Cybersecurity for CPAs: Don't stop adapting

There are accounting firms with mediocre cybersecurity, able to repel casual probes but helpless against dedicated adversaries. There are accounting firms with poor cybersecurity, where all but the most obvious attacks go undetected. And then there are the firms with virtually none at all. In this month's Cybersecurity for CPAs, we examine one such Illinois-based firm. 

It was a small firm, just three people, and had been operating since the 1980s. Despite its small size, it offered a wide variety of services, including tax prep, financial consulting, insurance and annuity guidance, and retirement planning, all of which tend to involve handling sensitive financial information. This information was stored not in a secure server somewhere, but instead on a single computer sitting in the office. An old one at that. While something like this may have been OK in the 1980s, when people were still getting used to the novelty of the fax machine, for the 21st century it was a dangerous setup, especially considering the sheer amount of client information held on the device. 

There was so much data that the firm's portal provider, complicating matters further, simply could not maintain the level of protection required for that amount of information. There were other issues, like lack of communication and support, that exacerbated the situation even more. The firm couldn't even cite budgetary reasons for keeping this provider around: the software was actually quite expensive. 

It was a picture of a firm that stayed right where it was while technology moved on around it, meaning the clients were becoming more vulnerable by the year. With such a paper thin defense, it likely would not be difficult for malicious actors to swoop in and steal the data for whatever nefarious reasons they had.

Luckily for the firm, this did not happen. A new employee who, despite having not previously worked in IT, immediately noticed the problem and quickly set about migrating the data to a secure cloud company with far more cybersecurity resources to protect this valuable information, paired with further training and software to bolster the firm's defenses. 

This real life tale was brought to you by accounting-focused cloud services provider Rightworks, which offers cybersecurity solutions among its many service and product offerings. The story emphasizes that cybersecurity is not a set and forget kind of thing, but something that must be actively maintained and updated. Cybercriminals are always evolving, and so too must the defenses against them.

Telling the IRS from the crooks — and how to fight back –  Lately a growing number of scams leverage the tax agency (or the threat of it), probably figuring that if you're going to make up muscle to threaten somebody, how can you do better?

New audit standards will add to compliance load – Internal auditors will be busy making sure companies are complying with new requirements from the Securities and Exchange Commission regarding cybersecurity and upcoming requirements on climate-related disclosures.

Business leaders worry about risks from economy and inflation – Cybersecurity threats ranked No. 3 in a recent survey of business decision makers. 

Percent of organizations who know or suspect they have lost sensitive data: 46%

... Because of lack of encryption: 33%
... Because of incorrect/insufficient policies: 28%
... Because of unsanctioned apps/services: 27%
... Because of encryption keys being to small: 25%
... Because of "shadow data:" 18%

Source: Fortanix