Lisa Traina
The top 5 cybersecurity risks for CPAs

These threats are the ones that should be keeping accountants and their employers up at night.

June 15, 2015
by Lisa Traina, CPA/CITP, CGMA

Do you remember the story of the little Dutch boy who put his finger in a leaking dike, a small effort that helped prevent a huge disaster? What would have happened if the little boy had not acted? Even worse, what if there had been many more holes—ones no one realized were even there? The results could have been disastrous.

That’s the situation facing many, if not most, organizations of all types, including accounting firms, businesses, and other entities that employ CPAs. It’s a problem I personally see almost every day. My company does information technology security reviews for organizations. No matter what type of entity they are or what industry they are in, a first-time review of their IT defenses usually reveals 40 or more security holes that need to be patched.

So what can you do to protect yourself and your organization? The first thing is to understand the problem. To help with that, here are the top five cybersecurity risks CPAs and their organizations face.

1. Ignorance

You might think that most business leaders are well aware of the threat posed by cybercriminals. After all, high-profile breaches at Sony, Target, and innumerable other organizations have generated a flood of media coverage and social media chatter. Despite that, I continually see evidence that far too many business professionals still don’t grasp the size and severity of the threat.

Consider this example: During a recent presentation for a group of bank directors, I explained that even if a business has a “good IT guy,” its risk for a cyberattack or breach isn’t small. Immediately after the presentation, I overheard several attendees agreeing that because their banks had strong IT departments, they were not as at risk as other organizations. Even if that’s true, it still doesn’t mean their banks are at low risk of attack.

One of the toughest mindsets to overcome is one that believes the organization either has nothing worth stealing or is too small to be targeted—or both. Wrong. Everyone is at risk. A recent study conducted by cybersecurity company FireEye found that 97% of organizations already have been breached. Yes, 97%.

Still think you’re too small to be a target? Consider this: Every organization has a bank account, and from China or Russia, all IP addresses look the same. Hackers usually target anyone with a vulnerability in their IT systems. And when they do pick a target, hackers sometimes choose small organizations solely to gain access to other organizations.

The bottom line is that you don’t know what you don’t know. If you don’t realize you are at risk, you are not likely to take steps to identify and subsequently mitigate the risk.

2. Passwords

Passwords continue to be a major security risk for organizations. The Verizon RISK team’s 2013 Data Breach Investigations Report found that 76% of corporate network breaches directly resulted from lost or stolen credentials. And many of those credentials are in the form of easily hacked passwords.

SlashData’s annual “Worst Passwords” report found that the most frequently used passwords of 2014 were “123456” and “password.” “Baseball” came in at No. 8. Let’s face it, that’s a problem. And not only do people use simple, weak passwords, but they often use the same one for everything, further magnifying the risk. A breach exposing passwords on a social networking site might seem unrelated to your business. But what if an employee’s password was exposed in the breach and his or her place of employment or bank was identified on their page? The compromised password could be used to attempt to log in to other systems. (Editor’s note: Check out a suggestion for strong, unforgettable passwords from the JofA’s Technology Q&A columnist, J. Carlton Collins, CPA.)

The impact of weak and repeated passwords is magnified now that so many cloud systems are in use, because the bad guys no longer have to be inside the network to use discovered passwords. Add in what is now standard remote access to systems by vendors, and the problem again grows larger. Several major breaches have involved compromised vendor credentials.

As hard as it is to believe, Sony actually had a folder called “Password” on its breached network. I can’t imagine how this could happen in an organization so large, but during our IT security audit work, we routinely see not only passwords written down in all kinds of places, but unsecured password documents stored on employee computers and mobile devices. Don’t do this.

3. Phishing

The purpose of a phishing email is to entice the reader to click on a link or an attachment, opening the door for hackers to steal data or infect systems with malware. The Target breach and many others started with a phishing email.

Phishing emails come in many forms, notifying you of a package shipment delay, potential fraud on your credit card, or a lottery win, just to name a few. While many phishing emails are filled with misspelled words and grammatical errors, others are very well written and look quite believable.  

A targeted phishing email is known as spear phishing. This occurs when the email is not completely random but has relevance to the recipient. For example, if you receive a message that looks as if it came from your bank warning of possible problems with your account, you are more likely to heed the request to click on a link than if you receive a random message supposedly from a bank where you do not have an account. The ability to craft spear phishing attacks to specific targets is why seemingly harmless breaches of email addresses can be dangerous.  

Organizations use filtering to prevent many phishing emails from reaching employees, but some slip through in even the best of systems. And it is quite difficult to get users to slow down and think before opening emails and clicking on links and attachments. We perform phishing tests for many of our clients and even when the employees have been trained on the dangers of phishing, the click rate is still surprisingly high. In organizations with no training, the click rate can be alarming. And, remember, all it takes is a single click to potentially infect an entire network.

4. Malware

Malware, or malicious software, is installed without the user’s knowledge, typically from an attachment in a phishing email or a visit to an infected website. The user usually has no idea his or her computer has been infected, and the malware can stay dormant for months before it is used to steal data, including passwords, or take over systems.

Another scary fact is that the bad guys no longer need technical expertise to write the malware. That’s because virtually anyone can purchase malware online; all that is needed is malicious intent and a few hundred dollars.

5. Vulnerabilities

Misfortune Cookie, Poodle, Shellshock, Heartbleed, Freak, Venom, Logjam. This isn’t the band lineup for the latest Lollapalooza rock concert. These are the names used to identify recent computer vulnerabilities that millions of computer users are exposed to.

A vulnerability is a flaw or weakness in a system that hackers can exploit. In today’s world, software is written and released much more quickly than ever before, so the risk of security holes is naturally greater. The vendor must provide an update or patch to close the hole and then systems must be updated.

For many years, most vulnerabilities were found in operating systems (Windows XP, Windows 7, etc.), but individuals became accustomed to setting systems for periodic updates, somewhat diminishing the number of weak systems. So the criminals took a new approach and began to look for vulnerabilities in applications including Adobe Flash and Java, a common application module. Many individuals and organizations never update these applications because they are unaware of the risk.

The list of vulnerabilities discovered each day is astounding. These are known as zero-day vulnerabilities because there is not yet a remedy available at the time of discovery. Organizations must keep everything—servers, workstations, laptops, routers, switches, firewalls and even mobile devices—updated all of the time. This is a daunting task.


The cyber risks are so great these days that management must get involved to ensure that appropriate mitigation strategies are in place. We all know the first step to treating addiction is admitting there is a problem. Similarly, the first step toward cybersecurity is acknowledging that you are at risk.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Lisa Traina, CPA/CITP, CGMA, is the founder and owner of Traina & Associates, which provides information system and IT security audit and consulting services to business clients.