Cybersecurity for CPAs: Delayed reactions

Accounting Today March 13th, 2023

Accounting firms are increasingly targeted for cyber-attacks, and cybersecurity has become essential for any professional. Between data breaches, phishing attacks, and malware, criminals are increasingly going after the sensitive financial data held by accountants. The modern accountant, then, must take their cyber defenses seriously for the sake of themselves and their clients.

With this in mind, we present the first of our new monthly series, Cybersecurity for CPAs. This regular feature will bring you the best cybersecurity stories from Accounting Today, as well as lessons are drawn from real-life cybersecurity incidents, plus stats and charts to help you better understand the current landscape. It’s our hope that readers will be able to use the news and insights offered in this feature to make their own firms safer in an increasingly dangerous world.

Cybersecurity Tales: Delayed Reactions
Even when a cyber incident is detected, the full consequences of the intrusion may not make themselves felt until much later, as evidenced by an accounting firm that learned this lesson the hard way.

Our story begins with a managing partner at a regional accounting firm specializing in audits. One day, a staff member called him and asked whether he really was requesting that she download a file from a linked hosting service. He had not, and so they alerted the firm’s outsourced IT vendor to look into the matter.

The vendor ran a scan of the system and found no viruses or other threats. All normal there. But something else was very curious. Whenever the managing partner logged into his email system from the remote network or a local server, all was well. But if he logged into the same account via the web, suddenly there was a rule set up about its file-sharing service that he was sure he did not make himself. When he tried to log into the account’s file-sharing service, it failed. Eventually, the vendor was able to reset his password and delete the rule. Afterward, they set up a dual authentication process for the account. Other staff followed his lead and also set up dual authentication for their accounts.

Lesson learned, and crisis averted, right? No. Ten months later, the firm determined there had been a privacy breach involving 19,000 individuals. Investigators needed to undertake the arduous process of pulling thousands of items to identify the population of those potentially impacted, so they could determine whom to send breach-notification letters.

The analysis eventually revealed that virtually all the compromised data was connected to a single audit client; the eight files involving the client dated back to between 2009 and 2011. This included a large spreadsheet with people’s names and personally identifiable information. What seemed to have happened was that old emails with this data had been left unencrypted in an account, meaning they were available for any hacker to access. This was at least partially due to the firm not having a policy regarding the retention of sensitive emails.

Ultimately, though the firm notified all the individuals potentially impacted by this breach, the damage had already been done. This was why, a short time later, the firm was served with a class-action lawsuit from those whose personal, confidential information was leaked.

This real-life example was provided to us by professional liability insurer Camico, which had this to say about the situation:

“The dated, sensitive information should have been protected and secured and then later carefully destroyed. The responsibility falls on the CPA firm, as their email account containing unencrypted PII data needed to be safeguarded. Email accounts that have been compromised allow hackers to put rules on the account and send purported messages — such as from a CPA firm — asking for money or to click on a harmful link.”

“Security such as authentication is critical for company accounts, only permitting authenticated users to gain access to protected resources,” the insurer warned. “Email retention policies are vital for a firm — or any business — to save space on your email server and stay in compliance with federal and industry record-keeping regulations. Retaining emails for a longer amount of time than necessary exposes a company to security and legal risks and can compromise data assets.”

The resolution of the lawsuit is uncertain at this time.

LibertyID provides 360 fully managed identity fraud concierge restoration services to its subscribers. We are experts in resolving all 31+ forms of identity fraud.

LibertyID Business Solutions provides business regulatory compliance tools, including fraud remediation, pre-breach preparation, ISP protocols, post-breach regulatory response, customer, and employee identity fraud restoration management, employee training, and third-party vendor assessment.