CPAs must take steps to mitigate cybersecurity risk
Rapid evolution of malware and other cyberattacks demands a strong response.
April 29, 2013
Cloud computing and mobile devices are among the developing technologies opening new communication doors for individuals and organizations. Many of these doors lead to great progress and opportunity. Others, however, could lead to big problems with cybercrime.
For CPAs, it’s important to understand the implications of a complex and rapidly evolving universe of cybersecurity threats. Steve Ursillo Jr., CPA/CITP, CGMA, will cover the cyberthreat landscape in a session he is presenting June 10 at the 2013 Practitioners Symposium and Tech+ Conference in Partnership with the Association for Accounting Marketing Summit. Ursillo is a partner and director of technology and assurance services with Sparrow, Johnson & Ursillo, an accounting and technology consulting firm based in Rhode Island.
CPA Insider spoke with Ursillo, who offered a number of observations regarding the current cybersecurity climate and what CPAs should be doing to protect themselves and their data.
The threats are growing
CPAs, their organizations, and their clients should be aware that their data and computing resources are exposed to a growing web of cybercriminals and malicious software designed to penetrate cybersecurity defenses. Ursillo cited several key factors in explaining why the cybersecurity landscape is more treacherous than ever.
They have the technology
Advances in software, particularly in the areas of malware and data scraping and compilation, have increased the number and intensified the effectiveness of cyberattacks. On the data front, cybercriminals now have access to tools that can scour the internet collecting information on people and organizations from myriad websites and social media networks, Ursillo said. The tools can then compile that information into a centralized source.
For example, these applications could scrape your username, name, and email from one website, and your username, email, personal address, and financial information from another site. In addition, cybercriminals scouring social networking sites could scrape Facebook to find your birthday, likes and dislikes, and where you hang out. Facial recognition technology can also find photos of you online and potentially link you to other sites. “It’s a mini big data concept on your individual profile,” Ursillo said. “So what happens is all that information comes together, and now the hacker has a pretty good profile of a particular individual.”
Once that profile is in hand, cybercriminals can use it to forge fake identities or to carry out targeted social engineering attacks.
The criminals are organized
Cyberspace has seen a massive invasion of sophisticated, easy-to-use malware. One reason for that is the increased role of organized crime in cybercriminal activities. Software developers now have a market for applications that allow nonprogrammers to create malware, Ursillo said. Organized crime associates are willing to pay for malware creation kits, which are available in storefront-style marketplaces online. The kits allow criminals to create sophisticated malware using essentially a point-and-click approach, Ursillo said. This is particularly dangerous, because the crime organizations bring an in-depth understanding of digital cash flow, business transaction trails, and other processes—knowledge that can be used to design both the malware and the strategy for penetrating the cybersecurity perimeter and stealing cash in electronic transit.
Bring your own target
The rapid rise of mobile devices has created a sea teeming with potential entryways to computer networks, confidential data, and, ultimately, easy money. Hackers are now targeting smartphones and other mobile devices, Ursillo said, to get their foot in the door. For instance, cybercriminals use text messages that link to infected websites to compromise a phone and, ultimately, a computer network. “It’s like the Wild, Wild West,” Ursillo said.
How to defend against cyberthreats
Individuals and organizations don’t have to wait for the cavalry to fight back against cyberoutlaws. There are several steps they can take to mitigate the risk of a devastating cybersecurity breach. Here are three of them:
In the end, awareness is the No. 1 key to protecting data and computing resources from cybercriminals. The threats are evolving. CPAs must keep pace.
Jeff Drew is a CPA Insider senior editor.