Just as many cybersecurity experts predicted, there was a surge in cyberattacks against practices of all sizes during the height of the COVID-19 pandemic. Organizations that track cyberattacks reported an increase of 300% during these unprecedented times.

There were a multitude of reasons for the uptick. Some are more obvious, such as CPAs turning on remote access without fully understanding the ramifications of this action and the risks associated with it. Many IT companies rushed to provide access for remote employees without properly implementing and securing it—ultimately resulting in cyberattacks.

Identifying New Cyberattacks

Hackers are adopting some relatively new tactics that are impacting CPAs. The first, known as ransomware, is the theft of most or all of a practice’s data, then the encryption of it and a demand for payment. Most threat actors have shifted to this modality as a way of almost guaranteeing that a business will pay the ransom to get its data back. This attack typically happens when hackers gain access to a network through phishing, spear phishing, or malware deployment. The threat actors typically conduct surveillance on the network to understand the types of applications running and the location of data and backups. They will often deploy credential harvesting software to steal user names and passwords to devices and applications and then use that information to further exploit the system.

While conducting their surveillance, hackers will attempt to move laterally through the network as a way to gain access to more devices. They will often deploy numerous forms of malware to further exploit vulnerabilities. There have also been numerous cases in which the threat actors deploy multiple screen-sharing applications on a network as a way to gain remote access.

One practice recently requested our cybersecurity firm’s assistance after receiving an error message when attempting to access the management software. Upon further investigation by the practice’s IT company, it was determined that the database and backups were no longer on the network. The IT vendor found a note from the threat actors indicating that the system had been compromised and the data had been stolen.

Upon our initial investigation, it was determined that the threat actors did in fact steal the database and delete all backup copies. This practice thought it was properly protected by its IT company. They kept saying, “But we have a firewall” and “How could this happen?” What if this was your practice and all your critical data—such as financials, tax returns, and legal documents—were stolen? What would the impact be to your firm? For most, not only is it a public relations nightmare, but it is also a financial disaster.

Mitigating Chances of a Cyberattack

How can the accounting profession better mitigate the chances of a cyberattack? Hackers breach networks and devices through vulnerabilities—an “unlocked door or window” on a network that is available to exploit. Through these vulnerabilities, hackers gain access to devices and computers and then use them as a launching pad to gain access to other critical systems, such as servers and tax software. As of June 2020, there have been close to 40,000 documented high vulnerabilities identified. Many of these can be used to exploit a practice’s system.

To help limit this exposure, have the network environment audited and tested by an ethical hacker. An ethical hacker performs a penetration test that simulates an attack by a criminal to uncover breach points in the network. In addition, if an accounting firm or practice does not have a comprehensive cybersecurity awareness training program, it will be exposed to “click risk.” This is when hackers deliver bogus emails (known as phishing and spear phishing) to employees who deploy a malicious payload to the network. These emails are disguised to look like legitimate requests to fool the receiver into taking action.

CPA firms must shift their focus from simple preventative measures such as a firewall and antivirus software to a comprehensive, multilayered strategy that includes real-time vulnerability management, penetration testing, cybersecurity awareness training, and an independent security audit conducted by a dedicated cybersecurity firm.

What are the takeaways from the last few months? First, CPA practices must prioritize security because the theft of data can be devastating to a business. Threat actors have highly sophisticated operations that can actually cause exponential costs beyond their demands. A Jan. 15, 2020, CPO Magazine article cites Atlanta as an example. Although a ransomware attack demanded $50,000 in bitcoin, the true cost to the city was $2.3 million.

CPA practices must have a threat mitigation strategy that matches the hackers’ skills, which means you need more than just a firewall, antivirus software, and some “feel-good” pieces of security technology. 


Reprinted with permission from the Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of Certified Public Accountants.