Mike Newman: Driving phishing resilience in accountancy firms

Mike Newman

Mike Newman highlights the severe threat of phishing attacks and the importance of credential security for accountancy firms to defend against hackers attempting to steal sensitive data and login credentials.

Earlier this year, the world was left awestruck when Mary Callahan Erdoes, the head of asset and wealth management at JPMorgan Chase, publicly announced that the organisation faces 45 billion hacking attempts every day.

This massive figure equates to over 520,000 hacking attempts every second, highlighting just how determined criminals are to compromise financial institutions.



It’s safe to say few other financial institutions will possess the same resources to keep safe in the digital world, but this doesn’t make them any less of a target.

Criminals go where the money is, which puts accountancy firms directly in the firing line. This means they must use the figures from JPMorgan Chase as a catalyst to improve their defences.

So, what are the key threats accountancy firms need to be aware of and what steps can they take to improve their resilience against them?

Understanding today’s top attack vectors

The number one threat to any organisation in the digital world today is phishing. In most cases, criminals use phishing to trick employees into handing over corporate login credentials, because once these are in their possession, they have access to corporate networks, where they can steal data or execute a ransomware attack.

The biggest risk with these types of attacks is that the activity is not spotted as malicious by security tools. If an employee is duped by a scam and hands over their corporate login credentials, they will never realise they have done anything wrong. This means the attacker can log in to the network and access and steal sensitive data, but because they have logged in using legitimate credentials, security teams and tools will never detect anything malicious until it’s too late.

Within accountancy firms, this problem is heightened because of the volume of credentials accountants manage. From login details to access the corporate network, to credentials for Government Gateway and ASA accounts, or even the details of clients’ online banking platforms, accountants manage multiple logins which criminals consistently work to compromise.

To heighten the problem, criminals understand that in many cases passwords for client accounts are shared among multiple team members within accountancy firms. This often leads to passwords being stored in Word documents or spreadsheets on central drives without any security. When a criminal does manage to get access to the corporate network, this is the first thing they will hunt for.

So, what can accountancy firms do to improve the security of the credentials they manage?

Driving phishing resilience through credential security

The number one goal for phishing actors is to steal credentials from employees, so the best defence is to bolster security around credentials so they can’t be stolen.

One of the best ways to improve security is by removing credentials from the hands of employees by using single sign-on (SSO) and enterprise password management tools. These tools remove passwords from the hands of the workforce, enabling them to access all the applications they need to perform their roles, without the need for them to ever see, know or enter passwords.

A further security addition for accountants is the ability for these tools to integrate with platforms like Government Gateway. This provides a secure mechanism for storing and sharing access to Government Gateway accounts among team members. Accountants can access all the Government Gateway accounts they need via a single login, and they never have to see, know, or manage passwords, which means they can’t be tricked into revealing them via sophisticated phishing scams.

Phishing is a major threat to all organisations today, but accountancy firms are especially vulnerable because of the volume of credentials they manage. Criminals understand that one successful phishing attack on an accountancy firm can provide big returns, so it is essential that firms take steps to bolster their defences against these attacks today.

Mike Newman is CEO of My1Login
