
Optimal cybersecurity protocols

A comprehensive guide for CPAs

By Jon Melloy, Practice Protect

October 11, 2023

Looking back on the past year, one thing is abundantly clear from a cybersecurity perspective — there has been a significant increase in global data breaches and cybercriminal activities. Cybersecurity concerns are making headlines more frequently, and the threats are ever-present.
 
One alarming trend is the rise of Business Email Compromise (BEC), leading to substantial financial losses as reported by authorities in the United States and Australia. Small and medium-sized businesses — especially CPAs — have become prime targets for hackers due to the valuable information they handle and the relatively lower risk of attracting attention.
 
Given these challenges, it's crucial for CPAs to be well-informed about cyberthreats and take proactive steps to mitigate the associated risks.

Understanding common cyberthreats

In today's constantly evolving digital landscape, cybercriminals are continuously adapting their tactics to infiltrate computer systems. While the methods they employ may vary, there are several common approaches that characterize most cyberattacks. Familiarizing yourself with these tactics is an essential first line of defense — and it won't cost you a thing.
 
Here are four prevalent and potentially harmful cyberthreats.

1. Social engineering

Social engineering involves manipulating individuals to divulge confidential information or grant unauthorized access to computer systems. Unlike traditional hacking, social engineering exploits human vulnerabilities.
 
For instance, attackers may impersonate trusted entities like government agencies or banks to coax people into sharing sensitive information. AI-powered tools have exponentially increased the sophistication of these types of impersonation attacks. In fact, a recent study revealed that 67% of email-based cyberattacks now leverage AI technology, making them more difficult to detect and defend against.
 
Accountants should exercise caution when sharing information or granting access, especially if they have doubts about the requestor's identity.

2. Targeted phishing

Phishing is a fraudulent scheme where scammers trick individuals into revealing sensitive details, such as passwords or credit card numbers. Hackers now employ targeted phishing tactics, aiming at industries with sensitive information and trusted payment partners.
 
Accounting firms often become targets of spear-phishing attacks, where hackers focus on the leadership within organizations. Executives have better access to valuable financial data and are more susceptible to attacks due to a lack of proper training. Be cautious not to click on suspicious links or provide personal information without verifying the source's legitimacy.

3. Business Email Compromise (BEC)

BEC specifically targets businesses, organizations and individuals involved in financial transactions. Attackers impersonate trustworthy individuals — like CEOs or vendors — to send false emails, tricking recipients into sharing confidential information or transferring funds. Accountants and bookkeepers are especially vulnerable because they handle sensitive financial data and are responsible for fund transfers. Vigilance is key in identifying potential BEC attacks.

4. Ransomware

Ransomware is malicious software that encrypts files, making them inaccessible. Attackers demand a ransom payment for the decryption key. Ransomware can have severe financial and reputational consequences. Perpetrators often use social engineering tactics to deliver ransomware, such as sending emails that appear legitimate but contain infected attachments or links.

Three pillars of cybersecurity to defend your practice

Effective defense against cybercrime attacks hinges on three pillars: the right technology, a well-educated team and comprehensive policies. Ensuring robust email access and application security, training your team to recognize threats and implementing sound policies are the key components to safeguarding your business from the evolving dangers of cybercrime.

1. Technology

Implementing technology helps add a vital security layer to all digital processes. For accountants and bookkeepers, this means managing user accounts, permissions and roles while enforcing security policies to ensure that confidential financial data remains accessible only to authorized personnel.
 
Prioritize access and password protection for all your applications using accounting-specific platforms like Practice Protect. This will ensure you effectively manage access across your team by having features in place like multi-factor authentication; advanced user and team permissions; IP, time, and location locks for email or application access; password cloaking and encryption; one-click user lockout; and controls for remote and third-party access.

2. Team

Remember, cybercriminals target people, not just technology. Investing in security products won’t be effective if your employees lack proper education. Train your team to recognize the common cyberthreats mentioned earlier. Teach them to report suspicious emails to security specialists and to avoid forwarding such emails.
 
There are public resources available on small business cybersecurity. Moreover, Practice Protect University’s security training provides valuable insights and training materials.

3. Policy

Create policies for critical processes. Update payment policies to require phone confirmation for new account details, reducing the risk of fraudulent transactions. Apply similar processes to clients with secondary confirmation procedures.
 
Review your insurance policy to ensure coverage for social engineering attacks like BEC. Also, establish clear IT and internet usage policies understood by all employees.

What's next for your firm

Cybersecurity may seem daunting, but it doesn't have to be. Examining vulnerabilities and implementing protective measures can be accomplished by any organization. Start by conducting a comprehensive evaluation of your current cybersecurity infrastructure and seek professional assistance when needed.

Jon Melloy serves as the head of growth for Practice Protect, the leading cybersecurity platform for accountants worldwide. With an extensive background in data security and the accounting industry, Jon works with accountants daily to ensure that their people, process, and software are positioned for security.