May 18, 2021

Cybersecurity Guidelines for the CPA C-Suite

Cyberattacks are happening more frequently and with increasing sophistication. To counter this threat, c-suite executives must adopt a threat-based approach to cybersecurity that includes education and training, adaptability to new technologies and policies, and adherence to industry best practices. By taking these steps, executives will save their firms money, time, reputation, and resources. With more employees and executives working remotely because of the pandemic, training on how to prevent cyberattacks and a secure cloud-based platform are paramount. Ultimately, executives should embrace a cloud-based platform for their firm's data, such as the one offered by Cetrom, as one of the most effective ways to strengthen cybersecurity, reduce costs, improve risk management, and prevent cyberattacks.

Understanding the Threats from Cyberattacks 

As cyberattacks evolve and advance, c-suite executives must educate themselves on the threats from cyberattacks to understand how they and their companies are at risk.

  1. Know the types of cyberattacks and who carries them out. The most common attack types are malware, phishing, spear phishing, man-in-the-middle attacks, denial-of-service attacks, SQL injection, zero-day exploits, advanced persistent threats, ransomware, and DNS attacks. Ransomware in particular remains one of the biggest risks to a company's data and operations; on average it halts business for 19 days after an attack. Attacks also originate from a variety of sources. The most typical categories of perpetrators are nation states, criminal groups and individual cybercriminals, malicious insiders, hacktivists, hackers, and terrorist groups. Most attacks come from outside the organization, and attackers can change tactics quickly, even in the middle of an intrusion.
  2. Detecting a breach is not instantaneous. In 56 percent of cases, months or even years pass before a company discovers that a data breach has occurred, and by then the financial and reputational damage has been done.
  3. Cyberattacks are expensive. The global average cost of a breach is $3.92 million per company, and up to $7.5 million according to the Securities and Exchange Commission. The most expensive attack to date, the MyDoom malware of 2004, cost approximately $38 billion. Cybercrime is expected to cause $6 trillion in damages globally by 2021. Many firms also lack cyber liability insurance to offset these costs: only 27 percent of firms carry it, with the vast majority relying on generic insurance or none at all, even as the average cost of cyber liability coverage increased nearly sixfold worldwide from 2019 to 2020.
  4. Reputational damage hurts the bottom line. One of the largest costs of a cyberattack is reputational. Companies have paid millions of dollars to settle customer claims after losing control of customer data in a breach, and clients feel less secure dealing with a company that has been breached. Target, Capital One, J.P. Morgan, and Equifax all suffered massive breaches that compromised millions of accounts containing sensitive customer data, and those incidents tarnished their reputations for years.

Common Challenges C-Suite Executives Face: Within Their Own Office

Perhaps surprisingly, many of the challenges c-suite executives face with cyberattacks sit within their own office: breaches of their own data and accounts, a lack of involvement and education in cybersecurity, and the difficulty of raising the visibility of the issue across the company. Executives' accounts are breached frequently because many executives have had little education on cybercrime and cyber defense, which makes them and their companies prime targets. Twenty percent of small business executives report never having been briefed on cybersecurity issues, compared with zero percent of executives at large organizations, so the leadership of many organizations lacks institutional knowledge of how to combat cyberattacks. Only 25 percent of surveyed board members were involved in reviewing cybersecurity threats, and a recent PwC report found that 50 percent of business and IT professionals wanted stronger cybersecurity measures across departments.

C-suite executives themselves are prime targets. Although they may not consider themselves targets, executives are 12 times more likely to be targeted in a cyberattack than other employees in the same company, and nine times more likely to be the target of social-engineering attacks than in previous years. A global survey found that 40 percent of organizations name their c-suite executives as their top cybersecurity risk. Cybercriminals view executives as easy, lucrative targets.

Why are c-suite executives such easy targets? They are more mobile and travel frequently, have access to sensitive company data, enjoy laxer security constraints than other employees, use multiple mobile devices across different networks, and are often surrounded by people who could leverage their access to the executive for material gain. Executives are particularly vulnerable to phishing. Verizon's Data Breach Investigations Report, drawing in part on FBI data, found that 71 percent of breaches were financially motivated: attackers sought to extract employee data, steal intellectual property, deploy ransomware, or defraud executives directly for money.

As leaders of the company, c-suite executives can raise the profile of the problem by arranging training on cyberattacks for employees, executives, and board members, and by making prevention a standing topic of discussion. Other studies have shown a concerning disconnect between c-suite executives and their IT departments on cyberattack prevention, a gap that has led to devastating data breaches.

Industry Best Practices

While there is no single playbook for preventing cyberattacks, the following industry best practices reduce the risk of an attack and improve an organization's understanding of cybersecurity.

  1. Strengthen authentication. A company can beef up password security by requiring multi-factor authentication (MFA) for every login and by requiring passwords to be changed promptly whenever a compromise is suspected. Note that current NIST guidance (SP 800-63B) no longer recommends forcing routine password changes on a fixed schedule, since that tends to produce weaker, predictable passwords; screening new passwords against lists of known-breached passwords is the better control.
  2. Reduce third-party access. Third-party software and vendor connections expand the attack surface and have enabled many breaches, so limit them to what is needed. Companies can also, though it is rarely popular, ban employees from using public Wi-Fi with company devices and instead provide a company Virtual Private Network (VPN) for remote connections.
  3. Reduce the cost of a successful attack. Companies should purchase cyberattack-specific liability insurance, which most often covers the cost of third-party incident response services and victim restitution.
  4. Greater c-suite involvement in cybersecurity. Have the c-suite participate in incident response exercises to build their understanding of how attacks unfold and how they are contained. Executives should adopt a cybersecurity mindset, which raises the importance of prevention across the company, and management should be trained to understand the risks of a breach and its implications in both IT and cost terms.
  5. Increase cybersecurity education. Everyone in the company should complete cybersecurity training; improving employees' understanding of cyberattacks and how to avoid them is one of the most effective ways to raise security.
  6. Harden internal systems. Keep software patched and up to date before an attack, so that an intruder finds fewer weaknesses to exploit and the impact of any breach is limited. Grant access to data, programs, and software on an as-needed basis (least privilege), which reduces the number of people who can reach sensitive areas.
  7. Stay updated on changing laws and regulations. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. Even if your business is not located in California, the CCPA likely applies if your business operates in California, collects personal information of California residents, households, or devices, and meets at least one of these criteria: it buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices annually; it has annual gross revenue exceeding $25 million; or it derives 50 percent or more of its annual revenue from selling consumers' personal information. If your company is subject to this law and a cyberattack exposes personal information, you could face a lawsuit if you neglected to take reasonable cybersecurity steps to protect the data. Laws of this type will likely spread to other states over time.

Guidelines for Risk Management

While industry best practices improve day-to-day cybersecurity operations, companies must also adopt guidelines for risk management. Many companies have embraced the following "Threat-Based Cybersecurity Guidelines for Improved Business Results" framework. Rather than reinvent the wheel, here are the ten guidelines that consulting firms most often recommend:

  1. Hire an independent firm to conduct some or all of the following advanced diagnostics: email threat assessment, network and endpoint threat assessment, vulnerability assessment, penetration testing, spear-phishing test campaign, red-team security assessment, security software tools assessment;
  2. Hire a dedicated Chief Information Security Officer (CISO) who reports to the CEO or General Counsel to develop a sound cybersecurity and data privacy risk management program tailored to the specific cyber threats facing your organization;
  3. Encrypt sensitive data at rest and in transit, and require multi-factor authentication, including biometrics where appropriate, for access to it;
  4. Provide timely and effective cybersecurity education and training programs for the entire organization, top to bottom;
  5. Implement a timely and effective software security patch management program;
  6. Ensure the organization has developed and implemented a robust information governance program to map, track and secure all data assets;
  7. Review and periodically test the organization’s Incident Response Plan;
  8. Review and periodically test the organization’s Business Continuity Plan and Disaster Recovery Plan;
  9. Conduct or outsource 24x7x365 managed detection and response (MDR) of the organization’s information systems, networks, endpoints, software applications, and email systems using the most advanced machine learning and artificial intelligence applications; and
  10. Verify the compliance of the organization and all supply chain partners with all cybersecurity and data privacy regulatory requirements by using independent compliance and risk assessments conducted by qualified firms.

Long-Term Solutions in Cetrom’s Cloud-Hosting Platform

One positive development from the increase in cyberattacks is that cloud-based platforms have become far more sophisticated and accessible than in the past. Cetrom offers long-term protection against cyberattacks through its cloud-based IT solutions: round-the-clock support that takes the burden off in-house IT teams, enterprise-level security to prevent and mitigate attacks, the mobility and flexibility to access data anywhere and from any device, and cost-effective, predictable pricing.

A cloud-based solution offers many benefits, but it also has drawbacks. As more firms migrate to cloud-based systems, attackers target those platforms more often. Common causes of cloud breaches include cloud misconfigurations (for example, storage left readable by anyone on the internet), incomplete data deletion, and vulnerable cloud applications. With a provider that manages the platform, however, firms can prepare for and adapt to these risks more effectively.
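To make "cloud misconfiguration" concrete, here is an added example (not Cetrom's code and not from the original post) that scans a storage-bucket access policy for grants to anonymous principals. It assumes the AWS S3 bucket-policy JSON format, which the page does not name; the two policies, the bucket name, and the account and role identifiers are constructed samples. The weak policy lets anyone on the internet list and read the bucket; the hardened one limits reads to a named role and denies any connection that is not encrypted in transit.

```python
"""Scan a storage-bucket access policy for anonymous (public) grants.

Format assumption: AWS S3 bucket-policy JSON. Both policies, the bucket name
and the account/role identifiers below are constructed for this example.
"""
import json

BUCKET = "arn:aws:s3:::client-tax-returns"

# Weak setting: an Allow statement whose Principal is "*" lets anyone on the
# internet list and download every object in the bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
})

# Hardened setting: reads are limited to one named IAM role, and a Deny with
# Principal "*" refuses any request that is not over TLS. That Deny is not a
# public grant, so the scanner must not report it.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FirmStaffOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/TaxStaff"},
            "Action": "s3:GetObject",
            "Resource": BUCKET + "/*",
        },
        {
            "Sid": "DenyUnencryptedTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal) -> bool:
    """True when the Principal element means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy_json: str) -> list:
    """Return one finding per Allow statement whose principal is anonymous.

    Each finding is (Sid, actions, has_condition). A Condition can narrow a
    public grant (e.g. to a source IP range) but does not make it non-public,
    so conditioned grants are still reported for manual review.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue   # Deny statements with "*" are how restrictions are enforced
        if not is_anonymous(stmt.get("Principal")):
            continue
        findings.append((
            stmt.get("Sid", "<no Sid>"),
            tuple(_as_list(stmt.get("Action", []))),
            "Condition" in stmt,
        ))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_grants(policy) or "no public grants")
```

A check like this belongs in the pipeline that deploys the configuration, so that a public grant is caught before it is applied rather than discovered later in a breach notification.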

Despite these downsides, the advantages of a cloud-based system far outweigh the disadvantages. A managed cloud platform is constantly patched, monitored, and evaluated by dedicated staff who are on call to watch for attacks and weaknesses. Subscribing to such a system from an outside provider also conserves the firm's resources, since neither IT staff nor company funds have to be diverted to run the infrastructure.

Key advantages include:

  • Providing a stable, predictable budget for data security
  • Taking the burden off the firm’s IT department and freeing up resources
  • Monitoring and scanning for vulnerabilities 24/7/365
  • Constantly updating the platform with the latest software and technology
  • Creating cost-efficient, secure, and reliable services
  • Using the latest AI-based security technology
  • Providing excellent customer service tailored to the client’s needs
