FEATURE
Data Security: What Could Go Wrong?
By Christopher Stark
The reality is, when it comes to data security, zero risk does not exist. There
is nothing on the market today that can 100% protect you from a cyberattack
unless you completely disconnect yourself from the internet.
In 2021, IBM reported that the average size of
a data breach is 25,575 records, with each record
costing the company $165 on average, and the total
cost to a company averaging over $4.24 million. It is
critical that firms implement proactive IT strategies
using a multifaceted approach to protect data. Before
we dig into the preventative strategies to combat
threats, we need to understand which methods cyber
criminals use to try to penetrate systems.
WHAT'S THE CYBER CRIMINAL'S END GAME?
Cyber criminals have countless reprehensible
methods of conducting cybercrime, as noted below:
* Send out phishing emails. A phishing scam is when
a bad actor sends an email which appears to be
from a reliable source. The hacker asks for personal
identifying information, then uses the information
to access existing accounts or open new accounts.
* Collect personal information. The cyber criminal's
goal is to gather personal information to be used for
other types of identity theft such as credit card or
insurance fraud.
* Infect a computer with ransomware. The cyber
criminal infects a computer with malware
that prevents access to files, systems, or networks,
and demands payment of a ransom for their return.
* Access further accounts within an organization.
Account takeovers can morph from a personal attack
on a single computer into an entry point for compromising
an entire system or network.
The threat of account takeovers continues to
evolve as the scenarios cyber criminals use to
gain access to victims' accounts also evolve. It is
important for C-suite executives and tech experts
to understand their cybersecurity vulnerabilities.
WHY WOULD GLOBAL CYBER CRIMINALS TARGET CPA FIRMS?
CPA firms are prime targets because of the sensitive,
confidential, financial information accounting
firms amass. Hackers target CPA firms for explicit
information and then use the data to steal assets,
ransom it, or sell the data to the highest bidder.
* Obtain confidential, personal data. Cyber criminals
seek client data from CPA firms such as birthdays,
Social Security numbers, and other personal
information. The data is used to target and steal from
specific clients or to sell the data to other criminals
who specialize in identity theft.
* Attain financial information. Cyberattacks on
accounting firms seek specific account numbers,
tax records, credit card information, and employee
identification numbers.
* Gain tax records. Cyber criminals file fraudulent tax
returns from information obtained from CPA firms.
They steal tax returns and use the information for
additional identity theft.
HOW TO MINIMIZE YOUR RISK OF A CYBERATTACK
CPA firms, regardless of size, must have vigorous
cybersecurity protections in place. The risk of
cyberattacks is disproportionately higher for smaller
and medium-sized organizations, which tend to be
much more reactive than proactive. Below are steps
to help protect you from possible cyberattacks:
* Have a good backup strategy. Hackers tend to go for
your backups first, making you more vulnerable during
the attack. Firms should have multiple backups
that use different technologies and are physically
removed from the network, so that in case of a malware
infection, the backup data does not become infected.
* Implement multifactor authentication for everything.
By requiring multiple login factors to prove your
identity, you can drastically reduce the chance of
unauthorized access.
* Train employees about cybersecurity risks.
Educating employees about cybercrime such as
phishing, malware, and ransomware attacks is an
effective strategy. CPA firms should create a culture
of consistent security awareness to reduce the risk
of cybersecurity breaches caused by human errors.
* Use Advanced Threat Prevention Technologies. Leverage
Next Generation Antivirus (NGAV), Endpoint
Telemetry Data, DNS Filtering, Intrusion Prevention
Systems, Reputation Based Threat Prevention, Data
Encryption - the more the better! These technologies
learn users' habits and daily activities using behavioral
detection, machine learning algorithms, and
exploit mitigation so known and unknown threats can
be anticipated, blocked, and immediately prevented.
* Patch all systems. Focus on patching any and all
known, exploitable vulnerabilities.
* Store data and information in encrypted databases.
Storing data in an encrypted database can deter cyber
criminals from accessing the information.
* Prepare your organization. Have a cyber incident
response and business continuity plan ready so as to
ensure critical functions and operations can remain
running if technology systems are disrupted. If your
IT systems go down, how will day-to-day account
management and communication continue with
personnel and clients? Make sure important contacts
are up to date and test the plan regularly!
Accounting firms are prime targets for cybercrime
because of all the sensitive,
confidential, and potentially lucrative information
they have in their systems.
HOW CPA FIRMS CAN SHIFT THEIR RISK
Accounting firms have significant responsibilities
to protect client information from potential cybercriminals.
Adhering to the Cybersecurity & Infrastructure
Security Agency (CISA) guidelines is an
important, proactive plan for CPA firms. More specific
cybersecurity strategies are examined below:
* Review cybersecurity insurance. C-suite executives
should determine if specific cybercrime insurance
coverage includes state-sponsored cyberattacks such
as what might be initiated by outside threats. Check
for first-party versus third-party insurance coverage
and ransomware coverage, and employ an attorney
who understands cybersecurity to review your cyber
insurance coverage.
* Encourage a "security mindset" in employees.
Require multifactor authentication and training on
data security policies and procedures, and remind
personnel that phishing is still the most common
cyberattack modality.
* Enlist the help of IT security professionals. Engage
with cybersecurity experts who can help reduce
your level of risk by deploying stronger security
technologies and preventative solutions, and who can
help guide and enforce evolving security best practices.
Having a cybersecurity team available 24/7/365 monitoring
threats provides great peace of mind.
At the end of the day, cyberattacks can have a
detrimental impact on firms. Don't wait until it's
too late to develop an effective data security plan.
Christopher Stark is president & CEO of Cetrom.
OCTOBER/NOVEMBER 2022 ■ www.CPAPracticeAdvisor.com