Cybersecurity attacks have become more widespread over the past year as demonstrated by the average cost for recovery more than doubling since 2020, increasing from $761,106 to $1.85 million, according to Business Insider.
Among the largest breaches of 2021:
- In February, a plant operator for the City of Oldsmar, Florida saw his cursor moving around his computer screen, opening various software functions that control water treatment and boosting the level of sodium hydroxide – or lye – in the water supply to 100 times higher than normal. The breach alarmed state and local officials around the country, exposing growing cybersecurity vulnerabilities that threaten public health as systems become more computerized and accessible via the internet.
- CNA Financial, one of the nation’s largest insurance firms, paid $40 million in March to regain control of its network after being hit by a sophisticated ransomware attack that disrupted employee and customer services for three days as the company shut down to prevent further compromise.
- Also in March, a mass cyber-attack impacted millions of Microsoft clients when hackers exploited the vulnerabilities in its popular Exchange Server. Using security loopholes, cybercriminals gained entry to the networks of corporate clients to inject malware and ransomware, and steal patented technical documents, trade secrets and other sensitive information. The victims included nine government agencies and 60,000 private companies, mostly small and mid-sized businesses.
Damages from a cyberattack or data breach go far beyond the impact to a company’s computer system to also include financial repercussions and harm to the company’s reputation. The American Institute of Certified Public Accountants (AICPA) warns that CPA firms are of particular interest to hackers because of “the treasure trove of client financial data housed within firm networks.”
So, how can you protect your firm against today’s growing cyber threats? Here are six steps to mitigate the risks:
Password policy and controls – Much like employees have an office key or card reader to access your physical space, proper password policies and procedures must be implemented to prevent unauthorized access to your digital space. A password policy should include the following: Use complex passwords. Set a minimum password length. Require regular password resets and send reminders to your employees. Restrict password reuse. To further make your firm less vulnerable to hacking, add multiple-step authentication to accounts requiring password access.
Be careful about what you download – When downloading Word documents, PDFs, photos and other files, make sure your firm has updated antivirus software and an effective firewall. Only use trusted download websites, rather than peer-to-peer systems, to obtain programs. If you must use file-sharing software, consider paying for the premium version that is not funded by advertising to reduce the risk of adware being installed.
Be cautious about clicking on unfamiliar links – Newsweek reported that more than 50% of people will click on an unknown link out of curiosity. Don’t be that person. Opening unknown links in emails (a cyber-scam known as “phishing”) or on unfamiliar websites puts you at risk of downloading malicious ransomware that can infect and restricts access to your computer or malware that allows cybercriminals to retrieve your passwords, access your files, and even switch off your anti-virus software.
Use HTTPS on all websites – A website that uses “HTTPS” at beginning of its URL instead of “HTTP” is safer and more secure because it uses a widely-adopted encryption protocol to ensure privacy and data security for communications over the Internet. Think “S” = Secure. Considered a standard practice for most websites today, it is also easily identifiable by the padlock icon.
Educate, educate, educate – Employees are the weakest link when it comes to cybersecurity. You can have the best IT infrastructure in the world, but your firm is still vulnerable if an employee inadvertently clicks on a malicious link or responds to a fraudulent email. Proactive and ongoing cybersecurity training should be part of every firm’s CPE curriculum. This includes providing annual updates on IT policies and educating employees on current social engineering threats designed to make them download malware that can compromises the firm’s security or inadvertently give out sensitive information.
Back up your data offsite – This is an important component of any business continuity and disaster recovery plan. What happens to your data in the event of a ransomware attack or natural disaster like a hurricane or fire? A fully managed cloud hosting service is an ideal solution. Not only does it provide a secure, reliable and remote connection to your IT infrastructure and data, but it also delivers the peace of mind that comes with knowing that damage to your company’s office or other cyber disruption will not impact the ability to access your protected data or your employees’ ability to do their jobs.
The AICPA further advises that it is “imperative that firm owners realize they have a fiduciary responsibility to protect the data clients have entrusted to them and that this information is being directly targeted by hackers.” If all of this seems overwhelming, consider hiring an outside consultant who can review your firm’s network security and provide direction and implementation support to achieve an optimum level of cybersecurity to protect your firm.
For more cybersecurity best practices, the AICPA offers this checklist on how CPAs should consider protecting their firms and client data.
As an endorsed program of the FICPA, Coaxis offers special member pricing for its CPA program package that provides secure, fully managed data hosting services. To learn more, visit www.coaxiscloud.com/ficpa or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or firstname.lastname@example.org.