How to Create a Relevant Cybersecurity Strategy
The cybersecurity landscape is always changing: Between 2019 and 2020, ransomware attacks rose by 180 percent in North America alone, according to a 2021 report by cybersecurity firm SonicWall. The total global cost of damages from ransomware attacks is projected to exceed $20 billion in 2021, and the total global cost of cybercrime damages is predicted to soon be $6 trillion annually.
For organizations and individuals, creating protections against ever-evolving, ever-multiplying faceless criminals that steal identities and shut down businesses remains a challenge. The meteoric rise of ransomware attacks is just one facet of cybercrime proliferation amidst the pandemic that is creating an environment in which even newly developed cybersecurity risk management strategies are already outdated.
Charles Seets, Jr., partner and principal with Ernst & Young, says the cyberthreat landscape will never stop evolving.
“If we’re connected to the internet, we’re vulnerable, and threat actors know that. They’re operating relatively anonymously and often outside the reach of the law. It’s a complicated environment in which to defend ourselves,” Seets said.
For CPAs and finance professionals, the threat is especially ominous: You hold the key to troves of very important, very private financial data. It’s therefore essential to do all you can to stay ahead of cybercriminals for as long as possible.
Your Cybercrime Guide
The first step toward protecting yourself and your organization is understanding what you’re up against. Here’s an overview of some of the most common cyberattacks:
Malware: This is a portmanteau that comes from malicious software, and it includes spyware, ransomware and viruses. Malware breaches a network through a vulnerability, typically via a dangerous link or email attachment. Once inside the system, malware can block access to key components of the network (ransomware), install malware or additional harmful software, covertly obtain information by transmitting data from the hard drive (spyware), disrupt certain components and even render the entire system inoperable.
Phishing: This is sending fraudulent communications, usually through email, that appear to come from a reputable source. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.
Man-in-the-middle (MitM) attack: Also known as an eavesdropping attack, a MitM attack occurs when attackers insert themselves into a two-party transaction. Once the attackers intercept the traffic, they can steal data. Unsecured public Wi-Fi is a common point of entry.
Denial-of-service attack: This kind of attack floods systems, servers or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to function normally. Attackers can also use multiple compromised devices to launch this attack; this is known as a distributed-denial-of-service attack.
Zero-day exploit: This attack occurs after a network vulnerability is announced but before a patch or solution is implemented, taking advantage of the disclosed vulnerability before it’s fixed.
“If you’re not following breaches in the news and then conducting case studies and tabletop exercises about those cybercrime strategies, you’re not getting crisis-ready,” says Jonathan Marks, CPA, CFF, CITP, CGMA, CFE, partner and firm practice leader of global forensic, compliance, and integrity services for Baker Tilly US LLP.
“If the smoke is ultimately a fire, what do you do? What’s the plan and protocol? If you need remediation, who do you call? These are all keys to avoiding a business interruption.”
It Could Happen to You
One of the biggest risks in cybercrime is believing that it won’t happen to your organization—a mindset called “perfect place syndrome.” But from the smallest nonprofit organizations to the largest corporations, criminals aren’t discriminating.
“Our increasing dependence on networks and the growing pools of personal financial information being stored online exposes individuals to privacy violations and institutions to huge liabilities when a data breach occurs—that’s when a breach occurs, not if,” Marks said.
Smaller organizations in particular shouldn’t fall victim to perfect place syndrome and slack off on cybersecurity.
“Small businesses might not be able to afford the best technology or an in-house IT team, but everyone can take certain steps and measures. Outsource some of your infrastructure. Get someone to help you,” Marks said.
The only choice organizations have is to evolve faster.
“Experts have been saying for years that cyberattacks will increase in number and sophistication despite what we do to protect ourselves. Advances in technology make it even easier for criminals. It’s going to continue to evolve,” said Donny Shimamoto, CPA, CITP, CGMA, founder and managing director of IntrapriseTechKnowlogies LLC.
The Layers of Defense
There’s no single best cybersecurity strategy, but all organizations should shore up both their technological and human defenses. Shimamoto said good cybersecurity strategy should be like an onion: multiple layers of protection to deter criminals as they encounter obstacle after obstacle. A firewall, the outermost layer, will check emails and attachments for phishing links and viruses. These days, antivirus software can actually detect if a virus is starting to encrypt files and, if so, roll the virus back.
Too often, however, organizations rely solely or primarily on technological protections, incorrectly thinking a firewall and antivirus software are enough while failing to educate or prepare people within the organization.
One of the most critical layers to cybersecurity is training people to spot red flags. It sounds simple, and yet a survey of more than 1,000 IT professionals by automation company Ivanti revealed that 74 percent of companies have fallen prey to a phishing attack in the past year. More than one in three respondents said that a lack of technology and understanding among employees was the main cause for the increase in successful phishing attacks.
“Whether we want to admit it or not, our own employees are constantly and inadvertently opening the door to cyberthreats,” Seets said.
Even organizations that train employees on cybersecurity likely aren’t doing it frequently enough. Shimamoto said the rapid and constant evolution of cybercrime makes quarterly or even monthly mini-training sessions necessary for keeping awareness high. After all, one of the most effective protective measures against cybercrime is training employees to have good cyber hygiene.
Cyber hygiene refers to best practices for cybersecurity, which cover everything from browsing Instagram on our phones to opening work emails in our offices. Good cyber hygiene makes information flows more secure and makes the response to and recovery from a breach more effective.
Good cyber hygiene practices for all organizations include:
- Knowing where critical data is stored and housed.
- Building and maintaining a secure network, including a firewall and strong password requirements.
- Encrypting data.
- Maintaining a vulnerability management program that includes regularly updating antivirus software and other types of preventive software.
- Utilizing controls to restrict data access based on roles and identification.
- Having an information and security policy that covers employees, contractors and third parties.
- Implementing software patches and updates as soon as they’re released.
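Two of the hygiene items above, knowing where critical data is housed and restricting access by role, translate directly into code. The following is an added example written for this article, not code from the article or from any firm quoted in it. It models a small finance-data inventory with a deny-by-default, role-based access check that writes every decision (granted or refused) to an audit trail, and a password-policy check for the "strong password requirements" item. All role names, datasets, storage locations, users and the breached-password list are constructed for illustration; a real deployment would take them from its own inventory and a breached-password feed.

```python
"""Least-privilege access check and password-policy check for finance data.

Added example, not part of the original article. Roles, datasets,
locations, users and the breached-password list are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# Constructed role -> permission mapping. Deny by default: any
# (action, dataset) pair not listed here is refused.
ROLE_PERMISSIONS = {
    "auditor":    {("read", "ledger"), ("read", "payroll")},
    "bookkeeper": {("read", "ledger"), ("write", "ledger")},
    "hr":         {("read", "payroll"), ("write", "payroll")},
    "intern":     {("read", "public-reports")},
}

# Constructed data inventory: where each dataset lives and how sensitive it is
# (the "know where critical data is stored" hygiene item).
DATA_INVENTORY = {
    "ledger":         {"location": "db-finance-01", "classification": "confidential"},
    "payroll":        {"location": "db-hr-02",      "classification": "restricted"},
    "public-reports": {"location": "web-share",     "classification": "public"},
}


@dataclass
class User:
    name: str
    roles: set
    mfa_enrolled: bool = False


@dataclass
class AuditEntry:
    user: str
    action: str
    dataset: str
    allowed: bool = False
    reason: str = ""
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def check_access(user, action, dataset, audit_log):
    """Decide whether `user` may perform `action` on `dataset`.

    Returns (allowed, reason) and appends an AuditEntry either way, so
    refused attempts are visible to whoever reviews the log.
    """
    entry = AuditEntry(user=user.name, action=action, dataset=dataset)
    info = DATA_INVENTORY.get(dataset)
    if info is None:
        entry.reason = "unknown dataset (not in inventory)"
    elif not any((action, dataset) in ROLE_PERMISSIONS.get(r, set())
                 for r in user.roles):
        entry.reason = "no role grants this permission"
    elif info["classification"] == "restricted" and not user.mfa_enrolled:
        # Extra control on the most sensitive class: MFA enrolment required.
        entry.reason = "restricted data requires MFA enrolment"
    else:
        entry.allowed = True
        entry.reason = (f"granted via role(s) {sorted(user.roles)} "
                        f"on {info['location']}")
    audit_log.append(entry)
    return entry.allowed, entry.reason


# Constructed stand-in for a real breached-password feed.
KNOWN_BREACHED = {"password123", "welcome2021", "letmein!"}


def password_meets_policy(password, min_length=12):
    """Return a list of policy failures; an empty list means acceptable."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        failures.append("needs at least three character classes")
    if password.lower() in KNOWN_BREACHED:
        failures.append("appears in known-breached list")
    return failures


if __name__ == "__main__":
    log = []
    alice = User("alice", {"auditor"}, mfa_enrolled=True)
    carol = User("carol", {"hr"})            # not yet enrolled in MFA
    for who, action, ds in [(alice, "read", "payroll"),
                            (alice, "write", "ledger"),
                            (carol, "read", "payroll")]:
        print(who.name, action, ds, "->", check_access(who, action, ds, log))
    for e in log:
        print(e.timestamp, e.user, e.action, e.dataset, e.allowed, e.reason)
    print(password_meets_policy("password123"))
```

The audit trail is the part most often left out of home-grown access checks; recording refusals as well as grants is what lets a reviewer notice an account probing for data it has no business reading.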
Organizations must use technological protections effectively while also keeping their employees educated on what cybercriminals’ latest schemes are. Balancing technology with the human element is the best way for organizations to keep their cybersecurity strategies relevant and effective.
Beyond IT
Shimamoto recommends thinking about cybersecurity as a business issue rather than just an IT responsibility.
“This is really about your business, your customers and your employees. The impact of a cyberbreach reaches far beyond the scope of IT,” he said.
While there may be fines and regulatory matters to address after a breach, the biggest loss at stake is trust, according to Seets.
“Trust is fundamental to any organization regardless of size. We need to inspire trust in our customers, regulators, insurers and employees. If we can’t trust each other, it’s going to be more difficult to do business going forward,” Seets said.
Starting now, any new services or products should have a cybersecurity risk management approach built in from the outset.
“Anything a company intends to do proactively, whether that’s a new product or service, entering a new market, executing a transaction or upgrading technology, has to incorporate cybersecurity in development and buildout. It’s difficult to bolt cybersecurity on after the fact, and threat actors will take advantage of that. Those who can infuse security at the beginning stand a better chance of executing a successful rollout,” Seets said.
As cybercrime continues to increase and criminals become bolder, everyone must work to protect themselves and their organizations, and CPAs can play a special role in this.
“This isn’t just about IT risk—it’s about enterprise risk, and all of us connected to the enterprise play a part. CPAs understand systems, processes, and controls. We can lean into the conversation and contribute to corporate America raising its cybersecurity game in a collective effort to defend what we’ve created,” Seets said.
This article was originally published on the Illinois CPA Society’s website.