Understanding and Preventing Cyber Threats

Cybersecurity breaches are costlier in the United States than anywhere else in the world — $7.45 million per average incident, according to a June 2017 Ponemon Institute study. This consists of four primary costs: detection and escalation ($1.07 million), notification ($0.69 million), post response ($1.56 million), and lost business ($4.13 million).

From a cost and compliance perspective, the potential implications of a cybersecurity breach — especially one within the accounting and finance industry — creates business risks that can’t be ignored. Within firms, confidential personally identifiable information (PII) and protected health information (PHI) data is prevalent in many cases and must be maintained for several years to support clients if they are audited or sued. What firms do to protect this data is imperative, not only for clients, but for the firm itself.

TOP THREATS

There are many types of cybersecurity threats out there, with more seemingly emerging each day. Here are the most common types of threats that lead to costly incidents:

1. Ransomware — tactics that conceal, prevent, or limit users from accessing their systems, files, and data. In such incidents, the perpetrator typically blackmails the victim, threatening to expose or permanently block content without a ransom payment.

2. Social engineering — the psychological manipulation of an individual, whereby the perpetrator masks their identity so that the individual performs an action or provides confidential information. Common types of social engineering include:

• Phishing: sending emails that appear to be from a legitimate business source to a high volume of victims in attempt to get the victims to provide confidential information, either via an emailed response or a link within the email.

• Spear phishing: the perpetrator sends a highly customized email in attempt to obtain confidential information or an action by the victim (e.g. a masked request from the CFO to personnel requesting they process an immediate payment to the perpetrator).

• Baiting: leaving physical media that contains malware for a victim to unknowingly load into their computing environment.

• Tailgating: an attacker physically follows an authorized individual into a restricted area.

3. Password attacks — threats that occur when a perpetrator attempts to crack or obtain a user’s password. Password-cracker software is readily available to support perpetrators in testing hundreds of millions of passwords per second to attempt to gain access to their protected environments, applications, or data.

4. Man in the Middle (MITM) — a threat by which a perpetrator secretly intercepts communications between two parties by impersonating the party on each end of the communication to eavesdrop on the message or even alter the communication. A means of identifying this threat is to closely inspect the website address as it is often misspelled or varies slightly from the intended party’s website (e.g., vvalmart.com).

5. Denial of Service (DoS) — a targeted attack that aims to disrupt the availability of a system or network by sending high volumes of data or traffic until it becomes overloaded, thus blocking or disrupting legitimate traffic.

With so many mechanisms for cybercriminals to use, the question is no longer how a company can eliminate the possibility of being breached but rather when it will happen and how the company can reduce the impact.

MANAGING RISK

In the accounting and finance industry, one of the primary objectives is to minimize risk — audit risk, risk of material misstatement or otherwise. Managing risks associated with cybersecurity incidents, including the threats previously identified, involves the same concept. It starts by understanding the risks, and the first step in that process is to perform a data mapping exercise to identify what data you have, how it is used, where it is stored, and how it is transmitted.

Following that step, a risk assessment must be completed to identify the risks and determine what controls have been implemented to mitigate them. Simply relying on third parties to manage that risk is not sufficient. Many clients are quite surprised once they see the details of where data is stored and transmitted (i.e., who else in their vendor supply chain has access). Then there is a scramble to re-read vendor contracts and determine liability. When was the last time you checked in on your vendors and how much information they have?

As the AICPA states: “Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate, and recover from breaches and other security events.”

In response, the AICPA is developing a comprehensive cybersecurity risk management reporting framework for use by CPAs, third parties, and organizations as part of its System and Organization Controls (SOC) for Cybersecurity engagement. The aim is to assist organizations in establishing and communicating their cybersecurity risk management programs. This information can help CPAs, senior management, boards of directors, analysts, investors, business partners, and regulatory bodies gain a better understanding of an organization’s efforts — which is becoming increasingly important considering regulations have been enacted by governments around the world to force organizations to proactively establish and maintain cybersecurity programs or face stiff financial penalties.

Although costly, implementing a cybersecurity program is not simply a sunk cost. It does have two significant advantages: It reduces the likelihood of a breach by enabling organizations to better protect themselves and limit their exposure from the occurrence of potential incidents, and it can reduce costs. Another Ponemon Institute study using 2016 data found that organizations can reduce incident costs by up to 35 percent through implementation of a cybersecurity program.

Still, preparing for breaches is not an exact science. As technologies continue to advance and programs change, new threats will continue to arise. It’s time to go on the offensive.

This article originally appeared in the March/April 2018 issue of New Jersey CPA magazine.