Risk Alert: Data Security Considerations to Help Weather a Pandemic

Cybercriminals love a crisis. Panic-inducing events such as the COVID-19 pandemic prove to be lucrative opportunities for the unscrupulous to capitalize on fear.

Social engineering attacks tailored to exploit the public unease surrounding the coronavirus have been on the rise. One sophisticated attack falsely claimed to be from the World Health Organization. The phony email included an attachment purportedly containing updated safety measures and treatments for symptoms. It exploited the public’s hope for a swift end to the pandemic, but, in reality, concealed malware designed to steal personal information.

The coronavirus pandemic has forced major changes to the way in which we work and carry out day-to-day activities. Millions of Americans have been required to adapt quickly in order to work remotely. For CPAs, the adjustment has occurred during the height of busy season. The shift from where CPA firm employees work has resulted in significant changes to the way practitioners interact with clients and collaborate with one another. Social distancing and limitations on in-person meetings have created heavier-than-usual reliance on virtual and electronic communication.

Just as working remotely enables CPA practices and their employees to continue to serve clients during the pandemic, the responsibility of every practitioner to secure confidential client data continues as well.

In light of the ongoing cyber threats caused by the pandemic environment, CPAs should exercise enhanced cautionary measures in order to avoid falling victim to schemes seeking to exploit security weaknesses and human psychology. Fortunately, both CPA firms and their employees can implement a number of measures to avoid such incidents and to protect and secure data: 

1) Address the risks of accessing sensitive data remotely 

Ideally, data should be encrypted, whether in transit or at rest. To access the firm’s systems remotely, employees may use home wireless networks, which may be less secure than accessing the same information from the office. Unsecured or less secure networks may offer a backdoor to malicious actors monitoring connections to harvest confidential information. For example, data sent in unencrypted form can be easily intercepted and stolen by cybercriminals.

For this reason, security experts recommend that Virtual Private Networks (VPNs) be used to route traffic to the firm’s systems when working remotely, making it difficult for unauthorized parties to intercept the encrypted data, and render it unreadable. 

2) Reinforce security weaknesses with patches

Just as how viruses mutate, cybercriminals’ tactics to exploit and obtain access to sensitive data also evolve. Similar to vaccines, security patches are developed to help correct and address known vulnerabilities used by cybercriminals to gain unauthorized access to devices or applications.

It is important for firms to periodically assess whether its devices and systems are up-to-date with security patches and antivirus solutions.

3) Stay engaged with vendors 

The pandemic has shifted the preferred way to conduct meetings, conferences, and even social events, to online. With such a dramatic shift in a short period of time, a number of security weaknesses with certain platforms and vendors have been revealed. Many providers have responded with options for users to address security concerns.

Rather than relying only on a vendor’s reaction to security weaknesses, consider proactively managing vendor discussions in order to understand the controls or practices they may have in place to address any of the firm’s security concerns.

For example, to support the shift to remote working environments, many firms have implemented VPNs to permit employees secure access to firm resources. Consider discussing these changes with other vendors such as cloud service providers to determine whether it affects the compatibility with the vendor’s technical requirements.

4) Promote employee security awareness

Like showers and wearing clothes other than pajamas, data security may not be the first priority on a CPA firm’s growing list of matters to be tackled. However, it is essential during this critical period of disruption that employees be reminded of the importance of maintaining cyber-security hygiene.

Consider sending friendly reminders to firm employees that emphasize the importance of the following:

  • Employees should only use firm-issued or approved devices to access company resources securely.
  • If employees are using personal devices for business purposes, employees should strengthen the security settings on their devices. Electronic work files from company resources should remain on company-issued or approved devices, and not placed on personal devices.
  • Reinforce how to identify phishing emails:
    • Links and attachments from unknown or untrusted senders should not be opened without careful inspection. When an embedded address appears suspicious or unfamiliar, hover over the link to view the full URL, or use URL checkers to confirm the safety of a suspicious link before clicking.
    • Do not respond to requests for sensitive information (i.e. account details, tax return information), especially if urgent, without verifying the validity of the requestor, even colleagues and clients. If the request is obtained via email, always confirm directly with the requestor using alternative, verified contact information such as phone numbers.
  • List the preferred tools and platforms employees are to use such as cloud storage platforms, portals for sharing information, and virtual conferencing tools.
  • Provide employees with clear guidance on how to report technical issues and empower them to report suspicious activity.

5) Employ strong authentication practices

The importance of using strong passwords and multi-factor authentication to enhance security measures is nothing new. Now is not the time to allow these security measures to lapse or weaken. Refer to best practices outlined in NIST Special Publication 800-63 Digital Identity Guidelines​  for guidance and continue to utilize and employ strong password and authentication practices, including:

  • Password length: Should be preferably 8 – 20 characters. 
  • Password complexity: Consider requiring a combination of capital and lowercase letters, numbers and special characters.
  • Password protection: Passwords and user IDs should be never shared.

Final thoughts

The coronavirus has been widely referred to as the “invisible enemy.” This is a reminder that the invisible or intangible can have as significant of an impact as physical threats, such as accidents or crime. Security risks take on similar characteristics, with the impact made tangible in the form of information compromised, reputation damaged or dollars lost.

Depending upon the size of the CPA practice, the aforementioned tips and advice may seem daunting and technical to tackle. Just as the global response to the COVID-19 pandemic has been multi-faceted, requiring collaboration and support, a CPA firm’s approach to addressing data security risk should be similar. The firm’s leadership sets the tone and prioritizes data security. IT professionals are then empowered to establish security protocols to address the firm’s data security risk. Finally, every individual at the firm is responsible for doing their part in maintaining cybersecurity hygiene. 

This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2020 CNA. 

Related Content