Cyber Risk Requires Active Oversight

by Dorothy C. Borchardt, CPA, and Paul Borchardt, CISSP | Aug 31, 2017
Pennsylvania CPA Journal
At the 2015 White House Summit on Cybersecurity and Consumer Protection, President Barack Obama stated, “It’s one of the great paradoxes of our time that the very technologies that empower us to do great good can also be used to undermine us and inflict great harm. … Our connectivity brings extraordinary benefits to our daily lives, but it also brings risks.”1

The president’s message was, in part, about protecting information wherever and however it is created, stored, accessed, modified, and transmitted. From the viewpoint of accounting firms, this article examines cybersecurity misconceptions, threats, attack vectors, and due-care requirements, and provides insights on addressing some of these challenges.
 

Misconceptions

With the proliferation of awareness materials, CPA firms should know their responsibilities when it comes to protecting sensitive client information. However, there are many misconceptions regarding information security that can put a practice at risk. Here are five of the most common.

We are small, so we don’t need a formal cybersecurity program – A firm’s relative size doesn’t matter, but rather the type and value of the data in custody. As financial services entities, accountants and tax preparers are required to comply with a range of regulations, all of which require some degree of formalized program to protect client data.
  • The Gramm-Leach-Bliley Act (GLBA) was enacted to protect consumers’ private financial information. Sections 501 and 505(b)(2) state that each agency shall establish administrative, technical, and physical safeguards to do the following:
    • Ensure the security and confidentiality of customer records and information
    • Protect against any anticipated threats or hazards to the security or integrity of such records
    • Protect against unauthorized access to, or use of, such records or information that could result in harm or inconvenience to the customer2
  • The Federal Trade Commission’s (FTC) Safeguards Rule (16 CFR Section 314.3 and 314.4) supports the GLBA and imposes standards for safeguarding customer information, which may require a firm to develop, implement, and maintain a written information security program, which would do the following:
    • Designate an employee to coordinate the information security program
    • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information in systems, networks, and software, as well as information handling for data at rest, in transit, and disposal
    • Conduct or provide employee awareness training
    • Detect, prevent, and respond to attacks and intrusions
    • Oversee service providers by requiring them to implement and maintain safeguards
    • Provide for ongoing evaluation of risks that might require modification to the security program
  • IRS Publication 4557, Safeguarding Taxpayer Data, underscores the steps and standards required by the GLBA and the FTC, as well as adds specific requirements for those who e-file.3
  • Many states’ laws address the protection of privacy-related or taxpayer information.

We are too small to be a target – This may be the most dangerous misconception. Despite initiatives such as the IRS’s “Protect Your Clients; Protect Yourself”4 and “Safeguarding Taxpayer Data” campaigns to raise awareness of cyber risks, some firms continue to fail to incorporate basic risk-control practices, using their small size as a justification. While the depth and breadth of specific controls and governance may vary based upon firm size, a program must exist for all firms, and the policies and practices must be followed. Size is irrelevant. Because of the nature of the data to which CPAs have access, every firm is a target.

Information security is a technology problem – As with Obama’s observation about the Internet, technology and automation resources available to CPAs are both a boon to efficiency and a looming risk. Taking this dichotomy further, while technology is part of the cyber risk problem, it may also be part of the cyber risk solution. But it is not the whole solution. It’s common to hear, “I’ve installed a firewall, updated the antivirus software, and automated patching.” While these are good practices, if a breach occurs without a broader information security program in place, a firm, even a small one, may fail the “due-care” test and introduce additional regulatory and tort risk. The proper mitigation of information security risks requires a structured, holistic, and documented approach that incorporates people and processes in addition to technology. 

Moving to the cloud will eliminate data breach concerns – The proliferation of cloud service providers has enabled CPAs to mitigate many operational issues, including mobility, software maintenance and support, data backups, and disaster recovery. However, signing on with a service provider does little to alleviate the risk and impact to a firm following a data breach. Data loss risks cannot be outsourced. A firm’s clients trust the firm to protect their sensitive information, regardless of any third-party relationship, and the firm has a regulatory and ethical obligation to protect that data. While cloud service providers offer tremendous operational benefits, they also have a unique set of cyber risks that must be properly researched, understood, and, if necessary, mitigated. 

