Overcoming the Challenge to Protect CPA Accounting Firms From Cyberattacks

Certified Public Accounting (CPA) firms are organized in the partner model. These firms are more than just a company; they are a collective of individuals with shared financial and professional stakes and goals.
Hackers targeting CPA firms profit from access to the firm's billing records, client accounting, and tax information, and from extorting and blackmailing the partners within the firm. Any breach of client record data is detrimental to a CPA firm, resulting in lawsuits, loss of client confidence, and possible suspension of its practice license. These breaches can also bring additional fines for firms that violate compliance and privacy mandates, including GDPR, CCPA, and HIPAA.
Developing and Sustaining a Cybersecurity Strategy
Like other consulting and engagement services firms, CPA accounting firms need help creating and sustaining a cybersecurity strategy. Keeping up with the global threat landscape, lowering operations costs, and meeting various compliance and privacy mandates remain constant challenges.
Protecting a CPA firm starts with safeguarding individuals. Employees need to protect access to their identities, including email accounts, passwords, social media accounts, and financial information. The quickest path to breach a CPA firm is to impersonate an employee.
Managing Through Partner Financial Dynamics
All partners in a CPA firm share the profits. These partners decide how much money to spend on overhead operations costs, including cybersecurity prevention capabilities.
Yes, some partners will look at the bottom-line profit implications when deciding how much the firm should invest in cybersecurity. Skimping on that investment ultimately leads to a cybersecurity breach, which is why all employees should begin by protecting their identity. Removing the ability of hackers to steal credentials and personal identities helps protect the accounting firm's critical data.
What are the Top 5 Cyberattack Methods Against CPA Firms?
CPAs can access their clients' financial records: profit and loss statements, bank records, and payroll information embedded in cloud-based accounting software. They also have access to their clients' retirement fund information and the amount of taxes they pay. Hackers and scammers target these firms, hoping to siphon money from these funds or alter the firm's clients' accounting records. A breach of clients' Social Security numbers would hurt the firm's brand.
Client trust is critical for any CPA firm. Preventing malware attacks, phishing scams, and unauthorized system access is paramount for all CPA firms and other financial industry members.
Here are the most common attack vectors used by hackers in the accounting industry.
Social Engineering
Social engineering is an attack vector in which hackers and scammers trawl their victims' social media accounts, looking for people they can impersonate. Hackers often impersonate old school friends, past employees, or close friends when trying to connect with an employee inside an accounting firm they are targeting.
Phishing
Phishing is an attack that leverages the connections and content acquired through social engineering. Phishing emails crafted using artificial intelligence (AI) and machine learning (ML) and aimed at CPA firms focus on luring employees into disclosing their usernames and passwords, the names of important clients, access to accounting software, and internal financial controls. This is the most common attack vector used by hackers: 91% of all security breaches start with an email phishing attack.
Insider Threat
Recent research shows that insider threats can cost organizations up to $16.2 million annually. CPA firms may incur substantial financial losses, potentially reaching millions yearly based on incident severity and frequency. Disgruntled employees, vendors, partners, and outside firms contribute to insider threat losses.
Typical insider incidents include someone accidentally emailing critical client information to the wrong person, a disgruntled employee copying information to a USB drive before leaving the firm, and a partner taking sensitive documents outside the office only to have them misplaced or stolen, each of which leads to a data breach.
Clients Themselves
Clients, especially those attempting to hide criminal-related information, will also try to reach their own accounting records by breaching the CPA's storage of that information. While this may seem an unlikely breach, it often happens within the CPA and other industries. CPAs protect themselves from this attack by applying accounting standards with checks and balances, enabling internal controls, and using complex passwords to protect cloud-based accounting systems.
Recent Data Breaches Against CPA Firms
Data breaches from malware, ransomware, and other cyber threats happen. Here are the top accounting firm security breaches in 2024:
CPA Firm 1: Wright, Moore, DeHart, Dupuis & Hutchinson (WMDDH)

| Field | Detail |
| --- | --- |
| Location | Lafayette, Louisiana |
| Implications | According to WMDDH, the affected personal information included names, Social Security numbers, driver's license numbers, passport numbers, financial account numbers, and medical and treatment information. |
| Cause | Unusual network activity |
| Remediation | The company provides affected individuals with one year of free credit monitoring and identity theft protection services. |
CPA Firm 2: Feldstein & Stewart (F&S) LLP, CPAs

| Field | Detail |
| --- | --- |
| Location | New York |
| Implications | 8700 people affected by the breach |
| Cause | External system breach |
| Remediation | F&S responded by taking the above steps and implementing extra security measures to prevent future incidents. F&S offered those affected complimentary identity protection services via IDX, including credit monitoring, dark web monitoring, a $1 million fraud loss reimbursement policy, and managed identity theft recovery services. |
What Are the Top Adaptive Security Controls All CPA Firms Need to Deploy?
CPA firms investing in effective strategies and robust cybersecurity measures need to include the following protection layers:
Email Security
Advanced email security powered by AI and ML is essential for CPA firms to prevent social engineering, email phishing, and ransomware attacks. Accounting practices depend on email security for encryption when sending sensitive information. Advanced email security solutions include email encryption and data loss prevention capabilities.
Data Encryption
All data must be encrypted, including customer accounting records, employee information, and the firm's own financial records. Client, employee, and CPA firm data transmitted to or stored in a cloud-based repository must be encrypted. Most modern accounting software systems encrypt the information stored within the application's database.
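The following added example, which is not code from the page or from Sentinex, shows what "encrypted at rest" should mean in practice for a client record: authenticated encryption (AES-256-GCM) rather than plain encryption, so that a tampered blob or a record moved into the wrong client's file is rejected instead of silently decrypted. The key, client identifier and record contents are constructed placeholders; a real deployment would fetch the key from a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptRecord seals one client record with AES-256-GCM (authenticated
// encryption). A fresh random nonce is prepended to the output, and clientID
// is bound as associated data so a sealed record cannot be swapped into
// another client's file without the integrity check failing. The key must be
// 32 bytes and should come from a key-management service, not source code.
func EncryptRecord(key []byte, clientID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, so nonce||ct||tag is
	// stored as a single blob.
	return gcm.Seal(nonce, nonce, plaintext, []byte(clientID)), nil
}

// DecryptRecord reverses EncryptRecord. Any modification of the stored blob,
// or a mismatched clientID, makes gcm.Open fail and nothing is returned.
func DecryptRecord(key []byte, clientID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(clientID))
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record; values are placeholders, not real client data.
	record := []byte(`{"client":"ACME-0001","ssn":"000-00-0000","balance":12345.67}`)
	sealed, err := EncryptRecord(key, "ACME-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (nonce + ciphertext + tag)\n", len(sealed))
	if _, err := DecryptRecord(key, "ACME-0001", sealed); err != nil {
		panic(err)
	}
	sealed[len(sealed)-1] ^= 0x01 // simulate one corrupted byte in storage
	_, err = DecryptRecord(key, "ACME-0001", sealed)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Binding the client identifier as associated data is the detail most often skipped: without it, an attacker with write access to storage can copy one client's encrypted record over another's and the application will decrypt it without complaint.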
MFA
Several compliance mandates, including GDPR, HIPAA, PCI-DSS, and others, require multi-factor authentication (MFA). CPA firms supporting clients in these regulated industries must also enable strong password policies and leverage MFA for more secure access control to the various advanced tax accounting and general ledger software platforms.
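The paragraph above says MFA must be enabled but not what a correct server-side check looks like. As an added example that is not part of the page or of any product it mentions, the following Go code implements time-based one-time passwords (TOTP, RFC 6238 over HMAC-SHA1) the way an accounting platform's login would verify them: one step of clock skew is tolerated, the comparison is constant-time, and a code that has already been accepted cannot be replayed inside the window. The secret is the RFC 6238 test value, used here only so the output can be checked against the published vectors; real enrolments generate a random secret per user.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const (
	totpStep   = 30 // seconds per code, the RFC 6238 default
	totpDigits = 6
)

// totpForCounter computes HOTP(secret, counter) truncated to totpDigits, the
// HMAC-SHA1 construction from RFC 4226 that TOTP (RFC 6238) builds on.
func totpForCounter(secret []byte, counter uint64) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// TOTP returns the code valid at the given Unix time.
func TOTP(secret []byte, unixTime int64) string {
	return totpForCounter(secret, uint64(unixTime/totpStep))
}

// Verifier checks submitted codes on the server side. It tolerates one step
// of clock skew in either direction and remembers the highest counter already
// accepted, so a code captured by phishing cannot be replayed within its window.
type Verifier struct {
	secret      []byte
	lastCounter int64
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastCounter: -1}
}

func (v *Verifier) Verify(code string, unixTime int64) bool {
	current := unixTime / totpStep
	for skew := int64(-1); skew <= 1; skew++ {
		counter := current + skew
		if counter < 0 || counter <= v.lastCounter {
			continue // already used (or before the epoch): reject replays
		}
		expected := totpForCounter(v.secret, uint64(counter))
		// Constant-time compare so timing does not reveal how many digits matched.
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastCounter = counter
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890"); a real enrolment
	// would generate a random secret per user and share it via a QR code.
	secret := []byte("12345678901234567890")
	v := NewVerifier(secret)
	code := TOTP(secret, 59)
	fmt.Println("code at t=59:", code) // 287082 per RFC 6238
	fmt.Println("first use accepted:", v.Verify(code, 59))
	fmt.Println("replay rejected:", !v.Verify(code, 61))
}
```

The replay check matters precisely because of the phishing attacks described earlier on this page: a proxy that captures a user's password and current code can still log in once if the server accepts the same code twice, so the verifier must treat every counter as single-use.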
Security Awareness Training
Security awareness training and attack simulation are critical for CPA firms to educate their users about the cyber threats the firm faces every day. The training must cover the cybersecurity features built into the firm's various security controls. Users need to become familiar with the email security controls, including data encryption, and learn to identify social engineering attempts in order to reduce the risk to the firm.
What is the Role of ID Protection for Every Member of the Firm?
ID protection services have become one of the most effective cybersecurity solutions that CPA firms must incorporate for all employees. Sentinex's ID protection service alerts CPA firm employees when their credentials become compromised. The service's monitoring of the dark web and other sources lets employees quickly discover if other parties are using their usernames and passwords, FEIN, D&B numbers, email addresses, corporate credit cards, domain, or chatter content.
Why Sentinex?
Sentinex's subscription-based service scans several areas, including the dark web, medical ID monitoring, home title search monitoring, and data brokering sites. This service also helps businesses protect their personal and corporate identity, which hackers could otherwise use to access and compromise accounting firm records, financial monitoring, bank information, passwords, email accounts, D&B numbers, and domain information, causing data breaches that result in lawsuits, loss of brand value, and compliance violations.
Are you interested in learning more? Click here to see the various subscription models offered by the Sentinex team!