IPH cyber breach highlights risks for accounting firms

The recent IPH cyber security incident, which impacted the document management systems and practice management systems of two of its subsidiary companies, is an important warning for accountants in terms of document management, says UNSW associate professor Rob Nicholls.

IPH first detected unauthorised access to a portion of its IT environment on 13 March with preliminary analysis identifying that Griffith Hack and Spruson & Ferguson had been impacted.

Documents contained with the document management systems of these two firms included client documents and correspondence.

Given that these firms are two of the biggest patent attorneys and IP lawyers in Australia, Mr Nicholls said the information that was accessed was potentially quite valuable.

“There were confidential advice files between the lawyers and their clients and some of documents were things like patent applications that likely won’t be applied for a few months,” said Mr Nicholls.

“There would be information about the patent shared between the IP lawyer and the client which has value in itself.”

If a similar type of cyber security incident were to occur involving a document management system or practice management system used by an accounting firm, this could have significant repercussions.

“For many accounting businesses, [unauthorised access] to confidential client information could lead to embarrassment or repetitional harm to their clients,” Mr Nicholls said.

“Even if it just simple advice advising against a particular strategy because it’s on the borderline of tax avoidance or evasion, just that alone could be incredibly embarrassing to the client, regardless of the steps that the client took next.”

Accounting firms should therefore think carefully about their outsource providers and how they’re managing their client’s data.

“You need to consider whether your providers are holding records at the same level at which you would want your records held if you were a client of the business,” said Mr Nicholls.

Practice Protect chief executive Jamie Beresford said access and storage are two of the key elements with data security.

“Access is where and how humans are accessing the data and that’s what gets targeted rather than the storage itself,” said Mr Beresford.

“While a lot of people think that cyber criminals are going to hack through their firewall and get to all their files, that’s not what hackers do. Hackers trick people or leverage shortcuts in the way that people access information.

“That’s why we say cybersecurity is a human issue because it’s all about tricking a user into giving them a password or clicking something they shouldn’t, so that they can gain access, using that legal method of access that a normal user would use.”

While data security is about controlling access, it also needs to be easy for employees, outsourced team members, providers and other external parties to access the information they need.

“For example, if someone is starting at a company and on day one they’re given ten different passwords for 10 different applications such as their practice management software, their document storage, their email and the many other apps they need to use, and they have to sign up to all those individually, that creates what we call password sprawl,” he said.

Instead, firms are better to consolidate access by having a single sign on.

“This means that instead of creating multiple accounts across all the different applications, they can use a single sign on platform with one set of credentials that is controlled by multi-factor authentication and location control, but they only have one account,” he stated.

“That account controls access to all the other applications that the firm uses.”

Accounting firms may therefore want to look for practice management software that use security assertion markup language (SAML) or OpenID.

“What that does is allow the application to join another identity platform,” said Mr Beresford.

“SAML and Open ID are technologies that a provider writes into their code that allows them to use a consolidated identity rather than creating their own.”

If the software provider doesn’t use Open ID or SAML, then they should at least have multi-factor ID, he advised.

Firms may also want to consider geo-blocking as part of their controls on access.

“If someone wants to work from home, then that’s not a problem but it will prevent them from logging in on from their Uncle’s house up the road,” he said.

“You might want to put some controls in place to lock them from their home office, or on a work controlled computer, for example.

“Another example is where a firm may give someone a company laptop that’s controlled and with no viruses on it and you’ve got management over that device. You’re going to be completely comfortable with your staff accessing your client’s data on that but you may want to stop your staff from logging in on their 16 year old nephew’s computer that’s full of viruses. So you want to be able to restrict to a specific device.”

One of the most important tips for keeping client data secure is to avoid sending files through email.

“Email is the number one entry method for hackers because there’s just so much data in there,” he said.

“There’s a huge risk in having those files just sit there forever.”

Firms should instead use a file transfer utility or if they need to use a file sharing platform like Dropbox or SharePoint then the share link should have an expiry.

“It should be set up so that it expires in 14 days or whatever is required. That way, when clients have accessed and downloaded it, they’re not going to have it sitting there forever,” he said.