
Cyber Security: Can You Repel a Sophisticated Cyber Attack?

Written by: Cameron G. Shilling

Published in MA Society of CPAs' SumNews (November 2020)

Accountants are prime targets of cyber crime. You are an enticing target because you possess large quantities of sensitive personal, financial, and tax information highly valuable for identity and financial theft, and you have the information and credentials necessary for criminals to generate fraudulent tax refunds in the names of your clients. Moreover, you are a vulnerable target because, unlike large institutions, you have less time and money to invest to ensure that all your security controls are strong enough to repel sophisticated cyber attacks.

Additionally, accountants face increasing regulatory pressure to adopt best-in-class protections for client information. Such pressure emanates not only from our home state (in the form of M.G.L. Chapter 93H and 201 C.M.R. Chapter 17), and from the Internal Revenue Service (in the form of I.R.S. Publication 4557), but also other states (like New York and California) and foreign jurisdictions (like the European Union and United Kingdom), which impose their laws on Massachusetts accountants who possess information about clients who are residents of those states and countries. Fines and penalties for failing to comply with these regulations are substantial, and typically follow a breach that was already painful enough.

It is imperative that accountants stay ahead of the cyber security curve. Ransomware, phishing, and malware exploit the tiniest of gaps, resulting in the exposure of sensitive client information or crippling your business during the busiest of tax seasons. To reduce these risks, accountants must operationalize cyber security by: (a) conducting annual risk assessments with outside cyber security professionals, (b) identifying and mitigating all existing and potential vulnerabilities and threats, (c) implementing appropriate written policies and procedures, and (d) providing topical training to employees several times per year.

However, in addition to those routine processes, you also need to ensure that you have implemented advanced safeguards that can repel sophisticated cyber attacks. Simply put, your risk exposure means that you need to up your game. The following are a few examples of advanced controls that accountants should be implementing.

  1. Advanced Threat Detection: Anti-virus/anti-malware is old news, and largely ineffective against modern ransomware and malware. The current standard is to implement an application that detects anomalous activity, prevents the activity from occurring further, and quarantines infected data and systems. In fact, having multiple such applications may be necessary to ensure protection against sophisticated attacks.
  2. Multi-Factor Authentication: Passwords alone are not a particularly effective safeguard, because people too often use weak passwords that can be readily cracked, and use the same password on multiple accounts, enabling hackers to steal credentials for multiple systems by attacking one weak account. Multi-factor authentication requires both a password and another means of authentication, such as a device that is registered with the account, a code sent to a device registered with the account, or a biometric unique to the person permitted to access the account. Multi-factor authentication is not cutting-edge technology. However, accountants often do not have it implemented on all network and cloud applications that contain client information, such as email, tax preparation and filing systems, cloud storage accounts, and data transmission applications.
  3. Encryption: Encrypting data transfers and electronic devices is not optional. Accountants must transmit sensitive information only via secure file transfer protocol (SFTP) links or portals or encrypted email. Similarly, you must ensure that data is encrypted on all laptops, tablets, smartphones, USB/external drives, and other devices that are mobile. For example, employees should use only firm-owned and managed laptops with encrypted hard drives, the firm should deploy a mobile device management (MDM) application that manages client information on tablets and smartphones, and firm computers should scan and encrypt all USB/external drives connected to them.
  4. Vendor Management: Your client information is only as secure as your weakest vendor. Accountants and accounting firms rely on vendors to provide critical services, including tax preparation and filing systems. You need to conduct appropriate due diligence to ensure that every vendor that receives client information has adopted cyber security safeguards at least as protective as the controls you are required to implement. You also need to enter into a data security agreement with each such vendor to contractually solidify those safeguards as well as impose appropriate obligations and liability in the event of a breach.

Implementing the controls necessary to repel sophisticated cyber attacks can seem like a daunting task, particularly for individuals who are not trained in this area. However, ignoring the problem will not make it go away, and only invites a disaster. Effective cyber security can be accomplished by partnering with outside experts, and then committing to assessing your risk and implementing advanced safeguards to protect yourself and your client information.

Cam Shilling founded and chairs McLane Middleton’s Information Privacy and Security Practice Group. The group assists businesses and private clients to improve their information privacy and security compliance, and address any security incident or breach that may arise. He can be reached at [email protected].
