Written by Gretchen McCole, Vice President Aon Affinity, Professional Firms
Let’s begin with the moth and a woman named Grace Hopper. Grace Hopper was a computer programmer who earned a PhD in mathematics from Yale in 1934 and was a rear admiral in the U.S. Navy during World War II. After the war, Grace continued programming and went on to become a research fellow at Harvard. While at Harvard, Grace worked on the Mark I, II and III computers (electromechanical calculating machines) under the direction of mathematician Howard Aiken. On September 9, 1945, Grace and the team working on the computers found a moth between the relays (electrically operated switches). Grace taped the moth in her notebook and added the following note: “first actual case of bug being found”. If you do a web search you can find a picture of the notebook page with the moth. While the details can be debated, Grace has been associated by many with discovering the first computer bug.
What does this have to do with CPA firms? Bugs in software create vulnerabilities and an access point through which data can be exposed. Businesses of all types and sizes are exposed to this type of risk. A computer or software bug is a flaw or error in a program or computer system that causes faulty results and prevents the application from working as intended. Bugs are corrected by applying a patch. A patch is a software update made up of code inserted (or “patched”) into the code of an existing program. According to techopedia.com (source: www.techopedia.com/definition/24537/patch), patches can do any of the following:
- Fix a software bug
- Install new drivers
- Address new security vulnerabilities
- Address software stability issues
- Upgrade the software
Outdated software that is left unpatched is more easily exploited by criminals looking to access data. Cyber criminals look for the path of least resistance. If they were to walk around a neighborhood, the house they would enter is the one with the open, unlocked door. It is the same thing here: they scan the network looking for easy access, and outdated, unpatched software is a key vulnerability. The Heartbleed bug (a software flaw that allowed information protected by encryption to be stolen) is a strong example of what can become exposed, even with encryption in place, and of how applying a patch stopped the continued leakage of data, encryption keys, passwords and more. Staying current on the latest patches and security software will mitigate the potential damage from these types of bugs.
Recommendation: Keep software updated to reduce vulnerabilities.
Phishing and pretexting events continue to be a major method for criminals to obtain data or money. Firms from small to large are all vulnerable to this scam, and we hear on a regular basis from firms that have been party to an incident or potential incident. Phishing involves an email that attempts to trick the recipient into opening it and clicking a link or attachment that installs malware. Pretexting employs a back-and-forth dialogue in which the criminal pretends to be a client, vendor or senior person at the firm. The criminal is attempting to gain trust so that they can obtain information, such as a list of employees with social security numbers “for HR purposes”, or get someone to transfer funds to an account the criminal has set up. These schemes are becoming more and more sophisticated. Criminals have found this to be a quick means to an end: fairly simple execution with a quick monetary return.
Recommendation: Keep firm members aware of this risk. If something does not seem to be right then do not click on the link. Do some investigating. If there is an email for a request to transfer funds, call the client or firm leadership to verify it is legitimate.
Another issue for firms concerns passwords. According to the Verizon 2016 Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords. This applies to mobile devices as well: set a password, encrypt the device and use a security app to protect the data on it. With a little diligence and creativity, maintaining strong and up-to-date passwords is a relatively simple and effective defense against a potential breach.
Recommendation: Ensure there is multifactor authentication, encryption and a strong password policy in place.
Keeping software updated with the latest patch or other software fix, awareness of and training on phishing schemes along with a protocol in place to avoid an issue, and having a strong password and encryption policy are just a few of the fundamentals of preventing or mitigating a cyber incident. This applies regardless of firm size or industry. These fundamental concepts are where Ben Franklin enters our story. While Ben Franklin was referring to fire safety when he wrote “an ounce of prevention is worth a pound of cure”, the same concept applies to any good risk control program, including enterprise risk management for managing cyber risk. Ben Franklin’s advice for the City of Philadelphia to help manage risk from fire included:
1. Raising public awareness.
2. Improving defenses with equipment such as leather buckets, along with strong bags and baskets for packing and transporting goods, so that the response would be more effective.
3. Forming the Blaze Battlers to meet monthly to discuss prevention and response.
4. Promoting best practices for in home prevention such as care in how hot coals are moved from one room to another, looking for a licensed chimney sweep and keeping a leather fire bucket in a home.
When it comes to good cyber risk management as well, the same basic fundamentals should be in place:
- Raising awareness: Training of all firm staff (yourself included!) is the most important thing that can be done. According to James Trainor, SVP of Aon and a former FBI agent, “Education is a key factor to a good cyber security program. Integrate data security and cyber risk into your day to day practice.” One suggestion to encourage compliance was to tie bonuses to cyber security awareness. Even a one or two person shop needs to stay vigilant with the risks that are out there. Every size firm is vulnerable to an attack or a breach of private data and according to the Verizon Data Breach Study of 2016, new vulnerabilities emerge every day.
- Improving defenses: Strong password policies and encryption are important defense techniques. Additional defenses include limiting access to private data to those with a need to know and shutting off access for employees when they leave a firm. As mentioned above, keep software updated with the most recent patches to reduce vulnerabilities. Also, do not leave laptops in a car or otherwise unattended where they can be stolen. And not all employees need access to the same breadth of information – be careful with who actually has what.
- Blaze Battlers: A point person for cyber security who provides regular communication firm wide is an important step to take. Even in a small firm with a few people, if there are not a set of policies and procedures in place to include a protocol for who should be informed in the event of a potential incident, the scope of the issue could be made much more severe from an exposure, cost and public relations perspective.
- Promote best practices: A foundation for good risk management is keeping best practices top of mind. For cyber, you need to be aware of the risks, keep everyone updated and ensure you have a plan in place to mitigate the potential damages when the inevitable occurs. Continue regularly with vulnerability scans, email filtering, anti-virus software and secure your Wi-Fi. In addition, back up data regularly. It helps to return to operations if data is lost, stolen or held ransom.
Grace Hopper gave us the first “bug” and Ben Franklin provided rudimentary risk control techniques. Keeping the story of the moth in mind will remind us that bugs have come a long way from an insect to the insidious software bugs of today. Ben reminds us that some of the best defenses can be the most basic yet easy to forget. Incorporating the noted fundamental techniques is a good start to making your business more secure or ready when an incident does occur. When we are better prepared for a cyber incident we are better equipped to handle it and help CPAs do what they do best - serve clients.
An important partner in prevention, response and getting back to business is an insurance advisor who knows the cyber risks CPA firms face and can help to provide the guidance needed to get firms to smart solutions. Vigilance is required to protect private data in your firm’s care, custody and control. Criminals are vigilant in trying to obtain that data. These techniques should give you a great start. For more information about these risk control techniques or for further information on risk mitigation or risk transfer, please give us a call.
To learn more about the AICPA Professional Liability Insurance Program and supplemental cyber coverages, CPA NetProtect® and CPA NetProtect PRIME®, please visit cpai.com or call 800.221.3023.
This article is provided for general informational purposes only and is not intended to provide individualized business, risk management or legal advice. It is not intended to be a substitute for any professional standards, guidelines or workplace policies related to the subject matter.