Reduce your cyber risk by following the cyber risk triangle and building a cybersecurity program.

Do you realize you have a target on your back?

Cybercrime costs the global economy an estimated $450 billion in 2016. Unfortunately, the outlook for the future isn’t any better—with the estimated cost rising to $2.1 trillion by 2019. Cyber risk is not something you can ignore.

As a public accountant, you hold a treasure trove of information for bad actors. Just imagine the impact of a hacker gaining access to your firm’s tax software which contains the personally identifiable information (PII) on all of your clients—names, addresses, and Social Security numbers for individuals, their spouses, and dependents. With most people e-filing their taxes, you probably have the routing number and account information on file for at least one of bank account per client, too.

And it’s not just the tax software. Your human resources department maintains PII on all of your employees. You probably pay them via ACH, so you also have a least one bank account on file for most employees.

The depth and quantity of valuable data you have can make you, and all CPA firms, a desirable target for bad actors.

How CPA Firms Can Protect Themselves

If Deloitte, a recognized leader in cybersecurity services, can be breached, then how are smaller CPA firms supposed to stop a cyber breach? There is both good news and bad.

First, the bad. The bottom line is there is no such thing as a secure network. If your network is externally connected to the internet, it can be breached. Just like there is a fraud triangle, there is also a cyber triangle. A bad actor with the right combination of skill, time and resources will eventually breach any network if they have the motivation and desire to do so.

On the positive side, 99 percent of cyber-attacks can be prevented if you have a strong cybersecurity program in place. The goal of a cyber risk program should be reducing the attack vector. Let’s look at how that concept works in relation to the cyber triangle.

Think of your business as a target; similar to one you might see at a shooting range. It doesn’t take a lot of skill to hit the target. Novices can often hit some part of the target in a round of shooting, but it takes real skill to hit center and hit it consistently. The goal of your cyber risk program should be to reduce the attack vector so that only the skilled marksmen (hackers) could potentially hurt you.

Build a Cybersecurity Program
When it comes to developing an effective cybersecurity program, you need to: 1) know your environment, 2) protect your assets (and client data), and 3) prepare your organization.

Step 1: Know your environment

Start with the basics. Determine what devices are connected to your network (e.g., servers, desktops, laptops, mobile devices, etc.). Recognize what sensitive data you have and, more importantly, where is it stored. And identify what key software and business applications you use. These are all areas where you have a risk.

As you work your way through this process, use the following tips summarized from the Center for Internet Security’s Implementation Guide for Small and Medium Size Businesses:

  • Identify and classify the data on your network. Know where it is on your network and how it travels within the network from entry to exit.
  • Create and maintain an inventory of all software and hardware on your network. For help with identification, consider:
    • A network scanner (commercial or open source); a good option for larger organizations.
    • Keeping an inventory list of your hardware assets (e.g., computers, servers, laptops, printers, phones, etc.) and critical data on a spreadsheet. Update it whenever there are new devices or data added. This is easiest for smaller organizations to do.
    • Cost-effective solutions such as Nmap, ZenMap, and Spiceworks which can identify devices and software on your network.
  • Inventory the applications that are running on your system and the web services or cloud solutions your organization uses.
  • Manually check the install/uninstall features of the operating system to get a list of software that has been installed on the system.
  • Periodically check to see what software is running on your systems using available inventory or auditing tools.

What should you be looking for? Rogue software and devices within your environment; they can pose significant risks that must be mitigated. Also, unpatched software and hardware. This is a common way for malware and viruses to infiltrate and attack your systems.

Understanding the network environment allows your firm to implement policies and procedures around configuration and patch management, as well as, physical and logical access controls. These policies and procedures will limit the likelihood and impact of cyber events.

Step 2: Protect your assets

Once you have a handle on the network architecture and the key data that resides on it, you can begin to implement procedures to protect it. In this phase you want to focus on: 1) asset configuration and change management procedures and 2) cyber training and awareness.

Asset Configuration and Patch-Management. Bad actors take advantage of either insecure configurations or vulnerabilities in the applications that are running on the system. To protect your firm, you need to ensure that your operating system and applications, especially web browsers, are up-to-date and securely configured. In addition, you should identify and leverage the security and anti-malware functions that may be built-in to your operating system to help secure your environment.

With so many devices connected to your network, you want to create a security baseline for each. When each device has the same security settings, that consistency reduces the risk of cyber attacks. This can be accomplished with Microsoft’s System Center Configuration Manager (SCCM), which provides remote patch management, software distribution, operating system deployment, network access protection and hardware and software inventory.

Once again, here are some tips from the Center for Internet Security to help you review your:

System configuration

  • Periodically run Microsoft Baseline Security Analyzer to identify which patches are missing for Windows products and what configuration changes need to be made.
  • Use a commercial software scanner such as Nessus to perform vulnerability scans on both external and internal IP addresses and servers to identify vulnerabilities and additional configurations to enhance security.
  • Ensure that your browsers and all plugins are up-to-date. Consider using a browser that automatically updates itself, like Google Chrome.
  • Verify that all workstations and laptops are installed with the most recent anti-malware software updates.
  • Separate corporate from personal networks. In the world of Bring Your Own Device (BYOD) and “access from anywhere,” it is important to limit the access between personal devices and the corporate network. Allow approved personal devices to connect only through a separate staff or guest network.

