Cybersecurity awareness among accounting firms has skyrocketed within the past five years, primarily because CPAs are an ideal target for cybercriminals who know that accounting firms hold and maintain valuable financial information about their clients.
As accountants adopt new systems and technology in their practices, they will need to continue to raise their awareness of their vulnerabilities and to enhance their cyber defenses in at least five different areas:
#1 Internet of Things (“IoT”) Devices
In late 2016 the American Institute of Certified Public Accountants (AICPA) reported that an internet-enabled copier provided an opening for hackers to access documents that one accounting firm had been scanning into a digital format.
IoT devices are frequently overlooked when security patches are being installed, and many of those devices include embedded legacy firmware with known security flaws.
CPAs should devote extra attention to these devices in their offices.
#2 Phishing Scams
During the busy April 2017 tax season, a group of hackers targeted CPA firms with email messages that purported to be from the AICPA.
Those messages included attachments, which, if opened, would install malware or other malicious code into a CPA firm’s networks to enable the hackers to steal valuable information.
Hackers are very much aware that CPAs and employees of CPA firms can be easily distracted during busier times of the year, and they prey on that distraction to launch phishing and other email scams.
Staying aware of these risks and refraining from opening unexpected email attachments are best practices for all accounting firms.
#3 Ransomware Attacks
The busy tax season and the end of the accounting year are also ideal times for cybercriminals to launch ransomware attacks against CPA firms.
A ransomware attack can be launched from an email attachment or from an employee visiting a suspicious website. Those attacks can freeze an entire network and destroy valuable data unless the targeted CPA firm agrees to pay a ransom to the cybercriminals.
Again, heightened awareness is the best defense against ransomware attacks.
#4 Remote Access Security
A CPA firm needs to do more than just protect its own internal networks and systems; it also needs to be aware of its endpoint security.
Smartphones, laptops, and other mobile devices that employees use for remote access to a firm’s networks can introduce another layer of cyberattack vulnerability, particularly if the firm has a “bring your own device” policy that allows employees to use personal devices for remote access.
#5 Enhanced Protection for Sensitive Data
CPA firms should maintain stronger controls and impose more limited access to client bank account numbers, credit card information, usernames and passwords for financial accounts, and other sensitive information that hackers could use to misappropriate client funds.
At a minimum, access to that information should be restricted to employees who have a need to know that information in order to fulfill their job responsibilities.
A CPA firm that enhances its cyber defenses will improve its chances of deflecting a cyber attack, but even the most robust defenses will not provide absolute immunity from all attacks.
Recognizing this, insurance providers have developed cyber insurance for CPAs. These insurance policies can provide reimbursement for a CPA firm’s direct losses and for liabilities that it may incur to third parties whose data and information are compromised in a cyber attack on the insured CPA firm.
Most critically, cyber insurance for CPAs can help a firm to recover from a cyber attack quickly in order to maintain its reputation and trust among its clients.
It is not an exaggeration to say that CPA cyber insurance can be the difference between a firm’s ability to continue to provide accounting services following a cyber attack instead of closing its doors forever.
So what are you doing to protect yourself from cyber hackers? Share your thoughts below.