Cybersecurity for CPAs: Technically legal but still frowned upon

As accounting firms are increasingly targeted with cyberattacks, cybersecurity has become essential for every professional. Between data breaches, phishing attacks and malware, criminals are going after the sensitive financial data held by accountants. Modern accountants, then, must take their cyber defenses seriously for the sake of themselves and their clients.

With this in mind, we present the latest edition of our monthly series, Cybersecurity for CPAs. This regular feature will bring you the best cybersecurity stories from Accounting Today, as well as lessons drawn from real-life cybersecurity incidents, plus stats and charts to help you better understand the current landscape. It's our hope that readers will be able to use the news and insights offered in this feature to make their own firms safer in an increasingly dangerous world.

Technically allowed, but frowned upon

This month's real life tale from the cybersecurity frontlines shows that just because a policy has not been technically violated does not mean that a cyber incident can't lead to hugely negative repercussions for a CPA firm, as one practice recently learned.

Our story begins with an accountant, as many stories here do, who eventually left his firm for unknown reasons — maybe a better job offer, maybe a move to another city, maybe a fireable offense. Regardless, the salient point is this: the employee left with a substantial amount of the firm's data, downloaded to an external hard drive. Notably, doing so did not technically violate any policy or rule of the former employer. A later investigation found that he had not circumvented any technical controls and had not broken any laws. He believed he had a legitimate claim to the work product he had contributed to during his tenure as a CPA.

The absence of essential policies and protections led to a significant data compromise that, while it caused no direct harm, is nonetheless disturbing for what could have happened. When the CPA firm contacted the clients whose data was taken, those clients took no consolation from the fact that no policy had been broken. Instead they were incensed that their accountants could let such a thing happen, especially when doing so didn't violate internal policies. The firm wound up losing several clients over the incident, costing it not just its reputation but $4 million worth of fees as well.

This real life tale is brought to you by Tennessee-based accounting firm LBMC, which clarified that it was not the accounting firm in the story; the subject was a previous client the firm had helped. Van Steel, who leads the firm's cybersecurity practice, said the story underscores the necessity of robust cybersecurity policies and practices. To avoid situations like this, he said, firms need clearly defined data ownership, regular data protection training, data loss prevention tools, effective monitoring and control of data, and internal data tracking that lets them identify breaches without relying on third-party specialists.

Top cybersecurity stories from September

TIGTA says IRS must improve cybersecurity log management: The Treasury Inspector General for Tax Administration said the IRS, while generally diligent in its use of the Cyber Security Assessment and Management application (run by the Department of Justice and used by other federal agencies), could improve its reviews of suspicious activity in the logs and encourage more internal controls.

FTC warns prep companies about misusing customer data: The Federal Trade Commission says five large tax preparation companies could face civil penalties if they use or disclose data collected for tax prep for such unrelated purposes as advertising without getting the consumers' consent first.

Helping clients recover from tax scams: Tax scams are big business for somebody — millions of dollars, if not billions, big. Sooner or later every tax preparer is probably going to have a client who gets taken (if the preparers themselves aren't the victims first). The worst scam practitioners have seen? And how to help a client recover?

Percent of apps that request permissions not needed for their functionality:

* Android: 87%
* iOS: 60%

Source: NordVPN