Inside the Mind of a Hacker

Knowing the Motivations Can Help You Mitigate the Risk of a Breach

By Stan Sterna, JD and Nick Graf, CISSP, CEH, CIPT

Successfully avoiding a cyber threat means first understanding the mindset and motivation of cybercriminals. Not all hackers are teenagers hanging out in their parents’ basements, simply looking for something to do. Many are disgruntled, unemployed “coders” or nation state-sponsored paramilitary groups lurking on the deep web, hawking their skills, exchanging tradecraft and selling stolen data. Some use traditional hacking methods, such as breaking into networks to steal or corrupt data. Others manipulate users through phishing campaigns and social engineering to gain access to a system. Regardless of their motives, whether mischievous, malicious or moneymaking, cybercriminals can seriously threaten your firm’s continued success and profitability.

What can you do to thwart cybercriminals?

The best defense against a data breach is to implement procedures that minimize the threat. Understand the nature of the data in your possession and establish methods for discovering a breach. A robust internal reporting process and a documented, tested incident response plan are key. At CPA firms, hackers tend to focus their efforts on mobile devices, which are vulnerable to malware when not patched properly and are easily lost, exposing unencrypted data. They also target the remote access to internal systems used by the mobile workforce. We recommend the following best practices to stay a step ahead of the hackers:

  • Ensure full disk encryption on all laptops, desktops, mobile devices, and external storage
  • Require multi-factor authentication (at least two factors) for remote login
  • Establish robust cloud/vendor management controls
  • Conduct regular security awareness training for all employees
  • Extend internal security controls to embedded devices like internet connected web cameras, HVAC, and door badge access systems
  • Document and test incident response plans
  • Establish a formal data retention policy – including secure deletion of data
  • Ensure physical security of hardware
  • Conduct annual penetration tests, and remediate identified issues 

Because each state has its own breach notification laws, the timing of remedial measures is critical. Apply the law as the facts are discovered, and be cognizant of the applicable breach reporting deadlines. Under most breach statutes, the notification rules apply even if no theft or damage occurred. When necessary, consider hiring vendors with expertise in executing a breach response plan that provides for timely notification, forensic analysis of how the breach occurred, client credit monitoring and other regulatory compliance measures.

An inadequate breach response can be devastating to an accounting practice.

Not only does it cause reputational harm, it can also result in higher out-of-pocket expenses, including heavy fines. From a hacker’s perspective, a firm that has been breached once can be breached again; in fact, a breach history can make a firm a more appealing target. The likelihood of repeat attacks is a real risk.

To further help insulate your firm from exposure, purchase appropriate cyber liability coverage.

Remember that your existing coverage may not adequately cover a data security breach and the necessary response. Accordingly, consult with your insurance agent or broker when assessing your cyber coverage. Read the general terms and conditions of the policy and understand how it applies to first-party risks (e.g., business interruption and data restoration) as well as to third-party risks (e.g., network damage, privacy injury, event expenses, regulatory proceedings and extortion).

Cybercrimes are constantly evolving, as hackers routinely alter their mode of attack to avoid detection. As a result, CPAs need to stay abreast of the latest threats and take measures to avoid them. In the meantime, firm employees should be fully trained in security awareness. Most of all, recognize that, statistically, you have a greater chance of being hacked than not. Having adequate data security measures in place can make all the difference between being just another victim of a cyber breach and being a bulwark against data fraud.



About the Authors:

Stanley D. Sterna, JD, serves as Vice President in the Professional Firms Division of Affinity Insurance Services, Inc. (Aon Affinity). As a Claim and Risk Management Consultant, Stan provides quality control, claim/litigation management, and risk control expertise to many of the country's largest accounting firms. He also advises clients on broader enterprise risks including cyber liability. He supports business planning, client relations, and sales/marketing initiatives for the AICPA Professional Liability Program and Aon Affinity’s business partners. Aon Affinity has been the endorsed administrator of the AICPA Professional Liability Insurance Program since 1974.  To learn more about the AICPA Program, visit

Nick Graf serves as Consulting Director of Information Security for CNA’s Risk Control unit. Nick has more than a decade of information security experience and specializes in data leakage prevention, security policies, incident response, data breach and security awareness.  He has presented courses on privacy, big data, the cloud and healthcare risks, and has also written and contributed to articles regarding information risks, social engineering, mobile device security, phishing and personal password management.


This article is provided for general information purposes only and is not intended to provide individualized business, risk management or legal advice.