High Cybersecurity Risks Demand a Proactive Defense

Insightful lessons can be learned by reviewing professional liability issues. With this in mind, Gallagher Affinity provides this column for your review. For more information about liability issues, contact Irene Walton at irene_walton@ajg.com. 

Cybercrime and data breaches are now major threats for CPA firms and their leaders. Since 2018, the incidences of breaches that featured ransomware or extortion increased more than 40%. Globally, cybersecurity breaches sparked business losses of $1.5 trillion per year and hits to revenue of up to 25%.¹  

In 2021, a record number of ransomware attacks – when hackers encrypt computers and data until a ransom is paid – affected businesses of all types and sizes. The damages from these attacks will likely become more severe as ransom amounts increase. Ransoms grew from $7,000 in 2018 to $200,000 in 2020.²  

Ransomware is just one piece of the accounting industry’s cybervulnerability. Accounting leaders must plan for, and mitigate, the first- and third-party financial impacts of cybercrime and insider-precipitated data breaches. These costs can be immense. According to Ponemon Institute’s 2020 Cost of a Data Breach Report,³ the average cost of a U.S. data breach was $3.86 million. This included lost business averaging $1.52 million. Even if your losses are a fraction of these amounts, they can still be the difference between booking a profit or loss at the end of the year.   

Cyber Risk Management 

A defense from cyberattack can have dozens of elements. But before building your defense, first create an overarching strategy for keeping your firm safe. Experts say this involves building an enterprise cyber-risk-management program consisting of risk assessment, risk mitigation, and risk monitoring.   

• Risk assessment – Involves periodically evaluating the entirety of your business to identify weaknesses that could lead to a cybercrime or data breach. Plug gaps immediately with effective control policies and methods.
• Risk mitigation – Includes installing proven defensive measures that limit your external attack or internal mistake vulnerabilities. Also, develop an incident-response plan that allows you to reduce breach costs and accelerate recovery.
• Risk monitoring – Comprises continuous processes that track external threats and evaluate your firm’s ability to defend against them. This typically requires performing compliance reviews and operational audits that challenge your system’s ability to respond. 

Even though all three elements are essential parts of a cyber-risk-management program, mitigation is where your firm’s ability to defend itself will succeed or fail. 

Risk Mitigation

As you might imagine, risk mitigation is a multifaceted endeavor. Here are some of the major defenses you should put in place at your firm: 

• Instilling cyberhygiene – These steps are not revolutionary; they’re the basic blocking and tackling all accounting firms should perform to keep their and their customers’ data safe. Examples include mandating strong passwords and frequently changing them, requiring multifactor identification and encrypting sensitive information, implementing firewalls, and using a virtual private network. Backing up data frequently is also essential given the rising ransomware threat.
• Separating duties – It is important to distribute sensitive data and processes across multiple employees so it is more difficult for hackers to steal all of a company’s data by compromising the credentials of a single employee. In practice, this means accounting firms should divvy up accountability for functions such as payroll, accounts payable, and accounts receivable to multiple people to prevent a dangerous concentration of data.
• Educating employees – Verizon’s 2022 Data Breach Investigation Report⁴ reveals that about one-third (30%) of data breaches resulted from social engineering (attempts to trick employees via social media channels).  Since the human element is implicated in many data breaches, it is essential to put all employees through training to ensure they practice safe computing.
• Managing remote work – Accounting firms must deal with the security implications of allowing employees to operate from their homes and other locations. Mandating that they use only approved company devices and secured networks will reduce the likelihood of malicious actors accessing corporate data.
• Managing vendors – Training your employees is just the beginning; you must also assess the cybersecurity protocols of external entities that have access to your data. You need to know who on the outside is using your data, on what devices, and how it is being stored and transmitted.  

At the end of the day, CPA firms will operate in an increasingly dangerous cyberenvironment. Only those that do the necessary planning stand a chance against increasingly skilled cybercriminals.   

 
¹ Malia Politzer, “Top Cyberthreats Targeting Accounting Firms,” CPA Insider, AICPA (March 16, 2020). 
² Isaac Kohen, “3 Cybersecurity Trends CPAs Must Address This Tax Season,” CPA Practice Advisor (Jan. 31, 2022). 
³ www.ibm.com/security/digital-assets/cost-data-breach-report/1Cost%20of%20a%20Data%20Breach%20Report%202020.pdf 
⁴ www.verizon.com/business/resources/reports/dbir