5 Low- or No-Cost Ways for CPAs to Help Slam the Door on Cybercriminals

The AICPA is participating in National Cybersecurity Awareness Month with a series of blog posts to help CPAs understand the role they can play in addressing cybersecurity issues. This is our first post in this series.

October is National Cybersecurity Awareness Month, but fighting cybercrime is a year-round battle. As experienced keepers of confidential information, CPAs are uniquely positioned to support cybersecurity initiatives for their firms, clients, or employers. But cybersecurity is costly, and budgets are always limited, especially in the public and not-for-profit sectors. Consider these five simple steps CPAs can take to help protect data without breaking the bank.

  1. Know email scams and warn others. People are increasingly the weak link in organizations’ cyber armor. You know not to give your checking account info to an unknown foreign government dignitary. But what if you get an email from your CEO instructing you to wire funds for a deal that you know is about to close? This scenario was all too real last year for a finance employee who was tricked into wiring $730,000 to a bank in China, according to an FBI report. Since the FBI started tracking business email scams in late 2013, it has compiled statistics on more than 7,000 U.S. companies that were targeted. Total losses exceeded $740 million.
  2. Maintain a strong connection with IT. CPAs and IT professionals have a common interest in protecting sensitive and confidential data. What we can learn from each other will likely surprise you. Of course CPAs can help IT design cybersecurity controls, develop reports, or provide assurance on them. But beyond that, there are many low- and no-cost ways you can help prioritize which information and systems are most sensitive and balance cybersecurity against operational needs. Stay connected with your IT staff and encourage informal dialogue with them by holding regular discussions. Bring in lunch (or dinner) and make sure everyone is on the same page. Clear priorities help IT work more efficiently and save money in the long run.
  3. Stay on top of free updates/upgrades. According to Amy Zegart, co-director and senior fellow for the Stanford Center for International Security and Cooperation, research shows there is on average one defect for every 2,500 lines of programming code—just regular human mistakes. Cybercriminals exploit these mistakes to break into systems. Software updates that correct these vulnerabilities are often overlooked by busy users. Most of the time, updates are free, so use them—on computers, smartphones and any other devices used for business purposes.
  4. Adopt a stronger password policy. If your password can be found in a dictionary, it is not secure. If it’s the name of a child, pet, spouse, or car, it’s probably not secure either—unless you take some special precautions such as substituting numbers or special characters for letters. Despite the inconvenience, implementing and enforcing a good password policy is a free and simple way to protect data. Good policies should include guidelines for how often to change passwords, where to store passwords, and instructions for creating them.
  5. Develop a plan—and practice it. Yes, this advice appears in every business article about cybersecurity, but its importance cannot be overstated. CPAs can help by developing and activating the business continuity plan—in this case, a “cyber incident response plan.” Small businesses can accomplish this using a local CPA firm. Small CPA firms can develop a reciprocal agreement with another CPA firm. You should already have answers to questions like: Who is the cybersecurity point person? and Who outside this office needs to be notified of the breach? Conducting practice exercises will help key people understand their roles and help you work out any kinks. Update the plan as new threats arise. When it comes to cybercrime, you can never be overprepared.
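The password guidance in step 4 can be enforced automatically at the point where a password is created. The following is an added example, not code from the AICPA or this post, showing a small policy check: it rejects passwords that are a dictionary word or a personal name, and it goes one step further than the text by also undoing the common number-for-letter and symbol-for-letter substitutions ("P@ssw0rd"), because password-cracking tools apply those same substitutions automatically. The word lists and the 12-character minimum are constructed assumptions; a real deployment would load a large wordlist (ideally including known-breached passwords) and let each user register the personal names that should be blocked for them.

```python
# Constructed tiny wordlist standing in for a real dictionary file; production
# code would load a large wordlist (and ideally a breached-password list).
DICTIONARY = {"password", "welcome", "summer", "october", "accountant", "audit"}

# Names of children, pets, spouses, cars: the post's examples of guessable choices.
# Constructed sample; a real deployment would let each user register their own.
PERSONAL_NAMES = {"fluffy", "mustang", "emily"}

MIN_LENGTH = 12  # assumed policy value; the post gives no specific number

# Letter-for-digit/symbol swaps that cracking tools try automatically, so the
# checker undoes them before comparing against the word lists.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def letters_only(text):
    """Keep only alphabetic characters, dropping digits and punctuation."""
    return "".join(ch for ch in text if ch.isalpha())


def candidate_forms(password):
    """Forms a cracker would try: lower-cased with digits/symbols stripped,
    and the same with common substitutions undone ('P@ssw0rd' -> 'password')."""
    lowered = password.lower()
    return {letters_only(lowered), letters_only(lowered.translate(LEET))}


def check_password(password, names=PERSONAL_NAMES):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    forms = candidate_forms(password)
    if forms & DICTIONARY:
        problems.append("is a dictionary word (possibly with number/symbol substitutions)")
    if forms & {n.lower() for n in names}:
        problems.append("is a personal name (child, pet, spouse, car)")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Fluffy2016!", "Summer2016!!",
                      "correct horse battery staple"]:
        verdict = check_password(candidate) or ["passes policy"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The check compares whole strings only (after stripping digits and symbols), so a multi-word passphrase is not rejected just because it contains a dictionary word; only a password that *is* a single word or name, dressed up with substitutions, is flagged.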

Learn more about the role CPAs can play in the cybersecurity landscape and access news and information at the AICPA’s Cybersecurity Resource Center. In addition, you can find targeted resources for CPAs providing cybersecurity advisory services through the AICPA’s Information Management and Technology Assurance Section, including this free podcast on social engineering, a type of cybercrime.

The AICPA welcomes your feedback on proposed criteria that companies can use to communicate, and CPAs can use to report on, an entity’s cybersecurity risk management program. These criteria provide a way for businesses to demonstrate due care and build stakeholder confidence in their cybersecurity risk management programs. Comments are due Dec. 5, 2016.

Susan Pierce, CPA, CITP, CGMA, Associate Director-Info Management & Technology Assurance, American Institute of CPAs. 

Source: AICPA