Is Your Cybersecurity Strategy Still Relevant?

The cybersecurity landscape is always changing: Between 2019 and 2020, ransomware attacks rose by 180 percent in North America alone, according to a 2021 report by cybersecurity firm SonicWall. The total global cost of damages from ransomware attacks is projected to exceed $20 billion in 2021, and total global cybercrime damages are predicted to soon cost the world $6 trillion annually.

For organizations and individuals, creating protections against ever-evolving, ever-multiplying, faceless criminals that can steal your identity or shut down your business remains a challenge. The meteoric rise of ransomware attacks is just one part of the rapid proliferation of cybercrime in the pandemic era, creating an environment where even recently developed cybersecurity risk management strategies may already be outdated.

Charles Seets Jr., partner and principal with EY, says the cyberthreat landscape will never stop evolving. “If we’re connected to the internet, we’re vulnerable, and threat actors know that,” he notes. “They’re operating relatively anonymously and often outside the reach of the law. It’s a complicated environment in which to defend ourselves.”

For CPAs and finance professionals, the threat is especially ominous: You hold the key to troves of very important, very private financial data. It’s therefore essential to do all you can to stay ahead of the cybercriminals for as long as possible.

Your Cybercrime Guide

The first step toward protecting yourself and your organization is understanding what you’re up against. Here’s a glossary of some of the most common cyberattacks:

Malware: This terms stands for malicious software, which includes spyware, ransomware, and viruses. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or opens an email attachment that opens the door. Once inside the system, malware can block access to key components of the network (ransomware), install malware or additional harmful software, covertly obtain information by transmitting data from the hard drive (spyware), disrupt certain components, and even render the entire system inoperable.

Phishing: Sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.

Man-in-the-middle (MitM) attack: Also known as eavesdropping attacks, MitMs occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can steal data. Unsecured public Wi-Fi is a common point of entry.

Denial-of-service attack: This kind of attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to function normally. Attackers can also use multiple compromised devices to launch this attack; this is known as a distributed-denial-of-service attack.

Zero-day exploit: This attack hits after a network vulnerability is announced but before a patch or solution is implemented, targeting the disclosed vulnerability during this window of time.

“If you’re not following breaches in the news and then conducting case studies and tabletop exercises about those cybercrime strategies, you’re not getting crisis-ready,” says Jonathan Marks, CPA, CFF, CITP, CGMA, CFE, partner and firm practice leader of global forensic, compliance, and integrity services for Baker Tilly US LLP. “If the smoke is ultimately a fire, what do you do? What’s the plan and protocol? If you need remediation, who do you call? These are all keys to avoiding a business interruption.”

It Could Happen to You

One of the biggest risks in cybercrime is the common belief that it won’t happen to your organization—a mindset called “perfect place syndrome.” But from the smallest nonprofit organizations to the largest corporations, criminals aren’t discriminating.

“Our increasing dependence on networks and the growing pools of personal financial information being stored online exposes individuals to privacy violations and institutions to huge liabilities when a data breach occurs—that’s when a breach occurs, not if,” Marks emphasizes.

Smaller organizations in particular shouldn’t fall victim to perfect place syndrome and slack off on cybersecurity. “Small businesses might not be able to afford the best technology or an in-house IT team, but everyone can take certain steps and measures,” Marks says. “Outsource some of your infrastructure. Get someone to help you.”

“Experts have been saying for years that cyberattacks will increase in number and sophistication despite what we do to protect ourselves,” says Donny Shimamoto, CPA, CITP, CGMA, founder and managing director of IntrapriseTechKnowlogies LLC. “Advances in technology make it even easier for criminals. It’s going to continue to evolve.” The only choice organizations have is to evolve faster.

The Layers of Defense

There’s no single best cybersecurity strategy, but all organizations should shore up both their technological and human defenses. Shimamoto compares good cybersecurity strategy to an onion: multiple layers of protection that deter criminals as they encounter obstacle after obstacle. A firewall, the outermost layer, will check emails and attachments for phishing links and viruses. These days, antivirus software can actually detect if a virus is starting to encrypt files and if so, roll the virus back.

Too often, however, organizations rely solely or primarily on technological protections, incorrectly thinking a firewall and antivirus software are enough, while leaving the humans within the organization uneducated and unprepared.

One of the most critical layers to cybersecurity is training people to spot red flags. It sounds simple, and yet a survey of more than 1,000 IT professionals by automation company Ivanti revealed that 74 percent of companies have fallen prey to a phishing attack in the past year. More than one in three respondents said that a lack of technology and understanding among employees was the main cause for the increase in successful phishing attacks.

“Whether we want to admit it or not, our own employees are constantly and inadvertently opening the door to cyberthreats,” Seets says.

Even organizations that train employees on cybersecurity likely aren’t doing it frequently enough. Shimamoto notes that the rapid and constant evolution of cybercrime makes quarterly or even monthly mini-training sessions necessary to keep awareness high. After all, one of the most effective protective measures against cybercrime is not the latest technological gadget but training all employees to have good cyber hygiene.

Cyber hygiene is a term for our daily technological habits, from browsing Instagram on our phones to opening work emails in our offices. Having good cyber hygiene means following best practices for cybersecurity, paving the way for not only more secure information streams, but also a more effective response and recovery after a breach.

Good cyber hygiene practices for all organizations include:

• Knowing where critical data is stored and housed.
• Building and maintaining a secure network, including a firewall and strong password requirements.
• Encrypting data.
• Maintaining a vulnerability management program that includes regularly updating antivirus software and other types of preventive software.
• Utilizing controls to restrict data access based on roles and identification.
• Having an information and security policy that covers employees, contractors, and third parties.
• Implementing software patches and updates as soon as they’re released.

Organizations must use technological protections effectively while also keeping their employees educated on what cybercriminals’ latest schemes are. Balancing technology with the human element is the best way for organizations to keep their cybersecurity strategies relevant and effective.

Beyond IT

If Shimamoto could offer one piece of advice, it would be to think about cybersecurity as a business issue rather than just an IT responsibility. “This is really about your business, your customers, and your employees,” he says. “The impact of a cyberbreach reaches far beyond the scope of IT.”

While there may be fines and regulatory matters to address after a breach, the biggest loss at stake is trust, Seets says: “Trust is fundamental to any organization regardless of size. We need to inspire trust in our customers, regulators, insurers, and employees. If we can’t trust each other, it’s going to be more difficult to do business going forward.”

Starting now, any new services or products should have a cybersecurity risk management approach built in from the outset. “Anything a company intends to do proactively, whether that’s a new product or service, entering a new market, executing a transaction, or upgrading technology, has to incorporate cybersecurity in development and buildout,” Seets explains. “It’s difficult to bolt cybersecurity on after the fact, and threat actors will take advantage of that. Those who can infuse security at the beginning stand a better chance of executing a successful rollout.”

As cybercrime continues to mature, and criminals become bolder, everyone must chip in to protect themselves and their organizations against cybercrime, and CPAs can play a special role in the cybersecurity world.

“This isn’t just about IT risk—it’s about enterprise risk, and all of us connected to the enterprise play a part,” Seets says. “CPAs understand systems, processes, and controls. We can lean into the conversation and contribute to corporate America raising its cybersecurity game in a collective effort to defend what we’ve created.”

Natalie Rooney is a freelance writer based in Eagle, Colo. A former vice president of communications for the Ohio Society of CPAs, she has been writing for state CPA societies for more than 20 years.