Bots emerge as cyber threat for accounting firms

Hosted by Jeff Drew

ChatGPT and other generative artificial intelligence bots have made a big splash this year, with ChatGPT even passing the CPA Exam earlier this month, but there is another kind of bot accountants need to know about.

Cybercriminals have started using bots to identify zero-day vulnerabilities in routers, servers, smartphones, Windows, web browsers, and antivirus software. Once the hackers discover a vulnerability, they send out their bots to exploit it in as many places as possible, with CPA firms and finance departments among the potential targets.

What can CPAs do to shore up their cyberdefenses? The latest episode of the Journal of Accountancy podcast, produced in partnership with the Small Firm Philosophy podcast, addresses that question with Roman Kepczyk, CPA/CITP, CGMA, director of firm technology strategy for Right Networks and author of the AICPA Private Companies Practice Section's CPA cybersecurity checklist.

What you'll learn from this episode:

  • What a zero-day vulnerability is and why patching is so important.
  • The latest in strong password rules and tools.
  • Key cybersecurity risks and mitigation strategies for remote workers.
  • The technology trend Kepczyk is most excited about.

Play the episode below or read the edited transcript:

— To comment on this episode or to suggest an idea for another episode, contact Neil Amato at

Jeff Drew: Welcome to a special edition of the Small Firm Philosophy podcast produced in partnership with the Journal of Accountancy podcast. I'm your host, Jeff Drew, a manager with the AICPA's Private Companies Practice Section, or PCPS. If you are a PCPS member, you should be familiar with our guest today. Heck, if you have any interest in technology in the accounting profession, you have likely seen or heard the name Roman Kepczyk, the director of firm technology strategy for Right Networks. Roman is also one of the most prolific authors and speakers on all things accounting technology.

In addition, he writes a monthly technology column exclusively for PCPS members that comes out the last week of each month, May through December. To top it off, he is the author of our popular CPA cybersecurity checklist that the PCPS puts out for the AICPA. Roman, welcome to the Small Firm Philosophy podcast.

Roman Kepczyk: Thank you, Jeff. It's actually a pleasure to spend a little time with you today.

Drew: We're going to focus on cybersecurity today because it's crucially important for firms, but I do promise we will ask Roman a fun question before the end of the show. But, Roman, let's jump right in. What is the state of cybersecurity for accounting firms in the first half of 2023, what are the top threats facing firms, and is there anything new we should be worried about?

Kepczyk: Thank you, Jeff. Well, first of all, what we will say is that firms of all sizes, regardless of whether they're a sole practitioner or a medium or large-sized firm, are potential targets for hackers. Basically, the big trend that's happened is the hackers have started using automated bots to go out there and identify specific zero-day vulnerabilities. Now that could be your server operating system, where they find out something wrong and then they know who's running that operating system. It could be a device like a router. It could be an update to Windows, your antivirus, or a vulnerability inside of your browser software. It might even be the operating system inside of your smartphone.

As soon as hackers are aware of a way to get into that system, they send their bots out to everybody, and again, that includes our largest and smallest practitioners out there.

Drew: Just in case anyone doesn't know what a zero-day vulnerability is, can you explain that a little bit?

Kepczyk: Well, zero-day vulnerability is a flaw in the software that hackers take advantage of to get inside the system to inject some kind of malware. They call them zero days because the bad actors know about it, but the software developer doesn't. For example, if you happen to use a smartphone, they either use Android or Apple software. I mean, some of these zero-day vulnerabilities go on the open market for $10 million, where the hackers buy them and then they know they can get into all the Apple devices until those Apple devices are patched.

As soon as the vendor, the software vendor, whether it's Microsoft or Apple, is aware of that vulnerability, they will write a patch to fix it, block it, or somehow remediate it, and then they roll out those updates against that. But between those two dates, when the hacker identifies a vulnerability they can use and the software vendor has a rollout that the firm actually implements, that's when everyone is a target who is open to that issue.

