Cyber security is one of those things that doesn’t really impact you until it does, and the recent high-profile breach of Optus’ networks has brought this back into focus. There’s always an element of risk when it comes to data storage and information, and there’s no denying that it’s possible to do nothing to mitigate that risk and never face consequences for it. But when that risk becomes a threat or an attack, those consequences can be serious and long-lasting.
Last month, one of our clients contacted us after they had experienced an unexpected cyber security breach that was having a financial impact on their business.
With the rise of cloud-based accounting software come greater risks, and this is what happened in our client’s case. Cloud-based software has a lot of benefits for many businesses, small and large, and for most, those pros outweigh the cons and/or risks. The software also has its own safeguards in place to protect your data and information, but these are not fail-proof.
This client uses cloud-based software but chose to download an invoice and email it as an attachment instead of sending it directly from the software.
The email was intercepted by a hacker who then proceeded to change the bank details on our client’s invoice. The third party made payment of the invoice in good faith, but the money went to the hacker and not to our client. Both parties were out of pocket. Who is at fault here? Which party takes the financial burden? How does this get resolved?
To support our client, we:
- Encouraged our client to contact their IT support to determine if the email hacking attack was on their email or the invoice recipients’
- Had them contact some trusted third parties to check if this was a one-off incident
- Sent a bulk email on their behalf to clients who had received invoices in a similar manner to advise them to check payment details
- Contacted their accounting software provider to see if there is anything they can help with in this situation
- Ensured that everyone who had access to these emails and accounting software changed their passwords and activated two-factor authentication
While we did everything we could to help our client, we cannot change the fact they are out of pocket.
Fortunately for our client, there is an easy fix to ensure this does not happen again. Sending out their invoices and monthly statements through their accounting software instead of their own email system will provide a further layer of protection. The risk is significantly lowered because the software enforces additional security, offers real-time e-invoicing, and gives a clearer path to track where a security breach has occurred.