This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025.
Too often, accounting practices do not grasp the extent of cyberthreats their organizations face or the impact they would have. Simply assuming “I will be fine” is a broken mindset. Would your organization survive financially or reputationally from a hack that stole client data? Can you afford to close your doors for two to three weeks or more while a cyberattack is investigated and remediation is performed?
By Gary Salman
Too often, the owners or executives of accounting practices do not grasp the extent of cyberthreats that their organizations face or the impact an attack would have on them. Unfortunately, many firms operate with the “I will be fine” mindset and go on to prioritize other operational concerns over cybersecurity. I call this the “broken mindset.”
The moment a firm connects to the internet, risk goes up. I hear many firms say, “All my data is in the cloud so I don’t need to worry about this” or “I have multiple local and cloud backups, so if I get hit with ransomware it will be easy to recover.” But that is only one facet. Cybersecurity is not just about recovery; it is also about protecting highly confidential, personally identifiable information from theft. In 75% of the cases we have worked, the threat actor stole most or all of the victim’s data and either threatened to release or did release the data. Write down all the confidential/proprietary/protected information you store both locally and in the cloud. Then write down what the impact would be from a financial, reputational, and compliance standpoint in the event this data was stolen and published on the dark web. Would your organization survive financially, reputationally, and operationally from this type of event? Can you afford to close your doors for two to three weeks while a cyberattack is investigated and remediation is performed?
Many solutions are available to help prevent the theft and/or encryption of your data. Here are 10 ways to help minimize the chance of a successful attack against your firm.
Password management tools create and manage strong passwords for every application you use and website you visit. These tools, which often cost only a few dollars per month, generate unique passwords. When you visit a website for the first time, the password manager will ask whether you would like it to generate a unique password. If you say yes, it will insert the password for you and store it. When you revisit the site, the password manager will automatically insert the stored password. Password managers also allow you to rescind access to websites and applications when an employee is terminated. Since the employee may never have been able to see the generated password, there is a lower likelihood of them accessing these apps post-termination. If you opt not to use a password manager, make sure you create a unique password for every website and application, using a combination of numbers, letters, and special characters and a minimum length of 14 characters.
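The following is an added example, not code from the author or from Black Talon Security, showing what the article's minimum (14 or more characters, with letters, numbers and special characters) looks like as a policy check, how a password manager generates passwords from a cryptographic random source, and how a vault can be scanned for passwords reused across sites. The special-character set, the policy function names and the sample vault are my own constructions.

```python
import secrets
import string

# Policy mirroring the article's minimum: 14+ characters, letters, digits,
# and special characters. The special-character set is my choice.
MIN_LENGTH = 14
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def meets_policy(password: str) -> bool:
    """True if the password is at least MIN_LENGTH long and contains at least
    one letter, one digit and one special character."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Generate a password the way a password manager does: every character
    drawn from the OS cryptographic random source (the secrets module), with
    a retry loop so the result is guaranteed to satisfy the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def reuse_report(vault: dict[str, str]) -> list[str]:
    """Given a mapping of site -> password (a constructed stand-in for a
    password manager's vault), return the sites whose password is shared
    with at least one other site. Reuse is what lets one breached site
    unlock the others."""
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(site for sites in by_password.values() if len(sites) > 1 for site in sites)


if __name__ == "__main__":
    # Constructed vault: two sites share a password and should be flagged.
    sample_vault = {
        "portal.example-bank.test": "Summer2024!Summer2024!",
        "mail.example.test": "Summer2024!Summer2024!",
        "tax-software.example.test": generate_password(),
    }
    print("policy-compliant:", meets_policy("password"), meets_policy(generate_password()))
    print("reused on:", reuse_report(sample_vault))
```

Running the module prints the reuse report for the constructed vault; in practice the same check is what a password manager's "reused passwords" audit performs.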
Multifactor authentication (MFA) and two-factor authentication (2FA) are powerful tools that use either SMS text messaging or a security app such as Google Authenticator to validate a login. These technologies work by sending you a message with a code or requiring you to confirm a login attempt. If a hacker steals your username and password and tries to log into one of your accounts, MFA or 2FA should block access since the hacker most likely cannot access your text messages or phone. This technology should be used on email, virtual private networks, bank accounts, cloud-based software, financial institution access, accounting software, and more.
Tools such as Microsoft BitLocker can help protect data at rest. BitLocker encrypts all the data on your hard drive, so in the event a device is lost or stolen, a criminal cannot access the contents of the drive. That protection applies only while the device is powered off or locked: if the computer is powered up and logged in and an unauthorized individual gains access to it, the data is already unlocked and BitLocker offers no protection, so you still run the risk of data access or loss.
Consider two forms of backup: online and offline. Online backups are typically done in the cloud, where all your data is replicated to the cloud on a daily basis. On at least a weekly basis, however, all your data should be copied to an external hard drive and the drive physically disconnected from the network. In many cases, threat actors who gain access to cloud technology can either erase or encrypt the backups being stored there. Keep in mind, neither of these technologies will prevent the theft of your data, so you may still be forced to pay the ransom to prevent a leak of the information.
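An offline copy is only useful if you know it is complete and untouched when you need it. The following added example (mine, not the author's) copies a folder to what stands in for the external drive, writes a SHA-256 manifest next to the copy, and later re-hashes the copy against that manifest so a modified, missing or unexpected file is reported before the drive is relied on for recovery. The manifest file name, the folder layout and the sample files in `run_demo` are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # constructed name for the integrity record


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large client archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, forward slashes) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def copy_to_offline_drive(src: Path, dst: Path) -> dict[str, str]:
    """Copy the tree to the offline drive and record a manifest of the source alongside it."""
    shutil.copytree(src, dst, dirs_exist_ok=True)
    manifest = build_manifest(src)
    lines = "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    (dst / MANIFEST_NAME).write_text(lines)
    return manifest


def verify_offline_copy(dst: Path) -> list[str]:
    """Re-hash the copy and compare with the manifest. Returns a sorted list of
    problems ('missing:', 'modified:', 'unexpected:'); an empty list means the
    copy matches what was backed up."""
    expected: dict[str, str] = {}
    for line in (dst / MANIFEST_NAME).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    actual = build_manifest(dst)
    actual.pop(MANIFEST_NAME, None)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in actual if rel not in expected)
    return sorted(problems)


def run_demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: back up two client files, verify the clean copy,
    then simulate what ransomware on a connected drive would leave behind
    (one file overwritten, one deleted, a ransom note added) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "clients"
        dst = Path(tmp) / "offline_drive" / "clients"
        (src / "2024").mkdir(parents=True)
        (src / "2024" / "return.pdf").write_bytes(b"constructed sample tax return")
        (src / "notes.txt").write_text("constructed engagement notes")
        copy_to_offline_drive(src, dst)
        clean = verify_offline_copy(dst)
        (dst / "notes.txt").write_bytes(b"ENCRYPTED (simulated)")
        (dst / "2024" / "return.pdf").unlink()
        (dst / "ransom_note.txt").write_text("simulated")
        tampered = verify_offline_copy(dst)
    return clean, tampered


if __name__ == "__main__":
    before, after = run_demo()
    print("clean copy problems:", before)
    print("after simulated tampering:", after)
```

Keep the manifest with the drive and run the verification on a machine you trust; a drive that is physically disconnected after the copy is the one this check is meant to confirm was good when it went offline.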
A security risk assessment (SRA) conducted by a credentialed security expert helps an organization identify and understand where it has operational risk. SRA complexity is often determined by the size of the organization, the type of data stored, and risk tolerance. An SRA is designed to uncover where you have risk in your attack surface that may enable the execution of a cyberattack. Upon completion of an SRA, the assessor will provide the organization with detailed findings and a recommendation report.
Cybersecurity awareness training is a crucial component of a cybersecurity plan. It trains and empowers your employees to identify and mitigate attacks that occur through things such as phishing, spear phishing, vishing, business email compromise, and so on. The programs should be ongoing and facilitated by a third-party company that understands the latest threats and trends and has an ongoing training program to address them.
If hackers cannot exploit your network through your employees, they will hit you through your technology. Devices, software, computers, and firewalls all have vulnerabilities (think of these as “unlocked doors and windows” on your network) that hackers can potentially exploit. Firewalls should be scanned at least monthly and computers scanned daily. The results of the vulnerability scans should be risk-prioritized and provided to you and your IT company so decisions can be made on how to best mitigate those risks.
A penetration test is when an ethical hacker assumes the role of a criminal and attempts to breach your network and/or data. This is a much more advanced set of tests than vulnerability management. It can help expose weaknesses in your environment and/or employees, and must be conducted on at least an annual basis.
Extended detection and response (XDR) software is the next generation of “anti-virus” technology to help organizations minimize exposure to cyberevents. It typically uses artificial intelligence and machine learning to pick up indicators of compromise such as hacking tools, malicious code, malware, ransomware, worms, Trojans, and so on. It learns your environment and is designed to act on its own by killing malicious code and isolating computers. Many insurance companies have started to require the implementation of this technology on networks as a condition of binding insurance.
One of the biggest mistakes I see firms make is relying on a generalist, such as an IT company or managed service provider (MSP), for security. Most IT companies and MSPs do not have the same level of credentialed individuals and tools to properly secure networks from the advanced threats that are destroying businesses. They specialize in building and maintaining networks, not cybersecurity. Seek out a dedicated cybersecurity company that can provide you with a second set of eyes and tools to ensure that your network is being properly secured. You should never have your IT company auditing its own security measures.
Gary Salman is chief executive officer of Black Talon Security LLC in Katonah, N.Y. He can be reached at gary@blacktalonsecurity.com.