CPAs working in not-for-profit and government accounting fields are increasingly getting more responsibility with regard to cybersecurity and the protection of financial data. This topic was explored at greater length at PICPA’s 2019 Government & Not-for-Profit Conference on July 22-23, but Sassan Hejazi briefly explained some of the next-level thinking needed to prevent sensitive information from falling into the wrong hands. Hejazi is a director of technology solutions with Kreischer Miller in Horsham, Pa.
By: Jim DeLuccia, PICPA Communications Manager
CPAs working across many industries are increasingly getting more responsibility with cybersecurity and the protection of financial data. This is especially true for CPAs working in the not-for-profit and government accounting industries. Sassan Hejazi PhD, a director of technology solutions with Kreischer Miller in Horsham, Pa., joins me on the phone today to briefly discuss some tactics CPAs can use to better protect financial data at their organizations.
Now, Sassan, along with Frank Pina, CPA, managing director and co-chair of Mercadien PC's Forensic and Litigation Support Services Group in Princeton, N.J., will discuss this issue at greater length at PICPA's 2019 Not-for-Profit and Government Accounting Conference, which is scheduled for July 22-July 23 at the Hershey Lodge. Sassan, thanks so much for joining me on the phone today.
Oh, thank you. It's a pleasure to be with you, Jim.
What's one new IT challenge? Perhaps it's a scam or updates to regulations, that has arisen over the last several months that you've seen that could really affect CPAs working in the not-for-profit and government accounting industries.
As we all know, there were significant tax law changes adopted last year. As a result, we've seen an increased level of fake type of reach-outs, links, information-gathering type of requests in regards to the changes in the tax laws impacting the governmental and social services organizations that we are dealing with. A lot of those phishing emails and reach-outs are taking advantage of the uncertainties and changes in the latest tax laws and so forth. That has created havoc for clients clicking on the wrong links, downloading files that are infected. So, we see quite a bit of that traffic over the past year.
In your opinion, has artificial intelligence led to more challenges securing financial data?
Artificial intelligence, or AI as it's commonly referred to, it's a pretty hot topic item. A lot of companies are talking about it. A lot of software applications are using the AI techniques. What has really happened, I guess the law of unintended consequences, is that there are a new breed of software systems that have AI capabilities that can allow easier methods of harvesting unauthorized information. It's really being used in the reverse of what was originally intended. So, as the software systems become more intelligent, and the way they become more intelligent is by use of AI techniques and technologies, then they're going to be able to put into use for not necessarily the good of society, but they could be leveraged also at the same time by criminals and hackers in order to make it easier for them to launch more sophisticated attacks.
Your presentation is expected to go beyond the fundamentals of cybersecurity. What are one to two strategies you can share now regarding protecting financial data that go beyond the basics?
Maybe this borderlines on it sounds basic, but it really isn't basic. The one element, Jim, that we would recommend is the concept of trust. The web of trust. Really understanding who you are communicating with. Do you really recognize the other side of the information exchange, let's say via email or a website visit, and so forth. The concept of the trust to be always very vigilant about who you are communicating on the information superhighway, from a trust standpoint. The other element is really the level of tightening of information. We'll talk about it during the upcoming event. Technology such as encryption, making sure we have hardened mechanisms for information. Information is hard to crack. Whether it resides on our laptops or mobile phones or desktops or stored on devices, and also via communication. That would put the two really important concepts of the web of trust and verification of that, and then hardening of systems using tools such as encryption as a couple really key elements there.
It seems like it used to be that only IT professionals needed to be concerned about cybersecurity. Why is it important now for CPAs, especially those working in not-for-profit and government, to take some control in this area?
The issue is that first of all, the majority of breeches occurring because of outside of IT. This is non-IT, meaning that there end users or owners of information. So, that's in general. Then we come and zoom in in terms of our industry, and accounting industry, financial services industry, and also the industry for let's say not-for-profit and social service concerns. Then in those settings, first of all, being in the accounting business, we as accountants and accounting firms hold a valuable set of information, a lot of private personal identifiable information, or PII, social security numbers, a lot of financial information about our clients, whether they're at the individual or the corporate level. So, that is a very high value asset for folks to be able to get their hands on.
Then second, on the social services side, is that it becomes much more challenging, is that a lot of the social services or not-for-profit organizations, and even many governmental at the local and state level, frankly, have very limited IT budgets, so their defenses are not as strong as it would be in a much larger organization because of the lack of availability of funds to invest in those. When you put all these factors together, you have a perfect storm. For hackers and criminals, really, accountants who also service the space for the not-for-profits or social services, it's really a goldmine of information for multiple reasons that I just mentioned.
That's a great point that you mentioned about the lack of resources, and I suppose the lack of staff that makes this responsibility thrust upon CPAs and those working in finance, right?
Absolutely. The important thing is that we as CPAs and advisors to clients, whether internally within organizations or outside in public accounting, we have to remember that this is not an IT or a technical person's responsibility. Any time we are looking at a document, we are looking at information that has privacy concerns and confidential information about that client or individual, whether it's a corporate entity or a person, we need to be thinking about, well how am I collecting this information? How am I storing this information? Who else has access to the information that has been stored? Then how are we going be distributing the results of the analysis made of that information? Going back to the basics of how I am looking at the whole life cycle of the information. Who, what, where, when is touching that information. So, we have to be very vigilant about it. There are a number of strategies that we're going to be talking about in the upcoming talk this summer that our colleagues would be able to put into practice.
You actually probably touched on this a little bit here earlier in the conversation, but I wanted to wrap this up by asking you what is one piece of advice you can provide to a CPA who doesn't feel comfortable in getting involved in IT security, but again by the nature of their work needs to take more responsibility in this area?
Just again the vigilance about the information that they are handling. Being extremely careful. Think of it as the piece of information, any form, any document that they're handling, whether it's on their computer system or in a file folder or in their briefcase or on their desk in their offices or what have you, treat that as a precious metal, like a compound. Just be very careful about the value of that. We are overwhelmed with that information, but to us it might be just another tax return, another corporate return, another information, like a bank statement of a client or what have you, but that information has tremendous value to criminals and it's very easy to be able to get their hands on it. If it's a piece of information sitting on my desk, they could easily take a picture of it in their cell phone, or if it's sitting on an unsecured laptop or it's stored on a stick that is not encrypted, that's connected and is sitting on my desk, they can easily just pull that stick and walk away with a tremendous amount of information that could do us damage.
Again, just be extremely vigilant about how we treat that information and how we view it, and understand that the value of that information, that it has to others outside our organization.