Cybersecurity for CPAs: When you are the data breach

As accounting firms are increasingly targeted with cyberattacks, cybersecurity has become essential for every professional. Between data breaches, phishing attacks and malware, criminals are increasingly going after the sensitive financial data held by accountants. The modern accountant, then, must take their cyber defenses seriously for the sake of themselves and their clients.

With this in mind, we present the latest edition of our monthly series, Cybersecurity for CPAs. This regular feature will bring you the best cybersecurity stories from Accounting Today, as well as lessons drawn from real-life cybersecurity incidents, plus stats and charts to help you better understand the current landscape. It's our hope that readers will be able to use the news and insights offered in this feature to make their own firms safer in an increasingly dangerous world.

Cybersecurity Tales: When you are the data breach

Accountants losing track of their own data is irresponsible. Accountants losing track of their clients' data is a blunder that can threaten the entire firm if not addressed quickly. This was the lesson learned by "Mark," a senior associate at a respected CPA firm, as he worked on an audit for "XYZ Corp."

During initial discussions with the audit clients, Mark became uneasy about data requirements — though he considered asking for less information, he feared that might give the impression his analysis wouldn't be thorough. So, he instead reluctantly accepted the more extensive data dump provided by XYZ Corporation in the form of a USB drive.

Despite his reservations about the overwhelming amount of information, Mark justified his acceptance of the drive by convincing himself that having access to all the HR data would enable him to provide a more comprehensive analysis — even if it went beyond the audit's scope. 

Unfortunately, Mark later misplaced the USB drive after leaving the client's office, a realization made worse by the fact that not only did it contain data pertaining to terminated employees and access revocation, but it also held a wealth of personal information, including Social Security numbers, addresses and other highly sensitive details belonging to current employees. The consequences of losing such valuable data, he knew, were tremendous. 

Mark desperately retraced his steps, searching every nook and cranny, but to no avail, all while his mind raced with thoughts of compromised security, identity theft and the potential legal ramifications to which he had inadvertently exposed himself and XYZ Corporation.

Filled with a mixture of guilt, regret and fear, Mark pivoted and made a firm decision to confront the situation head-on. He immediately reported the data breach to his supervisor, laying bare the full extent of the incident and accepting full responsibility for his oversight. His boss was disappointed but recognized the gravity of the situation and assured Mark it would be addressed with the utmost seriousness and transparency, starting with activating an incident response team to mitigate the impact of the breach. 

Mark's firm promptly notified the affected individuals, extending guidance and support to protect their personal information. The firm also engaged the services of a reputable cybersecurity company to conduct a thorough investigation, identify vulnerabilities and establish safeguards to prevent similar incidents in the future. Meanwhile, XYZ Corporation instituted strict protocols to ensure secure data sharing and handling during audits, and diligently educated their employees on data privacy and cybersecurity best practices. 

This real-life account came from Schellman, a Top 100 CPA firm specializing in IT audit and cybersecurity. Schellman CEO Avani Desai noted that the incident underscores the importance of implementing robust security measures such as encryption, access controls and secure storage at every stage of the audit process. It is important to not compromise when it comes to the security and privacy of client data, even if it means asking for less than initially offered.

June's top cybersecurity stories

Remote workers exhibit higher cybersecurity awareness than those on-site: A study says remote workers possess more conscientiousness about cybersecurity than their on-site counterparts.

PwC probes security incident tied to Russian-speaking Clop cyber gang: A criminal hacking gang has added more names to its lists of alleged victims from a recent campaign that exploited a vulnerability in a popular file-transfer product. 

Three-quarters of AI apps are sending data to third parties: As artificial intelligence becomes increasingly mainstreamed, AI-based smartphone apps — especially chatbots — have proliferated. But a recent report has found the vast majority of these apps aren't entirely private as they send user data to third parties.

Cybersecurity stat shot

Funding raised by cybersecurity vendors in Q2 2023: $1.9 billion over 97 rounds
Decline versus Q2 2022: 55%
Year-to-date funding raised by cybersecurity vendors: $4.8 billion over 172 rounds

Source: Pinpoint Research Group