
The Importance of Cybersecurity in Modern Day

October 04, 2023

By Stan Sterna and Nicole Graham

Cybercriminals love to exploit a crisis – and unfortunately during a time of turmoil like we've seen in recent years, data incidents are more prevalent now than ever before. Infiltration can happen anywhere and with an even greater frequency considering the dependence on technology by industries worldwide.

As aggregators of data, CPAs are prime targets for cybercriminals. Bad actors often design and shape their tactics to specifically exploit the accounting profession's increased use of technology such as cloud computing, smart devices, and electronic communications. As such, CPAs who rely on technology for convenience and to perform daily tasks need to be prepared for the worst should they fall victim to a breach.

Generally, cyber-attacks against CPAs fall into three main categories: ransomware, the sale of stolen data, and theft of client funds. Ransomware typically involves cybercriminals using malware to deny user access to systems and demanding payment in an untraceable digital currency in exchange for a decryption key to unlock the files. Some criminals steal data specifically for profit, attempting to sell infiltrated confidential data on the Dark Web. Social engineering schemes involve cybercriminals posing as clients and making fraudulent wire transfer requests to dupe a CPA into transferring client funds.

The Risks of Practicing Remotely

In a world where remote work has become more common, the probability of a cyber breach has likewise increased. While routers set up in CPA firms are typically designed to provide security, home routers can be susceptible to a breach. For example, home routers can be improperly configured, creating an opportunity for hackers to exploit security weaknesses. The goal of a cybercriminal is to attack the vulnerabilities within the home router design. Therefore, it is crucial for CPAs to understand the risks associated with using such devices and work to mitigate them. CPAs should assess their home routers to ensure that they are properly configured and adequately patched with the most recent firmware.

In addition to keeping your home router updated year-round, it's important for CPAs to keep an eye on how they conduct and discuss business using both their personal and employer-owned devices. Many CPAs think that using employer-owned technology fully protects them from a data incident; however, this practice can expose confidential firm and client data. For example, using a company VPN provides additional security when logging into a public Wi-Fi network, but it is not foolproof. Additionally, if a CPA chooses to use their personal cellphone for business, it is recommended to use secured technology and devices recommended by the CPA firm. It is also advised to avoid using SMS texting and/or voice-based Multi-Factor Authentication systems. Microsoft has identified both forms of authentication as having security vulnerabilities, potentially exposing other data stored on phones.

What Your Firm Can Do to Mitigate the Risks

Although a cyber incident cannot be completely avoided, there are still things that CPA firms can do to mitigate the risks. Staff should be trained on the vulnerabilities that exist in a remote work environment and how they can be avoided. For example, training on how to secure devices prior to logging into a public Wi-Fi network and what to look out for can act as a great first line of defense. It may be helpful to reinforce existing firm policies on the use of technology in the workplace and how to maintain the privacy and security of confidential information. Sometimes a refresher can make all the difference and can save your firm from a cyber event. Instead of implementing an annual exercise of revisiting policies, training on privacy and security should be a continuous activity.

In addition to training and reinforcing data security protocols, firm leaders can help mitigate the risks by placing an emphasis on security. One of the many tactics of cybercriminals is to go after vulnerabilities within firm-owned devices. Firm leaders can invest in security patches that correct and address known vulnerabilities and weak points in the current technology. Monitoring active devices and systems within the firm is crucial to making sure everything is up-to-date with added security patches and antivirus solutions.

As a CPA firm leader, it is important to keep the conversation about data security alive and well within your firm. Creating a culture of cybersecurity awareness is key. Sending out friendly reminders to firm employees that emphasize the importance of proper practices is a good start in identifying the risks and steps for your staff to follow. Steps to share can include:

  • Employees should only use firm-issued or approved devices to access company resources.
  • If employees are using personal devices for business purposes, employees should strengthen the security settings on their devices. Electronic work files from company resources should remain on company-issued or approved devices and not be placed on personal devices.
  • Reinforce how to identify phishing emails.
  • List the preferred tools and platforms employees are to use, such as cloud storage platforms, portals for sharing information and virtual conferencing tools.
  • Provide employees with clear guidance on how to report technical issues and empower them to report suspicious activity.

All in all, a security breach is something that every CPA wants to avoid. Although the risk cannot be completely eliminated, there are still ways to lessen the chances of an incident. In a world where remote work is the “new normal,” cybersecurity should be a high priority for all CPAs. Simply revisiting training, implementing safety procedures, and keeping your technology up-to-date can go a long way in lessening the chances of a security incident.

Bios

Stan Sterna, Esq., is a vice president with Aon Insurance Services, providing strategic quality control, claim/litigation management advocacy and risk control consultation to some of the country's largest accounting firms.

Nicole L. Graham, Esq., is a risk consultant with Aon Insurance Services, delivering risk management consulting services to regional accounting firms to assist them with mitigating professional liability risks.

This information is provided for general informational purposes only and is not intended to provide individualized guidance or advice. You should discuss your individual circumstances thoroughly with your professional advisors before taking any action. All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.