Drew: That's a good transition into our next question. What policies and technologies should firms have in place to protect their networks and data?

Kepczyk: I think when we talk about the attacks on firms, pretty much we take a three-pronged approach to smart security management. You can't just have one set of policies. You need to have a set of policies that protect your infrastructure where all the data is located, and we recommend that be in the cloud today. We also recommend you protect local devices and, of course, train your personnel. When we talk about local devices, the first step is making sure that you only allow access to people who are authorized to get access to the system. In most cases that's a login and password.

Today, everyone should be using updated complex passwords, which means every login is unique and every password is unique. What I mean by that is, if I log into a site, I can't recycle passwords between different sites because there's a threat known as credential stuffing that the hackers use. But once they breach one site, they would use that password and test it on other sites that have the same kind of login.

Today we recommend everyone have passwords that are a minimum of 12 characters, and I'll be honest, it should probably be 16 or more. The only way we can remember that is by having, like I said, either a password wallet or using a password phrase, which is a combination of three or four words that normally wouldn't appear together. We actually recommend, like I said, using complex pass phrases and having password wallets. I don't know if you've spoken about password wallets in the past. But basically (password managers is another term), there are tools out there that, once you input a complex password, will actually create either a very long, ugly password or create a unique one for every place you log in. Then as you log in to your websites, into your tax applications, your research, into your email and all that, it automatically inputs those complex passwords.

Then in the event one of them is breached, they can't use that same password on other sites. Some of the more popular password managers, there's tools like 1Password, Dashlane, Keeper, RoboForm, etc. I mean, if you just look at the ratings, the same three or four always appear as the top, and what we like about these tools is it allows you to set up passwords, not only for you in your work environment, but also with your family. You can have a component where your family members have unique passwords and all that. That significantly minimizes the risk of someone being able to hack your password.

The other component that all firms should be using by now is multifactor authentication. That is when you log in and put in your password, there is a system out there. The most common I see are Duo and Okta, but both Microsoft and Google also have authenticators, and it will send a link to your phone with a message or a code or something. That gives you just an additional layer of security that you are who you say you are and you're connecting to it. We think, as a first step, every firm should, for identity management, start by having strong passwords, using password wallets, and multifactor authentication.

Drew: I've also heard about biometric keys. What's your view on those?

Kepczyk: Biometric keys are things where it uses either your fingerprint or it does identification of your iris or the size of your face. A lot of people use biometrics to log in to their smartphones or enter the Windows Hello device that's out there. I believe that long-term that'll become the additional step that needs to be taken. In addition to the complex password, the multifactor authentication, I think having a biometric verification will give that extra layer of security being built into it.

Drew: It's been three years since COVID-19 forced everyone to remote work, usually overnight literally. What do firms need to do today to ensure their people have in place the right systems to protect their home networks, and what do firms need to have on their end to protect themselves from threats emanating from any remote vulnerabilities?

Kepczyk: Well, on the firm's side, what I find is it's very difficult for any internal firm to do their own security themselves properly because most IT people either don't have the training or they don't have the time to maintain that. We recommend firms partner with a managed security provider that can provide enterprise-class resources to protect the network. That includes the intrusion detection, prevention, remediation, all those components in it. But for home users, which you mentioned in COVID, we noticed right away that people at home had very little instruction on how to connect. In many cases, they might have even been using a family computer to connect to it. The difficulty is firms don't know what's on that computer, whether that computer or one of the devices in the home is compromised.

Best practices we recommend for remote workers are that, first of all, you use a firm-managed computer that is set for automatic updates for Windows, for antivirus, or patches to the browser. Then when you connect to the home network, we recommend anybody who uses a router, whether it's Ethernet or Wi-Fi, that is older than two years, if it doesn't have WPA2, that's wireless privacy level 2 or 3, we suggest they acquire a new Wi-Fi 6 router. Then when you get that, the first thing you do, either with that new router or with the existing router you've got, is we recommend you go directly to the website that created that router and look for any updates or patches for the security software.

