You wake from a deep sleep to a loud ring on your cell. Bleary-eyed, you scramble for the light and collect your thoughts, looking to see who is calling at this hour. Your colleague, who regularly begins work before the sun rises, exclaims, “John, our servers have been compromised.” Your heart races; you can’t believe what she is saying. “Did I hear you correctly, Sarah, or am I still dreaming?” You heard correctly. You are now a victim of cybercrime. Thankfully, you developed an emergency plan last summer. To avoid further damage, you must move quickly to put your plan into action.
In this hybrid digital age, where work from home and remote locations are commonplace and communicating with all sorts of connected mobile devices is the norm, cybercrime has become a new reality. Cyber criminals are increasingly bold and cagey, using ever-changing strategies to make their way into businesses of all sizes.
To raise awareness of this growing problem and increase online safety, the National Cyber Security Alliance and the U.S. Department of Homeland Security (DHS) designated October as Cybersecurity Awareness Month (previously National Cybersecurity Awareness Month). Now in its 18th year, this is the perfect time to examine potential threats and actions that your firm can take to be more secure online.
Cybercrime can no longer be ignored
Each of us and our firms are at risk of a cyberattack, and the results can be devastating, especially if we are not prepared to act quickly. As a business leader, knowledge and preparedness are your first lines of defense.
Ransomware, the fastest-growing cybercrime, is expected to attack a business, consumer or device every 2 seconds by 2031, up from 11 seconds in 2021
85% of breaches involved a human element - 36% involved phishing, 11% more than last year
98% of US executives say their organization experienced one or more cyber incidents in the past year
43% of cyber-attacks target small businesses
Top cyber threats US executives are most concerned about include:
unintended actions of well-meaning employees (28%)
ransomware, phishing and malware (27%)
third-party and contractor risks or other supply chain deficiencies (20%)
Despite rapidly growing attacks, cybersecurity fell out of the top 10 issues in the recent 2021 PCPS CPA Firm Top Issues Survey (with the exception of firms with 10 or fewer professionals). Looking forward, practices should not lose sight of this critical area. Many could be at risk due to the seemingly overnight move to a remote environment and the rapid shift to a hybrid workforce.
Rather than work in fear, be purposeful in your actions to foil cyber criminals. While it may not be possible to avoid an attack altogether in this increasingly aggressive space, pre-emptive initiatives and diligence can go a long way to increase online safety for you, your colleagues and your clients.
Empower your team to fight cybercrime
With countless connected devices, including laptops, tablets and cellphones, being used in the office and remotely, any member of your firm can unintentionally open the door to a predator. Cybersecurity Awareness Month’s 2021 theme, Do Your Part. Be Cyber Smart, reminds us how important it is for everyone to be involved in combating cybercrime. Work to bring this mindset into your firm.
Engage and empower your entire team to fight cybercrime
Talk about potential dangers that each person faces when they are online
Challenge them to be the eyes and ears of potential threats, whether they are in the office or working remotely
Together, you will have a greater chance of success in making your firm more secure.
Incorporate cybersecurity into your firm’s culture and training
Rather than simply a push during October, make cybersecurity a part of your firm’s regular narrative and agenda throughout the year. Help everyone understand how to fight cybercrime, and encourage cyber-related courses when your team is making choices about their CPE, so they can make the good decisions that are essential to creating a cyber-smart culture. Provide frequent internal training to address items such as:
What is the proper way to access Wi-Fi or log on to the firm’s network when working from home or in public spaces?
How to identify phishing emails?
What is social engineering and how to detect it?
How to recognize potentially dangerous URL extensions?
Also consider attending the Digital CPA Conference 2021, December 5-8, online or in Nashville, TN (PCPS members save $200) to gain insights and learn new strategies to fight cybercrime.
Identify and strengthen your firm’s most vulnerable areas
To fight cybercrime, you must identify areas where your firm is most likely to be attacked.
Is there software, or are there other online procedures, that you implemented hastily during the COVID-19 pandemic that could put the firm at risk?
Do you encrypt emails containing sensitive information?
Do you have internet-facing links to vendors, third-party providers or suppliers that could cause compromise?
If you need help identifying and securing your firm’s weak entry points and backdoor routes to sensitive information, reach out to a cybersecurity professional.
Get serious about passwords, patches and two-part authentication
Cybercriminals prey on easy targets. Increasing your protection in these three areas can go a long way to stop a breach in your firm.
Create more complex passwords - upper and lower case, numbers, letters and symbols
Different passwords for different accounts that change regularly
Keep all computers, mobile devices and software updated with the latest patches
Encourage team members to turn off devices overnight so they can run automatic updates
Add an extra layer of security to all devices with two-part authentication
Plan for an attack
Breaches and attacks happen when we least expect them: early in the morning, as in Sarah and John’s firm, or during holidays, when most people are not around to notice. Fortunately, in this case, Sarah was there to discover the intrusion and act quickly according to the firm’s plan. To get started with your plan:
Outline exactly what to do in case of an attack – include roles and responsibilities
Identify who to contact and what messages to communicate
Address incident response (information asset protection) and disaster recovery (business continuity)
Consider how to respond if you are held for ransom
To learn more about developing your own plan, visit the Private Companies Practice Section’s Where is your firm in the cybersecurity journey? resource, exclusively available to PCPS members.
Consider cyber insurance
For added coverage, cyber insurance can provide a combination of options to help guard the firm against data breaches, downtime, reputational harm and client loss. You can select cyber insurance as a part of your AICPA Professional Liability Insurance. Don’t forget to ask for the Private Companies Practice Section (PCPS) member discount to receive a 5.5% premium credit of up to $400 for the CPA Value Plan and $600 for the Premier Plan.
In this age of cybercrime, you and your team’s preparedness and diligence will go a long way to make your firm more secure.