Cybersecurity: A Primer for Accounting and Finance Professionals

by Kirsten Duke | Jan 15, 2019

As the CFO of a cyber threat intelligence company, I am often asked what we as accounting and finance professionals need to know about cybersecurity.

Cybersecurity is a challenge all companies and individuals face today. As an accounting and finance professional, you have the opportunity to become a trusted cybersecurity advisor within your organization and/or to your clients. It is critical for all organizations to manage cyber risks to ensure the security of their and their clients’ data.

Cyberattacks are increasing in volume and sophistication worldwide. The threat landscape changes rapidly, with bad actors constantly adapting their tactics and often staying one step ahead of security measures. This complexity and pace of change can make cybersecurity an intimidating topic.

However, it is critical that we as finance and accounting professionals understand the risks so we can take appropriate measures to mitigate them. Unfortunately, in today’s world, due to our reliance on connecting our systems and devices to the Internet, it is not “if” an attack will happen but “when.”

What is cybersecurity?

Cybersecurity, also known as information technology security, is the practice of protecting data, computers, servers, networks, and mobile devices from unauthorized access or attacks.

Why is cybersecurity important to understand?

Consider the costs associated with a breach or an event in which confidential data, such as credit card numbers or names and social security numbers, has been viewed or stolen by an unauthorized individual. The Equifax breach cost Equifax over $400 million; the Target breach cost Target over $160 million; and the Yahoo breach affected three billion user accounts and impacted the sale of Yahoo to Verizon. Most recent publications estimate the average cost of a data breach to an organization to be $3.86 million. However, more serious breaches can cost hundreds of millions of dollars, as evidenced by breaches such as Equifax and Target.

Consider the risks associated with all the devices and software connected to the Internet we use every day. Most organizations are using some sort of cloud computing service – Amazon Web Services (AWS) compute and networking services, or software such as QuickBooks Online or NetSuite, to name a few. Companies store immense amounts of sensitive data in the cloud, which can increase the potential for security vulnerabilities.

Further, employees have personal mobile devices on which they store work-related email, access employer server systems, and connect to corporate networks. Mobile applications may have additional security risks, and companies must rely on their employees to make good decisions with respect to how they use their mobile devices.

What are some common cyberattacks to be aware of?

  • W-2 scams: Financial and HR professionals are tricked into divulging employee W-2s, which are subsequently used to file false tax returns for refunds.
  • Wired money scams: Individuals are tricked into wiring money to organizations controlled by the cyberattackers.
  • Theft of credit card information: Cyberattackers use various techniques to access credit card information or other sensitive information.
  • Theft of login credentials: Cyberattackers steal online login information to steal services, access online banking accounts (and drain them), or for other nefarious purposes.
  • Holding data or systems for ransom: Cyberattackers may lock up a single computer using ransomware or entire networks via a DDoS attack (details below) until a ransom is paid.

What are some of the techniques that are used for these cyberattacks?

  • Malware is malicious software designed to inflict harm on a system and can be downloaded into systems via email attachments or from websites.
  • Ransomware is a subcategory of malware that attackers use to lock up a target computer and demand a fee for the release of captured data.
  • Spyware is another subcategory of malware that runs without the person’s or organization’s knowledge and can watch what actions the user takes on the computer. This can be used to steal passwords or banking credentials.
  • Phishing exploits the “human error” factor by manipulating unsuspecting users into divulging sensitive or personal information, or enticing them to click on links that download malware. One common example is when a user receives an email that appears to be from a bank and asks the user to confirm his or her account credentials. The email may contain links that appear to go to the bank’s website but instead direct the user to the threat actor’s servers, where malware is downloaded onto the user’s computer.
  • Spearphishing is a form of phishing that is generally delivered via email and targets a specific individual, organization, or business. It may include social engineering, based on readily available information about the victim, to tailor the attack to that victim.
  • Vulnerability exploitation is a technique that takes advantage of bugs in software to obtain access to computer systems for malicious purposes.
  • A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt normal traffic to a targeted server, network, or service by overwhelming the target with a flood of Internet traffic, typically using other compromised computer systems to carry out the attack.

How do we protect ourselves and our organizations and advise our clients?

A high percentage of successful attacks occur due to the human error factor, which means education is the first step and key to defending against attacks.

Things you can do to help as an individual:

  • Work with your IT organization to keep all of your computers and systems patched and updated.
  • Use a complex, alphanumeric password and, if available, use two-factor authentication.
  • Change your passwords regularly and don’t use the same password for multiple sites. Use a password manager.
  • Do not open emails or attachments from unfamiliar sources, even if they look official or important.
  • Do not install or connect any personal software or hardware to your company’s network or computer systems without permission from the IT department.
  • Do not run unexpected executable files from the Internet, even if obtained from websites you trust.
  • Do not give data about your company, its systems, or login credentials to anyone who is not authorized to have that information.
  • Report all suspicious or unusual problems (pop-ups, pornography, ads, unusual system slowness, etc.) with your computer to your IT department.
  • Most importantly, ensure all your employees and/or clients are trained and educated about the threats and how attacks are most commonly carried out. Ensure they know to immediately contact their IT department if they suspect their system has been compromised.

Does your organization and/or your client have a network security plan in place?

Network security plans can be outsourced or developed in house. The first step to establishing a network security plan is to identify all sensitive information systems and assess the risk associated with each of them. Consider where confidential data such as customer information, trade secrets, and personal information of employees is stored.

Next, perform an analysis to assess the security measures in place to protect the confidentiality, integrity, and availability of the identified confidential information and systems. Access levels for data or system users should be reviewed. Individuals should only have access to data or systems if it is necessary to their role. Implement an Incident Response Plan and make sure that all employees are familiar with its protocols. Security policies should be established and employees trained on those policies. Most importantly, all employees need to be educated to raise awareness of the risks associated with a cyberattack.

An additional consideration is whether your organization or your client has cybersecurity insurance. There are a number of policies available to reduce the financial exposure of a cyberattack.

While implementation of these measures comes at a cost, it is a drop in the proverbial bucket compared to the cost, both fiscal and reputational, of remediating a successful cyberattack.

Kirsten Duke, CPA, CGMA, is Chief Financial Officer at DomainTools and 2018-2019 Chair of the WSCPA Board of Directors. You can contact her at kirsten@domaintools.com.

This article appeared in the winter 2019 issue of the WashingtonCPA Magazine.
