By Gary Salman

It is no secret that small and medium-size businesses are favorite targets of hackers. What has been woefully underreported is the number of successful ransomware attacks that have been launched against businesses of all sizes. COVID-19 and major cyberattacks launched against Fortune 100 companies dominate the news, but in the past 12 months hackers have successfully attacked thousands of small businesses. These attacks are mostly ignored by the media.

Those who were already hit hard by the pandemic have had to quietly deal with an epidemic of ransomware attacks. Cybercriminals have upped their game and increased the sophistication of their attacks. In 2020, a vicious new tactic was introduced by cybercriminals: they are now publishing stolen data to public-facing, dark-web auction sites. Personally identifiable information, legal documents, tax records, and so on are being published if their targets refuse to pay the demanded ransom. Too many CPA firms make the mistake of assuming that “the bigger the entity, the bigger the risk,” but the reality is that small to medium-size firms are even more attractive targets for criminal hackers.

Large firms generally employ dedicated teams of cybersecurity experts who are 100% focused on attack prevention. These experts are typically credentialed, well-trained security professionals who build highly effective security infrastructures designed to find and remediate vulnerable areas. This strong, but expensive, strategy is one that most small and medium-sized firms cannot afford. Cybercriminals know this deficit, and they typically take the path of least resistance when targeting organizations.

What does this hacking trend mean for practices and firms? It’s not a pretty picture. Let’s say you arrive at work Monday morning and find 100% of your computers have been encrypted with ransomware. Your IT vendor comes onsite and says, “We have a major problem! Not only is your data encrypted, but the hackers left a note indicating they stole all your data.” Then you find out all your backups, including your cloud backup, are gone. It is eventually determined that hackers installed screen-sharing software four weeks prior to the ransomware attack and have been watching everything you do on your computer, including accessing your cloud software.

This is a common problem; one we see every week. Here are some common variables in all these attacks against providers:

• Each practice/firm thought they were protected by their IT company.
• All offices had a firewall and anti-virus software.
• Recovery and business interruption costs result in most small businesses spending in excess of $100,000.
• All local backups were encrypted with ransomware, and many of the cloud backups were destroyed by the hackers.
• Most systems had been compromised for days or even weeks prior to the IT company or practice knowing that they had been breached.

The data you store is just as vital as the data large firms have, but you cannot afford full-time staff dedicated to cybersecurity. So, what can you do to protect your client data and your business?

The good news is that there are effective and affordable steps that any size firm can take today. The first step, and possibly most significant, is understanding that your IT provider is not a cybersecurity expert. A typical IT company’s area of responsibility is the installation and maintenance of a network. Most IT companies do not have the tools, training, certifications, or real-world experience to offer an effective security solution. You must have this conversation with your IT provider. If they encourage you to engage a dedicated cybersecurity company, then at least you know that you are working with a technology partner who has your best interest at heart.

Engaging a dedicated cybersecurity company may be easier and less expensive than you think. There are companies that offer affordable, effective security solutions that add the necessary layer of protection firms should have in place to protect themselves and their clients. At a minimum, any company you consider hiring should offer the four pillars of an effective security solution:

• Pillar 1 – A complete assessment of your operations, technology, policies, and procedures. After that assessment, a gap analysis should be provided to outline the areas that represent risk.
• Pillar 2 – The management of vulnerabilities that exist on your network. These vulnerabilities are present on everyone’s network and are what hackers use to gain access to your data. They exist on your computers, firewall, printers, security cameras, and any smart devices that you may have in your practice. The discovery and remediation of these vulnerabilities are critical parts of creating a more secure environment.
• Pillar 3 – Cybersecurity awareness training for your staff. Help your employees understand the risks that exist in your practice and empower them with the knowledge to help minimize these risks. Building a “human firewall” is necessary in today’s environment.
• Pillar 4 – A penetration test performed against your network at least annually. Most cybersecurity companies employ ethical hackers who have the same talents and capabilities as the bad guys, but their role is to test the security that you have put in place. If an ethical hacker has a difficult time gaining access to your data, then a criminal will likely have the same difficulty and move along to another target.

Implementing an effective cybersecurity solution in your practice requires zero downtime. Most cybersecurity professionals can add the required layers of security without taking your network offline, and most of the work is done behind the scenes.

It is time to go on the offensive, feel empowered, and take the steps necessary to protect your livelihood. Take some of the power away from the ruthless cybercriminals who bring havoc to practitioners.

You are not powerless. You can avoid becoming a victim and remove the target from your back. You should feel confident being able to focus on your clients and letting your cybersecurity provider worry about hackers.

Gary Salman is CEO of Black Talon Security. He has more than 30 years of experience in the technology field and regularly leads training and educational workshops. He can be reached at gary@blacktalonsecurity.com.

Sign up for weekly professional and technical updates from PICPA's blogs, podcasts, and discussion board topics by completing this form.