
A strong defense

Cybersecurity is a top concern for Virginia’s CPAs

Published October 30, 2019 by Joan Tupponce

Cybercriminals have begun targeting smaller businesses for ransomware attacks, says Joe DePlato. Photo by Caroline Martin

San Francisco-based cryptocurrency exchange Coinbase learned the effectiveness of its cybersecurity plan this May when it had to fend off a cyberattack.

It was a well-thought-out attack, “potentially from a criminal organization,” says Joe DePlato, co-founder and chief technology officer for Charlottesville-based Bluestone Analytics, a cybersecurity consulting firm.

“It was a spear phishing attack,” he explains, a type of cybercrime in which the attacker emails a specific user base within an organization seeking potentially valuable access or information. “Nothing appeared malicious. When they opened the emails, they didn’t notice anything wrong.”

The opened emails allowed the attackers to leverage an unpatched vulnerability in the Firefox browser. Once the user clicked on a link, the intruders had access to the employee’s machine.

Firefox started another program that it should not have started. “That’s what alerted them to the issue,” says DePlato, allowing Coinbase to successfully defend against that attack. “What Coinbase did right was they took a security-first mindset to the way they deployed their security architecture,” DePlato says, noting that its employees were trained in best practices and the company had a dedicated security team.

Cyberattacks can happen to anyone at any time. “All businesses are at risk,” says Stephanie Peters, president and CEO of the Virginia Society of Certified Public Accountants (VSCPA).

In a 2019 survey conducted by the VSCPA in partnership with Virginia Business to gain insight into current economic conditions, 100% of 282 Virginia CPAs who responded said cybersecurity is of significant or moderate concern to them.

And 18.79% of those CPAs said their businesses had been the victims of cybercrimes. Anecdotally, some said their clients had also suffered breaches, and many said they experience frequent attempted cyberattacks. “My monitoring system tells me that attempts are being made each hour of the day. It is only a matter of time that someone gets through. I try to limit what might be available,” one CPA wrote.

Risky to business

“CPAs are tuned into cybersecurity because of their clients,” Peters says. “A lot of the work they do is related to financial security. They have a heightened awareness of the risks that are out there for anyone.”

CPA firms aren’t at a greater risk than other companies, Peters says, but VSCPA members are “doing more to advise customers about these risks,” she says. “CPA firms can also go in and audit a company’s cybersecurity risk management program.”

The society conducted its own cybersecurity assessment, looking at all of the organization’s processes. “We made so many changes to how we do remote work,” Peters says. “Now when we go into the network, we use multifactor authentication security. We have at least two additional levels of security to get into our data.”

Employees are also trained on best practices. “A lot of small businesses don’t realize how much risk they have,” she says.

Computers and networks are getting attacked by malicious hackers at a rate of one attack every 39 seconds, according to a Clark Study at the University of Maryland. Most attacks (69%, per the Verizon Data Breach Investigations Report) are perpetrated by outsiders, while 34% involve internal hackers.

Most breaches (52%) in the report featured hacking, while 33% included social attacks, and 28% involved malware.

“We have seen an increase in cyberattacks and attempted cyberbreaches,” says Bartosz Wojszczyk, co-founder and CEO of SPARQ Global, a Virginia Beach-based cybersecurity firm. Damages from cybercrimes worldwide amounted to $600 billion in 2017 and are estimated to reach $6 trillion by 2021, he adds. “There is a growing intensity of cybercrime, and the resultant damages to companies and institutions, both private and public, will only escalate.”

There has been a large uptick in ransomware threats, as well as phishing attempts and compromised email accounts. “In both cases threat actors are financially motivated,” says DePlato. “We have seen a decrease in the overall cost of unlocking ransomware. Five years ago, you would hear about larger organizations compromised and [held ransom for] exorbitant fees. Now we are seeing many small organizations targeted” for less money each.

Earlier this year a mid-Atlantic organization’s computer systems were shut down for about two weeks while it was held hostage by a ransomware attack, DePlato says. “They didn’t have a dedicated security team or a user base with training,” he explains. “They didn’t realize the risks from a security perspective. They didn’t follow best practices.”

The organization had to rebuild from scratch. “You can imagine the cost,” he says, adding that if the right measures were in place, “they would have been able to successfully defend the attack.”

Industries frequently targeted by threat actors range from financial services and health care to public institutions and professional services firms. All are good targets because they contain “a treasure trove of personal information,” says Colleen Johnson, senior cybersecurity legal analyst at Suffolk-based cybersecurity firm Sera-Brynn.

One of the biggest threats to a company is an insider threat. An employee, “not necessarily for malicious intent but unknowingly, clicks on a link or email phishing attack,” says Anthony Russo, SPARQ Global’s chief information security officer.

Or sometimes, it’s because they mistakenly think they’re communicating with someone from within their organization. “A CFO, for instance, received a phone call from someone posing as the company’s CEO, asking for a money transfer,” Russo recalls. “The CFO ignored the controls.”

That’s why it’s critical for businesses to establish cybersecurity protocols and enforce the rules they put into place.

Cybersecurity needs to be a mindset, he adds. “That allows you to recognize new threats that are coming. There always needs to be a process. You have to advance your cybersecurity protections as technology advances.”

Putting the right measures in place

Businesses need to be proactive about cybersecurity. “We know that people don’t always do that,” says Wojszczyk. “Don’t skimp or save on cybersecurity protection. A successful cyberbreach can irreversibly impact its victims.”

Stealing or tampering with a company’s data and information can impact its performance and critical day-to-day operations. “Regardless of how small or big or what type of business, data security has to be from the top down,” Wojszczyk says. “It can’t be managed as an afterthought. It has to be strategic and it has to be part of the discussion.”

DePlato recommends that all businesses train employees on cybersecurity and follow best practices.

“You’ll also want to clean up your network,” DePlato says, using sophisticated antivirus and cybersecurity monitoring software developed by companies like Carbon Black or CrowdStrike.

He also recommends having a centralized logging location. “There are a number of different items that can compromise a firewall, network switches, wireless access points, servers, laptops and mobile devices,” DePlato says.

By default, each device logs its own activity locally, on the device itself. “If we are doing an investigation and trying to determine point of detection, we go through log data,” DePlato says. “You want to have all your devices log to one location so your security team has everything in one place.”

Businesses also need to perform daily or weekly systems backups to a secure offsite server. “The best defense against ransomware is to have a robust backup system,” Russo says. “When we buy a house, we all buy the same thing first: homeowners’ insurance. We are protecting the asset against loss, with an ability to recover. The same thought is true in cybersecurity — protect your valuable data assets and have an ability to recover.”

Companies also need to be cognizant of their legal obligation regarding evolving cybersecurity laws. “On the legal side, you may be required to report an incident that you don’t know you are required to report,” Johnson says.

It’s also important for businesses to have an incident response plan in place, she adds. “Don’t wait until something happens.”
