Cybersecurity for CPAs: Delayed reactions

As accounting firms are increasingly targeted by cyber attacks, cybersecurity has become essential for every professional. Between data breaches, phishing attacks and malware, criminals are increasingly going after the sensitive financial data held by accountants. The modern accountant, then, must take their cyber defenses seriously for their own sake and for that of their clients.

With this in mind, we present the first of our new monthly series, Cybersecurity for CPAs. This regular feature will bring you the best cybersecurity stories from Accounting Today, as well as lessons drawn from real-life cybersecurity incidents, plus stats and charts to help you better understand the current landscape. It's our hope that readers will be able to use the news and insights offered in this feature to make their own firms safer in an increasingly dangerous world.

Cybersecurity Tales: Delayed reactions

Even when a cyber incident is detected, the full consequences of the intrusion may not make themselves felt until much later, as evidenced by an accounting firm that learned this lesson the hard way. 

Our story begins with a managing partner at a regional accounting firm specializing in audits. One day, a staff member called him and asked whether he really was requesting that she download a file from a linked hosting service. He had not, and so they alerted the firm's outsourced IT vendor to look into the matter. 

The vendor ran a scan of the system and found no viruses or other threats. All normal there. But something else was very curious. Whenever the managing partner logged into his email system from the remote network or a local server, all was well. But if he logged into the same account via the web, there was suddenly a rule in place involving its file-sharing service that he was sure he had not created himself. When he tried to log into the account's file-sharing service, it failed. Eventually the vendor was able to reset his password and delete the rule. Afterward, they set up a dual authentication process for the account. Other staff followed his lead and also set up dual authentication for their accounts.

Lesson learned and crisis averted, right? No. Ten months later, the firm determined there had been a privacy breach involving 19,000 individuals. Investigators had to undertake the arduous process of pulling thousands of items to identify the population of those potentially impacted, so they could determine whom to send breach-notification letters to.

The analysis eventually revealed that virtually all the compromised data was connected to a single audit client; the eight files involving the client dated from between 2009 and 2011. They included a large spreadsheet with people's names and personally identifiable information. What appears to have happened is that old emails containing this data had been left unencrypted in the account, meaning they were available to any intruder who gained access to it. This was at least partly because the firm had no policy regarding the retention of sensitive emails.

Ultimately, though the firm notified all the individuals potentially impacted by this breach, the damage had already been done. That was why, a short time later, the firm was served with a class-action lawsuit from those whose personal, confidential information was leaked.

This real-life example was provided to us by professional liability insurer Camico, which had this to say about the situation:

"The dated, sensitive information should have been protected and secured, and then later carefully destroyed. The responsibility falls on the CPA firm, as their email account containing unencrypted, PII data needed to be safeguarded. Email accounts that have been compromised allow hackers to put rules on the account and send purported messages — such as from a CPA firm — asking for money or to click on a harmful link."

"Security such as authentication is critical for company accounts, only permitting authenticated users to gain access to protected resources," the insurer warned. "Email retention policies are vital for a firm — or any business — to save space on your email server and stay in compliance with federal and industry record-keeping regulations. Retaining emails for a longer amount of time than necessary exposes a company to security and legal risks and can compromise data assets."
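The warning signs in this story (a mailbox rule the account owner never created, visible only through one login path) are the kind of thing a firm or its IT vendor can check for routinely rather than waiting for a suspicious file-sharing link. The script below is an added example written for this article, not code from the firm, its vendor or Camico. It audits an exported list of mailbox rules for the patterns that typically appear after an account takeover: forwarding to addresses outside the firm, deleting or hiding incoming mail, blank rule names, and filters keyed on money or account-security subjects. The input format and the firm's domain (`example-cpa.com`) are constructed for illustration; a real export from a mail platform would need a small adapter to this shape.

```python
"""Audit exported mailbox rules for post-compromise patterns.

Constructed example: the JSON shape below is a generic stand-in for a
mailbox-rule export, not any vendor's real format.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List

# Constructed: the firm's own mail domains; anything else is "external".
ORG_DOMAINS = {"example-cpa.com"}

# Folders users rarely open; attackers route stolen mail here to hide it.
HIDDEN_FOLDERS = {
    "rss subscriptions", "rss feeds", "conversation history",
    "archive", "junk email", "deleted items",
}

# Subject keywords that attackers filter on to intercept payment or
# account-security traffic.
SENSITIVE_SUBJECTS = {
    "invoice", "wire", "payment", "password", "security", "suspicious", "hacked",
}

# Constructed sample export: one benign rule, one attacker-style rule,
# one internal forward that should not be flagged.
SAMPLE_RULES_JSON = """
[
  {"name": "Newsletters", "subject_contains": ["newsletter"],
   "move_to_folder": "Newsletters", "mark_as_read": false},
  {"name": ".", "subject_contains": ["invoice", "wire", "password"],
   "forward_to": ["collect@mail-attacker.example"],
   "move_to_folder": "RSS Subscriptions", "mark_as_read": true,
   "delete_message": false},
  {"name": "Team updates", "from_contains": ["hr@example-cpa.com"],
   "forward_to": ["assistant@example-cpa.com"]}
]
"""


@dataclass
class Finding:
    rule_name: str
    reasons: List[str] = field(default_factory=list)


def _is_external(address: str) -> bool:
    """True when the address's domain is not one of the firm's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def audit_rules(rules) -> List[Finding]:
    """Return one Finding per rule that shows at least one suspicious trait."""
    findings = []
    for rule in rules:
        reasons = []
        name = (rule.get("name") or "").strip()
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        for addr in targets:
            if _is_external(addr):
                reasons.append(f"forwards/redirects to external address {addr}")
        if rule.get("delete_message"):
            reasons.append("deletes incoming messages")
        folder = (rule.get("move_to_folder") or "").lower()
        if folder in HIDDEN_FOLDERS:
            reasons.append(f"moves mail to rarely-viewed folder '{folder}'")
        if rule.get("mark_as_read") and (folder or rule.get("delete_message")):
            reasons.append("marks messages read before hiding them")
        # Attackers often leave the name empty or use a single dot/comma.
        if not name or re.fullmatch(r"[\W_]{1,3}", name):
            reasons.append("rule name is blank or near-blank")
        keywords = {k.lower() for k in rule.get("subject_contains", [])}
        if keywords & SENSITIVE_SUBJECTS:
            reasons.append("filters on subjects about money or account security")
        if reasons:
            findings.append(Finding(name or "<unnamed>", reasons))
    return findings


def load_sample_rules():
    """Parse the constructed sample export."""
    return json.loads(SAMPLE_RULES_JSON)


if __name__ == "__main__":
    for finding in audit_rules(load_sample_rules()):
        print(f"Suspicious rule {finding.rule_name!r}:")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the sample, the script flags only the second rule, for five separate reasons, while the internal forward to a colleague passes. Reviewing rule exports this way on a schedule, and after any password reset like the one in the story, is a low-effort check that catches the persistence an intruder leaves behind even after the initial foothold is cleaned up.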

The resolution of the lawsuit is uncertain at this time.

February's top cybersecurity stories

AI accelerates cybersecurity arms race: Researchers have discovered that ChatGPT can be used to produce sophisticated malware, bringing the arms race between cybercriminals and those seeking to thwart them into a dangerous new era. 

More than a third of orgs had accounting-related cyber incidents: A recent poll of C-suite and other executives from Big Four firm Deloitte found that 34.5% of organizations have experienced at least one "cyber event" targeting accounting and financial data over the past year.

CFO optimism on economy driving tech investments: A Grant Thornton survey of chief financial officers found that economic optimism is driving additional tech investment, particularly regarding cybersecurity: The survey found that 45% of CFOs ranked cybersecurity as one of their top three areas of focus, an 11 percentage point increase from the previous quarter.