All CPA firms have something in common: we have access to a tremendous amount of sensitive client data. If we get compromised, that means some or all of our clients are compromised as well. That is a worst-case scenario for a CPA firm, and it can be tremendously detrimental to the relationships and trust that have been established over time. CPA firms have a great deal of responsibility to not only perform the services we have been hired to provide, but also to protect the data entrusted to us from cyberattacks. Unfortunately, as long as data is housed on our computers, we will be under attack. From phishing emails, to bad actors probing and poking us to find weaknesses to exploit, a cyberwar is raging. What are you doing to protect yourself?
There are countless ways to field a defense, but there are five critical areas of which CPA firms need to be mindful to enhance their cybersecurity:
- Two-factor authentication, also called multifactor authentication
- Secure management of passwords
- Secure transmission and receiving of sensitive data
- Use of a least-privilege model to secure data
- Collaboration between consulting teams and the internal tech and security teams
Two-factor authentication (2FA) is an added layer of protection for user logins. With 2FA in place, a physical token, short message service (SMS) message, cell phone app, fingerprint, etc., is required in addition to a password to access a system or service. With the National Institute of Standards and Technology Publication 800-63B, released in June 2017, 2FA must be in place to be considered strong authentication, regardless of password length, complexity, or rotation period. As a cybersecurity penetration tester, I steal passwords every week. If my target does not use 2FA, as soon as I get a password I am going through their emails and logging into the network and other sensitive resources. Even if 2FA is used, it often is not in place on all external resources or is configured with flaws. Many organizations might have 2FA for their virtual private network, but not on email, which can be just as sensitive. Implementing 2FA makes compromising a network more difficult for an attacker by adding another layer to the authentication process.
Hopefully, by now, we are aware of what a strong password is. The longer the password, the better; complexity doesn’t matter as much as length. We also need a unique password for every account. These days, we have so many accounts it is impossible to remember a unique password for each one. That is where password managers come in.
A password manager is a service or software that securely stores passwords and protects them using a single strong master password and multifactor authentication. Instead of reusing the same password over and over again, use a password manager to generate and store strong, randomly created passwords in a vault. When you need access, password managers offer browser plug-ins and mobile apps so you always have easy access to your strong passwords. Password managers allow us to have strong and unique passwords for every account, which is key to making passwords harder to crack. As an added benefit, password managers reduce the number of password resets you have to perform for all your accounts.
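The two points above, that length matters more than complexity and that a password manager should generate random passwords for you, can be checked with a short calculation. The example below is added here and is not from the original article; the guess rate of 1e11 per second is a constructed figure used only for comparison.

```python
import math
import secrets
import string

# Two alphabets: "complex" (upper, lower, digits, symbols) and lowercase only.
COMPLEX = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LOWER = string.ascii_lowercase                                       # 26 symbols


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e11) -> float:
    """Worst-case years to try every candidate at an assumed offline guess rate.

    The default rate is a constructed figure, not a measurement of any real rig.
    """
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 20, alphabet: str = COMPLEX) -> str:
    """Vault-style generation: a CSPRNG choosing uniformly from the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare() -> dict:
    """Entropy of an 8-char complex password vs a 16-char lowercase one vs a
    20-char generated one, to show length outweighing character variety."""
    return {
        "8_complex": keyspace_bits(8, len(COMPLEX)),
        "16_lowercase": keyspace_bits(16, len(LOWER)),
        "20_complex": keyspace_bits(20, len(COMPLEX)),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:13s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
    print("generated:", generate_password())
```

The 16-character lowercase password has roughly 75 bits of entropy against about 52 for the 8-character "complex" one, which is the reason long passwords and passphrases are preferred.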
Another threat that confronts CPAs every day is the sloppy use of email. Email is a great technology and an efficient communication method, but it is not secure. I can’t tell you how many passwords, driver’s license scans, tax documents, and other types of sensitive and personal information I have found during penetration tests when going through email. Often there is enough information discovered in email to stop our testing right there and still consider it a significant data breach. Be mindful of what you communicate via email. The easiest way to prevent sensitive information from being transmitted via insecure email is to provide an alternative and train your employees on how to use it. Clients also need to be managed because they might provide sensitive information via email. Having a client portal, secure messaging platform, or other easy-to-use resource for sharing sensitive information and files reduces the amount of sensitive data being transmitted via email. Enhance your sensitive data transmission even further through solutions such as data loss prevention software to block improper sharing of sensitive information.
Despite your precautions, it still might be possible for a bad actor to obtain access to a network. If an account is compromised, the attacker has the same access that an employee has. That is why using a least-privilege model is important when it comes to data and system access policies. Provide each employee with access only to the systems and resources required by the employee’s job function and no more. Least privilege can limit an attacker’s access if they do gain entry to your system, and it can provide more time for your firm’s defense to detect and react to an attacker before increased levels of compromise have been achieved.
Some firms provide information security consulting services, such as penetration testing or general security consulting. If this applies to you, is your consulting wing working with the firm’s internal technology and security teams? If not, the firm is missing out on getting advice from your own consulting practitioners who deal in security across a wide range of clients. They likely know what works and what doesn’t when it comes to security, and they might be able to provide valuable insight to the firm’s internal teams that don’t interact externally as much.
It is easy to get overwhelmed and feel like there is nothing we can do to prevent cyberattacks. But if we step back and break down security into digestible chunks, we can continue to mature and increase the security we provide for ourselves and our clients.
Matt Dunn, CISSP, GXPN, is lead cybersecurity analyst for Schneider Downs & Co. Inc. in Pittsburgh. He can be reached at firstname.lastname@example.org.