Cybercriminals love a crisis. Panic-inducing events such as the COVID-19 pandemic prove to be lucrative opportunities for the unscrupulous to capitalize on fear.
Social engineering attacks tailored to exploit the public unease surrounding the coronavirus have been on the rise. One sophisticated attack falsely claimed to be from the World Health Organization. The phony email included an attachment purportedly containing updated safety measures and treatments for symptoms. It exploited the public's hope for a swift end to the pandemic but, in reality, concealed malware designed to steal personal information.
The coronavirus pandemic has forced major changes to the ways we work and carry out day-to-day activities. Millions of Americans have been required to adapt quickly in order to work remotely. For CPAs, the adjustment has occurred during the height of busy season. The shift in where CPA firm employees work has resulted in significant changes to the way practitioners interact with clients and collaborate with one another. Social distancing and limitations on in-person meetings have created heavier-than-usual reliance on virtual and electronic communication.
Just as working remotely enables CPA practices and their employees to continue to serve clients during the pandemic, the responsibility of every practitioner to secure confidential client data continues as well.
In light of the ongoing cybersecurity threats caused by the pandemic environment, CPAs should exercise enhanced cautionary measures in order to avoid falling victim to schemes seeking to exploit security weaknesses and human psychology. Fortunately, both CPA firms and their employees can implement a number of measures to avoid such incidents and to protect and secure data.
ADDRESS THE RISKS OF ACCESSING SENSITIVE DATA REMOTELY
Ideally, data should be encrypted, whether in transit or at rest. To access the firm's systems remotely, employees may use home wireless networks, which may be less secure than accessing the same information from the office. Unsecured or less secure networks may offer a back door to malicious actors monitoring connections to harvest confidential information. For example, data sent in unencrypted form can be easily intercepted and stolen by cybercriminals.
For this reason, security experts recommend that virtual private networks (VPNs) be used to route traffic to the firm's systems when working remotely, making it difficult for unauthorized parties to intercept the encrypted data and rendering it unreadable if they do.
REINFORCE SECURITY WEAKNESSES WITH PATCHES
Just as viruses mutate, cybercriminals' tactics to exploit and obtain access to sensitive data also evolve. Similar to vaccines, security patches are developed to help correct and address known vulnerabilities used by cybercriminals to gain unauthorized access to devices or applications.
It is important for firms to periodically assess whether devices and systems are up to date with security patches and anti-virus solutions.
STAY ENGAGED WITH VENDORS
The pandemic has shifted the preferred way for conducting meetings, conferences, and even social events to online. With such a dramatic shift in a short period, a number of security weaknesses with certain platforms and vendors have been revealed. Many providers have responded with options for users to address security concerns.
Rather than relying only on a vendor's reaction to security weaknesses, consider proactively managing vendor discussions in order to understand the controls or practices they may have in place to address any of the firm's security concerns.
For example, to support the shift to remote-working environments, many firms have implemented VPNs to permit employees secure access to firm resources. Consider discussing these changes with other vendors such as cloud service providers to determine whether changes affect the compatibility with the vendor's technical requirements.
PROMOTE EMPLOYEE SECURITY AWARENESS
Like taking showers and wearing clothes other than pajamas, data security may not be the first priority on a CPA firm's growing list of matters to be tackled. However, it is essential during this critical period of disruption that employees be reminded of the importance of maintaining cybersecurity hygiene.
Consider sending friendly reminders to firm employees that emphasize the importance of the following:
- Employees should use only firm-issued or -approved devices to access company resources securely.
- If employees are using personal devices for business purposes, they should strengthen the security settings on their devices. Electronic work files from company resources should remain on company-issued or -approved devices, and not placed on personal devices.
- Reinforce how to identify phishing emails:
- Links and attachments from unknown or untrusted senders should not be opened without careful inspection. When an embedded address appears suspicious or unfamiliar, hover over the link to view the full URL, or use URL checkers to confirm the safety of a suspicious link before clicking on it.
- Do not respond to requests for sensitive information (i.e., account details, tax return information), especially if the request is marked as "urgent," without verifying the validity of the requester, even if it appears to come from a colleague or client. If the request is obtained via email, always confirm directly with the requester using alternative, verified contact information such as phone numbers.
- List the preferred tools and platforms employees are to use, such as cloud storage platforms, portals for sharing information, and virtual conferencing tools.
- Provide employees with clear guidance on how to report technical issues and empower them to report suspicious activity.
EMPLOY STRONG AUTHENTICATION PRACTICES
The importance of using strong passwords and multifactor authentication to enhance security measures is nothing new. Now is not the time to allow these security measures to lapse or weaken. Refer to guidance on best practices outlined in NIST Special Publication 800-63, Digital Identity Guidelines, and continue to use strong password and authentication practices, including:
- Password length: Should be 8—20 characters.
- Password complexity: Consider requiring a combination of capital and lowercase letters, numbers, and special characters.
- Password protection: Passwords and user IDs should never be shared.
The coronavirus has been widely referred to as the "invisible enemy." This is a reminder that the invisible or intangible can have an impact as significant as physical threats, such as accidents or crime. Security risks take on similar characteristics, with the impact made tangible in the form of information compromised, reputation damaged, or dollars lost.
Depending upon the size of the CPA practice, the aforementioned tips and advice may seem too daunting and technical to tackle. Just as the global response to the COVID-19 pandemic has been multifaceted, requiring collaboration and support, a CPA firm's approach to addressing data security risk should be similar. The firm's leadership sets the tone and prioritizes data security. IT professionals are then empowered to establish security protocols to address the firm's data security risk. Finally, every individual at the firm is responsible for doing his or her part in maintaining cybersecurity hygiene.
Jamie Yoo, CISA, is a risk control consultant at CNA. For more information about this article, contact email@example.com.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.