Insider threats to CPA firms’ data: An employee gone rogue
Much has been published about the risks and costs associated with data security breaches and failing to protect a client’s confidential data. Indeed, CPA firms are privy to a wealth of personally identifiable information of their clients and employees, making them an easy target for cyber criminals. Coupled with the increased use of technology in the delivery of services and storage of data, heightened data security risk has become the new normal.
Headlines related to data breaches often refer to external bad actors as the source of the breach or loss. As such, many organizations, when designing their security policy, only address risks originating beyond their four walls. However, external bad actors are not the only threats to data security. Consider the following:
A CPA firm’s longtime employee suddenly resigned in the midst of busy season without giving notice, leaving her laptop in the office. In a panic to complete in-progress work, you gain access to the laptop, and discover that client invoices were issued without your knowledge with collections directed to a bank account not affiliated with the firm. In addition, files containing client information were transferred to an external server. What should the firm do?
Insider Threat: More common than you think
Insider threat is defined by the CERT Division of Carnegie Mellon University (“CERT”) as “the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.” In other words, it’s the threat of loss arising from risks that exist from within. Unfortunately, the risk of insider threat is not an anomaly. According to Crowd Research Partners’ 2018 Insider Threat Report, 90% of organizations feel vulnerable to insider threats, including the risk presented by a disgruntled employee.
Identifying and addressing the risk of disgruntled employees
Disgruntled employees often have access to internal systems and, depending on the circumstance, the motivation to cause damage. As such, firms must be able to identify disgruntled employees and address the associated risks in order to safeguard confidential data.
Disgruntled employees may exhibit behavior that is inconsistent with the firm’s values, including:
- Lack of participation and collaboration with others in the workplace.
- Lack of motivation.
- Repeated tardiness or absenteeism.
- Decrease in performance quality.
If dialogue and customary performance management processes prove to be ineffective, selectively monitoring the employee’s activity may be necessary. Monitoring software may be used to monitor the employee’s activity within the firm’s key systems in order to detect unauthorized or inappropriate actions. Prior to implementation of employee monitoring, exercise caution by consulting with an employment practices attorney to understand any legal implications or notification requirements.
Preventive data security measures
Having the ability to identify and address risks posed by a disgruntled employee is important, but implementing safeguards through the firm’s data security practices, such as the application of least privilege and access controls, is just as critical in reducing the risks of insider threat.
Apply the Principle of Least Privilege
According to the National Institute of Standards and Technology’s Computer Security Resource Center, least privilege is “the principle that security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” In simple terms, an employee’s access to systems, data and other resources should be limited to and commensurate with fulfilling their job responsibilities only – nothing more. Not every partner or employee requires access to confidential information of clients or engagements they do not support.
For example, a member of a client’s audit team would not require access to the client’s tax engagement files. A manager providing employee benefit plan consulting services would not need access to the firm’s entire portfolio of employee benefit plan consulting engagements.
Implement and routinely review access controls
Employees at smaller CPA firms commonly “wear multiple hats” to support the practice. In these situations, it may be difficult or seem impractical to separate duties between each employee. Nevertheless, access controls should be implemented to aid the firm in restricting unauthorized access to the firm’s data.
When granting access to employees, CPA firms should consider an individual employee’s job responsibilities to determine the level of required system and physical access, and document the approval. For example, a staff accountant who supports the firm’s bill pay services should only be granted access and authorized to prepare checks, but not access to disburse payment. This task should be granted to a member of the firm with higher authority. To standardize access provisioning, firms can predefine the level of system and physical access authorized for each role to minimize variability of access from employee to employee.
According to the CERT Division of Carnegie Mellon University, internal breaches often coincide with employee resignations or terminations, where continued access may be used to steal firm data. Therefore, removing the access of terminated employees to key systems or resources in a timely manner is critical. In addition, third parties (e.g., cloud application vendors) should be notified of employee changes to ensure that access to such applications is also disabled or removed.
Passwords to shared or generic accounts (to systems, social media accounts, etc.) that were known by multiple employees should also be changed to ensure that such resources can no longer be used by the former employee.
Employee access should be reviewed at least annually for each user to determine whether their access to systems or resources is appropriate. Employees with super user or administrator access should be reviewed more frequently due to the elevated risks associated with this level of access. Alternatively, if an access review is not feasible due to the firm’s size, consider performing periodic reviews of system activity (e.g., cash disbursements from a banking platform), which can aid in identifying inappropriate or unauthorized activities.
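The access-control practices described above (least privilege through predefined roles, separation of duties between preparing and disbursing payments, documented approval, prompt removal of access on termination, rotation of shared passwords, periodic access reviews with a shorter cadence for administrators, and the alternative of reviewing disbursement activity) can be modelled in a few functions. The following is an added illustration, not code from the article or from CNA; the role names, permissions, users, account numbers and log entries are all constructed for the example.

```python
"""Hypothetical access-control model for a small CPA firm (added example, not code from
the article or from CNA). Roles, users, accounts and log entries are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Role templates: each role carries only the permissions its job needs (least privilege),
# so provisioning by role keeps access consistent from employee to employee.
ROLE_PERMISSIONS = {
    "audit_staff": {"audit_files:read", "audit_files:write"},
    "tax_staff": {"tax_files:read", "tax_files:write"},
    "billpay_preparer": {"billpay:prepare_check"},
    "billpay_approver": {"billpay:disburse"},
    "sysadmin": {"admin:all"},
}
# Separation of duties: no single person may hold both halves of these pairs.
SOD_CONFLICTS = [("billpay:prepare_check", "billpay:disburse")]
# Review cadence in days: administrators are reviewed more often than everyone else.
ADMIN_REVIEW_DAYS = 90
STANDARD_REVIEW_DAYS = 365


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True
    last_reviewed: Optional[date] = None
    approved_by: Optional[str] = None  # who signed off on this access

    def permissions(self):
        if not self.active:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles))


def sod_violations(user):
    perms = user.permissions()
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def grant_role(user, role, approver):
    """Grant a predefined role and record the approver; refuse a grant that would
    give one person both sides of a separation-of-duties conflict."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    trial = User(user.name, user.roles | {role}, user.active)
    if sod_violations(trial):
        return False
    user.roles.add(role)
    user.approved_by = approver
    return True


def can(user, permission):
    perms = user.permissions()
    return "admin:all" in perms or permission in perms


def offboard(user, shared_credentials):
    """Disable the account on termination and return the shared credentials the
    departing employee knew, each of which must be changed."""
    user.active = False
    user.roles.clear()
    return sorted(n for n, knowers in shared_credentials.items() if user.name in knowers)


def access_review(users, today):
    """Periodic access review: flag overdue reviews, undocumented approvals, SoD conflicts."""
    findings = []
    for u in users:
        if not u.active:
            continue
        window = ADMIN_REVIEW_DAYS if "sysadmin" in u.roles else STANDARD_REVIEW_DAYS
        if u.last_reviewed is None or (today - u.last_reviewed).days > window:
            findings.append((u.name, "review overdue"))
        if u.approved_by is None:
            findings.append((u.name, "no documented approval"))
        for a, b in sod_violations(u):
            findings.append((u.name, f"SoD conflict: {a} and {b}"))
    return findings


def review_disbursements(entries, firm_accounts):
    """Activity review for firms too small for a full access review: flag payments to an
    account not on the firm's approved list, or prepared and approved by the same person."""
    flags = []
    for e in entries:
        if e["account"] not in firm_accounts:
            flags.append((e["id"], "payee account not on firm list"))
        if e["prepared_by"] == e["approved_by"]:
            flags.append((e["id"], "prepared and approved by same user"))
    return flags


# Constructed sample data: approved firm accounts and a short disbursement log.
FIRM_ACCOUNTS = {"FIRM-OPS-01", "FIRM-PAYROLL-02"}
SAMPLE_DISBURSEMENTS = [
    {"id": "D-1001", "account": "FIRM-OPS-01", "prepared_by": "alice", "approved_by": "bob"},
    {"id": "D-1002", "account": "EXT-9931", "prepared_by": "alice", "approved_by": "bob"},
    {"id": "D-1003", "account": "FIRM-OPS-01", "prepared_by": "bob", "approved_by": "bob"},
]
```

Granting `billpay_preparer` to a user and then attempting `billpay_approver` is refused by `grant_role`, which is the check-preparation versus disbursement split the article describes; `offboard` both disables the account and lists the shared passwords that now need changing; `access_review` flags an administrator whose last review is older than 90 days while leaving a staff accountant on the annual cadence alone; and `review_disbursements` over the sample log catches a payment to an account outside the firm's list and one where the same person both prepared and approved it.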
Memorialize controls in policies and procedures
Implementing access controls to protect the firm’s data and being diligent in managing disgruntled employees represent crucial safeguards for the firm. However, the value of defining the responsibilities of all firm personnel in protecting confidential data should not be dismissed.
Policies and procedures are often used by firms to define and document the firm’s expectations when it comes to access management. These protocols address how access is provisioned or de-provisioned, the firm’s password policy and the frequency of access reviews.
All firm personnel should understand that they hold positions of trust in obtaining access to the firm’s proprietary, confidential information. Confidentiality policies help define responsibilities in protecting confidential information and the potential consequences of violating the firm’s trust. Confidentiality policies often accompany computer use policies, which define restrictions enforced by the firm to prevent removal of confidential data. Common measures include prohibiting the use of removable media (e.g., USB drives, CDs) or the use of unauthorized personal devices to view firm data. Firms should also consider requiring firm personnel to periodically review the firm’s confidentiality policy and confirm their commitment to compliance.
Devising a course of action which specifically addresses the risk of loss from insider threat may seem daunting to many CPA firms. However, addressing and implementing the aforementioned measures may help mitigate this risk while providing a sound foundation for the firm’s general security framework.
Jamie Yoo is a risk control consultant at CNA. For more information about this article, contact email@example.com.
This information is produced and presented by CNA, which is solely responsible for its content.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA. CNA recommends consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations.
Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such Web sites.
To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy.
Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
“CNA" is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the "CNA" trademark in connection with insurance underwriting and claims activities. Copyright © 2019 CNA. All rights reserved.