[BreachExchange] The Showdown: Hackers vs. Accountants

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 14 20:26:21 EDT 2017


https://www.hackread.com/showdown-hackers-vs-accountants/

A showdown between hackers and accountants is unlikely to have the same
action-packed appeal as the latest summer superhero blockbuster, but the
stakes in that real-life showdown are no less significant. Accounting firms
are at a heightened risk for cyber attacks because they hold large amounts
of their clients’ personal and financial data, they are privy to
confidential corporate information that has immense value to cyber
attackers, and they typically have fewer layers of cyber protection to
guard against theft of that information than the sources of that
information. These elements combine to create a perfect storm of cyber
attack exposure that can leave accountants as the losers in any ultimate
showdown.

A California CPA firm learned this the hard way in August 2016 when it
discovered that hackers had breached its data systems and filed 45
fraudulent tax returns using its clients’ data. The firm contacted those
of its clients that might have been affected and implemented whatever
procedures it could to limit the damage, including offering complimentary
credit monitoring services to those clients.

The firm did not announce what costs and expenses it incurred as a result
of this event. Between actual expenditures and costs associated with
reputational losses, experts estimate that in 2016, a data breach cost an
average of $221 per compromised record. At that rate, the firm would have
lost almost $10,000 as a result of the hack. That might not be a
significant number to a larger CPA firm, but that magnitude of loss can
impact the viability of many smaller CPA firms.

Rather than waiting for the showdown to come to them, CPA firms can take
affirmative steps to protect themselves and their clients’ data to minimize
or even eliminate the prospects of these types of losses. Some of the more
common recommendations include:

1. Start at the top: If a CPA firm’s senior accountants and managers do not
demonstrate a commitment to implement cyber security measures, the rest of
the firm will likely not follow suit.

2. Make cyber security awareness a regular topic: Like all professionals,
accountants are charged with staying on top of new industry developments
that affect how they manage their clients’ finances. Cybersecurity should
be an integral part of an accountant’s continuing professional education
efforts.

3. Periodically test the system: An accounting firm’s employees will more
likely adhere to cyber security requirements if they know that their
compliance will be periodically tested. Rather than just implementing a
cyber protection policy, enact measures to confirm that it is being
followed.

4. Keep software and systems updated: Cyberattackers rely on flaws in
operating systems that become publicized on hacker bulletin boards and
across the Dark Web. Software developers issue patches and updates to close
those flaws. CPA firms should take steps to ensure that all patches and
updates are installed on their networks, computers, and mobile devices.

5. Enhance network login requirements and encryption: CPA firms should
implement dual-factor authentication and end-to-end encryption to improve
their technology defenses against cyber attacks.

The best-laid and most robust cyber defense strategies will raise the bar
against a successful hacking attack, but they will not entirely prevent one.
When an attack does succeed in breaching a CPA firm’s cyber defenses, cyber
insurance for accountants can limit or eliminate the direct and third party
losses that the accounting firm might face.

Roughly two-thirds of the average $221 cost per compromised record comes
from reputational and client confidence losses that occur when an
accounting firm’s data and network are breached. An accounting firm that
carries cyber insurance will send a message to its clients that it takes
their data security seriously and that it is taking all precautions to
prevent a breach and to recover from a breach if one does occur. Thus,
cyber insurance for accountants provides assurances that losses will not
strangle the firm and that the firm’s reputation and very existence will
survive any showdown with hackers.