Accounting firms, like every other industry, are susceptible to data breaches. Certified public accountants (CPAs) can reduce that risk by studying common attacker tactics. Some of the largest reported data breaches of the past few years illustrate many of those methods:
- In 2013, Target lost control of payment card and contact information for more than 110 million customers. How? Attackers used network credentials stolen from one of Target's third-party HVAC vendors to get inside the company's network and from there reach its point of sale (POS) payment card systems.
- A few months after the Target breach, another group of attackers gained "root" privileges on JPMorgan Chase servers, potentially compromising the banking and financial records of more than 76 million households and seven million small businesses.
- In 2011, attackers exploited weak and inconsistent security controls in Sony's PlayStation Network to steal information from more than 77 million online accounts.
- The wealth of information held by healthcare organizations makes them even more attractive targets. In 2015, an employee of a subsidiary of the health insurer Anthem clicked a link in a phishing email. That link installed malware on Anthem's systems and gave attackers access to more than 78 million member records, exposing Anthem to losses of more than $100 million.
- In 2017, the accounting firm Deloitte disclosed that attackers had obtained an administrator password for its email system, that the account was protected by that single password and no second factor, and that it gave them access to virtually all of the firm's email accounts.
These examples show that intrusions range from sophisticated, multi-stage attacks to simple credential theft, phishing and the exploitation of unpatched or weakly configured systems. CPAs can implement at least five strategies to reduce the risk of a data breach compromising either the firm's own data or the data and financial information of its clients:
- Treat data breach prevention as a job function and responsibility of every principal and employee of the firm. Cybersecurity may be administered by one person or an information technology department, but everyone from the firm's chairman on down needs to follow sound security practices: unique, strong passwords, with multi-factor authentication enabled wherever it is offered so that a single leaked password is not enough on its own (as it was at Deloitte); not clicking links in email from unknown or unexpected senders; and avoiding public Wi-Fi networks for firm business. A good data breach prevention education program instills that awareness across the firm's staff.
- Maintain basic security hygiene. Many of the more publicized data breaches of the past several years could have been prevented had the victims patched their systems and software promptly, or audited those systems for known weaknesses. The basics matter.
- Carry insurance that covers the losses and liabilities associated with a data breach. Cyber insurance for accountants gives CPAs the resources to recover direct losses quickly and to reimburse clients for identity theft protection and other third-party liabilities. A rapid, well-funded response also goes a long way toward preserving a firm's reputation, and what is more important to the profession than integrity and professionalism? Bear in mind that insurance transfers the financial risk; it does nothing to lower the chance of a breach, so it complements rather than replaces the other measures listed here. In a business environment in which data breaches are a constant threat, cyber insurance is a necessity.
- Appreciate the risks that third-party vendors create. As Target came to realize, strong internal cybersecurity practices do not extend to vendors and trading partners whose systems connect to the firm's network. Attackers increasingly use small and medium-sized businesses as stepping stones into larger corporate networks. CPAs should limit what each vendor account or connection can reach (separate credentials for each vendor, the least privilege the job requires, and network segmentation that keeps vendor access away from client data) and ask vendors about their own security practices before granting access, so that a vendor with lax security cannot become the way into the firm's or its clients' networks.
- Prepare a data breach response plan and test it periodically. Even the strongest prevention measures will not stop every technique. If a CPA firm's network is compromised, the firm should be ready to execute a plan that includes notifying clients and regulatory authorities, containing the intrusion to stem losses, and recovering lost data and systems.
Follow these suggestions and you will be far better placed to prevent a data breach, and to limit the damage if one does occur.