What lessons can we learn from the Shirbit cyberattack? - opinion

How can we protect our personal information and finances safe from cyberattacks?

Cyber Hackers (photo credit: REUTERS)
Recently the computer system of the Shirbit insurance company was hacked and some customer data was stolen and published after Shirbit reportedly refused to pay a ransom. This reminds us that our information and know-how are valuable assets, just like bricks and mortar – we should consider how to keep them both locked up and backed up.
The Israel National Cyber Directorate (INCD) published data security instructions on December 6, and the Israeli CPA Institute has advised its members to apply them.
Advice to the government!
The INCD published guidance to the government about parallel verification of people on the telephone, fraud analysis, tracing IP addresses, geolocation and so forth.
In the case of the Shirbit leaks, the main risk concerns the publication of pictures of identity cards and driver licenses as the issue dates are often used for verification purposes (including for online tax reporting).
Therefore, the INCD recommends issuing new smart identity cards. A year ago the INCD began promoting a legislative amendment to enable secure biometric identification by smartphone instead of relying on issue dates and birth dates. It seems this still needs to be done.
Advice to the public:
To help prevent data leaks or phishing/vishing expeditions (imposters trying to gain access), the INCD recommends not clicking on links or attachments you receive; instead, go to the organization's website yourself by keying in the address or using a search engine. Also, don't give away internal information about a business; call the organization back instead. (Comment: many invoices are sent electronically for you to click on, so check that you know the sender.)
As for passwords, the INCD recommends making them a long, non-standard combination of upper and lower case letters, numbers and symbols. As for securing personal details, the INCD recommends two-step authentication using one or more techniques such as authentication apps, SMS messages to smartphones, verification codes, fingerprints or facial identification.
Another obvious thing is to check your credit card purchases and confirm they are all yours. Also, ask your credit card company to send a warning SMS regarding any charges out of the ordinary.
The Israeli INCD has published plenty more guidance on its website in English and Hebrew, which is well worth reviewing. Much of it was written two or three years ago, but it is never too late to ward off some hackers.
And some more from the UK National Cyber Security Centre:
The UK National Cyber Security Centre appears to perform a similar role to the INCD. It likewise recommends backing up your data and safeguarding against malware (malicious software).
Malware is software or web content that can harm your organization, such as the recent WannaCry outbreak. The most well-known form of malware is the virus, a self-copying program that infects legitimate software. Consequently, it is recommended to install and turn on antivirus software, and to prevent personnel from downloading doubtful apps. Also, only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or the Apple App Store). Keep all IT equipment and systems up to date (patching) to help improve security. Control how disk-on-keys (memory sticks) and memory packs are used, as well as. And switch on a firewall.
Firewalls create a “buffer zone” between your own network and external networks (such as the Internet). Most popular operating systems now include a firewall, so it may simply be a case of switching this on.
Comments:
Consult a computer expert on all computer system aspects. Consult them and lawyers on European GDPR privacy requirements.
Computer experts tend to recommend a more advanced firewall and full disaster recovery ability in place – this is more extensive than backing-up. And correspondence from outside the business should be filtered or vetted.
Also, when employees leave, their access to their old email account should generally be stopped, and any subsequent emails from business contacts be re-routed to someone else senior.
It is interesting to note that although Israel seemed to be falling behind on e-filing of tax returns, Israel is now catching up to other countries. This was partly due to the need to adopt protective measures – the government wants taxes not viruses. Accountants and other tax advisers use encrypted systems of the Israeli Tax Authority. Emails to or from tax officials can take an hour or so to arrive. The good news is there is now less need to attach copious supporting documents to tax returns due to data quantity limits intended to keep out the bad stuff.
As always, consult experienced professional advisers in the sphere of expertise in each country at an early stage in specific cases.
leon@h2cat.com
The writer is a certified public accountant and tax specialist at Harris Horowiz Consulting & Tax Ltd.