News coverage about the recent ransomware attacks against Colonial Pipeline, a major U.S. fuel distributor, and JBS, the world’s largest meat supplier, has propelled the conversation about cybersecurity to a new level of urgency. As one expert put it: “They went after our gas and they went after our hot dogs. No one is out of bounds here. Everyone is in play.” This includes CPA firms, which are especially rich targets for cybercriminals as one-stop conduits to the personal and protected information that all of their clients have entrusted to them.
The importance of strong cybersecurity protections has been a topic of broad discussion for years. But up until now, far too many companies have been slow to adapt, either because the threat seemed distant or the cost too high.
What makes these recent attacks different?
Previous high-profile cyberattacks focused on stealing data. The Yahoo data breach, revealed in 2016, was the largest in history, compromising the names, email addresses, dates of birth and telephone numbers of 3 billion user accounts. One year later, the Equifax data breach exposed the personal information of approximately 147 million people, including credit card, Social Security and driver’s license numbers.
Conversely, these recent ransomware attacks represent a shift in focus, from stealing data to disrupting operations. The Colonial Pipeline attack led to fuel shortages across the East Coast, and the JBS attack hampered meat production in North America and Australia.
In addition to gas and groceries, local television stations were also a target in recent weeks. Cox Media Group was the victim of a reported ransomware attack that crippled streaming services, including Hulu, and obstructed other broadcast operations at stations in 20 markets across the U.S.
How did it happen?
The cyberattack that took down Colonial Pipeline was the result of a single compromised password discovered on the dark web, according to Bloomberg News. The hackers gained entry through an unused virtual private network (VPN) account, which had allowed employees to remotely access the company’s computer network. The account did not require multifactor authentication – a basic cybersecurity tool – allowing the hackers to breach Colonial’s network using just a compromised username and password.
In the case of JBS, the ransomware attack was launched by a group of bad actors known for gaining access to large corporations through a combination of email phishing, which tricks employees into entering a password or clicking on a malicious link, and exploiting a company’s delay in patching software, essentially leaving an open window into their systems.
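Both root causes described above, an unused remote-access account and a missing second factor, are things a firm can audit on a schedule rather than discover after the fact. The following added example (not code from the article, Coaxis or FICPA) reports VPN accounts that are dormant or lack MFA over constructed sample records; the 90-day dormancy threshold and the audit date are assumptions.

```python
"""Audit VPN accounts for dormancy and missing multifactor authentication.
Added illustration with constructed sample data, not real user records."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90                   # assumption: no login in 90 days = unused account
REFERENCE_DATE = date(2021, 6, 10)  # constructed audit date

@dataclass
class VpnAccount:
    username: str
    mfa_enabled: bool
    last_login: Optional[date]      # None means the account has never logged in

# Constructed sample records (hypothetical users).
SAMPLE_ACCOUNTS = [
    VpnAccount("a.lee", True, date(2021, 5, 28)),          # active, MFA on
    VpnAccount("contractor1", False, date(2020, 11, 3)),   # unused and no MFA
    VpnAccount("b.ortiz", False, date(2021, 6, 1)),        # active, no MFA
    VpnAccount("legacy_svc", True, None),                  # never used
]

def days_idle(acct, today):
    """Days since last login, or None if the account never logged in."""
    if acct.last_login is None:
        return None
    return (today - acct.last_login).days

def audit(accounts, today, dormant_days=DORMANT_DAYS):
    """Return {username: [finding, ...]} for every account with at least one finding."""
    findings = {}
    for acct in accounts:
        issues = []
        idle = days_idle(acct, today)
        if idle is None or idle > dormant_days:
            issues.append("dormant")   # nobody is watching this door: disable or remove it
        if not acct.mfa_enabled:
            issues.append("no_mfa")    # a leaked password alone would be enough to log in
        if issues:
            findings[acct.username] = issues
    return findings

def highest_risk(findings):
    """Accounts that are both dormant and lack MFA: the pattern behind the Colonial breach."""
    return sorted(u for u, f in findings.items() if "dormant" in f and "no_mfa" in f)

if __name__ == "__main__":
    result = audit(SAMPLE_ACCOUNTS, REFERENCE_DATE)
    for user, issues in sorted(result.items()):
        print(f"{user}: {', '.join(issues)}")
    print("fix first:", highest_risk(result))
```

Feeding the script an export from the VPN appliance or identity provider turns the "how did it happen" story into a recurring control: every dormant account gets disabled and every remaining account gets MFA.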
What now? How to Protect Your Firm
Coaxis President and CEO Christophe Réglat serves as a member of the FBI’s Counter-Intelligence Task Force where he conducts cybersecurity training alongside the Bureau. Now, more than ever, he urges CPA firms to take ransomware crime seriously and protect the trust that clients have placed in them by ensuring that their cyber defenses are a match for current and evolving threats.
Here are three ways to start preparing now:
1. Cyber Insurance
Cyber insurance – also known as cyber-liability insurance – is an insurance policy that helps protect organizations from the consequences of cyberattacks and hacking threats, explains the business technology news website ZDNet. Having a cyber insurance policy can help minimize business disruption during a cyber incident and its aftermath, as well as potentially cover some of the financial costs related to dealing with the attack and recovering from it.
Unfortunately, with the growing frequency and range of ransomware attacks, cyber insurance is becoming more expensive and harder to get. According to a CNN report, 2020 premiums rose 22% over the previous year and are expected to increase even further in 2021.
Additionally, companies are now subjected to much more rigorous scrutiny of their existing cybersecurity measures before they can get approved for a plan. For instance, AIG gives prospective clients a list of 25 questions specific to their protections against ransomware, which include details about how often they test employees against email phishing attacks and how long they take to deploy critical security patches.
To learn more, read the FICPA blog post Is Cybersecurity Insurance Enough?
2. Business Continuity Plan
Every CPA firm needs a business continuity and IT recovery plan in place before disaster strikes and disrupts its ability to continue normal business operations. Whether it’s a ransomware attack or a hurricane, once catastrophe strikes, it’s too late to start planning. And not having a plan can result in the loss of revenue, the loss of clients – or worse – the loss of your business.
A proactive business continuity plan ensures that your firm’s critical services can be delivered and essential operations continue to function. A key element is identifying in advance the resources that need to be in place and the steps your business needs to take during and immediately following a disaster.
Elements of a business continuity plan include:
- Business impact analysis that identifies the services your firm absolutely has to deliver without interruption.
- Recovery strategies (plans and tactics) to restore information and resume business operations following a disaster.
- Written plan detailing business continuity and IT disaster recovery procedures.
- Testing the plan regularly to detect shortcomings and where it needs to be fine-tuned.
- Training employees on how to protect the company’s IT environment and access it remotely, if necessary.
To learn more, read “Hurricane season is here. Do you have a business continuity plan in place?” from the Summer 2018 edition of Florida CPA Today.
3. Cyber Security Risk Assessment
With nearly all financial firms relying on information technology to store, process and transmit information, it is essential to protect these infrastructures from unauthorized access. And yet, firms often fail to understand their vulnerability to attack. That is understandable, as cybersecurity risks are not always obvious.
To learn more, read A CPA’s Guide to Understanding and Managing Your Cybersecurity Risk. It includes a link for FICPA members to complete a questionnaire about your firm’s IT posture – including both processes and people – to receive a free cybersecurity risk assessment from Coaxis, an endorsed program of the FICPA.
Recorded Future, a security firm that tracks ransomware attacks, estimates there were 65,000 successful attacks last year, or one every eight minutes. As businesses automate their core operations, the risk of more consequential ransomware attacks only grows. These three actions are a good starting point to defend your firm against ransomware attacks and other cybercrimes.
Coaxis offers special member pricing for its CPA program package. To learn more, visit www.coaxiscloud.com/ficpa or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or firstname.lastname@example.org.