Understanding the Top Cyber Threats and How to Prevent Them
by Scott Mahoney and Joe Riccie, CPA, Withum –
February 28, 2018
From a cost and compliance perspective, the potential implications that a cybersecurity breach has on a business – especially one within the accounting industry – creates risks that can’t be ignored. Businesses need to take an offensive approach to protect themselves.
Cybersecurity breaches are more costly in the United States than anywhere else in the world — with the average incident costing $7.45 million, according to a study performed by the Ponemon Institute in June 2017. This consists of four primary costs:
- Detection and escalation ($1.07 million)
- Notification ($0.69 million)
- Post response ($1.56 million)
- Lost business ($4.13 million)
In the accounting industry, confidential PII (Personally Identifiable Information) and PHI (Protected Health Information) data is prevalent and must be maintained for several years in order to support clients if they are audited or sued. What CPA firms do to protect that data is imperative, not only for clients, but for the firm itself.
Top Cybersecurity Threats
There are many types of cybersecurity threats out there, with more emerging each day. The most common types of threats that lead to incidents include:
- Ransomware and similar deception tactics — tactics that require the use of Businesses need to take tools to conceal, prevent or limit users from accessing their systems, files and an offensive approach to data. In such incidents, the perpetrator typically blackmails the victim, threatening that the content will be exposed or permanently blocked without the payment of a ransom.
- Social engineering — psychological manipulation of an individual(s), whereby the perpetrator masks their identity so that the individual performs a particular action or provides confidential information. Common types of social engineering include:
Password attacks — threat that occurs when a perpetrator attempts to gain access by cracking a user’s password. Password-cracker software is readily available to support perpetrators in testing hundreds of millions of passwords per second to attempt to gain access to their protected environments, applications or data.
Man in the Middle (MITM) — threat by which a perpetrator secretly intercepts communications between two parties by impersonating the party on each end of the communication to eavesdrop on the message or even alter the communication between the two parties. A means of identifying this threat is to closely inspect the website address as it is often misspelled or varies slightly from the intended party’s website (e.g., vvalmart.com).
Denial of Service (DoS) — targeted attack that aims to disrupt the availability of a system or network by sending high volumes of data or traffic until it becomes overloaded, thus inaccessible or disruptive to legitimate traffic.
- Phishing — sending emails that appear to be from a legitimate business source to a high volume of victims in an attempt to get the victims to provide confidential information, either via an emailed response or a link within the email.
- Spear phishing — the perpetrator sends a highly customized email in an attempt to obtain confidential information or an action by the victim (e.g. a masked request from the CFO to personnel requesting they process an immediate payment to the perpetrator).
- Baiting — leaving physical media that contains malware for a victim to unknowingly load into their computing environment.
- Tailgating — an attacker physically follows an authorized individual into a restricted area.
With so many mechanisms for a cybercriminal to use, the question is no longer how can a company eliminate the possibility of being breached but rather when it will happen and how the company can reduce the impact.
Due to the impact posed to consumers, regulations have been enacted to force organizations to proactively establish and maintain a cybersecurity program or face stiff financial penalties. To date there are a few regulations in place: the European Union’s regulation, General Data Protection Regulation (GDPR) and New York State Department of Financial Services Cybersecurity Regulations.
The AICPA has established System and Organization Controls (SOC) for Cybersecurity as a mechanism to aid organizations in demonstrating their cybersecurity practices to third parties and regulatory bodies. Requesting your clients to obtain a SOC for Cybersecurity report as part of their process of evaluating third-party vendors handling their confidential information may alleviate some of the risk associated with using third-party vendors.
How to Manage Risk
In the accounting industry, one of the primary objectives is to minimize risk — audit risk, risk of material misstatement or otherwise. Managing the risk associated with cybersecurity incidents, including those threats previously identified, involves the same concept. It starts by understanding the risks, and the first step in that process is to perform a data mapping exercise to identify what data you have, how it is used, where it is stored and how it is transmitted. Following that step, a risk assessment must be completed to identify the risks and determine what controls have been implemented to mitigate the identified risks. Simply relying on third parties to manage that risk is not sufficient. Many clients are quite surprised once they see the details of where data is stored and transmitted (i.e., who else in their vendor supply chain has access). Then there is a scramble to re-read vendor contracts and determine liability. When was the last time you checked in on your vendors and how much information they have?
Preparing for breaches is not an exact science. As technologies continue to advance and programs change, new threats will continue to arise. Although costly, implementing a cybersecurity program is not simply a sunk cost. It does have two significant advantages.
- It reduces the likelihood of a breach by enabling the organization to better protect themselves and limit their exposure from the occurrence of potential incidents.
- It can reduce costs. Another study performed by the Ponemon Institute using 2016 data found that organizations can reduce the costs associated with an incident by up to 35 percent through implementation of a cybersecurity program.
Scott M. Mahoney
Scott Mahoney is a senior manager with Withum and a team leader of the firm’s IT Audit, Security, Risk Management and Compliance services.
This article appeared in the March/April 2018 issue of New Jersey CPA magazine. Read the full issue.