Removable media and encryption

  • Limit the use of removable media (e.g., USBs, CDs and DVDs) to those with an approved business need. Considering your business operations, ensure any removable media is encrypted.
  • Use encryption for secure remote management of your devices and to pass sensitive information.
  • Encrypt hard drives, laptops and mobile devices that contain sensitive information.
  • Require the use of strong, unique passwords or pass-phrases and multi-factor authentication when possible.
  • Require everyone to use “screen lock” on their mobile devices.
  • Make sure all employees keep their devices and software updated and current.

Multi-factor authentication and remote access

  • Limit employee remote access to those who need it.
  • Use secure connections such as VPNs to access the network remotely.
  • Require the use of multi-factor authentication where available, especially for remotely accessing your internal network or email.

You also want to control administrative accounts. That means limiting the number of individuals with administrator privileges to a very small number. General users should not be administrators. Remember, anyone with administrator rights will have the ability to make system changes. Unique, strong passwords are imperative on these accounts. You also want to make sure your administrators have separate accounts for non-administrative functions like reading email, accessing the Internet and composing documents.

Cybersecurity Training and Awareness. Cybersecurity is not just about technology, it’s also about processes and people. Having security tools and software alone isn’t sufficient. Most cyber-attacks incorporate a human element; over 90 percent are due to human error. Securing your firm requires that your employees practice strong cybersecurity behaviors, too.

Phishing is the most common attack method. Be sure your employees can identify common and obvious indicators of a phishing attack. These can include someone creating a strong sense of urgency, asking for very sensitive or private information, using confusing or technical terms and asking the employee to ignore or bypass security procedures. Also, be careful to check the spelling, overall content and grammar of the email. Messages with obvious mistakes are good indicator of a phishing scam.

Best practices for internal cyber awareness include:

  • An Information Security Policy. Require all employees to sign this policy upon hire.
  • Information Security Training. Conduct on an annual basis to reinforce the firm’s security policies and inform employee’s how you protect their data, as well as that of your clients.
  • Monthly or Quarterly Updates. Share recent cyber trends and firm security procedures, especially updates or changes. You can also share free materials like the SANS OUCH! newsletter and MS-ISAC’s monthly cyber-tip newsletters. The National Cyber Security Alliance’s website,, is another good resource.
  • A Focus on Common Sense. This is ultimately your best defense. If something seems odd, suspicious, or too good to be true, it is most likely an attack.
Step 3: Prepare your organization

An important part of any cybersecurity program is response planning. This should incorporate business continuity, disaster recovery and incident response planning. Creating and maintaining backups is one of the best ways to secure your data, recover after an incident and get your business back in operation. With the rise in ransomware attacks, where your files are encrypted and held for ransom, this is especially crucial.

A robust response plan, complemented by current and maintained backups, is the best protection when dealing with a cyber incident. When it comes to backups, be sure to:

  • Perform daily and weekly backups of all critical systems (as identified in step 1), preferably through an automated tool/process.
  • Periodically test critical system backups by trying to restore a system using a backup.
  • Ensure that at least one backup destination is not accessible through the network. This will help protect against ransomware attacks since those backup files will not be accessible to the malware.

Preparing for an Incident. Creating an incident response plan is not an easy task. Larger firm may have the internal IT resources for this, but it’s typically most efficient to engage a third party to help draft your plan. Many insurance companies offer incident response assistance as part of either a cyber insurance policy or as an add-on service. Essentially, the insurance company assists in coordinating and covering the costs of a cyber-breach (i.e., breach notification, forensics, data recovery, credit monitoring, etc.), which makes it an attractive offer for smaller firms.

For those willing to brave preparing an incident response plan on your own, here are some things to consider:

  • Identify the Incident Lead. Know who in your firm who will serve as the lead in case of an incident, mostly likely the IT director.
  • Have a Contact List. Include contact information for your IT staff and any third-party organizations. Also for those individuals whose assistance may be needed like legal counsel, insurance agents (if you carry cyber-risk coverage) and security consultants.
  • Notification Details. Familiarize yourself with your state’s data breach notification laws. Decide how you’ll prepare to notify any affected individuals whose personal information was involved in a breach.
  • Cyber Insurance. No incident response plan is complete without cyber insurance. There are two main types of cyber insurance: cyber liability and cyber breach expense. Both are important, but it’s imperative you understand the differences and have the right coverage. Consider working with legal counsel or a cybersecurity expert when considering your cyber related coverage. It’s equally important to understand your insurance provisions and disclaimers. As more and more incidents are reported, carriers are continuously looking for reasons to limit claim amounts. Some policies have windows for notifying the insurance carrier of a breach to ensure the claim is fully covered.

The Need Will Only Increase
As the world becomes more and more connected and automated, the importance of cybersecurity will only increase as new threats and vulnerabilities are identified. Once your firm has started to prepare and implement its’ cybersecurity program, it is important to perform a cyber risk assessment. By assessing the state of your cyber program and controls in place, leadership can use those results to prioritize and make better decisions about IT infrastructure and security.

Your firm’s client data is very enticing to a bad actor. You may not be able to prevent all cyber attacks, but you can definitely make the target on your back much smaller.

This article is reprinted with permission from the Virginia Society of CPAs. It first ran in the January / February 2018 edition of Disclosures and can also be found online here.