My technology team has it covered – Cybersecurity too often is delegated as a technology team problem. Consequently, the technology team assumes primary responsibility for information security. This can be dangerous. While there is a cybersecurity role for the tech team, they should not be solely responsible for protecting client assets or the firm’s reputation. Ceding these responsibilities to technology violates two basic control principles: segregation of duties and conflict of interest. Information technology (IT) teams are measured by uptime and speed of the applications and services they support. If a control decision is to be made that might affect their most visible metric, would they decide in favor of protecting assets? Also, cybersecurity is more than a technology problem. It’s people, process, and technology. Protecting a firm’s assets and reputation must be the responsibility of a firm principal. 

Cyber Threats

A threat vector is the route or path that a malicious attack takes to get past your defenses. A high percentage of computer attacks come from social engineering – such as phishing and spear phishing that trick people into surrendering something they wouldn’t give up voluntarily – and compromised websites that contain malicious content. However, other methods of attack are equally capable of causing harm, and it would be a mistake to overlook them.

Social engineering – Social engineering is getting someone to do something they wouldn’t do knowingly. Phishing and spear phishing have been around long enough for everyone to be aware of the risk, yet the attacks are still effective. This is largely due to advances the attackers have made with generating e-mails that look genuine. In recent years, accountants have been receiving highly customized spear phishing e-mails that appear to be sent from potential clients. These e-mails usually have an attachment that contains malicious code. One such phishing e-mail states, “I’m looking for an accountant to do my taxes and have attached last year’s returns.” An unsuspecting recipient would click on the attachment and become infected. The level of customization doesn’t stop there. Hackers are using firm websites, social media, and compromised e-mail accounts to identify firm clients, then attack the firm by sending an e-mail that pretends to come from an existing client. In these cases, emulating the banking practice of “know your customer” is the best defense. If an e-mail is unexpected, give the client or potential client a call to confirm its legitimacy. Vishing is a form of social engineering using the phone. A well-publicized vishing attack is where the caller pretends to be the IRS and notifies the victim that he or she owes back taxes. Other vishing attackers pretend to be vendors notifying the victim they have identified a problem and offer remote support if the victim visits a certain website.

Compromised websites – Also known as a water cooler or drive-by attack, this passive attack infects a victim’s computer upon visiting a legitimate website that contains malicious content. A surprisingly large number of trusted websites have become points of attack because of their advertisements. Known as “malvertising,” websites sell ad space and transfer control of that real estate to the ad brokers, with no control over the ad or the safety of the content. Hackers either purchase ads or insert malware in existing content. Any website that has advertisements is susceptible. Some of the most common are news, travel, and financial websites. Social media sites are also known to pass malware in videos, photos, and links to stories. If your firm’s acceptable use policy permits browsing to non-work-related websites, consider a revision to restrict Web access to only work-related sites. If that kind of restriction isn’t feasible, consider using a virtual browser that can protect the physical computer from website attacks.

Insider threats – Whether intentional or accidental, insiders can cause significant harm. Unfortunately, managers often overlook the threat because they want to believe their staff are incapable of engaging in a cyber attack. Insider threats go beyond employees: they may include consultants, office cleaners, facilities staff, or IT service providers. Using previous breaches and personality studies on the types of individuals who intentionally steal, disclose, or manipulate digital assets, it has become clear that it is difficult to identify the bad guys in advance. Malicious insider threats are, by nature, deceptive and manipulative.5 Behavior analysis tools, which can detect anomalous activity, are entering the marketplace, but they are cost-prohibitive for all but the largest firms. Defensive strategies for insider threats include background checks on all employees and contractors, documented information protection and use policies with annual signed acknowledgement, awareness training, and Internet activity and asset access logging/monitoring.

