25 posts categorized "Cybersecurity"

Finance pros, meet your new accountability: Cybersecurity

If you’re a finance professional or run a business, you may have a new responsibility these days: cybersecurity oversight. The Association of International Certified Professional Accountants (the Association) recently conducted a survey of financial executives. Seventy-three percent of respondents said their teams are taking on more responsibility for mitigating cybersecurity risks. An additional 15% said they have become the person primarily responsible for cybersecurity.

Continue reading "Finance pros, meet your new accountability: Cybersecurity" »

If you’re hacked, what’s your cybersecurity liability?

Cybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects that cybercrime’s global cost will reach $6 trillion annually by 2021. Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats.

What’s your liability?

That’s a big question we hear from firms whether or not they’ve been attacked. There is no single, comprehensive federal law governing business cybersecurity; instead there is a patchwork of state rules. Under certain state laws, CPAs can face liability for breaches that expose personal information. Most states have rules for breach notification and for what remediation measures must be taken, and those requirements depend on where the affected client resides, not where your firm is located. We encourage you to learn the requirements of every state that applies to you, and to re-check them regularly, because they change often.

Meanwhile, federal circuit courts are split on what constitutes sufficient standing to sue in data breach cases. Some courts hold that plaintiffs may proceed against a company whose client or employee data was stolen even if the theft has caused them no concrete harm yet; merely alleging that the information was compromised is enough. This broad interpretation will only further increase the risk of cyber liability claims.

Continue reading "If you’re hacked, what’s your cybersecurity liability?" »

Five movies that (kind of) predicted cybercrimes

Equifax. The Securities and Exchange Commission. Whole Foods. These are just a few of the hacking incidents that have made the news in recent weeks. Although organizations are becoming increasingly concerned about their cybersecurity in the wake of current reports, Hollywood has been warning us for years about the importance of keeping our data safe. The following five movies are not only entertaining, they also acted as a crystal ball of sorts by giving us a glimpse into the possibility of today’s cyber events.

Movie: “The Net” (1995)

Lesson: Your personal data is your most important possession.

“The Net” warns of what can happen when your data falls into the wrong hands. When systems analyst Angela Bennett receives a disk from a colleague, she inadvertently sets off a chain of events that leads to her Social Security number being reassigned to another name, her home being sold out from under her and an arrest for a litany of crimes she didn’t commit—not to mention the mysterious deaths of people around her who know about the disk.

Continue reading "Five movies that (kind of) predicted cybercrimes" »

CPA life hacks to keep from getting hacked

I love that my bank, credit cards and insurance companies all have intuitive websites and mobile apps where I can easily pay bills and check my balances. But between Whole Foods, Equifax and Yahoo, I – like many other consumers – am becoming increasingly concerned with what organizations are doing to protect sensitive information.

Even as we become more dependent on IT systems for everything from ordering our groceries to tracking our fitness, cyberattacks are becoming more organized, profitable and persistent. For CPAs, this means growing concerns about both protecting client data and helping clients protect sensitive information.

In honor of Cybersecurity Awareness Month, here are three ways CPAs can remain proactive when it comes to cybersecurity.

Continue reading "CPA life hacks to keep from getting hacked " »

Surviving the Equifax Data Breach

Odds are, you or someone you know were impacted by the Equifax data breach. The breach, which Equifax initially estimated affected 143 million Americans (a figure it later revised upward) – nearly half the US population – is considered one of the largest data breaches in history. Adding insult to financial injury, Equifax has put the onus on consumers to do their own research about whether or not they need to worry.

But don’t panic just yet—we’ve got steps you can take to help protect yourself. Let’s start with the basics:

What is Equifax? And why do they have my information?

Equifax is one of three major U.S. consumer credit agencies, and if you have ever purchased anything of note, like a car or a house, or rented an apartment, or have had any reason to request a credit report, these agencies have your information.

Continue reading "Surviving the Equifax Data Breach" »

Getting Ready for Assurance Has Its Benefits

In recent months, sweeping global cyberattacks have taken thousands of businesses offline, compromising valuable data and blocking access to critical services and information assets. If it wasn’t clear before, it is now: cybersecurity is a business imperative with direct implications for overall company value. But until this spring there was no common language or benchmark for cybersecurity, so how could you quantify and communicate your cybersecurity risk in a meaningful way?

Enter the AICPA’s cybersecurity risk management reporting framework. Unveiled in April, the framework is intended to standardize the way organizations describe their cybersecurity risk management program and its objectives, and to report on that program in a format that works for all stakeholders.

Continue reading "Getting Ready for Assurance Has Its Benefits" »

Most Passwords Are Easy to Guess. Do This Instead.

You’re doing your passwords all wrong.

So says the author of the guidelines most internet users have been following for 15 years, anyway. Passwords that L00K l!ke tHi$ are far more predictable than most people realize, says Bill Burr, a former manager at the National Institute of Standards and Technology (NIST) and author of NIST’s 2003 recommendations for password management. (NIST’s own 2017 revision of those guidelines, Special Publication 800-63B, dropped the character-composition rules and routine forced password changes in favor of length and screening against known-breached passwords.)

In an interview with The Wall Street Journal, Burr said that his previous advice to use numbers, symbols and randomized capitalization resulted in people creating passwords that are easy for computers to predict.

A more secure option is to use four random words, such as “that purple monkey dishwasher.” Such a phrase is actually much harder for computers to guess, The Wall Street Journal reports, because each word drawn at random from a large list adds far more possibilities than a swapped symbol or digit does. (Cartoonist Randall Munroe worked through the math in an xkcd comic six years ago.)

Some password advice remains relevant, however: avoid using birthdays or anniversaries, your kids’ names or your address, as all of this information is easy for hackers to locate. Additionally, use different passwords for each of your accounts and avoid storing them where they can be easily seen or stolen.
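The arithmetic behind the four-random-words advice, as an added example that is not part of the original post: the script below computes the entropy of a passphrase drawn from a word list, compares it with Munroe’s estimate for a mangled dictionary word, converts both to average cracking time at an assumed guess rate, generates a passphrase with the operating system’s cryptographic random source, and screens a candidate the way the 2017 NIST guidance suggests (length plus a breached-list check, no composition rules). The word list, the breached-password set and the guess rate are constructed for the example; a real deployment would use a published list such as the EFF long word list and a large leaked-password corpus.

```python
import math
import secrets

# Constructed sample word list for the demo. A real generator loads a published
# list such as the EFF long word list; its size (7,776 words) sets the entropy per word.
SAMPLE_WORDS = [
    "that", "purple", "monkey", "dishwasher", "correct", "horse", "battery",
    "staple", "granite", "lantern", "velvet", "orbit", "cactus", "harbor",
    "timber", "quartz",
]
EFF_LONG_LIST_SIZE = 7776

# Constructed breached-password sample. A real check compares against a large
# corpus of leaked passwords (by hash, never by sending the password anywhere).
BREACHED_SAMPLE = {"password", "Password1", "P@ssw0rd", "letmein", "qwerty123"}


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words picked uniformly at random from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def mangled_word_entropy_bits() -> float:
    """Rough entropy of a 'Tr0ub4dor&3'-style password: one uncommon dictionary
    word (~16 bits) plus a capital (1), common substitutions (3), a digit (3),
    a symbol (4) and the order of digit and symbol (1). These are the component
    estimates from Munroe's comic, a model rather than a measurement."""
    return float(16 + 1 + 3 + 3 + 4 + 1)


def average_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess; on average half the space is searched."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def generate_passphrase(wordlist, n_words: int = 4) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice()."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def check_password(candidate: str, breached=BREACHED_SAMPLE, min_length: int = 8) -> list:
    """Checks in the spirit of NIST SP 800-63B (2017): a length floor and a
    breached-list screen, with no character-class composition rules."""
    problems = []
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if candidate in breached:
        problems.append("appears in breached-password list")
    return problems


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second for an offline attack on a fast hash
    phrase_bits = passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 4)
    print("4 words from a 7,776-word list: %.1f bits, ~%.0f days on average"
          % (phrase_bits, average_crack_seconds(phrase_bits, rate) / 86400))
    print("mangled dictionary word: %.0f bits, ~%.0f seconds on average"
          % (mangled_word_entropy_bits(), average_crack_seconds(mangled_word_entropy_bits(), rate)))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("P@ssw0rd problems:", check_password("P@ssw0rd"))
```

The guess rate is the variable that matters most: the same 52-bit passphrase that survives indefinitely against an online login form (thousands of guesses per second) lasts weeks against an offline attack on a fast unsalted hash, which is why the list size, the number of words and a slow password hash on the server all need to be chosen together.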

Continue reading "Most Passwords Are Easy to Guess. Do This Instead." »

ICYMI: Protect Clients from Petya Cyberattack

Just as people are starting to recover from last month’s devastating WannaCry ransomware attack, Petya, another malware worm, is shutting down networks across the globe. No one is immune: international businesses and governments alike have been hit by this new attack. Where WannaCry spread indiscriminately across the internet, this strain (widely labelled NotPetya) moves laterally inside corporate networks, using the same Windows SMB exploit plus administrator credentials harvested from infected machines, and instead of encrypting individual files it encrypts the disk’s master file table and overwrites the boot record, leaving whole machines unbootable.

It is imperative that you not only take proper precautions yourself, but also help your clients fortify their defenses against cyberattacks. You can learn more about how to do so with these recent AICPA resources:

Continue reading "ICYMI: Protect Clients from Petya Cyberattack" »

4 Steps to Fortifying Your Cybersecurity

Small businesses are “unprepared or poorly prepared for a cyberattack” according to 75% of the 307 insurance and risk management advisors surveyed through the Advisen and Experian 2017 Cyber Risk Preparedness and Response Survey. Unfortunately, no organization is immune to cyberthreats. These days, most companies should have some basic form of cybersecurity program in place. If yours doesn’t, or if you need a refresher, here are four steps you can take to establish a stronger foundation.

Step 1: Create a Comprehensive Set of Cybersecurity Policies

What resources does your organization have that are at risk? Think beyond the obvious. On-site computer systems, laptops, tablets and mobile phones are immediate suspects, but bring-your-own-device (BYOD) equipment and wearable technology such as smartwatches can also be compromised. Determine what controls you need in place to ensure information is kept secure. Set your rules for communicating, working with, copying and distributing sensitive data; document those rules and make sure everyone in the organization receives a copy. Necessary policies typically include an IT policy, an information security program (including a risk assessment), an employee acceptable use policy, a business continuity and disaster recovery plan, and an incident response plan.

Continue reading "4 Steps to Fortifying Your Cybersecurity" »

The One Vulnerability Cyber Thieves Are Desperate to Exploit

Cybersecurity attacks are becoming more pervasive and seemingly effortless to pull off. Cybercriminals who can execute a successful attack are seizing credit card numbers, bank account information and even Social Security numbers. A 2016 study conducted by the Ponemon Institute found that the average cost of a data breach is $4 million. You can strengthen your organization’s cybersecurity risk management plan by addressing this one vulnerability: weak passwords.

The capture or reuse of passwords, or “static credentials” as they are often referred to in the IT industry, is standard practice for organized crime groups and state-affiliated attackers alike, according to the Verizon 2016 Data Breach Investigations Report, whose list of contributors represents a “who’s who” of cybersecurity expertise worldwide, from both the private and public sectors. And stolen passwords are used against all kinds of targets, from the largest organizations to individuals.

A common misperception is that cyber attackers have become so sophisticated that something as simple as a password is no longer effective. The tendency is to think that if federal agencies and multi-national corporations can be breached, there’s nothing individuals can do to protect themselves. This could not be further from the truth. Individuals have the most power in preventing attacks that exploit passwords, which is why a policy on passwords should be a key component of your firm or organization’s cybersecurity risk management program.

Continue reading "The One Vulnerability Cyber Thieves Are Desperate to Exploit" »

It’s Time to Speak the Same Language on Cybersecurity

Recent massive ransomware attacks on organizations around the world demonstrate how disruptive—and in some cases destructive—cyberattacks can be. The “WannaCry” malware incident is just the latest alarm on the ever-urgent call for companies to immediately address and manage their cybersecurity risks. Every organization is susceptible to cyber assaults, making a clearly defined, flexible and robust risk management program essential to a business’s ongoing success.

Addressing an Increasing Market Need

With cyberattacks on the rise, organizations are not only reinforcing their ability to prevent attacks, but also taking steps to demonstrate that they are doing all they can to detect, respond to, mitigate and recover from attacks on a timely basis. Customers, investors, boards of directors and even government officials want to know more about what companies are doing to address cybersecurity.

Continue reading "It’s Time to Speak the Same Language on Cybersecurity" »

5 Emerging Services Set to Transform the Accounting Profession

What’s on the horizon? How are changes in the business marketplace creating new opportunities for the accounting profession? What are the implications of up-and-coming technologies like blockchain? These, among a host of other emerging trends, were discussed recently at the AICPA’s Assurance Services Executive Committee (ASEC) meeting. The committee, composed of the profession’s leaders in assurance and advisory services, engaged in an insightful discussion about issues that are gaining traction internationally and in the United States.

In addition to discussing ideas for potential future projects, the committee also spoke about the projects they have currently underway that facilitate new opportunities for practitioners to provide value-added services to clients. These include five emerging service opportunities:

Continue reading "5 Emerging Services Set to Transform the Accounting Profession" »

5 Data Backup Gaps and How to Fix Them

March 31 is World Backup Day. Why March 31? Because, according to the day’s organizers, you don’t want to be an April fool.

Human error, equipment failure and theft are just a few ways your organization could be at risk of data loss. Today, no firm or company can afford to be without a cybersecurity risk management program. If you’re like most CPAs, this is not news to you. In fact, if you’re somewhat of a data backup fanatic, you might already be paying for secure offsite storage of paper files as well as digital backups. Still, experts say even the most diligent often have gaps in their backup practices. Let’s look at some of the most common considerations and how to address them.

  1. Do you know exactly how to retrieve your backups? For starters, knowing the person in your office who you think knows how to retrieve your backups doesn’t count. Knowing the name of one of your cloud backup vendors is not enough. Retrieval is an often underdeveloped but equally important aspect of backup planning (see #5 below). Unfortunately, there’s no single, all-encompassing solution for backing up your systems. Even in a small firm, you’ll likely need three or four different backup systems. Tax preparation, bookkeeping and auditing software packages often have integrated, cloud-based backup options. There’s the information on your office network and server(s)—here you can choose a cloud-based solution or an onsite backup system that updates each night. Then you have your desktop and laptop PCs. And, finally, you have smart phones, tablets, watches, etc. Organize your retrieval information for ALL systems and test it—like a fire drill. If your test goes off without a hitch, you can skip the rest of this post.
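The “fire drill” in item 1 can be scripted so it runs on a schedule rather than relying on one person’s memory. The Python below is an added example, not from the original post: it backs up a constructed sample tree of client files, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and checks every file against the manifest, then repeats the drill with a deliberately mismatched manifest to show what a failed restore reports. Directory names and file contents are invented for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source; return the manifest recorded at backup time.
    Store this manifest somewhere other than the archive itself."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return build_manifest(source)


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into a throwaway directory and diff the result against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                tar.extractall(dest, filter="data")  # refuses paths that escape dest
            else:
                tar.extractall(dest)
        restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {"ok": not (missing or corrupt or extra),
            "missing": missing, "corrupt": corrupt, "extra": extra}


def run_drill_demo() -> dict:
    """Build a constructed sample 'clients' tree, back it up, restore and verify."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "clients"
        (src / "acme").mkdir(parents=True)
        (src / "acme" / "2016_return.txt").write_text("constructed sample return data\n")
        (src / "acme" / "ledger.csv").write_text("date,amount\n2017-01-01,100\n")
        archive = Path(work) / "clients.tar.gz"
        manifest = make_backup(src, archive)
        clean = restore_drill(archive, manifest)
        # Simulate a backup that no longer matches what was recorded (bit rot,
        # a half-written archive, or a tampered file): the drill must catch it.
        tampered = dict(manifest)
        tampered["acme/ledger.csv"] = "0" * 64
        return {"clean": clean, "tampered": restore_drill(archive, tampered)}


if __name__ == "__main__":
    for name, report in run_drill_demo().items():
        print(name, "->", "PASS" if report["ok"] else "FAIL", report)
```

Run this against each backup system you listed (the cloud copy of the tax package, the office server, the laptops), keep the manifests away from the backups they describe, and treat any FAIL as an incident to investigate rather than a glitch to re-run.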

Continue reading "5 Data Backup Gaps and How to Fix Them" »

7 Benefits of Cybersecurity Penetration Testing

Security breaches are prevalent in today’s business environment and reports indicate that these threats are not going away any time soon. As a result, organizations need to take steps to safeguard their confidential data and other sensitive information. Smaller organizations like small businesses and not-for-profit entities are particularly vulnerable. A recent study by Symantec found that 43 percent of phishing campaigns affected small businesses in 2016, a significant uptick compared to 2011 when just 18 percent of attacks targeted small businesses.

Even organizations with limited resources have affordable and effective options for protecting valuable data. I recommend penetration testing, a type of cybersecurity vulnerability assessment, to my clients working in the not-for-profit sector. Many of my not-for-profit clients feel compelled to conduct cybersecurity penetration testing when they consider how accepting online donations may create vulnerabilities not only for themselves but also for their donors. Potential donors may feel more comfortable donating online once they hear that the organization has safeguards in place to protect their information. Penetration testing is performed by an outside third party and can be tailored to the needs or concerns of the organization.

Continue reading "7 Benefits of Cybersecurity Penetration Testing" »

3 Steps to Mitigate and Respond to a Security Breach in the Cloud

The AICPA is participating in National Cybersecurity Awareness Month with a series of blog posts to help CPAs understand the role they can play in addressing cybersecurity issues. This is our second post in this series. Our first post discussed low- and no-cost ways to protect data.

Much like their counterparts who run growing companies in virtually every industry, many accounting firm executives have their heads in the cloud. They have implemented, or are considering, cloud computing options for everything from data storage and networking to task automation and product delivery. Some firm executives see an additional opportunity: offering consulting services to help clients understand and use the cloud.

It’s clear that cloud computing provides proven advantages over on-premises options, such as savings, convenience and flexibility. However, the cloud also presents some unique challenges, including often complex deployment options, operational issues and substantial security concerns. Below you’ll find three steps to take to address cloud computing security.

Step One: Know the Risks

The first way to mitigate a security breach is to understand and prioritize the risks related to using cloud services. For accounting firms and their clients that use a cloud service provider (CSP), cloud-based solutions carry the same information security risks as on-premises systems, plus the risks of managing and governing a third-party service provider. The CSP secures the underlying infrastructure, but the firm remains responsible for its own user accounts and access rights, its configuration of the service, and its data, and for contract terms that spell out who does what when something goes wrong.

Continue reading "3 Steps to Mitigate and Respond to a Security Breach in the Cloud" »

5 Low- or No-Cost Ways for CPAs to Help Slam the Door on Cybercriminals

The AICPA is participating in National Cybersecurity Awareness Month with a series of blog posts to help CPAs understand the role they can play in addressing cybersecurity issues. This is our first post in this series.

October is National Cybersecurity Awareness Month, but fighting cybercrime is a year-round battle. As experienced keepers of confidential information, CPAs are uniquely positioned to support cybersecurity initiatives for their firms, clients, or employers. But cybersecurity is costly, and budgets are always limited, especially in the public and not-for-profit sectors. Consider these five simple steps CPAs can take to help protect data without breaking the bank.

  1. Know email scams and warn others. People are increasingly the weak link in organizations’ cyber armor. You know not to give your checking account info to an unknown foreign government dignitary. But what if you get an email from your CEO instructing you to wire funds for a deal that you know is about to close? This scenario was all too real last year for a finance employee who was tricked into wiring $730,000 to a bank in China, according to an FBI report. Since the FBI started tracking business email scams in late 2013, it has compiled statistics on more than 7,000 U.S. companies that were targeted. Total losses exceeded $740 million.
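As an added example that is not part of the original post, here is a small Python checker for the business email compromise pattern described in item 1. It parses two constructed messages (a routine request and a spoofed “wire the funds” request) and flags the header tricks such scams rely on: an executive’s display name on an address that is not theirs, a lookalike sender domain one or two characters away from the real one, and a Reply-To header that quietly redirects the conversation. The company domain, the executive list and both messages are invented for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed data for the example: our domain, the executives whose names are
# worth impersonating, and phrases that commonly appear in wire-fraud requests.
COMPANY_DOMAIN = "example-cpa.com"
EXECUTIVES = {"Pat Rivera": "pat.rivera@example-cpa.com"}
URGENCY_WORDS = ("wire", "urgent", "immediately", "confidential", "before close")

LEGIT_MSG = """From: Pat Rivera <pat.rivera@example-cpa.com>
To: ap@example-cpa.com
Subject: Q3 numbers

Can you send me the Q3 numbers when they are ready?
"""

SPOOFED_MSG = """From: Pat Rivera <pat.rivera@example-cpa.co>
Reply-To: ceo.office@mail-fastreply.com
To: ap@example-cpa.com
Subject: Urgent wire needed today

Please wire $730,000 to the bank details below immediately. Keep this
confidential until the deal closes.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_message(raw: str) -> dict:
    """Return the header anomalies found and whether the message looks like BEC."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(display_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append("executive display name '%s' used with unexpected address %s"
                        % (display_name, from_addr))

    # 2. Lookalike sender domain: close to ours but not ours.
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike sender domain %s" % from_domain)

    # 3. Replies redirected to a domain other than the one that sent the mail.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain (%s)" % reply_addr)

    # 4. Payment urgency language: noted, but not decisive on its own.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    urgency = [w for w in URGENCY_WORDS if w in text]
    if urgency:
        findings.append("payment urgency language: " + ", ".join(urgency))

    # Urgent wording alone is normal business mail; header anomalies make it suspicious.
    header_anomalies = len(findings) - (1 if urgency else 0)
    return {"findings": findings, "suspicious": header_anomalies > 0}


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, analyze_message(raw))
```

Checks like these belong in the mail gateway or a mailbox rule, but the procedural control matters more: any payment instruction that arrives by email is confirmed by a phone call to a number already on file, never to one in the message.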

Continue reading "5 Low- or No-Cost Ways for CPAs to Help Slam the Door on Cybercriminals" »

Introducing a New Framework for Reporting on Cybersecurity Risk Management

The list of companies is growing. Businesses, organizations and governmental entities have suffered damaging publicity—and faced lawsuits—due to data breaches, forcing them to make cybersecurity a priority. It’s not surprising to hear, then, that 95% of CGMA designation holders said their companies were concerned about cyberattacks, according to an AICPA survey. Organizations and their stakeholders are not only seeking ways to address current and potential threats but also to gain assurance and communicate about the efficacy of their own efforts to identify and manage the potential effects of cybersecurity risks.

Stepping up to help our fellow CPAs meet businesses’ and clients’ needs, the AICPA is proposing a way for businesses to demonstrate due care and build stakeholder confidence in their cybersecurity risk management efforts. The Cybersecurity Working Group of the AICPA’s Assurance Services Executive Committee (ASEC), in collaboration with the AICPA’s Auditing Standards Board, is developing criteria and guidance that companies can use to communicate, and we can use to report on entity cybersecurity risk management efforts.

Continue reading "Introducing a New Framework for Reporting on Cybersecurity Risk Management " »

Seizing Opportunity Like a Rapping Founding Father

When hip hop music first became popular, very few people would have thought that the music could be a great way to tell the story of America’s Founding Fathers. Yet, the wildly popular Broadway musical “Hamilton,” which won 11 Tony Awards, merges the historical narrative of the nation's first Secretary of the Treasury with hip hop music and lyrics, and proves that it’s possible to successfully create something fresh by offering a new take on a familiar subject.

Alexander Hamilton, the man whose life inspired the musical, started his career as an accounting clerk in the West Indies, then went to colonial America, where he would eventually lay the groundwork for the United States financial system. The musical came to life because Lin-Manuel Miranda, its creator and the man who originated the role of Hamilton, saw an opportunity and seized it by utilizing his musical talents to tell a 240-year-old story and delight unsuspecting audiences.

What does that have to do with CPAs? A lot, actually. Every day, CPAs use their knowledge and talents to meet a wide spectrum of client needs, often in ways that weren’t initially envisioned 50 or 20 or even five years ago. If you’d like to set the stage for new options in your career or practice, here are several opportunities that mesh well with CPAs’ core competencies and experience.   

Continue reading "Seizing Opportunity Like a Rapping Founding Father" »

Are You Cybersecurity Ready?

The interconnected digital world has been referred to as the wild, wild West. Hackers are eagerly looking to exploit the weakest line of code in mobile devices, applications and operating systems. And those are just a few of the types of technology at risk in today’s environment.

You’ve probably heard the old adage, “you don’t bring a knife to a gun fight.” Cybersecurity is no exception. In a cyber “gunfight,” only the most prepared organizations survive a security breach. To assist organizations in preparing for cyber incidents, the Department of Justice’s (DOJ) Cybersecurity Unit released Best Practices for Victim Response and Reporting of Cyber Incidents, outlining steps to take before, during and after a cyberattack or network breach.

The DOJ document provides best practices and indicates that organizations connected to the Web should evaluate cybersecurity readiness by preparing prior to, in response to and for recovery from an intrusion.  

Continue reading "Are You Cybersecurity Ready?" »

4 Cybersecurity Pitfalls to Avoid

You might break out in a cold sweat at just the thought of criminals on the other side of the world stealing your clients’ or customers’ account information. After all, if some of the largest corporations and agencies of the federal government can’t prevent their systems from being breached, what can a Main Street CPA firm or medium-sized business possibly do against such a threat?

Reality is that as a CPA you can probably do more than you think. At a minimum, as a trusted business adviser, you should help your clients or employer avoid these common pitfalls:

  1. Classifying cybersecurity as an IT issue. Although IT has a support role involving intrusion detection and prevention, cybersecurity involves much more than IT. Today’s hackers increasingly focus their attacks on human rather than technical vulnerabilities. Cybersecurity is an enterprise risk management (ERM) issue. With some specialized training, CPAs are uniquely qualified to systematically assess and report on cybersecurity risks and implement controls to mitigate those risks.

Continue reading "4 Cybersecurity Pitfalls to Avoid" »

Answers to 5 Common Cloud Questions for Not-for-Profits


With cybersecurity in recent news headlines, more clients are coming to us for advice on accounting software solutions. Cloud systems, especially, have increased in popularity among businesses in the private sector and not-for-profits alike. Organizations with decentralized operations, or with many remote workers that need access to information, can benefit the most from using a cloud system.

Here are the most common questions we encounter in our practices.

Q: What (and where) is the cloud?

A: When we talk about the cloud, it just refers to a system or application that is hosted somewhere outside of your office—usually accessed over the Internet. The term “cloud” comes from the shape used to represent the Internet on network diagrams. 

Some people may also be familiar with the term Software as a Service (SaaS).  The “as a Service” (aaS) suffix also refers to the cloud. There are several flavors of this: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and more keep coming up as additional services are delivered via the cloud.

Another term often associated with the cloud is “hosted solutions.” This can be software, servers, or even desktop services. Unlike the “as a Service” model, which would be considered “pure” cloud and is typically reached directly over the Internet in a web browser, hosted solutions usually require a VPN connection or specially configured client software to access. For most intents and purposes, though, we can consider hosted solutions part of the “cloud.”

Continue reading "Answers to 5 Common Cloud Questions for Not-for-Profits" »

Update on Taxes and Terrorism: Why Clients’ Data Could Become Vulnerable

Since this article was initially published in December 2015, the FBI has attempted to compel Apple, Inc. to defeat its own encryption for the purposes of accessing the information on the iPhone of Syed Rizwan Farook, perpetrator of the mass shootings in San Bernardino in December of last year. Apple has thus far refused to obey a federal court order to provide access to the phone, based in part on a First Amendment argument that code-writing constitutes free speech. A federal court in California will hear arguments on March 22, but promises from both the Justice Department and Apple, Inc. to appeal any decision against their respective cases mean the dispute is unlikely to conclude at that time. The case is certain to have far-reaching implications for the nature of digital security both here in the United States and abroad.

Continue reading "Update on Taxes and Terrorism: Why Clients’ Data Could Become Vulnerable" »

5 Cybersecurity Precautions for Small CPA Firms

With busy season off to another running start, it’s important to remember that cyber attackers are busy too. With readily monetizable information on hand that can be sold easily on the black market, your practice is an especially attractive target for attackers.

Frequent news reports of breaches at large organizations and government entities might lead you to believe you don’t stand a chance if targeted. Fortunately, this is not the case. The following basic precautions can significantly reduce your risk and mitigate damage if you experience a cybersecurity incident.

  1. Locate, classify and separate information by risk level. The highest-risk information for most firms is financial account information such as bank routing and account numbers, credit and debit card numbers, and usernames and passwords for online account access. This information should be protected with a high level of security and stored separately from other client records. Because financial institutions typically require the names of authorized users, billing addresses, employer identification numbers and Social Security numbers to gain access to accounts, a system that stores the information used to authenticate against an account separately from the account numbers themselves limits what an attacker can do with any single breach.
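An added example, not from the original post, of the separation described in item 1: the everyday client record keeps only a random token and the last four digits, while the full account number lives in a separate vault that releases it only to a role with a reason to see it, so a breach of the client database yields nothing usable on its own. The AccountVault class, the role names and the sample card number are constructed for illustration (4111 1111 1111 1111 is a standard test number); encrypting the vault’s own storage and the network boundary between the two systems are real requirements that this sketch does not show.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Luhn check: catches typos before a bad number is ever stored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class AccountVault:
    """High-risk store: token -> full account number. Constructed for the example;
    in practice it runs on its own system with its own access controls and the
    mapping is encrypted at rest with a key held elsewhere."""

    def __init__(self):
        self._store = {}
        self.access_log = []  # every detokenize attempt, allowed or not

    def tokenize(self, account_number: str) -> str:
        # The token is random, so nothing about the real number can be derived from it.
        token = secrets.token_urlsafe(16)
        self._store[token] = account_number
        return token

    def detokenize(self, token: str, requester_role: str) -> str:
        allowed = requester_role == "payments"   # assumed role that actually moves money
        self.access_log.append((token, requester_role, allowed))
        if not allowed:
            raise PermissionError("role %r may not read full account numbers" % requester_role)
        return self._store[token]


@dataclass
class ClientRecord:
    """What the general client database holds: no full account number anywhere."""
    name: str
    billing_address: str
    account_token: str
    last4: str


def onboard_client(vault: AccountVault, name: str, address: str, card_number: str) -> ClientRecord:
    """Validate the number, hand it to the vault, keep only a token and last4 locally."""
    digits = card_number.replace(" ", "").replace("-", "")
    if not luhn_valid(digits):
        raise ValueError("account number fails Luhn check")
    return ClientRecord(name, address, vault.tokenize(digits), digits[-4:])


if __name__ == "__main__":
    vault = AccountVault()
    rec = onboard_client(vault, "Acme LLC", "1 Main St, Springfield", "4111 1111 1111 1111")
    print("client database row:", rec)
    print("payments role:", vault.detokenize(rec.account_token, "payments"))
    try:
        vault.detokenize(rec.account_token, "bookkeeping")
    except PermissionError as e:
        print("bookkeeping role:", e)
```

The same split applies to bank routing and account numbers and to online banking credentials: the record most staff touch every day should contain nothing that, by itself, lets someone move money.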

Continue reading "5 Cybersecurity Precautions for Small CPA Firms" »

CPAs Well-Positioned to Help Manage Cybersecurity Risk

Cybersecurity is becoming a critical issue as consumers increasingly entrust their most confidential information – including Social Security numbers, tax identification numbers and financial information – to companies that store this data electronically. As companies look for third-party assessment and verification of their cybersecurity risk management program, CPAs are well-positioned to provide these services – and the more comprehensive definition of attest that many states have adopted ensures that only CPAs can provide cybersecurity attest services in accordance with the AICPA’s high standards.

Attest services are those services that are limited to licensed CPAs and can only be performed by licensees through CPA firms. They include audits, reviews of financial statements and examinations of prospective financial information.

Continue reading "CPAs Well-Positioned to Help Manage Cybersecurity Risk " »

Are You Prepared for a Cybersecurity Attack?

Is your firm or organization prepared to respond to a cybersecurity attack? What about your clients? A cybersecurity breach could occur at any time. No organization is too small to come under attack, so it is best to be prepared. When a breach occurs, companies without a plan may waste valuable time trying to organize a core team and put a strategy in place. Below are steps that you should consider as you develop a cybersecurity response plan.

Continue reading "Are You Prepared for a Cybersecurity Attack?" »
