CPAs have been heavily dependent on the use of technology, especially during the COVID-19 pandemic. Unfortunately, cyber criminals are seizing on this as an opportunity to gain access to confidential databases, using phishing and social engineering schemes. Some cyber criminals seek to sell data on the dark web. Others attempt to commit theft through wire transfers purportedly requested by clients at CPA firms or accounting department staff or by demanding ransom payments. While CPAs are well aware of the need for data security and secure client portals/VPNs, they should also recognize the increased risk due to remote employees using technology in their homes.
Home routers can be especially vulnerable. In a December 2020 ThreatPost.com article, vulnerabilities were discovered in home routers manufactured by D-Link, a key supplier of routers for home use. Routers that are improperly configured or use default settings can be easily breached, so it’s best to ensure that employee home routers are patched with the latest firmware to withstand malware infections.
Use of employee-owned devices for business can also expose an organization’s data which is why all companies should have a written policy on the use of personal devices to conduct company business and have systems in place to enforce security measures.
Here are some points to consider:
- Business conversations should be conducted through the use of secure technology recommended by the company.
- Avoid using SMS text and voice-based multi-factor authentication systems on cell phones, which Microsoft recently identified as a system security vulnerability, potentially exposing other data stored on phones.
- Staff should be provided with training on how to secure devices prior to logging into a public WiFi network. Using a company VPN provides additional security when using a public WiFi network, but it isn’t foolproof.
- Operating virtually also requires an increased focus on providing staff and management with the necessary tools and education. Revisit existing organization policies on the use of technology and maintaining privacy/security over confidential information. As the nature of privacy breaches continues to evolve, training on privacy/security should be continuous, rather than an annual exercise.
- Given the danger of privacy breaches associated with working remotely, there is also an increased risk of claims against management alleging a breach of fiduciary duty for failure to maintain adequate data security. Individual firm managers can be held personally liable for such claims by a variety of parties, including owners, partners, shareholders, staff, clients, competitors and vendors.
Accordingly, organizations need to understand the risks associated with their data security decisions. Management should reach out to known and fully vetted third-party consultants to help construct and monitor data security protocols. Contracts with third-party vendors should contain language that the vendor will maintain cyber insurance coverage throughout the engagement and sometime thereafter and, if you can get it, to defend and indemnify the organization for breaches as a result of their advice.
Implementing the aforementioned protocols along with ongoing consultation with a cross section of specialized management, technical, legal and insurance experts can help mitigate cyber risk.