Top problems
Leading privacy event types reported by CPA firms in the AICPA Professional Liability Insurance Program in 2019:
• 15% — External breach to CPA firm's network
• 15% — Ransomware event
• 15% — Breach at service provider
• 14% — Business email compromise
Source: CNA Accountants Professional Liability Claim Database, underwritten by Continental Casualty Company. Copyright © 2020. All rights reserved.
One email is all it takes
You wouldn't let a stranger into your house, so don't let clicking on a strange email jeopardize your business.
• 48% — the portion of business email compromise (BEC) cases that resulted in a breach of sensitive information.
• 18% — the portion of all BEC incidents that targeted financial services organizations (including professional firms).
• $264,117 — average amount BEC threat actors stole from victims per incident.
Source: Crypsis 2020 Incident Response & Data Breach Report.
Ransomware exploits more than technical vulnerabilities
Like many data security incidents, ransomware often starts with human manipulation and social engineering rather than a purely technical exploit.
• 43% — the portion of ransomware incidents where social engineering was the attack vector.
• 200% — the rise in the average requested ransom amount from 2018 to 2019.
• $115,123 — the average ransom amount demanded in 2019.
Source: Crypsis 2020 Incident Response & Data Breach Report.
Do not underestimate the power of a strong password
Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every three months.
• 47% — the portion of small businesses that have suffered an attack involving the compromise of employees' passwords.
Source: Ponemon Institute 2019 Global State of Cybersecurity in Small to Medium-sized Businesses.
Implement security safeguards
Address cybersecurity vulnerabilities by adopting the security practices that other small businesses already have in place.
Security practices employed by small to medium-size businesses:
• 47% use multifactor authentication.
• 46% provide an alternative to keyboard entry (e.g., voice recognition or biometrics).
• 43% require the use of authentication apps.
• 41% periodically change passwords.
• 38% prohibit employees from reusing the same password on internal systems.
• 37% monitor third-party sites where compromised passwords are shared.
• 29% require minimum password lengths.
• 28% assign randomly chosen passwords.
Top controls:
• Secure configuration.
• Implement a security awareness and training program.
• Boundary defense.
Sources: Ponemon Institute 2019 Global State of Cybersecurity in Small to Medium-sized Businesses; 2020 Data Breach Investigations Report, Verizon.
Jamie Yoo, CISA, is a risk control consultant at CNA. For more information about this article, contact specialtyriskcontrol@cna.com. Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, can be reached at 800-221-3023 or at cpai.com.