Cybercrime and the CPA

IMGCAP(1)]Cybercrime is now the second most reported economic crime worldwide and has negatively affected at least a third of all U.S. companies.

According to a recent IBM-sponsored study by the Michigan-based Ponemon Institute, the average total cost of a data breach in 2015 was $6.5 million, with an average cost per lost or stolen record of $217. The more records lost, the higher the cost of the data breach, according to the same report.

But does this actually mean anything for today’s CPA? And are CPAs even well-positioned enough to have any effect on the cyber security of the organizations they serve? The answer to both questions is “yes”. CPAs are ideally positioned to help manage this particularly insidious form of corporate crime.

Can You Deal with a Cyber Assault?
But is your organization equipped to deal with a major cyber assault? Unfortunately, most companies are simply not prepared for such attacks, and others don’t even understand the risks they face.

Today’s increasingly sophisticated corporate criminals can penetrate a company’s databases in a variety of ways, using viruses, malware, stolen devices, denial of services, botnets, phishing or even insiders with questionable intentions.

The people behind the cyber-attacks can come in many guises. For instance, a company under attack might be dealing with a single, independent hacker, or a coordinated, but small-scale group of individuals with access to a company’s databases. Or, the IT interloper might be a large-scale criminal organization, probably located in a foreign country and virtually untouchable.

But, as varied as the methods of infiltration might be, the forms of cybercrime that should be of greatest concern to CPAs are corporate account takeovers, and the theft of sensitive data and intellectual property.

Corporate Account Takeover: Not a Nice CAT
With the unfortunate acronym CAT, this type of cybercrime is anything but fluffy or cute. In fact, it’s one of the fastest-growing forms of attack that we know about—and remarkably hard to detect.

A CAT occurs when a company’s banking credentials are remotely commandeered and money is removed from the organization’s bank account. CATs come in a variety of disguises, although electronic funds transfer fraud seems to be a particular favorite.

The steps required for a corporate account takeover are difficult for all but the most adept IT professionals to accomplish, but they usually entail the theft of someone’s login credentials, often via malicious programs masquerading as legitimate email attachments, undetected downloads from apparently innocuous websites, or even file transfers that appear to come from friends or colleagues.
CPAs should be aware that treasurers, controllers, and especially CFOs and CAOs, are “high-value targets,” especially since they can be readily identified, as the target is usually the supervisor routinely engaged in managing the company’s online banking transactions. Unfortunately, individuals are seldom aware they are being targeted—until it’s too late. And if that weren’t bad enough, many companies are not aware of the fact that they are wholly liable for all the losses they incur. Misappropriation of

Sensitive Data
A lot of companies these days have become the overseers of their own data warehouses, storing everything from customer intelligence to trade secrets, as well as often unencrypted business information. And because they have become repositories of such sensitive materials they are a magnet for cybercriminals, who regard them as easy pickings, which they often are.

As with corporate account takeovers, the initial security breach can be accomplished through the theft of an individual’s login information.

The cost to companies that become the casualties of such attacks can be high, especially if you factor in all the collateral damage, such as the loss of public trust and shareholder confidence, loss of business, the inevitable lawsuits that follow, and the expenditures that come with deploying new, improved security systems.

Intellectual Property Theft
We should also mention another common form of data misappropriation—intellectual property theft—which can be the source of considerable profit for cyber-criminals, who are usually quite specific when it comes to identifying the IP properties they want to steal. Like almost all cyber-assaults, these are not crimes of opportunity.

How CPAs Can Help Prevent Cybercrime
Given the dramatic increase in every kind of cybercrime during the last few years, it’s important that CPAs alert their clients to the dangers their companies face. Of course, no one expects a CPA to be an expert on all aspect of IT security, but it is important that you become as well-informed as possible on today’s IT security technologies.

For those clients who have the resources, the following safety measure ought to be in place:

1. Firewalls to protect network computers from external attack
2. Up-to-date antivirus software
3. Updated operating systems and key business applications
4. Encryption of key data
5. Data backup systems
6. A disaster recovery plan

However, be prepared for the fact that some of your clients may baulk at the suggestion they set up such systems. But this shouldn’t stop you from (gently, but persistently) reminding your clients that they, like you, have to be vigilant when it comes to possible cyberattacks. Only by taking the necessary measures can your clients protect themselves.

Still, even with the appropriate defenses in place, it’s worth pointing out that preventing cyberattacks is the responsibility of the entire company, from the top down. Everyone has a vital part to play in the defense of the enterprise. The problem is that many companies simply don’t understand the gravity of the risks they face, nor are they able to foresee or properly manage cyber-assaults when they occur.
That’s why your role―as an independent, unbiased CPA is so vital. You are, in fact, one of your client’s first lines of defense.

Eric A. Kreuter, Ph.D., CPA, CFE, is a partner at Marks Paneth LLP.

For reprint and licensing requests for this article, click here.
Technology Data security
MORE FROM ACCOUNTING TODAY