Lisa Traina
The top 5 cybersecurity solutions for CPAs

With the right attitude and education, organizations can reduce their risk of being hacked.

July 27, 2015
by Lisa Traina, CPA/CITP, CGMA

Unless you’ve been living under a rock—or in the town of Bedrock—you are no doubt aware of the growing threat posed by cybercriminal activity. As a CPA, however, you may not know the role you can play in bolstering your organization’s cybersecurity efforts.

Whether in public accounting or business and industry, CPAs are key stakeholders in cybersecurity. Public accountants, of course, are responsible for safeguarding their clients’ most sensitive financial data. Meanwhile, management accountants such as CFOs often oversee risk management, under which cybersecurity typically falls. And in both public accounting and business and industry, CPAs play crucial roles in developing budgets that help determine how cybersecurity measures are implemented.

Improving cybersecurity starts with accepting that your organization is not immune from cybercrime and educating yourself on the biggest threats to your computer networks and data (see my June 15 CPA Insider article, “The top 5 cybersecurity risks for CPAs”). You can then begin taking concrete steps to shore up your cybersecurity defenses.

Following is a five-pronged approach CPAs can employ in the battle against cybercriminals.

1. Accept that your organization is at risk

CEOs, CFOs, boards of directors, managing partners, and other organizational leaders need to see cybersecurity as the huge issue it is and devote adequate resources to maintaining a secure environment. Executives don’t have to become computer geeks, but they can certainly learn the basics and what questions to ask.

Change starts at the top. You can’t have the CEO wanting to be exempt from the rule that passwords must be changed periodically—something I’ve seen many times. Management needs to establish and embrace a culture of strong security.

2. Educate yourself and your organization

Everyone in every organization needs security training. This means more than just sending out an email telling people to use secure passwords and to not fall prey to phishing emails.

The massive Target security breach started with an employee at one of the company’s vendors clicking on a link in a phishing email. Do your employees know how easily they could inadvertently open the door to such a cyberattack? Get that message across with ongoing cybersecurity training that covers new and old threats, defines the organization’s security controls, sets employee expectations, and explains the consequences for violating procedures.

3. Implement strong IT controls

Organizations need their IT departments (or outsourced vendor) to implement and maintain a comprehensive list of data and network security controls. As a CPA, you usually won’t be responsible for directly implementing these controls or knowing exactly how they work. But it is helpful to understand enough to at least ask the right questions of the IT folks. Among the basics you need to know are:

  • Perimeter security. This first line of defense includes firewall and intrusion detection systems. These should be configured with appropriate restrictions to block and filter both incoming and outgoing internet traffic.
  • Endpoint security. Endpoint security requires each computing device on a corporate network to comply with established standards before network access is granted. These measures protect the servers and workstations and include items such as administrative access limitations and anti-virus protection.
  • Network monitoring. Part of the control environment should include a monitoring program for all IT systems that is frequent and ongoing.
  • Authentication and administration controls. Authentication controls for the network and all critical systems (especially cloud systems that anyone can access from anywhere) should require complex passwords that expire periodically and restrictions on invalid login attempts, such as three strikes and you’re out. Strong controls over user administration are needed as well.
  • Incident response and business continuity. Finally, each organization should have appropriate business continuity and disaster recovery plans that include specific incident-response procedures for dealing with a cyber event.

4. Stay current on updates and patches

Updating and patching are the responsibility of the IT department and actually fall into the above category of IT controls, but they are such a critical security component that they warrant a separate discussion.

Organizations must keep all systems up-to-date at all times. That sounds simple—until you see the list of items that need updating. Among the items are firewalls, routers, switches, servers, peripheral devices such as printers and copiers, workstations, laptops, tablets, and phones. Management needs to ensure that IT—whether in-house or a vendor—updates all operating systems (Windows 7, Windows 8, etc.) and applications (Java, Adobe Flash, etc.) with vendor-supplied patches. In addition, anti-virus/malware protection is needed not only for desktops and laptops, but mobile devices as well, including employee-owned devices that connect to the network.

Make sure IT establishes an inventory reconciliation, which ensures that all systems are protected. Encourage the IT team, or your vendor, to assign this role to someone—preferably not an IT “firefighter”—who has time to fulfill these duties.
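A minimal form of the inventory reconciliation described above, as an added example that is not from the article: it compares the asset inventory against exports from a patch-management tool and an anti-virus console and lists every device that is overdue for patching, lacks current anti-virus protection, or appears in a tool but not in the inventory. The file contents, hostnames, column names and the 30-day patch window are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample data: the asset inventory and two coverage reports,
# in the shape a patch tool and an anti-virus console might export them.
INVENTORY_CSV = """hostname,owner,type
fw-edge-01,IT,firewall
srv-files-01,IT,server
ws-acct-01,Accounting,workstation
ws-acct-02,Accounting,workstation
lt-cfo-01,Finance,laptop
"""
PATCH_REPORT_CSV = """hostname,last_patched
fw-edge-01,2015-07-20
srv-files-01,2015-06-01
ws-acct-01,2015-07-22
lt-cfo-01,2015-07-21
ws-temp-09,2015-07-22
"""
AV_REPORT_CSV = """hostname,av_status
srv-files-01,current
ws-acct-01,current
ws-acct-02,outdated
lt-cfo-01,current
"""

def load(csv_text):
    """Index a CSV export by hostname."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def reconcile(inventory_csv, patch_csv, av_csv, as_of, max_patch_age_days=30):
    """Return inventory hosts that are unpatched or unprotected, plus hosts
    the tools report on that the inventory does not know about."""
    inv, patched, av = load(inventory_csv), load(patch_csv), load(av_csv)
    today = datetime.strptime(as_of, "%Y-%m-%d").date()
    findings = {"unpatched": [], "no_av": [], "unknown_to_inventory": []}
    for host, asset in sorted(inv.items()):
        rec = patched.get(host)
        if rec is None:
            findings["unpatched"].append(host)  # never seen by the patch tool
        elif (today - datetime.strptime(rec["last_patched"], "%Y-%m-%d").date()).days > max_patch_age_days:
            findings["unpatched"].append(host)  # seen, but overdue
        # Firewalls carry no AV agent here; every other device must report "current".
        if asset["type"] != "firewall" and av.get(host, {}).get("av_status") != "current":
            findings["no_av"].append(host)
    findings["unknown_to_inventory"] = sorted((set(patched) | set(av)) - set(inv))
    return findings

if __name__ == "__main__":
    for category, hosts in reconcile(INVENTORY_CSV, PATCH_REPORT_CSV, AV_REPORT_CSV, "2015-07-27").items():
        print(f"{category}: {', '.join(hosts) or 'none'}")
```

Devices in the last category are the ones an inventory-only review would never surface, which is why the reconciliation runs in both directions.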

If you outsource your network support to a vendor, make sure that your contracts establish and assign clear patching and updating responsibilities.

5. Test your security and controls

To determine its cybersecurity risk level, an organization should rely on two types of periodic assessments—vulnerability testing and information systems (IS) controls testing.

Vulnerability testing involves the automated scanning of systems to determine if known vulnerabilities (security holes in software) are present. The tests should assess protections against threats both external (outside hackers) and internal (insiders or hackers that gain internal access). Commercialized scanning software currently tests for more than 50,000 vulnerabilities.

IS-controls testing verifies that the controls described above are functioning properly. Many organizations undergo a review of select controls as part of their financial audit, but this does not typically look at the entire environment. High-level oversight should ensure that IT promptly remediates any issues discovered during testing.

Organizations also need to regularly assess vendors that either host their data or have access to it via internal systems.

In the end, your organization can’t eliminate the threat of cyberattacks, but a mix of education, controls, and testing can significantly reduce the risk.


Lisa Traina, CPA/CITP, CGMA, is the founder and owner of Traina & Associates, which provides information systems and IT security audit and consulting services to business clients.