Cybercrime is on the rise, and accountants are in a position to help their clients take steps to prevent it.
In a panel discussion last week at Pace University, co-sponsored by the Association of Chartered Certified Accountants, academics, law enforcement officials and security experts discussed the growing threat. Vincent Tophoff, senior technical manager at the International Federation of Accountants, spoke about the need for risk management, how easy it is for the “good guys” to turn into the “bad guys,” and how important it is to turn them back into “good guys.”
“Believe it or not, accountants are people like you and me, and we make the same mistakes and we have the same issues,” he said. “Also at accountancy firms, I think it’s important if you talk about cyber risk with people, it’s good to give them a sort of baseline understanding and continue to emphasize it. But I notice that when people talk about risk, they seem to separate risk management from their daily activities. We’ll have a meeting for 50 minutes, and then in the last five minutes we’ll talk about risk, whereas I think that risk should be an integral part of all decision making and everything you do. It’s a little bit like driving a car. Safety is an issue all the time you’re driving. The same, I think, applies with risk management and taking care of cyber risk. It’s not something that you do only on the afternoon when we have our cyber risk meeting. It’s something you need to integrate in the 40 or 60 hours that you’re working, with every decision you take, with every action you take. You should take into account what are the sources of risk that might affect you and how do you mitigate those risks.”
Cybercrime has been reaching epidemic proportions. “There are only two types of companies: those that have been hacked and those that are being hacked again,” said Judge Robert G.M. Keating, vice president for strategic initiatives at Pace University. “There’s no question that cybercrime is one of the biggest threats to our nation’s security. In 2012, cybercriminals victimized 556 million people around the world, and consumers lost $110 billion. As opportunity grows, it will only get worse.”
He pointed to the growing use of portable devices like smartphones and tablets and their vulnerability to cybercrime, and credited the ACCA with helping raise the visibility of this issue. “We’ve grown very dependent on our digital world,” said Keating. “It’s created prosperity, transparency and freedoms that we couldn’t have imagined a few years ago. But it’s also created threats that we couldn’t have imagined earlier. These require an army of experts to defend us.”
David Szuchman, Executive Assistant District Attorney and Chief of the Investigation Division in the Manhattan District Attorney’s Office, discussed the rising caseload related to cybercrime. “At the Manhattan District Attorney’s Office, we are keenly aware of the value of prosecuting and investigating cybercrime,” he said. “Nearly every case handled by our office has a cybercrime element. When you think about that, that has changed dramatically over the last 10 years. Every rape, homicide, burglary has a cyber-element to it, and that’s even before you start talking about the true cybercrime cases of hacking, intrusion, malware and peer-to-peer crimes such as the child pornography crimes that we also prosecute on a regular basis. And as technology becomes more sophisticated, so do the criminals who actually use it, and they take advantage of unsuspecting victims in so many different ways.”
He noted that while New York has seen a tremendous plunge in violent crime in recent years, thanks to the efforts of the New York City Police Department, the District Attorney’s offices, and other law enforcement agencies, there has not been a corresponding decrease in cybercrimes such as identity theft.
“Identity theft is the fastest-growing crime that exists in the country and certainly in New York City today,” said Szuchman. “Our office sees about 200 to 300 new identity theft cases per month.” When Cyrus Vance took over as Manhattan DA, he created a Cybercrime and Identity Theft Bureau to deal directly with the challenge.
Pace University associate dean and director of special programs and projects Jonathan Hill asked the panel what keeps them up at night. “What makes me not sleep at night is everything is so global and instantaneous,” responded Charles F. Gilgen, supervisory special agent at the Federal Bureau of Investigation. “We have the ability to communicate in fractions of seconds, so if somebody says something or does something, it goes out on the Net and we can’t pull it back in. It’s the same thing in corporate America. You send one email and you can’t pull that back in. It may be something you had no idea you were doing. You get an email asking you to open up an attachment and you’ve got problems. To me, the ease with which people can penetrate your systems is very sobering. You can’t be completely vigilant every second of the day. You get an email from a friend, or someone who you think is a friend, and you open it up. You don’t even think about it. It’s something that has happened to everybody.”
Bernadette Gleason, North America eCrime Laboratory Manager at Citigroup, sees a danger from devices such as smartphone cameras, which can be an insider threat. “Bringing cell phones into the office, such as smartphones with picture-taking ability, taking pictures of screens and customer accounts, that’s definitely a very real threat and has to be mitigated,” she said. “When you bring your own device, and you’re allowing people to bring their own computers onto the network, if they’re infected, that’s an issue. Also, when you use your laptop at home, and you’re not using it for company business, you go out and do whatever, who knows if you’ve been infected? Then you come back to work, you can infect the network.”
She also sees a danger from USB devices, which can introduce infected files to a company network, and recommends that employees learn how to be aware of such risks.
Robert A. Zandoli, senior vice president and global chief information security officer at AIG, agreed that employees can introduce such risks onto a network. “The weakest part of any security program is people,” he said. “When I think about what are the agents that I worry about the most, I’ve heard about malicious insiders, but I also think about the accidental insider. The accidental insider is someone who sends a bunch of PII [personally identifiable information] to the wrong email address because you don’t have the appropriate controls. I worry about the hacktivist, the nation state or electronic crime. There are many reasons why one of these agents will target a company, target an agency, but they target it in many ways, and the weakest link is people. I believe security awareness is the strongest tool, and a consistent and continuous program so that when someone does travel with that device overseas or to someplace like China where they monitor everything, they know what they’re in for. I believe that people are the Achilles heels of corporations because they will make that mistake or they will be that malicious insider.”