Unless you've been living under a rock—or in the town of Bedrock—you are no doubt aware of the growing threat posed by cybercriminal activity. As a CPA, however, you may not know the role you can play in bolstering your organization's cybersecurity efforts.
Whether in public accounting or business and industry, CPAs are key stakeholders in cybersecurity. Public accountants, of course, are responsible for safeguarding their clients' most sensitive financial data. Management accountants such as CFOs often oversee risk management, under which cybersecurity typically falls. And in organizations of all types, CPAs play crucial roles in developing budgets that help determine how cybersecurity measures are implemented.
Improving cybersecurity starts with accepting that your organization is not immune from cybercrime and educating yourself on the biggest threats to your computer networks and data. You can then begin taking concrete steps to shore up your cybersecurity defenses.
This article looks at the five biggest cybersecurity risks CPAs and their organizations face, then offers a five-step battle plan for the fight against cybercriminals.
5 TOP CYBERSECURITY RISKS FOR CPAs
You might think that most business leaders are well-aware of the threat posed by cybercriminals. After all, high-profile breaches at Sony, Target, and innumerable other organizations have generated a flood of media coverage and social media chatter. Despite that, far too many business professionals still don't grasp the size and severity of the threat.
One of the toughest mindsets to overcome is the belief that the organization either has nothing worth stealing or is too small to be targeted—or both. Wrong. Everyone is at risk.
Still think you're too small to be a target? Hackers usually target anyone with a vulnerability in their IT systems. And when they do pick a target, hackers sometimes choose small organizations solely to gain access to other organizations.
The bottom line is that you don't know what you don't know. If you don't realize you are at risk, you are not likely to take steps to identify and subsequently mitigate the risk.
Passwords continue to be a major security risk for organizations. The Verizon RISK team's 2013 Data Breach Investigations Report found that 76% of corporate network breaches directly resulted from lost or stolen credentials. Weak, easily guessed passwords are also a concern. SplashData's annual "Worst Passwords" report, which is compiled from millions of leaked passwords, has found that since 2011 the most frequently used passwords are "123456" and "password." And not only do people use simple, weak passwords, but they also often use the same one for everything, further magnifying the risk. A breach exposing passwords on a social networking site might seem unrelated to your business. But what if an employee's password was exposed in the breach and his or her place of employment or bank was identified on a profile page? The compromised password could be used to attempt to log in to other systems (see the sidebar, "An Approach to Strong Passwords").
The impact of weak and repeated passwords is magnified now that so many cloud systems are in use, because the bad guys no longer have to be inside the network to use discovered passwords. Add in what is now standard remote access to systems by vendors, and the problem again grows larger. Several major breaches have involved compromised vendor credentials.
As hard as it is to believe, Sony actually had a folder called "Password" on its breached network. It's hard to imagine how this could happen in an organization so large, but during our IT security audit work, we routinely see not only passwords written down in all kinds of places, but also unsecured password documents stored on employee computers and mobile devices. Don't do this.
If you are overwhelmed by the number of passwords you need and just can't remember them all, you might want to consider using a password manager that securely stores your passwords for various sites. With this approach, you need to remember only the strong password you create to access the password manager. You can find dozens of password managers with an online search. I recommend device-based managers as opposed to cloud-based ones, provided you have device security protections in place. I also lean toward the paid managers, though there are several well-reviewed free ones.
The purpose of a phishing email is to entice the reader to click on a link or an attachment, opening the door for hackers to steal data or infect systems with malware. The Target breach and many others started with a phishing email.
Phishing emails come in many forms, notifying you of a package shipment delay, potential fraud on your credit card, or a lottery win, just to name a few. While many phishing emails are filled with misspelled words and grammatical errors, others are very well-written and look quite believable.
A targeted phishing email is known as spear phishing. This occurs when the email is not completely random but has relevance to the recipient. For example, if you receive a message that looks as if it came from your bank warning of possible problems with your account, you are more likely to heed the request to click on a link than if you receive a random message supposedly from a bank where you do not have an account. The ability to craft spear-phishing attacks to specific targets is why seemingly harmless breaches of email addresses can be dangerous.
Organizations use filtering to prevent many phishing emails from reaching employees, but some slip through in even the best systems. And it is quite difficult to get users to slow down and think before opening emails and clicking on links and attachments. My company performs phishing tests for many of our clients, and even when the employees have been trained on the dangers of phishing, the click rate is still surprisingly high. In organizations with no training, the click rate can be alarming. And, remember, all it takes is a single click to potentially infect an entire network.
Malware, or malicious software, is installed without the user's knowledge, typically from an attachment in a phishing email or a visit to an infected website. The user usually has no idea his or her computer has been infected, and the malware can stay dormant for months before it is used to steal data, including passwords, or to take over systems.
Another scary fact is that the bad guys no longer need technical expertise to write the malware. That's because virtually anyone can purchase malware online; all that is needed is malicious intent and a few hundred dollars.
Misfortune Cookie, Poodle, Shellshock, Heartbleed, Freak, Venom, Logjam. This isn't the band lineup for the latest Lollapalooza rock concert. These are the names given to recently disclosed computer vulnerabilities to which millions of computer users are exposed.
A vulnerability is a flaw or weakness in a system that hackers can exploit. In today's world, software is written and released much more quickly than ever before, so the risk of security holes is naturally greater. The vendor must provide an update or patch to close the hole, and then systems must be updated.
For many years, most vulnerabilities were found in operating systems (Windows XP, Windows 7, etc.), but individuals became accustomed to setting systems for periodic updates, somewhat diminishing the number of weak systems. So the criminals took a new approach and began to look for vulnerabilities in applications, including Adobe Flash and Java, that are present on a great many systems. Many individuals and organizations never update these applications because they are unaware of the risk.
The number of vulnerabilities discovered each day is astounding. Newly discovered flaws are known as zero-day vulnerabilities because no remedy is available at the time of discovery. Organizations must keep everything—servers, workstations, laptops, routers, switches, firewalls, and even mobile devices—updated all of the time. This is a daunting task.
A 5-PRONG CYBERSECURITY BATTLE PLAN
Cyberrisks are so great these days that management must get involved to ensure that appropriate mitigation strategies are in place. What can CPAs and other business leaders do? The following five steps are a good start.
Accept that your organization is at risk
This cannot be emphasized enough. CEOs, CFOs, boards of directors, managing partners, and other organizational leaders need to see cybersecurity as the huge issue it is and devote adequate resources to maintaining a secure environment. Executives don't have to become computer geeks, but they can certainly learn the basics and what questions to ask.
Change starts at the top. The CEO should not be exempt from the rule that passwords must be changed periodically. Management needs to establish and embrace a culture of strong security.
Educate yourself and your organization
Everyone in every organization needs security training. This means more than just sending out an email telling people to use secure passwords and to not fall prey to phishing emails.
The massive Target security breach started with an employee at one of the company's vendors clicking on a link in a phishing email. Do your employees know how easily they could inadvertently open the door to such a cyberattack? Get that message across with ongoing cybersecurity training that covers new and old threats, defines the organization's security controls, sets employee expectations, and explains the consequences for violating procedures.
Implement strong IT controls
Organizations need their IT department (or outsourced vendor) to implement and maintain a comprehensive list of data and network security controls. As a CPA, you usually won't be responsible for directly implementing these controls or knowing exactly how they work. But it is helpful to understand enough to at least ask the right questions of the IT folks. Among the basics you need to know are:
- Perimeter security. This first line of defense includes firewalls, intrusion detection systems, and intrusion prevention systems. These should be configured with appropriate restrictions to block and filter both incoming and outgoing internet traffic.
- Endpoint security. Endpoint security requires each computing device on a corporate network to comply with established standards before network access is granted. These measures protect the servers and workstations and include items such as administrative access limitations and anti-virus protection.
- Network monitoring. The control environment should include frequent, ongoing monitoring of all IT systems.
- Authentication and administration controls. Authentication controls for the network and all critical systems (especially cloud systems that anyone can access from anywhere) should require complex passwords that expire periodically and should restrict invalid login attempts (for example, three strikes and you're out). Strong controls over user administration are needed as well.
- Incident response and business continuity. Finally, each organization should have appropriate business continuity and disaster recovery plans that include specific incident-response procedures for dealing with a cyberevent.
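As an added illustration of the lockout control in the list above (example code, not from the article or its author), this script runs a "three strikes" check over constructed authentication log lines; the log format, the 15-minute window and the threshold are assumptions for illustration.

```python
# Added example (not from the article): a "three strikes" lockout check run
# over constructed authentication log lines.  The log format, the 15-minute
# window and the threshold are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <FAIL|OK>" per line.
SAMPLE_LOG = """\
2015-06-15T08:01:10 alice FAIL
2015-06-15T08:01:25 alice FAIL
2015-06-15T08:02:40 alice FAIL
2015-06-15T08:03:05 alice FAIL
2015-06-15T08:10:00 bob FAIL
2015-06-15T08:11:00 bob OK
2015-06-15T09:30:00 bob FAIL
2015-06-15T09:31:00 bob FAIL
"""

MAX_FAILURES = 3                 # three strikes and you're out
WINDOW = timedelta(minutes=15)   # older failures no longer count


def parse_line(line):
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def lockout_report(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: lockout_time} for each account that accumulated
    max_failures failed logins inside the window.  A successful login
    resets the count, so an occasional typo does not lock anyone out."""
    recent = defaultdict(list)   # user -> timestamps of counted failures
    locked = {}
    for line in log_text.splitlines():
        ts, user, outcome = parse_line(line)
        if user in locked:
            continue             # already locked; later events ignored
        if outcome == "OK":
            recent[user].clear()
            continue
        # keep only failures still inside the window, then add this one
        recent[user] = [t for t in recent[user] if ts - t <= window]
        recent[user].append(ts)
        if len(recent[user]) >= max_failures:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in lockout_report(SAMPLE_LOG).items():
        print(f"{user}: locked out at {when.isoformat()}")
```

In the sample, alice is locked out at her third failure, while bob's successful login resets his count and his later two failures fall short of the threshold.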
Stay current on updates and patches
Updating and patching are the responsibility of the IT department and actually fall into the above category of IT controls, but they are such a critical security component that they warrant a separate discussion.
Organizations must keep all systems up to date at all times. That sounds simple—until you see the list of items that need updating. Among the items are firewalls, routers, switches, servers, workstations, laptops, tablets, phones, and peripheral devices such as printers and copiers. Management needs to ensure that IT—whether in-house or a vendor—updates all operating systems (Windows 8, Windows 7, etc.) and applications (Java, Adobe Flash, web browsers, etc.) with vendor-supplied patches. In addition, anti-virus/malware protection is needed not only for desktops and laptops, but mobile devices as well, including employee-owned devices that connect to the network.
Make sure IT establishes an inventory reconciliation process that confirms every system is accounted for and protected. Encourage the IT team, or your vendor, to assign this role to someone—preferably not an IT "firefighter"—who has time to fulfill these duties.
If you outsource your network support to a vendor, make sure that your contracts establish and assign clear patching and updating responsibilities.
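As an added example of the inventory reconciliation recommended above (example code, not from the article or its author), this script compares an asset inventory with a patch-management report and reports devices the patch tool has never seen, devices patched too long ago, and devices the patch tool knows about but the inventory does not; the CSV layouts, hostnames and the 30-day policy are constructed assumptions.

```python
# Added example (not from the article): reconciling an asset inventory with
# a patch-management report so every device is accounted for.  The CSV
# layouts, hostnames and the 30-day policy are assumptions for illustration.
import csv
import io
from datetime import date, timedelta

# Constructed inventory: what IT believes is on the network.
INVENTORY_CSV = """\
hostname,type,owner
fw-edge-1,firewall,IT
srv-files-1,server,IT
ws-acct-12,workstation,Accounting
lt-cfo-1,laptop,Finance
prn-lobby-1,printer,Facilities
"""

# Constructed patch report: what the patching tool actually manages.
PATCH_REPORT_CSV = """\
hostname,last_patched
fw-edge-1,2015-06-01
srv-files-1,2015-06-10
ws-acct-12,2015-03-02
lt-cfo-1,2015-06-12
ws-old-1,2015-01-05
"""


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_text, patch_text, today_iso, max_age_days=30):
    """Return (unmanaged, stale, unknown), each a sorted list of hostnames:
    unmanaged - in the inventory but never seen by the patch tool;
    stale     - managed but last patched more than max_age_days ago;
    unknown   - in the patch report but missing from the inventory, which
                means the inventory itself is incomplete."""
    today = date.fromisoformat(today_iso)
    max_age = timedelta(days=max_age_days)
    inventory = {r["hostname"] for r in load_rows(inventory_text)}
    patched = {r["hostname"]: date.fromisoformat(r["last_patched"])
               for r in load_rows(patch_text)}
    unmanaged = sorted(inventory - set(patched))
    stale = sorted(h for h, d in patched.items()
                   if h in inventory and today - d > max_age)
    unknown = sorted(set(patched) - inventory)
    return unmanaged, stale, unknown


if __name__ == "__main__":
    unmanaged, stale, unknown = reconcile(INVENTORY_CSV, PATCH_REPORT_CSV, "2015-06-15")
    print("never patched by the tool:", unmanaged)
    print("patched more than 30 days ago:", stale)
    print("in patch tool but not in inventory:", unknown)
```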
Test your security and controls
To determine its cybersecurity risk level, an organization should rely on two types of periodic assessments—vulnerability testing and information systems (IS) controls testing.
Vulnerability testing involves the automated scanning of systems to determine if known vulnerabilities (security holes in software) are present. The tests should assess protections against threats both external (outside hackers) and internal (insiders or hackers who gain internal access). Commercial scanning software currently tests for more than 50,000 vulnerabilities.
IS controls testing verifies that the controls described above are functioning properly. Many organizations undergo a review of select controls as part of their financial audit, but this does not typically look at the entire environment. High-level oversight should ensure that IT promptly remediates any issues discovered during testing.
Organizations also need to regularly assess vendors that either host their data or have access to it through internal systems.
KNOWLEDGE IS POWER
The scope of the cybersecurity threat can be staggering. A good analogy is the story of the little Dutch boy who put his finger in a leaking dike, a small effort that helped prevent a huge disaster. What would have happened if the little boy had not acted? Even worse, what if there had been many more holes—ones no one realized were even there? The results could have been disastrous.
That's the situation facing many, if not most, organizations of all types, including accounting firms, businesses, and other entities that employ CPAs. In my company's information technology security reviews for organizations, no matter what type of entity they are or what industry they are in, a first-time check of their IT defenses usually reveals 40 or more security holes that need to be patched.
Cybersecurity is a daunting challenge—one without a foolproof solution. The good news is that you can help your organization take steps to bolster its defenses. In the end, your organization can't eliminate the threat of cyberattacks, but a mix of education, controls, and testing can significantly reduce the risk.
An approach to strong passwords
From Technology Q&A columnist J. Carlton Collins, CPA
All of my passwords start with the same lengthy prefix, such as a childhood telephone number, for example, 9126364242 (this is not the actual prefix I use). Next, my passwords all include the name of the account, such as Delta, Amazon, or AICPA. Finally, each of my passwords ends with a four-digit personal identification number (PIN). The results are strong lengthy passwords that I have a good chance of remembering, such as the examples shown below (which are not my actual passwords):
Delta account password: 9126364242delta7543
Amazon account password: 9126364242amazon9312
AICPA account password: 9126364242aicpa2209
Using this approach, the bold PINs are all I need to remember, and because hackers don't know the actual lengthy prefix I use, these passwords are very strong. With 263 active passwords on my list, this structured approach gives me a fighting chance of remembering many of them. Because uppercase and special characters are more difficult to type (especially on a smartphone), I avoid these types of characters unless they are required.
About the author
Lisa Traina (firstname.lastname@example.org) is the founder and owner of Traina & Associates, which provides information systems and IT security audit and consulting services to business clients.
To comment on this article or to suggest an idea for another article, contact Jeff Drew, senior editor, at email@example.com or 919-402-4056.
This article is modified from two CPA Insider articles, "The Top 5 Cybersecurity Risks for CPAs," June 15, 2015, and "The Top 5 Cybersecurity Solutions for CPAs," July 27, 2015.
"Technology Q&A: Unforgettable Passwords," April/May 2015, page 121
Practitioners Symposium and Tech+ Conference, June 5–8, Las Vegas
For more information or to make a purchase or register, go to cpa2biz.com or call the Institute at 888-777-7077.
AICPA Cybersecurity Resource Center, aicpa.org/cybersecurity
Information Management and Technology Assurance (IMTA) Section and CITP credential
The Information Management and Technology Assurance (IMTA) division serves members of the IMTA Membership Section, CPAs who hold the Certified Information Technology Professional (CITP) credential, other AICPA members, and accounting professionals who want to maximize information technology to provide information management and/or technology assurance services to meet their clients' or organization's operational, compliance, and assurance needs. To learn about the IMTA division, visit aicpa.org/IMTA. Information about the CITP credential is available at aicpa.org/CITP.