Malicious media – While it may seem like an old-style threat, malware transmission via USB drive or CD is still an attack vector risk. In fact, newly purchased USB drives have been found to contain malware installed somewhere in the manufacturing or distribution process. The prudent defense is to not accept any media from clients, but rather require the use of a secure portal.

Impacts and Options

Ransomware has been a growing concern during the past few years, with the WannaCry variant getting a lot of media attention this year. If infected by ransomware, a victim’s computer files are held hostage by encryption until a payment, usually in Bitcoins, is delivered. In addition to losing access to applications and data, the hackers create a sense of urgency by displaying a countdown clock with an escalating payment and the threat of total loss if payment is not made by the deadline. But the sting doesn’t end there. Even if the ransom is paid and access returned, the victim has to assume a data loss occurred and execute personal data loss procedures.

The best recovery defense against ransomware is to have good, recent, and complete off-line backups and the means to restore those backups to a fresh computer. Off-line is critical because recent variants of ransomware look for attached or cloud-based backup drives to encrypt backup data as well. Having documented incident-response procedures for sensitive personal information data loss will reduce recovery stress. Planning and preparation are critical, and the key to a successful recovery is to test the plan.

A denial of service (DoS) attack disrupts Internet services by overloading networks to the point where services are inaccessible. It’s improbable that a DoS attack would be directed against a small or medium-size accounting firm, but highly probable that an attack may impact Internet or cloud services used by the firm.

Most DoS attacks last less than 24 hours. Larger firms with concerns of directed DoS attacks can use subscriber services that proactively block DoS attackers. All firms should have operational backup plans for when Internet service is unavailable. 

As trusted advisers, CPAs have electronic access to their clients’ most valuable data, so credential theft is a huge concern. Regardless of whether it’s sensitive personally identifiable information, corporate financials, or strategic plans, protecting access to that information is critical to protecting the client. Stolen credentials are one of the easiest means of access, while, at the same time, one of the hardest to detect. The three most common types of credential theft are keyboard loggers that record a victim’s keystrokes, malicious access to electronic or paper password lists, and, lastly, brute force guessing or password cracking.

Protecting credentials from theft requires multiple controls and practices. Start with what not to do as the most basic control. Don’t write down IDs and passwords, either electronically or on paper where others may have access. Don’t use the same credentials for multiple applications or websites just in case one set of credentials is compromised. A good practice is to use a reputable commercial password vault, preferably one that can generate long, complex passwords and automatically populate credentials.

The impact of losing client information, especially privacy-related data, stings well beyond the loss of client trust. State and regulatory requirements mandate certain steps to be taken to mitigate client risk, including notification procedures and continuous credit reporting. These are potentially low-impact compared with the legal consequences if proper steps have not been taken and due care cannot be proved.

Establish a Cybersecurity Program

A written information security program is the foundation of any cybersecurity measure. Putting the program in writing ensures consistency of execution and provides documentation in support of due care.

Start with policies – A policy twist on an old phrase is to document what you do and do what is documented. Policies define management expectations for behavior, but also provide evidence toward due care. Even the smallest firms need cybersecurity policies. At a minimum, firms should consider the following:
  • Acceptable use policy – This would define both acceptable and prohibited use of digital assets, including use of firm and client data; applications; appropriate use of e-mail, Web, and other Internet services; use of personal devices for work; and what may or may not be posted on social media.
  • Data retention and disposal policy – Applying to both digital and paper records, this would define what data is retained, where and how it is stored, how long the data is held, and the proper disposal procedures.
  • Data protection policy – This would describe the controls and expected behaviors management requires to protect client data, including but not limited to authorization and access controls, encryption requirements, data loss prevention/detection tools, mobile device security, and activity logging.
  • Clean desk policy – This would ensure all work papers, digital media, and any item of a sensitive nature are secured whenever not in use or while away from the desk. 

Identify a stakeholder responsible for the governance of the program – For single-member firms, this step is easy; for larger firms, the stakeholder should be either a firm member or someone in a role with direct access to leadership. Do not assign this responsibility to the IT person or technology service provider. This creates a potential conflict of interest and failed segregation of duties (previously detailed). Also, IT personnel frequently require elevated privileges to perform their functions. This alone is good reason to separate IT teams from access to and protection of client data.

