To capture the spirit of St. Patty’s day, let’s discuss a cunning technique that nefarious leprechauns use to steal your pot of gold: cyber extortion. Boiled down, cyber extortion is an age-old blackmail scheme with a digital twist.
It starts with an unlucky target, such as a database housing sensitive information. A leprechaun (read: hacker) infects the target with ransomware or otherwise restricts access. Then — like an Oscar-worthy Hollywood villain — the leprechaun demands money, adding caveats to expedite the payment. For example, if payment is not received promptly then the leprechaun will delete the data or share it publicly. Of course, to really pack a punch, losing the data forever or having it leak to the world is hard for the data owner to stomach because, you know, absolute ruin is compelling.
Once the leprechaun receives payment, assuming all conditions are met, data access is restored and everyone can breathe easy again.
It’s high time accountants get cyber extortion on their radar to avoid this unpleasant experience and protect themselves from paying a sizable ransom. A recent Accounting Today article cites that cyber liability is a growing threat and accountants are prime targets. Given the types of information accountants are privy to these days, it’s not a huge surprise someone might want to hold it hostage.
Here are a few dos and don’ts for accountants (especially those at smaller firms) to consider with regard to cyber extortion:
Do use an encrypted email service. Once hackers compromise an email system, all bets are off. For many cloud-based systems, access is only a “lost” password request away. Click on that password reset email link and bingo. A hacker doesn’t even need to use ransomware to break in and restrict access. Email passwords must be closely guarded and encryption is vital during email transmission and storage.
Do consider a cyber liability insurance plan. Cyber liability insurance plans cover claims arising from hacking attacks (including ransomware) and loss of sensitive data. Policies often reimburse for ransom payments, client notification expenses, legal fees, credit monitoring subscriptions, and forensic service fees. The AICPA offers CPA NetProtect underwritten by Continental Casualty Company (CNA). CPAGold and Camico are other options with varying cyber liability coverage. And, if laptops simply go missing on a regular basis, some policies even cover the cost to recover or recreate lost data.
Don’t assume general liability insurance covers cyber claims. Cyber claims are not usually covered under your run-of-the-mill error and omission (E&O) insurance coverage. It would be very unfortunate to get denied for a claim after assuming the premiums you already pay will cover it. Be sure to check pronto.
Don’t assume your cloud storage provider has cyber liability insurance. Relinquishing your control of servers to a third-party service provider means the risk management is passed off to the provider, right? Maybe… maybe not. Attorneys suggest that you “review your contracts to determine whether or not you are still legally responsible for the security of the information you store in the cloud.”
Don’t assume a Mac will protect you. Just last week a new ransomware hit the scene, attacking the previously impenetrable Apple fortress. Reuters reported this was the first time Apple has been hit with a large scale ransomware infection. Moral of the story: No one is safe.
Even if you weren’t worried before, are you now concerned about cyber extorting leprechauns? If so, would you consider buying cyber liability insurance? Tell us in the comments.