Your accounting firm: Is it safe?

IT security professionals can sometimes seem like the bad guys — even if it’s only to protect potential targets from the real villains.

After all, they send frequent messages to scare their colleagues and clients about the most recent cyberthreats, coordinate simulated phishing attacks against them, and can even shut off staff’s access to work networks if their cybersecurity proficiency is lacking.

Tennessee-based Top 100 Firm LBMC, for one, has used all these tactics, reports partner-in-charge of information security Mark Burnette.

“Every year, all firm employees have detailed information security training — we think that is so important,” Burnette said. “The training is available in the fall, and they have between the beginning of October to the end of December to complete the training. If an employee doesn’t complete it, their access is cut off — and that includes the owners of the firm. It’s part of our culture, to understand how important that is.”

The alternative to these measures is far worse.

Threats are constantly evolving as the bad actors get more sophisticated in their attacks. And accounting firms, with their very sensitive client information, are especially susceptible to data breaches, regardless of their size.

In a recent survey by Accounting Today’s parent company, Arizent, 73% of the accounting professional respondents said that their biggest operational concern with security was keeping up to date on the latest cybersecurity threats, while 64% cited identifying and selecting the right technology solutions/partners for security, and 32% were concerned with providing cybersecurity training to their existing staff.

“For a smaller organization like us, we preach to our employees, ‘Hey, one data breach could be the end, as a medium-sized regional CPA firm,’” said Dustin Kinn, director of IT at Camp Hill, Pennsylvania-based McKonly & Asbury, which has 87 employees. “One breach could affect all our jobs. Employees take that really seriously.”

“We tie that into the way the organization does business,” added the firm’s director of client engagement and growth, Robert Duffield. “For an accounting firm, the reputational risk is very important. If you don’t have a strong reputation, security of information — one change, one breach damages that, in a lot of cases, irreparably.”

[Image: an insecure home office. The pictured risks:]
  1. Software has not been updated
  2. The latest security patches have not been installed
  3. The user has clicked the link in a phishing email
  4. Client data is unsecured and in open view
  5. Personal Wi-Fi routers are extremely vulnerable to attack
  6. This physical workspace can’t be closed off
  7. The user’s password is in plain view…
  8. …and is too weak
  9. Firm systems and client data have been accessed on an unapproved personal device
  10. Client data has been downloaded onto unencrypted devices
  11. Hard copies of client information are unsecured
  12. User has left all of their systems and data unattended and unsecured

Kevin Villanueva, a partner in the cybersecurity consulting practice at Seattle-based Top 100 Firm Moss Adams, agreed that for cybercriminals, size does not matter — a point he emphasizes with the practice’s range of clients.

“There might be a CEO, CFO who does not completely understand cyber risk in today’s world,” he shared. “They feel their organization is not going to be a target — they are too small or inconsequential to a cybercriminal. That’s exactly the type of thinking a cybercriminal is banking on. In our education about cyberthreats and risks today, we challenge clients and other organizations we have to contend with — those in the C-suite might think they’re too small, or not a big enough profile for a cybercriminal. Or they don’t have the spend to educate the workforce, to run periodic phishing attacks, and other things to bolster cybersecurity. That’s going to be an ongoing concern, we get that. But there’s little things they can do.”

As CPA and accounting firms are already experienced in securing sensitive client data internally, those with IT and data security practices are especially well qualified to share the best practices — from the little things to the larger policies — that they advise their clients to employ in protecting their data.

(See 10 security tips your firm should implement now.)

No more moats

Before detailing those best practices, security experts agree it’s best to evaluate how the pandemic and the shift to a more remote workforce have added some serious challenges to data security. As personal and professional lives blend, so too do personal and professional devices and data.

The home office, then, must stand up to the same security standards as the company workspace, as accounting firms have discovered in making the transition over the last few years.

“Many organizations were able to pivot and adapt in a timely manner because the infrastructure was already there,” said Trip Hillman, director of cybersecurity services at Houston-based Top 100 Firm Weaver. “VPNs were in a supporting capacity and routing was already utilized to create an edged network accessible to the remote workforce, which kind of legitimized the use of this technology. Now the organization is presenting to the outer world, and it really changes what the model looks like. We used to think of the perimeter of the organization as something to draw boundaries around, the castle-and-moat philosophy of security. Now, the castle walls extend out.”

The extension calls for corollaries to many firm policies.

At the start of the COVID-19 pandemic, McKonly & Asbury “really documented the procedure for working from home,” shared firm partner David Hammarberg. “Whether it was securing the room, making sure family members were not around, or making sure paper files were secure. It was informal before, and now it would have to be documented.”

