A strong defense

Cybersecurity is a top concern for Virginia’s CPAs

Published October 30, 2019 by Joan Tupponce

San Francisco-based cryptocurrency exchange Coinbase learned the effectiveness of its cybersecurity plan this May when it had to thwart off a cyberattack.

It was a well-thought-out attack, “potentially from a criminal organization,” says Joe DePlato, co-founder and chief technology officer for Charlottesville-based Bluestone Analytics, a cybersecurity consulting firm.

“It was a spear phishing attack,” he explains, a type of cybercrime in which the attacker emails a specific user base within an organization seeking potentially valuable access or information. “Nothing appeared malicious. When they opened the emails, they didn’t notice anything wrong.”

The opened emails allowed the attackers to leverage an unpatched vulnerability in the Firefox browser. Once the user clicked on a link, the intruders had access to the employee’s machine.

Firefox started another program that it should not have started. “That’s what alerted them to the issue,” says DePlato, allowing Coinbase to successfully defend against that attack. “What Coinbase did right was they took a security-first mindset to the way they deployed their security architecture,” DePlato says, noting that its employees were trained in best practices and the company had a dedicated security team.

Cyberattacks can happen to anyone at anytime. “All businesses are at risk,” says Stephanie Peters, president and CEO of the Virginia Society of Certified Public Accountants (VSCPA).

In a 2019 survey conducted by the VSCPA in partnership with Virginia Business to gain insight into current economic conditions, 100% of 282 Virginia CPAs who responded said cybersecurity is of significant or moderate concern to them.

And 18.79% of those CPAs said their businesses had been the victims of cybercrimes. Anecdotally, some said their clients had also suffered breaches, and many said they experience frequent attempted cyberattacks. “My monitoring system tells me that attempts are being made each hour of the day. It is only a matter of time that someone gets through. I try to limit what might be available,” one CPA wrote.

Risky to business
“CPAs are tuned into cybersecurity because of their clients,” Peters says. “A lot of the work they do is related to financial security. They have a heightened awareness of the risks that are out there for anyone.”

CPA firms aren’t at a greater risk than other companies, Peters says, but VSCPA members are “doing more to advise customers about these risks,” she says. “CPA firms can also go in and audit a company’s cybersecurity risk management program.”

The society conducted its own cybersecurity assessment, looking at all of the organization’s processes. “We made so many changes to how we do remote work,” Peters says. “Now when we go into the network, we use multifactor authentication security. We have at least two additional levels of security to get into our data.”

Employees are also trained on best practices. “A lot of small businesses don’t realize how much risk they have,” she says.

Computers and networks are getting attacked by malicious hackers at a rate of one attack every 39 seconds, according to a Clark Study at the University of Maryland. Most attacks (69%, per the Verizon Data Breach Investigations Report) are perpetrated by outsiders, while 34% involve internal hackers.

Most breaches (52%) in the report featured hacking, while 33% included social attacks, and 28% involved malware.

“We have seen an increase in cyberattacks and attempted cyberbreaches,” says Bartosz Wojszczyk, co-founder and CEO of SPARQ Global, a Virginia Beach-based cybersecurity firm. Damages from cybercrimes worldwide amounted to $600 billion in 2017 and it’s estimated to reach $6 trillion by 2021, he adds. “There is a growing intensity of cybercrime, and the resultant damages to companies and institutions, both private and public, will only escalate.”

There has been a large uptick in ransomware threats, as well as phishing attempts and compromised email accounts. “In both cases threat actors are financially motivated,” says DePlato. “We have seen a decrease in the overall cost of unlocking ransomware. Five years ago, you would hear about larger organizations compromised and [held ransom for] exorbitant fees. Now we are seeing many small organizations targeted” for less money each.

Earlier this year a mid-Atlantic organization’s computer systems were shut down for about two weeks while it was held hostage by a ransomware attack, DePlato says. “They didn’t have a dedicated security team or a user base with training,” he explains. “They didn’t realize the risks from a security perspective. They didn’t follow best practices.”

The organization had to rebuild from scratch. “You can imagine the cost,” he says, adding that if the right measures were in place, “they would have been able to successfully defend the attack.”
Industries frequently targeted by threat actors range from financial services and health care to public institutions and professional services firms. All are good targets because they contain “a treasure trove of personal information,” says Colleen Johnson, senior cybersecurity legal analyst at Suffolk-based cybersecurity firm Sera-Brynn.

One of the biggest threats to a company is an insider threat. An employee, “not necessarily for malicious intent but unknowingly, clicks on a link or email phishing attack,” says Anthony Russo, SPARQ Global’s chief information security officer.

Or sometimes, it’s because they mistakenly think they’re communicating with someone from within their organization. “A CFO, for instance, received a phone call from someone posing as the company’s CEO, asking for a money transfer,” Russo recalls. “The CFO ignored the controls.”

That’s why it’s critical for businesses to establish cybersecurity protocols and enforce the rules they put into place.

Cybersecurity needs to be a mindset, he adds. “That allows you to recognize new threats that are coming. There always needs to be a process. You have to advance your cybersecurity protections as technology advances.”

Putting the right measures in place
Businesses need to be proactive about cybersecurity. “We know that people don’t always do that,” says Wojszczyk. “Don’t skimp or save on cybersecurity protection. A successful cyberbreach can irreversibly impact its victims.”

Stealing or tampering with a company’s data and information can impact its performance and critical day-to-day operations. “Regardless of how small or big or what type of business, data security has to be from the top down,” Wojszczyk says. “It can’t be managed as an afterthought. It has to be strategic and it has to be part of the discussion.”

DePlato recommends that all businesses train employees on cybersecurity and follow best practices.

“You’ll also want to clean up your network,” DePlato says, using sophisticated antivirus and cybersecurity monitoring software developed by companies like Carbon Black or CrowdStrike.

He also recommends having a centralized logging location. “There are a number of different items that can compromise a firewall, network switches, wireless access points, servers, laptops and mobile devices,” DePlato says.

Each device by default logs what is going on in those systems to the device. “If we are doing an investigation and trying to determine point of detection, we go through log data,” DePlato says. “You want to have all your devices log to one location so your security team has everything in one place.”

Businesses also need to perform daily or weekly systems backups to a secure offsite server. “The best defense against ransomware is to have a robust backup system,” Russo says. “When we buy a house, we all buy the same thing first: homeowners’ insurance. We are protecting the asset against loss, with an ability to recover. The same thought is true in cybersecurity — protect your valuable data assets and have an ability to recover.”

Companies also need to be cognizant of their legal obligation regarding evolving cybersecurity laws. “On the legal side, you may be required to report an incident that you don’t know you are required to report,” Johnson says.

It’s also important for businesses to have an incident response plan in place, she adds. “Don’t wait until something happens.”