Data thieves strike at any weak point

Cyberattackers keep adapting their tactics to exploit both human and technological weaknesses, so a firm's defenses have to cover its people as well as its systems.
Compiled by Jamie Yoo

Top problems

Leading privacy event types reported by CPA firms in the AICPA Professional Liability Insurance Program in 2019:

• 15% — External breach to CPA firm's network

• 15% — Ransomware event

• 15% — Breach at service provider

• 14% — Business email compromise

Source: CNA Accountants Professional Liability Claim Database, underwritten by Continental Casualty Company. Copyright © 2020. All rights reserved.

One email is all it takes

You wouldn't let a stranger into your house, so don't let clicking on a strange email jeopardize your business.

• 48% — the portion of business email compromise (BEC) cases that resulted in a breach of sensitive information.

• 18% — the portion of all BEC incidents that targeted financial services organizations (including professional firms).

• $264,117 — average amount BEC threat actors stole from victims per incident.

Source: Crypsis 2020 Incident Response & Data Breach Report.
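The statistics above describe the outcome of BEC; what a firm can actually act on are the signals that precede it. The following is an added example, not code from the article or from CNA, of the checks a mail filter or SOC analyst applies to one message: a display name that matches an executive but an address that does not, a sender domain one keystroke away from the firm's, a Reply-To that points somewhere else, and payment-urgency language. The firm domain, the executive directory, the two sample messages and the function names are all constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "examplecpa.com"  # assumed firm domain for this example
# Constructed directory of people whose names attackers like to borrow.
EXECUTIVES = {"pat lee": "pat.lee@examplecpa.com"}
URGENCY_TERMS = ("urgent", "wire", "gift card", "new bank account")

# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: Pat Lee <pat.lee@examp1ecpa.com>
Reply-To: Pat Lee <accounts@mail-relay.example>
To: staff@examplecpa.com
Subject: Urgent wire before 5pm
Content-Type: text/plain; charset=utf-8

Please send the wire to the vendor's new bank account today and confirm by reply.
"""

SAMPLE_LEGIT = """\
From: Pat Lee <pat.lee@examplecpa.com>
To: staff@examplecpa.com
Subject: Lunch on Thursday
Content-Type: text/plain; charset=utf-8

Can everyone make noon?
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to flag domains one or two keystrokes from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    hits = []

    # 1. Display name belongs to a known executive, but the address does not.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        hits.append("display_name_impersonation")

    # 2. Sender domain is a near-miss of the firm's own domain (e.g. "l" -> "1").
    if from_domain != OUR_DOMAIN and 0 < levenshtein(from_domain, OUR_DOMAIN) <= 2:
        hits.append("lookalike_domain")

    # 3. Replies are redirected to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        hits.append("reply_to_mismatch")

    # 4. Subject or body pushes for an urgent payment or banking change.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(term in text for term in URGENCY_TERMS):
        hits.append("payment_urgency")
    return hits


if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample) or "no indicators")
```

No single indicator is conclusive (a genuine vendor may use a different Reply-To), which is why the function returns the full list rather than a verdict: a message that trips three or four of these is the one that should be held for a phone call to the requester before any funds move.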

Ransomware exploits more than technical vulnerabilities

Like many data security incidents, it often starts with human manipulation and social engineering.

• 43% — the portion of ransomware incidents where social engineering was the attack vector.

• 200% — the rise in the average requested ransom amount from 2018 to 2019.

• $115,123 — the average ransom amount demanded in 2019.

Source: Crypsis 2020 Incident Response & Data Breach Report.

Do not underestimate the power of a strong password

Treat your password like your toothbrush: don't let anybody else use it, and replace it promptly if you have any reason to think it has been exposed. Length and uniqueness matter more than the calendar; current NIST guidance (SP 800-63B) advises against forcing changes on a fixed schedule unless there is evidence of compromise, because scheduled rotation tends to produce predictable variants of the old password.

• 47% — the portion of small businesses that have suffered an attack involving the compromise of employees' passwords.

Source: Ponemon Institute 2019 Global State of Cybersecurity in Small to Medium-sized Businesses.

Implement security safeguards

Address cybersecurity vulnerabilities with the practices that other small and medium-size businesses already use, and with the controls the breach data show matter most.

Security practices employed by small to medium-size businesses:

• 47% use multifactor authentication.

• 46% provide an alternative to keyboard entry (e.g., voice recognition or biometrics).

• 43% require the use of authentication apps.

• 41% periodically change passwords.

• 38% prohibit employees from reusing the same password on internal systems.

• 37% monitor third-party sites where compromised passwords are shared.

• 29% require minimum password lengths.

• 28% assign randomly chosen passwords.

Top controls (CIS Controls, as prioritized in the Verizon 2020 Data Breach Investigations Report):

• Secure configuration.

• Implement a security awareness and training program.

• Boundary defense.

Sources: Ponemon Institute 2019 Global State of Cybersecurity in Small to Medium-sized Businesses; 2020 Data Breach Investigations Report, Verizon.
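Three of the practices listed above (minimum password length, screening against third-party sites where compromised passwords are shared, and assigning randomly chosen passwords) can be enforced in a few dozen lines. The code below is an added example, not code from the article or from CNA. It screens a password against a breach corpus using the k-anonymity range-query pattern, in which only the first five hex characters of the SHA-1 hash are sent to the lookup service and the full hash is compared locally. The corpus, its counts, the minimum length of 12 and the function names are all constructed assumptions for this example; a real deployment would point range_lookup at an actual breach feed.

```python
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 12  # assumed policy value for this example


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(seen: dict) -> dict:
    """Constructed stand-in for a compromised-password feed, keyed by the
    first 5 hex characters of the SHA-1 so a lookup reveals only that prefix."""
    corpus = {}
    for password, count in seen.items():
        digest = sha1_hex(password)
        corpus.setdefault(digest[:5], {})[digest[5:]] = count
    return corpus


# Constructed sample data; the counts are invented, not from any real feed.
CORPUS = build_corpus({"password": 100000, "Password1": 20000, "letmein": 5000})


def range_lookup(prefix: str) -> list:
    """Stand-in for the remote range query: given a 5-char prefix, return
    'SUFFIX:COUNT' lines for every corpus hash under it (the same shape a
    real k-anonymity lookup service returns)."""
    return [f"{suffix}:{count}" for suffix, count in CORPUS.get(prefix, {}).items()]


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if never).
    Only the prefix is queried; the suffix comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


def check_password(password: str) -> list:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    count = breach_count(password)
    if count:
        problems.append(f"seen {count} times in breach corpus")
    return problems


def generate_password(length: int = 16) -> str:
    """Random password drawn from the OS CSPRNG, regenerated in the unlikely
    event it violates the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3!!", generate_password()):
        print(repr(pw), check_password(pw) or "ok")
```

The prefix-only lookup is the point of the pattern: the firm can consult an external breach feed without ever handing it a user's password or a hash that could be reversed against a wordlist.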

Jamie Yoo, CISA, is a risk control consultant at CNA. For more information about this article, contact the author. Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit
