By Stan Sterna
Cyber criminals love to exploit a crisis – which partly explains the recent uptick in cyber-attacks since the beginning of the pandemic. According to recent data, cyber-crimes have risen over 100% within the last year. As aggregators of both financial and personal data, CPAs and their firms are especially vulnerable to a cyber breach. As such, it’s important for firms and their employees to understand the risks and how to mitigate them.
The Hackers’ COVID-19 M.O.
Since March 2020, many cyber schemes have been designed to exploit the increased reliance on technology brought about by the pandemic and the resulting conversion to a remote or hybrid work environment. Accordingly, there has been a proliferation in cyber-attacks that prey upon this increasing dependence on technology as a substitute for personal client contact, such as ransomware, phishing and social engineering schemes. Recently, cyber criminals have become more emboldened, demanding larger and larger ransom payments in untraceable digital currency. Some attempt to sell confidential data on the dark web, while others try to steal liquid assets through fake requests for wire transfers purportedly made by clients of the respective CPA firms.
The technology we use at home is often cited as one of the primary reasons for the uptick in both the frequency and severity of cyber breaches. Wireless routers, for example, can be especially vulnerable. Some home routers are improperly configured, while others might be missing updates or have inherent security flaws, providing hackers with an open door to take a peek at your data without your knowledge.
Another risk that emanates from a remote or hybrid work environment is the increased use of personal devices as well as employer-owned mobile devices to conduct business. While many think the risk of a hack is lessened by using an employer-owned device, confidential firm and client data can still be exposed. For example, while using a company VPN provides additional security when logging into a public Wi-Fi network, it is not 100% foolproof. A CPA choosing to use their mobile phone for business – specifically using SMS text or voice-based Multi-Factor Authentication – could be more vulnerable to a breach. Microsoft has identified both as being vulnerable. For example, voice-based authentication can be susceptible to deep fake voice cloning. SMS texts are usually easy to intercept and are frequently sent in plain text, unencrypted, allowing a hacker to easily read their content.
What Your Firm Can Do To Mitigate The Risks
Although a cyber breach cannot be completely avoided, there are still things that firm leaders and CPAs can do to mitigate the risk. Staff should be instructed on how to use remote devices properly and be able to identify the vulnerabilities that may result if proper safety precautions are not taken. For example, consider training on how employees should secure their devices prior to logging into a public Wi-Fi network. In addition, advise employees that relying on SMS text and voice-based Multi-Factor Authentication is a poor data security practice.
To minimize data security risks, emphasize the need for employees to keep their home routers updated year-round. Assessing a home router on a regular basis while adequately patching it with the most recent firmware can be an effective deterrent to a cyber breach.
Firm leaders should also place a heavy emphasis on data security within the firm. To help lessen the risk of a breach, leaders should invest in security patches that can help correct and address known vulnerabilities and weak points in the current technology. Keeping an eye on all active devices and systems within the firm is also crucial in order to make sure you are staying up to date with added security patches and antivirus solutions. In a time of evolution and change, it may be particularly helpful if firm leaders refer to and leverage existing firm policies on the use of technology in the workplace and how to maintain the privacy of confidential information. Sometimes a refresher can make all the difference and potentially save a firm from a breach that can have a devastating impact on its reputation. Instead of annual training on existing data security policies, consider implementing continuous training on updated privacy and security protocols throughout the year.
As a firm leader, it is important to keep the conversation about data security alive and well. Sending out reminders to firm employees that emphasize the importance of proper cyber security practices can also be a good way to mitigate your risk. Steps to share can include use of only firm-issued or approved devices to access company resources or simply listing preferred tools and platforms employees should use – such as cloud storage platforms, portals for sharing information and virtual conferencing tools.
All in all, a security breach is something that no CPA or CPA firm wants to deal with. Although the probability of a hack cannot be completely eliminated, there are strategies and tactics to lessen the chances of a breach. In a world where a remote or a hybrid work environment has become more common and with cyber criminals taking advantage of this “new normal”, data security should be a high priority for all CPAs and firms. Revisiting your training playbook, implementing safety procedures and keeping your technology up to date are all important ways to help minimize your chances of one day falling victim to a cyber breach.
This article is provided for general informational purposes only and is not intended to provide individualized advice.