execute a damage control plan in the event of an attack, most small businesses can’t recover from a breach of their clients’ sensitive data. Consider for example an accounting firm with only 20 clients. If 15 clients decide to take their business elsewhere (someplace perceived as being more secure), the financial impact will be devastating.

Protecting Data

The good news is that there are some very simple and inexpensive things that can be done to protect your accounting business from an attack. And while none of these are foolproof, they can drastically reduce the risk of a breach.

  • Use encryption. If you store digital copies of your files, make sure you encrypt them with keys that only you can access. There are many free cloud storage companies that claim to offer encryption, but bear in mind that the free version almost always means that your key is the same key used by many other users of that system. Read a little about the encryption technology used by these systems and looks for “unique” keys.
  • Stop using email to share important information. No matter how convenient or how ubiquitous email may be, it is never secure. Phishing is the second most common type of cyber attack (behind computer viruses) and it happens inside your email inbox. There are some encrypted email products, but they are generally very hard to use and require software installations on both the sender and recipient email accounts. There are better ways to share securely.
  • Use a strong and unique password for your important data. One of the most common mistakes people make is to reuse passwords for many accounts. While your bank might have strong security, your local neighborhood watch group might not. And if your neighborhood watch password is the same as your bank password, this could lead to trouble. Another common mistake is to use a guessable password. An easy solution to this problem is to use a passphrase instead of a password. A passphrase is a combination of three small words that are easy for you to remember but extremely difficult for a human or a computer to guess. Add example of a passphrase: “doggaragedroplight.”
  • Diversify your risk. Don’t store all your important data in one place. If possible use unique encryption to segment the data so that a breach only impacts one client or one project. You can survive a breach if you can keep the losses to a minimum.
  • Beware of the back door. Almost every system that requires a password for access also has a way to “reset your password.” What this really means is that the provider of this system can get into your account. And a common way of resetting passwords is through a code sent over SMS (text messaging). Many people don’t know that SMS has an easily exploited security hole that could easily allow a hacker to grab that code and take ownership of your account. Look for systems that allow you to disable the “reset your password” feature and that don’t use SMS for authentication.

As stated by Theodore Roosevelt, “In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.”

With the craziness of tax season behind us, there is no better time than right now to start implementing the habits and technologies that will keep your data and your clients safe.


[1] 2017 State of Cybersecurity Among Small Businesses in North America

[2] Nationwide Survey: Nearly Half of Business Owners Have Been Victims of Cyberattacks — But Didn’t Know It. October 09, 2022

Dave Martin, VerifyleAbout the Author
Dave Martin is Vice President of Marketing at VeriFyle, a provider of secure messaging and file sharing solutions. He oversees corporate communications, brand strategy, website and customer acquisition.

Say something about this...
Share on Facebook
Tweet about this on Twitter
Share on LinkedIn
Email this to someone
Print this page