Be sure to conduct a threat impact and likelihood assessment – Based on assets, size, structure, policies, and controls, each firm’s risks will differ. This simplified risk model may be used to direct efforts and resources by broadly identifying possible attacks and impacts, and using existing controls to determine the likelihood of a successful attack. Remember, the loss of sensitive client information may result in secondary impacts, including legal, regulatory, or reputational damage.

Conduct a data privacy assessment – While many firms may have a good handle on the sensitive data in their custody, it is quite common to lose track of where all the copies of that data are stored, who has access, and which protective and detective controls are in place. Know where all client data resides, including backups. If you are using cloud services, know how your provider replicates their data centers, understand the controls in place, and determine if they are sufficient. A privacy risk assessment will catalog all copies of sensitive data and provide a documented profile that helps management identify gaps in privacy protection.

Annual privacy and cybersecurity training should be required of all staff – This should include a review of regulations, firm policies, privacy definitions, an overview of the current threat landscape, and procedures for handling sensitive information. Continuous awareness training should include phishing and vishing awareness and testing. This type of training is offered by several vendors and has proven to be effective in reducing successful attacks.

Review your cloud provider contracts – Does the contract specify where and how your data will be replicated? Will all copies remain in the United States? What happens to client data following contract termination? Will the provider provide an attestation of destruction? What controls are in place to protect your data? What are their breach notification obligations and timeframes? Remember, you cannot outsource cyber risk.

Be sure to develop incident response and business continuity plans – Cybersecurity experts believe it is no longer a question of if an organization will experience a breach or a service disruption, but rather when. A documented, tested plan is key to quickly resuming operations. Preparation is critical for smaller firms where in-house resources may not exist and external resources are cost-prohibitive. Customized plans should address identified threats and likely scenarios. At a minimum, accounting firms should have plans for ransomware and DoS attacks.

The best approach for managing cyber risk is framework-based – Managing a cyber program with an ad hoc approach introduces risk. Has the firm executed due care in protecting client data? Have all areas of risk been considered? Several frameworks exist that provide an acceptable model to develop and operate a written information security program. The Center for Internet Security offers the Critical Security Controls. If implemented completely and correctly, it purports to reduce risk from over 85 percent of malware attacks.6 The National Institute of Standards and Technology Cybersecurity Framework7 was originally developed to address critical infrastructure, but its components work well with any size organization. 

Remember to conduct regular vulnerability assessments – Automated vulnerability scanners may be used internally and externally to identify known weaknesses and to suggest steps toward remediation.
 
An effective cyber risk program requires ongoing monitoring and maintenance. For most accounting firms, work on technology and cyber defenses is a support function that falls outside of billable hours. If performing these critical tasks efficiently and effectively is beyond a firm’s capabilities, consider hiring an expert to assist with all or a portion of the process.

1 President Barack Obama, “Remarks by the President,” The Cybersecurity and Consumer Protection Summit, Stanford University, Stanford, California (Feb. 13, 2015).
2 Government Publishing Office, Electronic Code of Federal Regulations, CFR Part 314.
3 Internal Revenue Service, Publication 4557, Safeguarding Taxpayer Data.
4 Internal Revenue Service, “Protect Your Clients; Protect Yourself.”
5 David Upton and Sadie Creese, “The Danger from Within,” Harvard Business Review (Sept. 2014).
6 The Center for Internet Security. https://learn.cisecurity.org/20-controls-download?hsCtaTracking=295cee7f-76e0-4175-a236-5c98e86ca4ba%7C37c8238e-c4b1-4039-9f15-1578e2a0ae60
7 https://www.nist.gov/cyberframework




Dorothy C. Borchardt, CPA, is owner of Dorothy C. Borchardt, CPA, in West Chester, Pa. She can be reached at db@db-cpa.com.

Paul Borchardt is owner and principal of IronGate Cyber Risk LLC in West Chester. He can be reached at pborchardt@irongatecr.com.