Cyber attacks are distinguished between "targeted" and "non-targeted" attacks. Thus, they are either directed to a specific recipient or, as an example, malware is sent by mail to a large number of email addresses either to one person or to the firm's general email addresses.
It's the attackers’ goal to do the greatest possible damage. Often a cyber attack aims to gain client data in abusive terms and misuse it for its own purposes.
Some firms also believe that their operation is too small and insignificant to be attacked by hackers. It’s a naive assumption, which, according to experience, runs through all German SMEs. Small and medium-sized enterprises make up 99 percent of all businesses in Germany. Of course they are targeted, too, especially if their IT security and cyber security know-how normally never have the standards necessary for the best protection.
For criminals, it is not a problem to attack thousands of targets at the same time with Trojans and viruses and wait to see who bites. No company is too small for hackers, not even an accounting and tax office.
So what do you do? Live with the threat and hoping that nothing happens?
Of course, hackers are not the only problem that tax consultants can face in the digital workplace. Problems related to the GDPR cannot be ruled out either. Often, privacy laws and their implementation in practice by firms are known insufficiently or not at all. The requirements for your profession and its operational practice under the General Data Protection Regulations (GDPR) have once again increased.
Penalties and warnings can easily be incurred, because the rules and laws of the European GDPR are not being sufficiently followed. Even medium-sized businesses in Germany have paid penalties of 20,000 to 100,000 euros, already. Possible lawsuits and claims for damages are not even included in the fines.
Fines: Infringement of the Data Protection Regulations (GDPR)
Compensation: Violation of information security rules
So-called malware is malicious software that reaches outside of your office equipment and causes all manner of damage. Not only will your computers be affected, but any smartphone, tablet or other device connected to the accounting office's network can become infected, causing damage to the entire IT system. Depending on how this malicious software was programmed, for example, work computers can be encrypted and released only after payment of a ransom; or it will steal customer or bank data, possibly even destroy entire hard drives and thus work already performed. How do you get malware on a computer? A couple of examples are phishing attacks or malvertising (banners with embedded malware).
The technical protection (firewall, virus scanner, etc.) of a tax office may be quite excellent, but if your own employees and colleagues are not adequately sensitized to the dangers from the network, even the best virus scanner does not help. The BSI found in studies (IT Security 2018 Management Report) that 70 percent of all successful cyberattacks on small and medium-sized businesses are made via phishing emails. These are supposedly and deceptively genuine e-mails from supervisors, colleagues, partners or service providers. As a tax consultant, if you follow a link in a phishing email or open an attachment, you can quickly infect your computer with malware and risk losing sensitive data and work.
The phishing emails mentioned are a popular form of social engineering, a tactic used by hackers and other criminals to fool tax office staff in order to bypass IT security and get sensitive customer or corporate data or money directly. However, there are other forms of social engineering that can be dangerous for accountants. For example, criminals could present themselves as repairmen to gain access to your office and computer. Of course, the false identity game can be continued via various communication channels, such as via phone or even social media. The hackers then use curiosity, social pressure, or employee fear to get them to do something (open phishing mail, install a program, share information).
Doxing - derived from the English word for documents (docs) - means a collection of sensitive, private or compromising files of individuals on the Darknet. Hackers use many ways to get this employee information from tax offices. Subsequently, the criminals use the documents to extort selected persons with the impending publication, influence (economically or politically) or to bully with the actual publication and publicly bring disrepute. The more hackers get this information because of bad cyber security measures, the easier it will be for your law firm or your employees to become victims of Doxing.
More and more tax offices and law firms use a cloud service to outsource parts of their data processing via an online service from an external provider (DATEV, Microsoft, Deutsche Telekom, Amazon, etc.). As a rule, these cloud service providers work with very high security standards to protect their customers' data. But the data in the cloud is not automatically safe from criminals. Hackers have many options read their employees’ login information and thus gain access to the cloud, such as by reading the browser memory (cache) or with the help of a keylogger. Spying software of this kind can arrive undetected through a phishing attack on your firm’s systems. Once the criminals have penetrated the cloud with these credentials, it is difficult for the cloud provider to determine if their use is unlawful.
Cloud service providers such as Amazon's DATEV and AWS provide convenient service to tax offices and law firms. But if your own data and sensitive customer data are no longer on their own physical storage media, this is not synonymous with higher security. Only with all around protection, including employee training, raised awareness and technical security solutions, can you effectively block criminals' access to your cloud and data.
Hackers know that people in a law firm are their weakest point in IT security. That's why phishing emails are such a successful attack tactic. 59 percent of all successful attacks are done through phishing (PwC: Im Visier der Cybergangster, 2017). You can therefore figure out for yourself how much safer your firm will be if your employees are properly trained. However, with regard to phishing, knowledge of cyber security and data protection does not stop there. Employees trained in all aspects of cyber security and privacy are openly reducing the risks of cyber incidents or data breaches.
Even if tax consultants and their employees have informed themselves about cyber risks, this is usually not enough to sustainably protect against cyber attacks. Proper behavior has to be integrated into the daily work and this only works through continuous employee sensitization. For example, phishing tests regularly raise employees’ awareness of your firm's biggest cyber risk for tax accountants: phishing emails. Soon, your employees will no longer fall for phishing emails, no matter how authentic they may appear to be.
Our phishing tests
Accountants, in particular, need a defined strategy for cyber security to ensure IT security, operation, protection of customer data and their own data. Such a strategy begins with a pragmatic and simple IT security audit, that identifies the status quo of internal cyber security. This is followed by a series of measures to close the identified weaknesses in IT security. In addition, clear guidelines must be drawn up that define the behavioral security of employees password hygiene, software usage, admin rights, device usage, etc.). There must also be a clear emergency plan, defining which steps must be taken by whom in any cyber incident. Of course, this also includes the follow-up and coverage of possible damage.
Our emergency assistance
Protect your tax office and customer data in four steps.
Perseus' approach provides a personalized service to tax consultants and tax office employees. Flexible cyber security and online privacy training informs all your colleagues and staff about cyber threats and how they can identify and avert them in good time. Regular phishing tests for your employees help them implement the acquired knowledge in their daily work.
Combined with cyber security tools, you are protected at multiple levels. And thanks to our 24/7 emergency service you are fully supported and secured, should it ever come to the point of damage.
1. Ongoing, uncomplicated IT security check of your law firm
2. Raising awareness of your employees through flexible online training, including certification for data protection and cyber security; plus regular phishing email simulations
3. Technical cyber security toolbox
4. 24/7 telephone assistance and reimbursement in case of emergency
So you can take care of your business.
Our Cyber Security Package is optimally adapted to the needs of freelancers, such as accountants and tax consultants, but also their clients, small and medium-sized businesses, an uncomplicated online service that you can effortlessly integrate into your daily work routine, without wasting expensive installations or yours and your employees’ time.
Arrange a free demo appointment with our
IT security experts. We look forward to meeting you.
+49 30/95 999 80 80 (Mon - Fri 09:00am - 6:00pm)
With these services, we make your office secure.
Hacker attacks are a race against time! Our experts support you around the clock and at the slightest suspicion of a cyber attack, by phone and email. Discretion is important to us - your request is always treated as highly confidential.
Hackers try to get your corporate and customer information through fraudulent mail. By pretending to be a person (colleague, boss) or organization (bank, service provider) outside the office, the hackers manipulate your employees. With counterfeit phishing emails, Perseus regularly sensitizes its employees to develop a healthy dose of mistrust for this danger in the future.
Technical helpers for more security such as browser check, password generator, data security check and email scanner are all included in the Perseus cyber security package. Easily accessible online for all your employees, without additional installation.