Moss Adams hosted a webinar in the spring of 2020 addressing these new work-from-home concerns, and Houston-based McConnell & Jones had a similar adjustment period. “The security field has come up with [the concept] of ‘securing the human,’” M&J CIO Chris Williamson said. “People have always been the problem, or one of the main problems, and now with people working from home, the employee can be compromised, but everyone in the house can too. Let’s say they are looking at a health record — a kid or spouse could see it too. Or they are sitting at the dining room table or walking around the house all day … Technology-wise, all the threats are still the same.”

There were, however, a few emerging threats in the early stages of remote work as companies adjusted to new methods of virtual collaboration, Williamson added: “At the beginning of the pandemic, we implemented all these weird-sounding apps that we needed quickly and maybe we were not sure what they did. It increased the threat landscape, but now it has calmed down as we figured out how it’s going to work and cut down on the bloat.”

Williamson recommends some simple and common-sense practices for the home office, including using a screen protector, taking confidential calls in a private space or outside, and arranging a desk in front of a wall to limit viewing of the computer screen.

The goal of “securing the human” can hit a crisis point with a major organizational change, such as a company acquisition, cautioned Kyle Morris, an IT advisory services senior manager at Weaver.

“The acquired company might operate independently for a few years,” he said. “But the executives want data to be shared through the company, so temporary bridges are being established, and there are two separate companies with a lot of interconnections.”

The new, full threat landscape of the combined companies and their collective data might not immediately emerge. “Through a discovery exercise, [the acquirer] might see the expanding inventory,” Morris explained. “And it’s not the organization trying to be deceitful — they just don’t know the right steps, and may not go through the cleanup in their day to day.”

Another potential vulnerability, one that’s becoming more common in the age of the Great Resignation, arises with a security professional leaving the company.

When an IT professional departs, they often take a significant amount of tribal knowledge with them, explained Morris, leaving the organization to scramble to understand which devices have been issued to whom, and how far its security perimeter really extends.

“Another scenario I’ve seen recently, an unfortunate one, is organizations putting all their keys, all their eggs, in one person’s basket, so [security] is concentrated under one individual,” Morris continued. “With the remote workforce, the great migration of talent, and the ability for people to change jobs really rapidly in the current environment as the desire for talent is high, the key, fundamental people in IT are at risk of leaving. You may have three to five people in an IT department but one critical lynchpin of an individual has all the access, everything written down … That’s a large risk that goes unidentified, and I’ve seen it be very crippling for an organization to recover after that individual leaves. It can affect all the way up to moderate-trading large organizations; it’s not just a small organization type thing.”

Assessing (before) the damage

Overall, CPA firms have seen an increase in client demand for IT data security services, with 73% of the 2022 Top 100 Firms identifying that niche as a top area of growth in Accounting Today’s Top 100 Firms report.

The first step for any security function, whether internal or client-facing, is conducting a risk assessment. Or for smaller organizations without an IT department or outsourced professionals, Burnette recommends it as a second step, after appointing someone to champion these efforts internally.

“Designate somebody within the management layer to have responsibility for orchestrating a cybersecurity program,” he said. “If you don’t do that, a lot of times you find some heroic efforts some folks might try, without a coordinated approach, and it will be difficult for a company to cover all bases, or difficult for a company to make budget and investment decisions. Designate someone to lead the cybersecurity efforts.”

With a leader or expert consultant in place, inventory can begin, Burnette said.

“Step two, be able to account for the nature and types of sensitive data you store, process and transmit,” he continued. “Sit down and interview business leaders to understand the types of things the business does, the various business operations, identify the nature and type of data being used in operations. Inventorying that data gives a starting point for security efforts. That’s what you want to secure — sensitive data is where all the risk is.”

Weaver also emphasizes this critical first step in its client work, according to Morris. “Operationally, still one of the biggest hurdles is the inventory,” he shared. “What do we have and where is it at? Organizations struggle in identifying assets and where they are. It makes it difficult when we come in to right-size the organization. That’s still No. 1 on the [Center for Internet Security’s] CIS controls and it’s the largest hurdle for multiple organizations to get through, to maintain an accurate inventory.”

Finding the framework

The aforementioned Center for Internet Security’s Critical Security Controls is one of several frameworks that IT professionals recommend for organizations to apply to their data security efforts. These are especially crucial for organizations in industries that are not already guided by strict regulations, unlike financial institutions, health care providers and government agencies.

Other tools IT experts recommend to clients include the National Institute of Standards and Technology’s Cybersecurity Framework and the MITRE ATT&CK framework, a global knowledge base of adversary tactics and techniques.

The five core functions of the NIST framework are:

  • Identify;
  • Protect;
  • Detect;
  • Respond; and,
  • Recover.

“I personally see our client base coming back and doing holistic security using the NIST Framework…. It’s a good baseline for assessing cybersecurity holistically across the organization,” shared Hillman. “You use something like that, and you’re addressing not just regulatory compliance matters, but you have really good security across the board. The largest shift we’ve seen is organizations saying even [for example], the marketing system we have, a one-off database we do research in, maybe that was scoped out in prior audits, but it can pose a lot of risks and we need to assess that.”

