It's startling that a cyberattack happens every 39 seconds (source: University of Maryland) and that one out of every three businesses will experience a cybersecurity breach within the next two years. The average cost of such a breach in the U.S.? $8.19M! As protectors of valuable financial and personal data, CPA firms are prime targets for cyberattacks. Considering the major financial risk that organizations face by failing to set up sound cybersecurity measures, we chatted with two of the Association’s experts on the topic. Joel White, CPA, CGMA, Director of Internal Audit, Risk & Compliance, and Jay Overcash, Director of IT Security Strategy, answered your top cybersecurity questions.
Here’s what we learned:
Only simple tasks stand between you and cybersafety.
Do you always remember to patch? Failing to patch and update systems is one of the top ways individuals and organizations leave their data vulnerable to cyberattacks such as ransomware. Losing track of who has access to a system, and so unknowingly leaving inappropriate access in place, is another common way organizations expose themselves. Review system access regularly and adjust it accordingly. You can best protect your data by tailoring each employee’s access to their clearance level and current relationship to the organization. What if, after doing all this, an attacker still gets in? How can you be sure your data won’t be encrypted and lost? You can’t. But you can make sure to back up your data, and do it off-site (on a remote server). Know where your valuable data is, back it up and isolate the backup. That way, if the local copy is affected, your second copy is out of reach and pristine.
Passwords aren’t always secure.
Be cyber smart. Passwords alone tend to be an ineffective cybersecurity measure because of the way they are created and used. Overall, longer and more complex passwords are the most secure because they’re more difficult to guess. Another reason passwords can be ineffective: about 77% of people reuse the same passwords for different accounts. If your Gmail account gets hacked and you used the same password for your Outlook account at work, congrats! You’ve made it that much easier for your boss to get hacked or scammed. Some tech companies, such as Microsoft, are moving toward the elimination of passwords and are planning to lean more on biometrics. Think iPhone: your fingerprints and iris patterns, for example, are a lot harder to fake. Don’t kiss passwords goodbye just yet. They’ll still be around for a while, but supplemented with more complicated data requirements.
Anti-virus software isn’t enough to protect you from an attack.
In general, anti-virus software is about 50%–80% effective. That’s because there are ways to get around any single type of defense. Different security controls are designed to protect different types of devices. For this reason, it’s important that organizations practice “defense in depth.” This means placing multiple layers of security controls throughout an information technology system. So, yes, installing anti-virus software is a great first step, but never rely on a single control or security method. In addition to your anti-virus, you can turn on a firewall, which establishes a barrier between your trusted internal network and the untrusted external network. You can also look into leveraging multi-factor authentication, a layered line of defense that requires two or more types of credentials to gain access to a system or data.
Protecting your data from cyberattacks can be cheap.
While anti-virus products usually come with a cost, patching systems is free and simply requires you to establish routine updates. Education is one of the most inexpensive ways to improve your organization’s cybersecurity measures. Learn to be cyberaware. If 90% of successful attacks start with a phishing scam and 80% of attacks could have been prevented by using multi-factor authentication (MFA), then simply educating yourself and your staff on how to recognize a “phishy” link, or how to implement MFA, goes a long way. These lessons are a free, 45-second YouTube view away! But, to be frank, you just can’t put a price on cybersecurity. CPAs, you know how to do this: if we’re going to compare risks, the cost of a breach (which, by the way, is bound to happen sooner or later) far outweighs that of putting solid cybersecurity procedures in place. Check out these certificate programs that can get you on the right path.
Clients rely on CPAs to advise on the best security practices and vendors.
Accounting firms are increasingly expanding into cybersecurity assurance or advisory roles. More clients want their CPAs to assure them that their cybersecurity controls are designed to properly protect them from cyberthreats. Clients who may not be ready for an assurance service are seeking expertise and advice on the security controls their companies rely on to support accurate financial statement audits. Since there’s a general IT security skills shortage, these skills are in high demand. Small- and medium-sized firms building their practice can readily develop this capability. They can partner with an experienced boutique security company and learn its techniques, or hire experienced cybersecurity professionals as in-house staff. Overcash recommends starting with the former and graduating to the latter.
The evidence is overwhelming. Organizations cannot afford to ignore the risks associated with having subpar cybersecurity measures. As a CPA, you can lead in this critical area. To help, we’re bringing you the latest cybersecurity insights, tools and resources, all available at our Cybersecurity Resource Center.