Kristen Hughes, Associate Director — Advisory Services & Credentialing, Association of International Certified Professional Accountants
Cyber breaches have become a more common threat for businesses. The pandemic accelerated the digitalization of many companies and a shift to remote working. That increased first-quarter cybercrime by 273% in 2020 compared to 2019. The new and innovative ways hackers found to steal company data cost U.S. businesses an average of $8.64 million per breach. Even more startling: small businesses were victims of nearly a third of all cyberattacks.
What new trends, patterns and hacks can we expect next? How can CPA firms protect their practice and their clients from cyberattacks?
Jim Bourke, CPA, CITP, CFF, CGMA, a cybersecurity expert and Managing Director of Advisory Services at Withum, shares three cybercrime trends.
Trend 1: Remote work makes companies more vulnerable to cyberattacks.
More people across the globe are working remotely than ever before. “That creates a massive amount of opportunities for cyberthieves,” Bourke says. “We’re going to see a continued proliferation of cybersecurity breaches.”
Most IT teams are well versed in protecting office networks against data breaches. However, they likely didn’t anticipate that most of their staffs would eventually work remotely part- or full-time.
Bourke says that the shift created a new level of complexity.
“All it takes is one staff person to give away the keys to the kingdom and let a potential cyberthief in,” he says. However, firms can reexamine the controls and security protocols they have in place to mitigate the risk.
Trend 2: Organizations are educating employees about how to minimize security risks while working remotely.
More companies are instructing their staffs about how to prevent these risks while working remotely. IT departments should cover topics such as how to secure home networks. For example, Bourke says, “Most people never change the password for their home wireless router, which is a major point of vulnerability. Anyone who passes through your house could gain access to anything that your laptop is connected to while you’re on that network.”
Hackers may also target common technologies such as Microsoft Office, Skype or Zoom.
“This technology is not new, but we’re using a lot more of it,” Bourke says. “We’re seeing a major increase in phishing attacks around trying to steal credentials for these programs.”
Firms should be proactive to ensure that employees know how to identify these types of attacks.
Trend 3: CPAs are essential partners in identifying and addressing cybersecurity risks.
CPAs regularly work with financial information and understand the vulnerabilities associated with storing and handling confidential data. Bourke says that the required education for CPAs—whether for their accounting degrees or as part of continuing education throughout their careers—uniquely prepares them for a cybersecurity role. “The best team to help clients with respect to cybersecurity awareness and remediation is a team made up of CPAs and IT professionals,” he says.
CPAs can serve multiple roles in preventing cybercrime—such as identifying potential threats, developing safety protocols and evaluating risk management plans—within their firms or for clients. However, if your firm doesn’t have cybersecurity expertise, you can connect clients with experts who can help them put together effective cybersecurity risk management programs. If your firm wants to expand its cybersecurity knowledge, consider training your staff or partnering with a firm that has this expertise.
Increase your firm’s knowledge.
Cyberattacks are becoming more prevalent. CPAs play an important role in protecting clients from risks, and it's better to proactively address threats.
We’ve developed some resources, including articles, podcasts, reports and webcasts, in our Cybersecurity Resource Center to expand your firm’s knowledge. We also offer cybersecurity certificates to help you learn more about how to prepare for these threats.
If you want to take it a step further, consider the AICPA’s Certified Information Technology Professional (CITP®) credential for your staff. The CITP credential illustrates proficiency in assessing, detecting and managing cyber risk. Having a CITP on staff will help boost client confidence and enhance your firm’s credibility as a cybersecurity service provider.
Ultimately, cybercrime is not only a risk to your (and your clients’) data but to your firm’s reputation. But, with proper training, you can be prepared to mitigate these potential risks.