Counting the Cost: CPAs and Cybercrime
Don’t get caught off guard.
Our economy grows more reliant on technology by the day, and there’s no sign of it slowing down. While our hyperconnected world provides plenty of positives, it also opens the door to something far more sinister: cybercrime.
When it comes to digital attacks, it’s easy to think “It won’t happen to me.” But cybercriminals breached over 174 million private records in 2017… and that’s just in the United States. And when you consider that roughly 90% of U.S. companies have reported experiencing a hacking incident at some point, the picture becomes clear: Cybercrime is here to stay, so your only choice is to be prepared.
The scope of this digital malfeasance can seem overwhelming, but you aren’t powerless to defend your firm. Keep reading to learn how CPAs can help keep the cybercrime vultures at bay.
Size Up the Risk
If you’re a modest-sized accounting firm, you may think you’re off the radar. After all, why would a criminal go for your business when there are so many bigger ones they could target instead?
In reality, small and medium accounting firms can be more of a target. There are two primary reasons for this:
- Smaller firms still have lucrative clients worth hundreds of thousands (or even millions) of dollars. Sensitive information on these high-value customers is valuable on the black market, which makes firms of all sizes a target for criminals.
- By their very nature, small and medium-sized firms have fewer resources and less budget to devote to security. This can make it much easier for criminals to infiltrate their infrastructure. Though smaller organizations may not yield as high a payday for hackers, the barrier to entry and risks can be much lower.
Bottom line? Don’t delude yourself into thinking your firm is safe just because of its size. Cybercriminals are happy to steal from any victims they can profit from.
Know the Tricks
The first step in protecting your firm is understanding what you’re up against. If you don’t know cybercriminals’ nefarious strategies, you won’t know where to focus your defenses.
Here are some of the most common types of digital hoaxes to be aware of.
- Impersonating the CEO: One of the most devious tricks in the cybercriminal’s arsenal is posing as the firm’s CEO and requesting sensitive information from a subordinate. This often occurs via email, and can look surprisingly authentic… even down to the signature and address. Most employees aren’t going to say no to a demand from top brass, so by appealing to authority, these hackers dupe earnest people into handing over sensitive material that can put your entire firm at risk.
- Holding Data for Ransom: Certain types of malware are able to scour your internal network for valuable information. Once this data is obtained, these programs hold the info hostage—refusing to return the records to their rightful owners unless an exorbitant ransom fee is paid.
- Phishing: Phishing is one of the most widespread forms of cybercrime. Scammers using this tactic will send an official-looking email that contains a compromised link or attachment. If an unsuspecting user clicks on the material, a virus can infiltrate the network and extract data—sometimes without the user even knowing.
- Unsafe Sites: Not all viruses are acquired through email. Some websites have security vulnerabilities, and users visiting these sites can end up with an infected machine just through casual Internet browsing.
Though these tactics are among the most common, new schemes pop up with alarming regularity. And unfortunately, these scams become more sophisticated and convincing by the day.
So how can your firm get ahead of such a widespread and constantly evolving threat?
Strategies for a More Secure Firm
There’s no one-size-fits-all solution when it comes to cybercrime, but here are some great ways to get started.
- Conduct a Security Audit: It’s almost impossible to know where your biggest technological vulnerabilities are if you don’t look. Hiring an outside partner or instructing an inside tech guru to scan your systems and software is a great way to identify digital holes to plug.
- Train Your Employees: Your best line of defense is also the one most likely to let fraudsters in: your employees. Company-wide training is critical. Make sure everyone knows which red flags to be aware of. Outside expertise may be required to get your workforce up to speed, but the investment is more than worth the price of admission.
- Patch Your Software: Developers and hackers are in a constant arms race. Software is released, hackers find an exploit, a patch is created to fix the vulnerability, hackers find another opening, and on and on it goes. So if you don’t update your applications regularly, you’ll be using outdated software with big security holes. Make sure you’re updating your computer programs as soon as patches are available to mitigate risks.
- Create a Response Plan: You’ve just been informed by IT that your firm is being breached. Quick—what’s the first thing you do? Unfortunately, for most people, the answer is “panic.” But during a hacking incident, every second counts. Do you have a go-to plan in place so you know how to respond in the midst of a digital crisis? If you’re unsure of where to start, contact your local law enforcement agency and ask for specific steps to take if your firm experiences a cyberattack. Then you can build your plan from there.
- Get Cyber Liability Insurance: In the aftermath of a digital attack, cyber liability insurance will be your best friend. With this type of insurance on your side, your firm can recover lost funds from breaches caused by hackers, cyber terrorists, unauthorized third parties, computer viruses, and more. Some plans even have a public relations provision, which can help your firm fund breach notification expenses and reputation management efforts.
Cybercrime is a big threat that requires a multifaceted approach, but taking the steps above will put your firm ahead of the digital protection curve.
Better Safe Than Sorry
If you’ve never been the target of an attempted data breach, you may think you can put off preparing for one. Instead, you should thank your lucky stars that you still have time to put a strategy in place before it’s too late.
It can be stressful to think about, and it’s not fair that businesses across the world need to add cybersecurity on top of their already-full plates. But, as the old adage goes, it’s better to be safe than sorry. Heed that advice—it may be just the philosophy that saves your firm from an unmitigated cyber disaster.
This article is for informational purposes only.