While big cybersecurity events dominate the news — most recently the Colonial Pipeline and JBS breaches — cybercriminals are also targeting smaller businesses, and small to midsized accounting firms need to be aware of how to protect themselves.
Cybercriminals often use social engineering to get into systems. These phishing attacks can take the form of bogus emails from “colleagues” enticing users to pass along sensitive information, or hand over passwords.
One of the most important things firms can do to avoid becoming the target of a breach is employee training, said Roman Kepczyk, director of firm technology strategy for Right Networks, during a session at the AICPA Engage 2021 conference this week in Las Vegas.
“What I see at firms when discussing these threats, sometimes, is partners and staff just roll their eyes — it's led to what we call breach fatigue,” he said during his session at the conference. “And so what I encourage my firms to do is random pop-up training and sessions, which can be done with products like KnowBe4, a phishing testing company that does random spot testing and training on different cyber topics so awareness remains top of mind.”
The stresses, confusion and workplace changes related to the ongoing COVID-19 pandemic have naturally led to spikes in cybercrime, because companies and individuals are desperate, tired, and therefore easy targets to be tricked. Other high-spike times are holidays, like Christmas or Thanksgiving, for the same reasons.
Even though it seems simple, staying on top of the little things can make a significant difference to data safety at a firm, Kepczyk explained. Make sure staff don’t stick passwords onto their laptops, or leave their computer programs or even office doors propped open, for example. He warned against stepping away from your screen even for a minute without locking it, recounting a case where firm staff got emails from the managing partner telling them not to come in the following week — which turned out to be a prank from someone who had come in after hours and noticed the managing partner’s computer had been left open.
“We also recommend that you reboot your computer daily,” he said. “At many of our firms, we have some people using older computers that have old hard disks, so when they’re rebooted, it can take minutes to turn on, especially with updates and all that. And so people get in the habit of just putting it to sleep. Our recommendation from a security perspective is to disallow any of that at all. Just get everyone on a [solid state drive] and make sure they reboot every single day to get in there.”
As for policies like BYOD — bring your own device — Kepczyk said you might as well “bring your own disaster.”
“You don’t know what’s on that computer, how old it is, or if it’s already been compromised, especially if it’s shared with family members,” he said. “One of the key things to make sure of is that all your office and even personal applications are set for automatic updates, to keep security up to date.”
Kepczyk also recommended using software like password managers to enable using unique passwords for each application and program, which decreases the risk of breaches. He also suggested disallowing the usage of USB flash drives for data transfer, and using portal software instead.
Another way smaller firms can find themselves the target of an attack is if the software they are using is compromised, and that is used as a vector for ransomware or some other weapon to enter into the firm’s systems. Last year, for instance, IT management software developer SolarWinds’ Orion software experienced a breach by Russian hackers, and Deloitte was one of the user organizations affected — though any of SolarWinds’ 18,000 customers could have been affected by the malicious spyware.
“The AICPA has really done a good job of trying to promote security out there, and they’ve created a bunch of resources that are very useful,” Kepczyk said. “This is written in very plain English and is straightforward. It has a lot of tools and tips, so I recommend checking it out.”
The AICPA cybersecurity checklist can be viewed
