Cybersecurity in CPA and Professional Services Firms

In 2013, some 900 Connecticut residents in Fairfield County found out the hard way that even a small town accounting firm can be a prime target for hackers when their tax returns were stolen directly from the firm’s computers.

The hacker selected returns that had been completed but not yet filed, altered certain details, then sent them to the IRS in hopes of collecting the refunds before the legitimate filers could. It had never been clearer that even small accounting firms could be at risk.

In the big scheme of things, stolen tax returns are nothing. The amount of personal information CPA firms amass about their clients over the years can be staggering, and this is the real issue. In the hands of a cybercriminal, that data can lead to identity theft, fraud, and even theft of tangible property.

From ma and pa firms that work with individuals and small business clients, to international CPA firms like PWC, Deloitte, KPMG and Ernst & Young that service the world’s largest corporations – accounting practices of all stripes and sizes are more interested than ever in hiring or contracting skilled cybersecurity experts.

Featured Programs:

It Helps to Speak the Language: How Security Audits Are Improving Compliance

Cybersecurity professionals working with accounting and professional services firms are beginning to find ways to identify issues early using some of the same techniques accountants have traditionally used with their own clients: audits.

System security audits aren’t terribly different from traditional financial audits: experts sit down and go through the details of configuration and practices and compare them to the recommended and required settings and behaviors.

Deficiencies are then noted and brought to the offending parties for correction. It’s an orderly and effective procedure that fits well into the regular practices of accounting firms. Association for Chartered Certified Accountants (ACCA) surveys show that nearly half its member firms regularly engage in information system security audits.

ACCA has also called for accountants to begin working more closely with cybersecurity professionals and other professional services firms in order to enhance their security posture. In fact, ACCA is working with ISACA (Information Systems Audit and Control Association), a non-profit organization that supports information systems security professionals, to help partner ACCA members with qualified cybersecurity administrators, analysts, auditors and architects.

A fascinating interview in the June 2015 Journal of Accountancy with three technology-focused CPAs paints a clear picture of the state of the industry today as far as smaller firms are concerned: Staff and principles who feel that security is unimportant for computers when “it’s just being used here in the office” … confusion about what applications and services are cloud-based … unfamiliarity with the security features of programs they use regularly … and the list of issues goes on.

Overcoming these knowledge gaps will make the role of the cybersecurity specialist in accounting and professional services more about education than about technology.

Smaller Firms Have Become Aware of the Risks and are Taking Steps to Protect Themselves

Some 65 percent of accountants that participated in the Accounting Web 2014 survey indicated that they believe the cyberthreat level was high or increasing. Yet only 14 percent indicated that they were directly involved in security efforts during the previous year.

This sort of disconnect is a particular challenge for cybersecurity professionals to overcome. In accounting, where it’s a mark of professionalism to rigidly adhere to rules and formats that tend to change slowly over time and with a logical consistency, it can be difficult to convince CPAs and firm executives of the need to constantly update security protocols in response to new threats. This can make accounting firms easy pickings for hackers.

There’s No Safety in Numbers

As the targets of choice for cyber-thieves, of course the big names in accounting, auditing, professional services and finance have wielded their hefty resources to harden their systems and improve their security posture after a rash of massive cyberthefts. It’s the smaller local accounting firms that have been a bit slower to adapt.

Like water running downhill, hackers will take the path of least resistance to get the information they need to wipe out bank accounts and commit fraud. That information is found just as readily in tax returns, bank statements, and legal documents kept in the client files of CPA firms.

Neighborhood accounting firms are infinitesimally small compared to massive international professional services firms and even regional CPA firms, and there are a lot more of them. This can lead to a false sense of security, a sense of safety for being part of a larger herd. Many businesses think that if they avoid attracting attention, they won’t be hacked.

But this instinctive approach doesn’t work in the high-speed world of the Internet. It takes no more effort for hackers to scan millions of small networks than it does for them to scan a few hundred large networks.

The extent to which these exploits have become automated comes as a shock to many outside the field of information security.

Proactively Resolving Vulnerabilities Before the Government Gets Involved

As if complacency and rigidity weren’t difficult enough problems to overcome, market pressures have increased the vulnerability of many accounting firms.

In today’s fully connected society, consumers expect to be able to interact with their accountants and advisers online. They want access to work papers, the ability to sign documents electronically, and immediate answers to important questions by email.

As accounting firms bow to the pressure to implement such systems, they run the risk of creating even more security holes. Simple client portals and quick deployments from small shop contracted information security professionals without oversight can be rife with vulnerabilities.

If the public relations hit accounting firms take when these vulnerabilities are exploited isn’t enough motivation, then a hit to their bottom line certainly will be. Governments are now holding CPA firms legally accountable for exposing customer data, according to a September 2015 article in Accounting Today. Firms that don’t bring in cybersecurity experts are liable to suffer under a barrage of civil claims and government sanctions.

Even the little guys in the accounting industry are now allocating major resources to building cybersecurity teams in-house or contracting with respected experts in the field to safeguard client information.

Back to Top