Jeff Drew
CPAs must take steps to mitigate cybersecurity risk

Rapid evolution of malware and other cyberattacks demands a strong response.

April 29, 2013
By Jeff Drew

Cloud computing and mobile devices are among the developing technologies opening new communication doors for individuals and organizations. Many of these doors lead to great progress and opportunity. Others, however, could lead to big problems with cybercrime.

For CPAs, it’s important to understand the implications of a complex and rapidly evolving universe of cybersecurity threats. Steve Ursillo Jr., CPA/CITP, CGMA, will cover the cyberthreat landscape in a session he is presenting June 10 at the 2013 Practitioners Symposium and Tech+ Conference in Partnership with the Association for Accounting Marketing Summit. Ursillo is a partner and director of technology and assurance services with Sparrow, Johnson & Ursillo, an accounting and technology consulting firm based in Rhode Island.

CPA Insider spoke with Ursillo, who offered a number of observations regarding the current cybersecurity climate and what CPAs should be doing to protect themselves and their data.

The threats are growing

CPAs, their organizations, and their clients should be aware that their data and computing resources are exposed to a growing web of cybercriminals and malicious software designed to penetrate cybersecurity defenses. Ursillo cited several key factors in explaining why the cybersecurity landscape is more treacherous than ever.

They have the technology

Advances in software, particularly in the areas of malware and data scraping and compilation, have increased the number and intensified the effectiveness of cyberattacks. On the data front, cybercriminals now have access to tools that can scour the internet collecting information on people and organizations from myriad websites and social media networks, Ursillo said. The tools can then compile that information into a centralized source.

For example, these applications could scrape your username, name, and email from one website, and your username, email, personal address, and financial information from another site. In addition, cybercriminals scouring social networking sites could scrape Facebook to find your birthday, likes and dislikes, and where you hang out. In addition, facial recognition technology can find photos of you online and potentially link you to other sites. “It’s a mini big data concept on your individual profile,” Ursillo said.  “So what happens is all that information comes together, and now the hacker has a pretty good profile of a particular individual.”

Once that profile is in hand, cybercriminals can use that information to forge fake identities or use the information for targeted social engineering attacks.

The criminals are organized

Cyberspace has seen a massive invasion of sophisticated, easy-to-use malware. One reason for that is the increased role of organized crime in cybercriminal activities. Software developers now have a market for applications that allow nonprogrammers to create malware, Ursillo said. Organized crime associates are willing to pay for malware creation kits, which are available in storefront-style marketplaces online. The kits allow criminals to create sophisticated malware using essentially a point-and-click approach, Ursillo said. This is particularly dangerous, because the crime organizations bring an in-depth understanding of digital cash flow, business transaction trails, and other processes—knowledge that can be used to design both the malware and the strategy for penetrating the cybersecurity perimeter and stealing cash in electronic transit.

Bring your own target

The rapid rise of mobile devices has created a sea teeming with potential entryways to computer networks, confidential data, and, ultimately, easy money. Hackers are now targeting smartphones and other mobile devices, Ursillo said, to get their foot in the door. For instance, cybercriminals use text messages that link to infected websites to compromise a phone and, ultimately, a computer network. “It’s like the Wild, Wild West,” Ursillo said.

How to defend against cyberthreats

Individuals and organizations don’t have to wait for the cavalry to fight back against cyberoutlaws. There are several steps they can take to mitigate the risk of a devastating cybersecurity breach. Here are three of them:

  1. Understand the flow of confidential data and enforce security procedures. This is particularly important for CPAs, who must deal with regulatory and legal issues regarding confidential client data. If using a cloud provider, CPAs always must know where their data is, how it’s being protected, who has access to it, and how it could be destroyed.
  2. Understand which data is sensitive, not only as a single element but also in combination with other types of data. For example, you may have a piece of information that is not very sensitive by itself, but combined with other information, it is something that is very sensitive, Ursillo said.
  3. Have procedures and technology in place to detect and respond to cybersecurity breaches. “It’s a matter of when, not if, you will be attacked,” Ursillo said. It is essential that organizations have “strong plans in effect to detect and identify the nature of a breach,” he said.

In the end, awareness is the No. 1 key to protecting data and computing resources from cybercriminals. The threats are evolving. CPAs must keep pace.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Jeff Drew is a CPA Insider senior editor.