Understanding and Preventing Cyber Threats
Accounting and finance firms need to go on the offensive to stay safe from today’s cyber criminals.
By Scott Mahoney and Joe Riccie, CPA
Cybersecurity breaches are costlier in the United States than
anywhere else in the world — $7.45 million per average incident,
according to a June 2017 Ponemon Institute study. This consists of
four primary costs: detection and escalation ($1.07 million),
notification ($0.69 million), post response ($1.56 million), and lost
business ($4.13 million).
From a cost and compliance perspective, the potential implications of a cybersecurity breach — especially one within the accounting and finance industry — create business risks that can’t be ignored. Within firms, confidential personally identifiable information (PII) and protected health information (PHI) are prevalent and must be retained for several years to support clients if they are audited or sued. What firms do to protect this data is imperative, not only for clients, but for the firm itself.
There are many types of cybersecurity threats out there, with more
seemingly emerging each day. Here are the most common types of
threats that lead to costly incidents:
1. Ransomware — tactics that conceal, prevent, or limit users from
accessing their systems, files, and data. In such incidents, the
perpetrator typically blackmails the victim, threatening to expose
or permanently block content without a ransom payment.
2. Social engineering — the psychological manipulation of an
individual, whereby the perpetrator masks their identity so that
the individual performs an action or provides confidential
information. Common types of social engineering include:
• Phishing: sending emails that appear to be from a legitimate business source to a high volume of victims in an attempt to get the victims to provide confidential information, either via an emailed response or a link within the email.
• Spear phishing: the perpetrator sends a highly customized email in an attempt to obtain confidential information or an
action by the victim (e.g. a masked request from the CFO to
personnel requesting they process an immediate payment to
• Baiting: leaving physical media that contains malware for a
victim to unknowingly load into their computing environment.
• Tailgating: an attacker physically follows an authorized
individual into a restricted area.
3. Password attacks — threats that occur when a perpetrator attempts to crack or obtain a user’s password. Password-cracker software is readily available and lets perpetrators test hundreds of millions of passwords per second in an attempt to gain access to the victim’s protected environments, applications, or data.
4. Man in the Middle (MITM) — a threat by which a perpetrator
secretly intercepts communications between two parties by
impersonating the party on each end of the communication to
eavesdrop on the message or even alter the communication. A
means of identifying this threat is to closely inspect the website
address as it is often misspelled or varies slightly from the
intended party’s website (e.g., vvalmart.com).
5. Denial of Service (DoS) — a targeted attack that aims to disrupt
the availability of a system or network by sending high volumes
of data or traffic until it becomes overloaded, thus blocking or
disrupting legitimate traffic.
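As a defender-side illustration of the "inspect the website address" advice in item 4 above, here is an added example (not from the article) that flags look-alike domains such as vvalmart.com against a trusted list. The trusted domains, the confusable-character pairs and the one-edit threshold are constructed assumptions.

```python
"""Flag look-alike domains of the kind item 4 describes (e.g. vvalmart.com)."""
import re

# Constructed sample list of domains the firm considers trusted.
TRUSTED = {"walmart.com", "irs.gov", "example-cpa-firm.com"}

# Character sequences commonly used to imitate other letters (assumed list).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("cl", "d")]


def strip_www(host: str) -> str:
    """Lower-case the host, drop trailing dots and a leading 'www.'."""
    return re.sub(r"^www\.", "", host.lower().strip("."))


def fold_confusables(host: str) -> str:
    """Replace confusable sequences so 'vvalmart' and 'wa1mart' read 'walmart'."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(host: str, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    bare = strip_www(host)
    if bare in trusted:
        return "trusted", bare
    folded = fold_confusables(bare)
    for t in trusted:
        # Same name once confusables are folded, or within one edit of a trusted name.
        if folded == fold_confusables(t) or levenshtein(bare, t) <= 1:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    for candidate in ["www.walmart.com", "vvalmart.com", "wa1mart.com", "walmart.co", "microsoft.com"]:
        print(candidate, "->", check_domain(candidate))
```

A real deployment would run this against the firm's own allow-list and surface "lookalike" hits to users or a mail gateway rather than printing them.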
With so many mechanisms for cybercriminals to use, the question
is no longer how a company can eliminate the possibility of being
breached but rather when it will happen and how the company
can reduce the impact.
In the accounting and finance industry, one of the primary objectives
is to minimize risk — audit risk, risk of material misstatement or
otherwise. Managing risks associated with cybersecurity incidents,
including the threats previously identified, involves the same
concept. It starts by understanding the risks, and the first step in that
process is to perform a data mapping exercise to identify what data
you have, how it is used, where it is stored, and how it is transmitted.
Following that step, a risk assessment must be completed to identify
the risks and determine what controls have been implemented to
mitigate them. Simply relying on third parties to manage that risk is
not sufficient. Many clients are quite surprised once they see the
details of where data is stored and transmitted (i.e., who else in their
vendor supply chain has access). Then there is a scramble to re-read
vendor contracts and determine liability. When was the last time you
checked in on your vendors and how much information they have?
As the AICPA states: “Organizations are under increasing pressure to
demonstrate that they are managing cybersecurity threats, and that
they have effective processes and controls in place to detect, respond
to, mitigate, and recover from breaches and other security events.”
In response, the AICPA is developing a comprehensive cybersecurity
risk management reporting framework for use by CPAs, third
parties, and organizations as part of its System and Organization
Controls (SOC) for Cybersecurity engagement. The aim is to assist
organizations in establishing and communicating their cybersecurity
risk management programs. This information can help CPAs, senior
management, boards of directors, analysts, investors, business
partners, and regulatory bodies gain a better understanding of an
organization’s efforts — which is becoming increasingly important
considering regulations have been enacted by governments around
the world to force organizations to proactively establish and maintain
cybersecurity programs or face stiff financial penalties.
Although costly, implementing a cybersecurity program is not simply a sunk cost; it has two significant advantages. First, it reduces the likelihood of a breach by enabling organizations to better protect themselves and limit their exposure to potential incidents. Second, it can reduce costs: another Ponemon Institute study using 2016 data found that organizations can reduce incident costs by up to 35 percent through implementation of a cybersecurity program.
Still, preparing for breaches is not an exact science. As technologies
continue to advance and programs change, new threats will
continue to arise. It’s time to go on the offensive.
This article originally appeared in the March/April 2018 issue of
New Jersey CPA magazine.