Security experts stress the importance of due diligence when it comes to any third-party providers, including software vendors and cloud-computing platforms.

“Some less-sophisticated clients think, ‘It’s not my issue because I’m transferring risk to a third party,’” explained Moss Adams’ Villanueva. “But you still have an obligation with the sensitive information you are dealing with, an obligation to make sure that data is significantly protected.”

Organizations should integrate one of these proven frameworks into their companywide security policy. But policies are only effective with awareness and accountability.

“There are a lot of informal policies and procedures that need to be turned into formal policies,” said Hammarberg. “The important part is having them reviewed annually — if they are not reviewed annually, it’s not going to do anyone any good. A lot of companies have policies and procedures on their drive and they are not distributed … . I like the procedure of having employees sign off on them annually; it gives them more responsibility and they take it more seriously if they sign off on it.”

Starting at the end

Along with the expert-recommended inventory stage, the NIST CSF’s first step of identifying risk includes taking stock of the most threatening variable to any security plan. Asked about the biggest ongoing threat to an organization’s data security, most experts have two words: end user. In other words, humans.

“The biggest area of vulnerability in organizations is at endpoints, and by endpoint I mean the device an end user interacts with, typically a laptop, desktop, even a mobile device,” explained Burnette. “Since the user interaction is there, there’s an opportunity for a bad actor to get the user to do something or take actions to provide information a bad actor could use.”

The IT practice of mobile device management, or monitoring and securing mobile devices across an enterprise, has evolved into unified endpoint management, which more widely controls all the endpoints across an organization, including all devices as well as users, apps, content and data. This has become especially critical in today’s remote-work environment.

“From a CPA standpoint, globally, we are seeing CPA firms hire outside the state, and we used to wipe phones because they were personal, but now it’s gotten to the point we need to wipe laptops,” shared McKonly & Asbury’s Hammarberg. “That’s new since the pandemic started. It was an issue back in the day but it came to light with the remote workforce scattered across the country, with employee versus company-owned devices.”

The trend is just as evident in other client industries.

“There’s been a large push to silo off company data on devices and wipe that,” added Kinn. “Which is a lot nicer than wiping the whole phone.”

McConnell & Jones relies on an app for that — cloud-based mobile-device management service Microsoft Intune. “What we’ve done, and recommend to clients, is we did mobile app management control,” said Williamson. “It came out a couple of years ago, a service Microsoft provides. We only manage Microsoft apps for use at work … . Which means you can have your [personal] phone, all your Microsoft apps, and you can log in with your employee information and the app becomes protected, you can’t copy-paste from it, and you can have your personal account, and have management of both accounts.”

Security experts agree on the critical importance of multifactor authentication, and that it should be table stakes for every organization.

“Everyone should have multifactor authentication now,” said Hammarberg. “It’s a big thing for external communications, that we’ve been pushing to external access and now we’re pushing more to internal access … . You’ve really got to think about internal these days, especially with a remote workforce.”

“Implement multifactor authentication as much as possible, at a minimum,” Williamson said. “At various levels, anything is better than nothing. And things you can’t implement multifactor for, have a strong, robust password policy.”

Other recommended processes and tools include data encryption, permissions-based access to data, a backup strategy that includes multiple copies secured in different ways, and a disaster recovery plan.

Operator error

These tools of protection are only as secure as their operators, which goes back to the human part of the equation. As such, security education and training is the core element of any security program.

Most organizations, at a very baseline level, conduct annual security training, usually via vendor-issued online modules. Organizations with an IT function also depend on department heads to send out information on the latest cyberthreats.

But this is the very least organizations can do, according to experts in accounting IT security divisions, who regularly conduct SOC 1 and SOC 2 audits, implement disaster-recovery and business-continuity plans, and engage in penetration testing, or ethical hacking, for their clients.

“There should be annual security awareness training at a minimum,” said Moss Adams’ Villanueva. “It doesn’t have to be a big spend for a small company. Educate your workforce about cyberthreats and the risks that are prevalent today. Employees are going to be your first line of defense. If they recognize they have a strange email, they know to let IT know about this, to be the eyes and ears of the organization on what can be potential cyberthreats.”

Many organizations, including most accounting firms with technology practices, also test employees beyond awareness training and recommend the same to their clients.

“We supplement the annual security awareness training with quarterly phishing attack testing,” Villanueva continued. “Vendors simulate this by sending fake emails that look legitimate, look like they’re coming from internal IT to a set of employees to see if they are susceptible to certain attacks. These days, a lot of attacks, and ransomware, are typically triggered by an unsuspecting individual clicking on a link embedded in the email of someone they seemingly know, a legitimate source, but it triggers the execution of malicious code, and it could be ransomware code.”

