Security: Make it a business priority, not a business regret

Should you click on that link? Discover what happens when you don’t take cybersecurity seriously in your accounting firm.

Last Updated November 25, 2024

Category Cybersecurity

Throughout my career, I’ve witnessed firsthand the chaos that cybersecurity risks can create in accounting firms. Without diving too deeply, I’d like to share a couple of those stories with you.

The cost of carelessness  

Several years ago, I watched as an accounting firm found itself in a crisis that could have been easily avoided with proper cybersecurity measures and practices in place… 

It all started with a single staff member working on an unmanaged device. This absence of security left her susceptible to a seemingly harmless phishing email. She clicked a link, inadvertently exposing her credentials to a hacker who gained a foothold into the firm’s systems. 

With access to the employee’s inbox, the intruder began quietly watching like a spy. Over several months, the bad guy absorbed the nuances of company communications. This included how employees interacted with clients and the terms they used with each other. This surveillance allowed them to craft messages that mimicked legitimate company correspondence.

As if it couldn’t get any worse…

Armed with an understanding of the firm’s operations and culture, the hacker executed their fraud. They created inbox rules that automatically deleted certain emails, hiding their activity from the employee, and then impersonated a client, requesting a large financial transaction that mirrored actual client requests. The email was so convincing that it resulted in the unauthorized transfer of nearly $500,000.

Imagine the surprise when, several days later, the actual client called to ask about the missing money. This prompted an immediate, chaotic triage: identifying and isolating infected devices, followed by a comprehensive audit of devices and email accounts that uncovered additional compromised mailboxes.

Even simple cybersecurity measures, like a secondary confirmation through a phone call, could have prevented the firm from being shorted half a million dollars. I don’t know the full cost of legal fees or insurance ramifications, but skimping on a few dollars monthly to cover all devices certainly had an outsized impact on someone’s bottom line.

A Friday afternoon frenzy  

One summer Friday afternoon, I was cleaning up for the weekend when our support team received a frantic call from a client at a very large firm. An executive operating from a personal computer at a vacation house had clicked on a malicious link, triggering chaos. Their email account immediately began sending emails with malicious links to everyone in their contact list, including clients and coworkers. 

This became a problem spiraling into pure chaos… 

Trusting the authority of the sender, several coworkers clicked on the link. Fortunately, those at secure workstations or using secure email instances were shielded, but the malware spread from personal devices, leading to a flood of calls from concerned clients to the firm’s main phone number. 

Despite our security alerts successfully halting the malware on managed machines, the infection continued to grow on unsecured devices. The risk of the malware spreading to every client loomed over them, threatening to exponentially grow every few minutes. 

Because we couldn’t stop employees from logging in to their network from personal devices… 

We proposed a drastic solution… 

Shutting down the firm’s entire network. 

While disruptive, this would be crucial in preventing further damage and preserving the firm’s reputation. It was especially important given the upcoming weekend, when firm employees were unlikely to read internal emails and would likely be going about their day on personal devices.

At this point, the COO was uncomfortable making the call, so we ended up conferencing in the CEO from his vacation. To say he was irritated is an understatement. Despite initial “resistance” (which is to put it nicely), he came to understand the potential reputational damage after a lengthy (and time-consuming) conversation. 

So, midway through the afternoon, we pulled the trigger and shut down access to the firm’s network.  

The outcome? 

Over the weekend, our team worked overtime to clean all devices, including unmanaged ones. And I’m proud to say that by 9 a.m. on Monday, we had restored access and cleaned everything thoroughly. The invoice the firm had to pay for our work was significant but paled in comparison to the potential loss of business and reputation had the attack continued. I’m also happy to report that several years later, the firm participated in a very large merger that I believe would not have occurred had its reputation been tarnished. 

Still wondering why cybersecurity matters in your firm? 

These are two of the many examples I’ve personally witnessed that illustrate the catastrophic impact of short-changing security measures. Say it however you want: Penny-wise but dollar-foolish; an ounce of prevention prevents a pound of cure; leaping over dollars to chase dimes. Whatever your phrase, the cost of prevention is far less than the cost of recovery.

Remember, this is about more than preventing financial loss. It’s about safeguarding your firm’s integrity and credibility, your staff’s time and peace of mind, and perhaps most importantly, your weekends! 

Don’t find yourself in the same predicament as these two firms. Work with a cybersecurity partner—we can help.