octobernovember2022 - 31
FEATURE
client information. That data can then be sold to
identity thieves on the dark web or held for ransom
against the victimized firm.
A ransom cyber incident was brought to light
recently when two accounting firms were among
several victims of a large-scale computer hacking
scheme in the United States conducted by three
Iranians between October 2020 and August 2022.
The three men now face federal charges of conspiracy
to commit fraud, intentional damage to
computers, and transmitting demands, according
to an indictment unsealed in September.
In one instance, the hackers launched an
encryption attack last February and March, causing
a New Jersey accounting firm's network to connect
with their server. The cyber criminals demanded
a ransom of $50,000 and allegedly told the firm, "If
you don't want to pay, I can sell your data on the
black market. This choice is yours." It is unknown
whether the accounting firm paid the ransom, but
federal authorities said some of the victims did pay
ransoms, while others contacted the FBI or local
law enforcement.
According to Verizon (https://tinyurl.com/2pajax4c),
the average cost of a data breach
for companies increased to $21,659 per incident last
year, with most incidents ranging from as little as
$800 to more than $650,000. But 5% of successful
ransomware, phishing, and other attacks cost businesses
$1 million or more.
Ransomware breaches increased by 13% within
the last year, representing a jump greater than
the past five years combined, according to a 2022
report from Verizon. In addition, external bad actors
are approximately four times more likely to cause
breaches in an organization than internal personnel.
The Verizon report also revealed that people are
the weakest link in an organization's cybersecurity
defenses. When you include human errors and
misuse of privilege, the human element accounts
for 82% of analyzed breaches over the past year,
rather than cyber thieves exploiting flaws in computer
systems.
In addition, cyber criminals have used the
pandemic as an opportunity to capitalize on people's
strong interest in coronavirus-related news by luring
people into visiting fake malicious websites, clicking on
malicious links, or providing personal information
online or over the phone under the guise of COVID-19.
Many of these scams attempt to impersonate
legitimate organizations, such as the Center for
Disease Control or the World Health Organization,
by offering fake informational updates and even
promises of access to vaccines, all for a price. These
so-called social engineering attacks accounted for
25% of total breaches in 2022, according to Verizon.
"When there is a mass amount of movement
or migration to remote work environments and a
greater number of endpoints, as well as a greater
level of anxiety, this is as much about the physical
and the psychological as it is about just general
architecture. It involves everything," Guccione
said. "There's a state of panic, there's a state of
uncertainty, there's transitioning – there's so much
going on that cyber criminals really gravitate toward
situations like this because they always want to
attack the lowest-hanging fruit and any companies
they view as a potential weakness."
MOST COMMON ENTRY POINTS FOR
CYBERATTACKS
Changes in information technology infrastructure
brought about by remote work, such as a move to
cloud solutions, have shifted the focus of cyberattacks,
according to a new report from Hiscox
and Atlas VPN.
Cloud servers are now the No. 1 way in for cyberattacks,
with 41% of companies reporting them as the
first point of entry, a 10% increase from the year
before. Cloud servers have replaced corporate-owned
servers, which were the leading attack entry point,
or vector, in 2021.
Corporate-owned servers now occupy the third
spot on the list, according to the report, with 37% of
businesses reporting this as the main cyberattack
entry method. Meanwhile, the second spot now
belongs to business emails, as 40% of companies
named it the main access point for attackers.
"If you get a spam email or an email that looks
legit but is asking you to do something like upload
some information or change a password or even
transfer funds, make sure you have a policy in place
to make a verbal verification for that," according to
Bobby Garrett, IT director at CPA firm Gray, Gray
& Gray. "No client is going to be upset if you call
them and say, 'Did you really want me to transfer
$10,000 to this account?' Because if you do it and
you don't call, they are going to be upset if it's not a
real request because there's no getting that money
back. It'll be gone."
Employee-owned mobile devices are another
common entry point for cyberattacks at 29%, an
increase of 6% from the previous year, according
to the Hiscox and Atlas VPN report. Others include
remote access servers at 31% and distributed denial
of service (DDoS) attacks at 26%.
"When we all go remote, a lot of traditional
internal control policies become less effective and
they become dilutive when it comes to exploiting or
capturing security vulnerabilities," Guccione said.
"And so now as we all move to this much larger
endpoint landscape and geometry, we now have to
figure out, well, what do we need to do to make
sure that we're tracking and monitoring every
endpoint – smartphone, tablet, computer – across
every employee in the organization? What can we
do to track that down and make sure that on the
prevention side of cybersecurity that we're doing
what we need to do to protect our environment?"
STRATEGIES FOR SECURING DATA
WHILE WORKING REMOTELY
In the two and a half years since the pandemic
began in the U.S., companies have been able to
fine-tune their cybersecurity processes for remote
workers. But the continued number of cyberattacks
in the U.S. means IT professionals cannot let their
guard down, and neither can a firm's employees.
The following are best practices compiled
from articles, reports, and webinars on how to
reduce the risk of a data breach in a remote work
environment. (Note: This is not an all-inclusive list
and the best practices are not numbered in terms
of importance.)
1. Ensure you have a modern cybersecurity
plan that covers remote work environments:
Firms need to make sure endpoint security and
enterprise password security software is running
on all employee devices, Guccione said.
"We know password security is the trojan horse
into your business. So at the end of the day, you
could have the best antivirus protection and you
could have the best privileged access management
system running, but if you do not put a cloak of
armor around your password security and your
password internal controls and enforcement policies,
you are in real serious trouble because this is
where the cyber criminals know exists the lowest-hanging
fruit. This is where it's at," he added.
2. Use a Wi-Fi password: But do not use the
default password, Jim Bourke, a partner at
CPA firm Withum and managing director of the
firm's Advisory Services practice, said in a video
for the American Institute of CPAs.
"If you're using the default password on your
Wi-Fi device, change the default password. Go into
your Admin settings and make that change," he said.
Bourke also recommends changing your service
set identifier (SSID). "What is your SSID? That is your
OCTOBER/NOVEMBER 2022 ■ www.CPAPracticeAdvisor.com