A very common weapon of choice for cybercriminals, phishing emails purport to be from a trusted or known source but lure users to click a link that often delivers ransomware, malicious software that infects the computer and restricts access until a ransom is paid to unlock it.

As a more recent addition to its security training, McKonly & Asbury conducts phishing tests monthly, because real attacks aren’t designed to take down just the targeted individual but their whole organization.

St. Louis-based Top 100 Firm Anders also conducts regular phishing tests, shared chief information officer Theresa Stearns, to supplement the series of two-to-four-minute cybersecurity videos that employees are required to complete throughout the year. Anders outsources much of its security function, including its monitoring system, endpoint protection solution and vulnerability scans.

If Stearns and her team notice an employee falling prey to too many phishing simulations, they will follow up with them to see if they need additional training.

As with any cyberattack, more sophisticated versions of phishing are always emerging, including voice-based attacks that have become a familiar cellphone nuisance.

“Voice-based pretexting, or phishing, is someone saying they are from Microsoft, and they are sensing strange activity and want to run some tests,” Villanueva explained. “That’s a typical phishing attack scenario, where they want you to give up login credentials to your network or computer under the guise of a help IT desk or someone from Microsoft or another company. It’s because technical defenses, firewall technologies and alerting technologies have really advanced over the last several years. Cybercriminals are looking for what’s the path of least resistance. More often, that’s going to be the human factor.”

Extra insurance

For CPA firms, with all their many points of vulnerability, the right cyber insurance coverage is critical.

“We tell people to verify and make sure they have the right insurance data coverage, make sure how much data they have and the value of that data,” Stearns advised. “Talk to the insurance companies and make sure what your coverage is.”

Accounting firms need to get clarity on these details, agreed John Raspante, director of risk management at professional liability insurance specialists McGowanPro, and in his experience, firms often do not.

“One of the sensitivities, the issues with cybersecurity policies, is that a professional liability policy typically has in it a sublimit for cyber,” he explained. “The problem with that is if you have a million dollars in your coverage for a professional policy, you do not have a million dollars in cyber, you have a sublimit of, say, $50,000. CPA firms are under the impression they have the full policy but there are limits, so be careful, read those policies and understand a sublimit.”

Adding an extension to a policy means limited coverage, and thus limited protection, Raspante warned.

“I recommend you get a stand-alone policy just for cyber,” he advised. “The problem with that is there are more premiums to contend with in a separate policy. But what I’ve done for a lot of CPA firms in that dilemma is I’ve said to them to work on lowering professional liability premiums, and with that savings, buy a stand-alone policy. The logic is that we are seeing more cyber perils than professional liability perils.”

Cyber insurance policies can be more complicated to understand than more widely used insurance types, Raspante cautioned: “Another problem with them is, when you buy homeowners’ insurance, a policy for a million dollars, you are basically covered for a million dollars for anything that can happen to the home — a flood, fire, a tree falls. A loss is a loss, and up to the policy limits for loss. With cyber, you might get a million-dollar policy but you might have a half million for cyber extortion — someone holding hardware hostage — and $50,000 for wire fraud. The sublimits make policies very difficult to read and understand, because you might think you have a million dollars in coverage, but you read the policy and you’re only covered $250,000 for credit monitoring. Within the policy, there’s potentially dozens of sublimits that make these policies extremely difficult to understand, so assure yourself what you are really covered on and to what extent. It’s a different animal than most policies.”

There are a few ways CPA firms can begin considering their coverage, Raspante continued.

“It depends on the number of documents, to determine the amount of coverage,” he said. “Say the cost of a breach per document is somewhere in the range of $250 to $300. Technically, figure out how many companies in the database can be breached, multiply it out, and come up with the limit that way. Look at the nature of your services. If you do more work in tax, or with clinics or hospitals, there is more sensitive data, come up with the limit that way. I never like to oversell on limits. The majority of claims will settle at the limit. At the same time, you could get a catastrophic claim that exceeds the limit. It’s always a tough balance.”

Friendlier function

Even as insurance and IT professionals must constantly warn organizations and their people about the next big danger around the corner, many are trying to make the education more palatable.

Anders, for example, hosted a firmwide “Family Feud” game during Cybersecurity Awareness Month in October, encouraging employees to answer questions about the latest threats and best practices.

And McConnell & Jones’ Williamson is aiming to make his mass communications on cybersecurity issues less one-sided. “The problem with security, in general, is we’re always the ‘no’ people,” he acknowledged. “We don’t want to be the ‘no’ people. We try to come to a middle ground, and it can be hard to stress the underlying [security] issues. We have training programs, emails, reminders to talk to people. Me, personally, I have an open-door policy. If my [online chat] bubble is green, text me, email me, whatever. I always want to talk about it. I can talk for hours. It’s the newer, more friendly security function.”
