Cetrom Support fixed all of my problems, their engineers are very professional, courteous, friendly and very efficient. If all customer service out there was like this, it would be a better world...
- Mid-sized
At Cetrom, we’re 100% focused on protecting CPA firms. All of our cybersecurity and cloud services are specifically designed to protect and cater to CPA firms. Our strength is understanding CPAs unique business needs as well as the top cyberthreats that they face. Due to their role in hosting important financial data, hackers are increasingly targeting CPA firms.
The cost of data breaches can be enormous. Between compromised financial data, shutting down business, legal repercussions, and loss of client trust, cyber hacks are one of the biggest risks most CPA firms face today. Look out for these top cyberthreats and be sure to take proper security measures to stop them.
Types of Cyber Threats Targeting CPA Firms
There are a wide range of cyberthreats that target CPA firms. They vary in how they attack and their ultimate goal. Some seek to steal unprotected data, others aim to shut down your systems, and others pretend to be a trusted source. The attacks commonly want money or information or power that can be turned into financial compensation.
While a few threats are sophisticated enough to sneak through security defenses, research shows that up to 90% of all breaches are caused by user error. For CPA firms, these attacks focus on social security numbers, financial information, passwords, and increasingly, tax returns. Even more concerning is the fact that many of these attacks target small to medium sized firms that may not have the same level of cyber security, training, or data protection. The following are some of the top threats to CPA firms.
Malware: This is a broad term to describe a number of harmful types of software that can infect a computer and network. It’s one of the most common types of attacks, and usually implants due to a user opening a harmful link. Of particular concern for CPA is the fact that there are several types of malware programs that target banking information and indications are that these types of attacks are increasing in prevalence. Depending on the type, malware can cause havoc in a number of different ways including stealing information, shutting down access to parts of the system, installing additional software, and even shutting down the whole system.
Phishing: Phishing attacks steal sensitive information through the use of fake communications that may appear real – like in emails, phone calls, texts, or websites. They can steal important data or use their access to install harmful malware software. Phishing attacks rely on users believing the communication is real and often play into human emotions like fear, greed, and urgency to force action. There are ways to recognize and avoid phishing scams, and most precautions urge users to double-check the veracity of a communication and to take time before clicking links or disclosing information.
Today, the most common types of attacks fall into a variety of phishing and malware scams. However, there are other less common but equally harmful threats facing CPA firms.
Denial of service: This attack, called DoS, overwhelms a system with traffic and effectively shuts down that firm’s ability to do business. Similar to a ransom, the attackers will ask for information, money, or something else in order for the attack to stop. These attacks can also be done as a disguise for another type of attack that occurs simultaneously.
Watering hole: This attack doesn’t target the firm specifically, but does an end around through other, less secure websites used often by employees. They then infect that site with malware which then attacks the firm’s system after an employee visits that site. Watering hole attacks are challenging because they often use websites that may in fact be legitimate.
SIM Card swapping: SIM Card swapping is another tactic hackers use that is on the rise. Even more so overseas but we’re also seeing in the US.
Cetrom recommends using authenticator apps as the most secure method of 2FA. Most apps for personal social and banking have 2FA options (e.g., DUO, Google Authenticator). SMS or phone authentication is not recommended as hackers are tricking carriers into porting phone numbers to new devices in a move called "SIM swap".
Other, technical attacks: While the majority of attacks rely on mistakes to gain access to a system, some attacks simply sneak through or overpower cybersecurity protections. Some use artificial intelligence and machine learning to get in. The structured query language (SQL) injection uses sophisticated coding to gain access. Still other attacks include crypto jacking, zero day exploits, and DNS tunneling to disrupt your system and steal money and information.
Are these attacks preventable?
The wide variety of attacks is concerning, especially for smaller CPA firms. While phishing and malware are the most common types of attacks there are still several varieties and methods that CPA firms need to protect themselves from. The good news is that through proper security measures, user training, and best practices, many of these attacks can be avoided and the damage minimized if they manage to get through.
Conduct company cybersecurity training: this isn’t the most glamorous or technologically advanced prevention system, but it still might be the most effective. Even the best walls aren’t effective if the enemy is let in through the gates. Training employees and creating a culture where security is valued can go a long way toward preventing successful cyber-attacks. Of special importance for CPA firms is multiple layers of confirmation for money transfers, password protection of all client data and files, email security and discerning emails that shouldn’t be opened, and recognizing the signs of phishing scams. Other best practices include exercising skepticism for all unknown communications, inspecting emails and attachments, looking for hacked accounts that may appear legitimate but behave unnaturally, and taking extra precautions when working remotely.
Protect and backup data: To a hacker, a CPA firm’s data is one of the most valuable and sought-after assets. That’s why protecting all data through layers of encryption and passwords is a best practice. And make a policy of only providing access to data on a limited basis to ensure that if one user is compromised the negative impact can be contained. Firms should also get in the habit of keeping as little data as necessary and deleting past client data and other aged files.
Run risk assessments and tests: This task can be done by your security team behind the scenes but can also be done more openly toward front-line employees. Sending mock phishing emails or other communications to see how many people fall for them is one good example. You can also hire contractors who will look objectively at your system and expose known weak points. This prevention method can also include creating SOPs and procedures for data protection and phishing and malware prevention. The process looks like 1) plan for security protections, 2) implement the safeguards, 3) test the effectiveness, 4) repeat step one correcting for potential weaknesses.
Invest in premier cybersecurity: given that using multiple AI security technologies detect different types of threats be sure that your cybersecurity package uses both AI and machine learning. AI in combination with security experts available around-the-clock ensures that potential attacks are thwarted early, and any successful attacks are stopped before they can cause serious damage. The best security firms will protect you from attacks, are available when needed, and look at security on an organization-wide level and not just the technical side.
Bottom Line
Even small and medium-sized less profitable and less technologically advanced CPA firms are at risk for cyberattacks. Phishing and malware attacks are the most common and rely on users making errors that allow the attack to succeed. Given the valuable information that CPA firms hold, they should be especially proactive in preventing attacks.
In addition to powerful cyber security technology, they can protect data, implement strong cybersecurity training and security best practices for employees, and periodically test the system for weaknesses. Even though the risk is real, with precautions CPA firms can continue to do what they do best while knowing they’re protecting themselves from cyber-attacks.
Reach out to us. We’d love to learn more about your IT needs and challenges. Your security is Cetrom’s #1 priority.