Download those patches, change the SSID, which is the default network name that's out there. Input a complex password that only you and your family knows. The next step is what a lot of firms mess up or individuals mess up, is they don't segment the network at home between work and family. What I mean by that is all the new routers have the capability where you can set up one configuration for work and actually prioritize the traffic on that. So when you're working on your computer back in the office, you get the best of the bandwidth there. Then the rest of the family would be on a different part of the network and segmented with a different password. You can even do a guest password for family, friends, but we think that should be separate from what you use for your work.

You'll also put all of your IoT things, Internet of Things technologies like your Ring doorbell, your Amazon Alexa, baby monitors, even the kids' games they connect to the Internet, those should be all on a separate part of the network so that if they happen to download some free software or something and it has been compromised, it does not impact you. The other thing we recommend all of our firms do is that they mandate the use of a VPN anytime you're outside of the office.

What we consider public internet, traditionally you talked about coffee shops, we talked about the airline industry, working at airports, but even client offices are considered public if you don't know how their network has been configured. We think it's very important to train your employees to always connect to a VPN before they connect to any unknown public wireless network just to be secure, and they need to be well-trained on doing that.

One other solution we found that works really well in firms is that when your people are working remote, using the mobile hotspot, the 5G or 4G system that's inside of the phone, that's actually more secure and once the accountant has learned to use that, they can consistently connect everywhere, as opposed to learning how a new connection works at the coffee shop, the client's office, or a remote site.

Drew: Then you just have to worry about drain on the battery or the battery has gotten to the point where that's not too big a problem?

Kepczyk: When we talk about draining a battery, the hotspot inside the phone, a lot of days today, you can actually plug it into your USB-C port inside your laptop and get the charge from there so, as long as one of the devices has power, it flows through. But I've been working on the road for close to three decades now, and in the last two decades, all my work remotely has been through the mobile hotspot on my phone.

I'll admit sometimes it is slow, but I know it's more secure than connecting to a Wi-Fi system that could have been breached and maybe has a keyboard logging software on it so that it captures my login and password. I'd rather [inaudible] the risk of my credentials being captured out there.

Drew: Yeah, that makes sense. You mentioned enterprise class security. I know some large enterprises that engaged outsourced tools and services for intrusion detection, prevention, mediation. Are there tools and services available that even small- to, let's say midsize firms can employ to bolster their security?

Kepczyk: Absolutely. The key thing is not having the firm try to learn it and figure it out themselves. Today there's a whole slew of focused, managed security providers, both local network managers that have a certified information specialist on staff whose whole focus is implementing security solutions. It helps if they do understand the accounting profession. Realizing that we have a variety of tax verticals, or I should say tax assurance where people are working in the field, Client Advisory Services where they're doing monthly accounting, remote workers. We have a very complex environment so it helps if you work with a managed security provider who actually understands the accounting profession that's out there and knows where the risks apply.

Drew: Data breaches, not only there's reputational risk and having to deal with potential ransomware and stuff, you can also end up as a firm being hit with fines in class-action lawsuits. Can you describe these risks and talk about how firms can mitigate them?

Kepczyk: What it really comes down to is when Gramm-Leach-Bliley came out, basically, it created rules about protecting data and that protection actually rolls to accountants and tax preparers out there. Gramm-Leach-Bliley imposed fines up to $100,000 if there was a breach or failure to disclose that breach.

In addition to that, many of the states actually started creating their own rules. We for years have talked about how Massachusetts and California are some of the toughest and most onerous, but you can have fines anywhere from $100-$10,000 per violation of not notifying of a breach or having client data get out there. There's actually a website called that lists the rules for each state and basically what the fines could be. Fines can be significant.

We saw a scenario during COVID, where an Oregon firm who was breached, let's say at the start of tax season, didn't notify their clients until at the end of tax season, and they were fined $50,000. Another breach that happened last summer was an Illinois firm that didn't notify their members of their breach for over a year. There was actually a class-action lawsuit that went against them, and last summer they had to pay out just over $900,000 for that. What's scary is you hear about these stories all the time, they don't always make the accounting press, but there's actually a website called that lists public notifications of breaches out there, and if you do a search on accounting or CPA, you'll get a listing of the firms that were breached during this year. What happened, specifically, what records were made public out there, what information was disclosed, and what their remediation for that is.

Drew: Well, I'll put the link to the websites you mentioned in the show notes. We're getting close to the end of the show, and I promised to ask you a fun question after hearing about all the fines and lawsuits, I think we need a fun question. What technology or tech trend affecting accounting firms are you most excited about?

Kepczyk: Well, as you know, most of my time I spend consulting inside of accounting firms and working with them to develop their accounting technology stack. Over the last few years when you talk about the advances happening in client accounting and advisory services, the technology stack that firms are using to service their clients has really expanded from traditional basic accounting products that we input data into, to having it link to banking, payroll, expense reporting through the use of APIs, application program interfaces, and some components of machine learning.

I see we're getting very close to the next phase of technology and actually using artificial intelligence. There has been augmented intelligence with the CPA. When it sees a scenario and an expense report, it codes and every time that scenario comes up, it happens up again. But most of us have read about this ChatGPT that was developed by OpenAI.

Drew: Yeah.

Kepczyk: What ChatGPT does is, it's a natural language interface where you type in questions like you'd ask it, and then it comes back based on the database that it's been trained on and gives you a human-like response. You can actually customize it even to learn your own persona and all that. They just rolled out on March 15 ChatGPT-4, that does additional features and all that. The main point I'm making here is Microsoft has a significant vested interest in that. I think they put $10 billion into it, and we're going to start seeing in accounting firms that we can actually use this tool.

First, we'll see it in our Microsoft Office applications like Word and Excel, helping us find ways to write things better, explain things better, to make grammar corrections, and we have a little bit of that now, but pretty soon we'll be able to take data, for instance, and put it into Excel and do narrow analysis so that the analysis will say, hey, go and look here, look for anomalies repeated. Just imagine if it could analyze an entire general ledger system and actually help us with a lot of the things that our auditors who accountant to need. Honestly, I believe that's probably three to five years away.

The first part though, we should start seeing right away, where the artificial intelligence actually becomes an assistant for us. It won't replace accountants, but it'll help us do our jobs better. When I look at the Consumer Electronics Show this year, AI was in everything, toothbrushes, toilets. But the exciting part is when it goes into information, which is where we CPAs spend our time.

Drew: Well, that'd be very welcome with the tight labor market for accountants right now, which has been getting so much publicity. We recently had an article in the Journal of Accountancy as part of the Tech Q&A series about using ChatGPT to do an Excel macro. For that it worked pretty well. I know some of the conversations the chatbot has had with some journalists have gone haywire so I think you're definitely right it's a little ways away from being ready for a full primetime, but for limited use, it's definitely worth checking out now and the potential is amazing.

Kepczyk: Yeah, and remember whatever it's trained on is what it learns, and so sometimes this AI can have biases out there just based on the data that was input in the beginning. If, for instance, you ask ChatGPT anything about the current scenario in Ukraine, it wouldn't know that there was even a war going on because everything it was trained on happened before 2022.

Drew: That's an excellent point. Well, thank you, Roman, for your time and knowledge today. A couple of reminders before we sign off. PCPS members can read Roman's monthly Digitally Speaking column on the AICPA website. All listeners can find new and old episodes of the Small Firm Philosophy podcast on Libsyn at Episodes are also available on Apple Podcasts, Spotify, and wherever you get your podcasts. Like or follow us so you will never miss a show. If you're already following us, please recommend the Small Firm Philosophy to friends so they won't miss guests like Roman. Thanks again for listening. Until next time.