Cybercrime has been rising for decades and has accelerated during the pandemic. The reactionary shift to remote work has created the perfect opportunity for criminals to exploit information security vulnerabilities and compromise business information systems. The accounting industry is facing an unprecedented challenge in securing its operations and protecting consumer data. Nationally, billions of dollars are lost to insider threats, ransomware, business email compromise and espionage. Customer information is regularly exfiltrated from inside corporate electronic perimeters and posted for sale to identity thieves on the dark web.

The Southeast United States is heavily targeted, as the vast majority of regional CPAs simply do not invest in data security. Alabama was one of the last states to create a Breach Notification Act, which requires businesses to report known data security breaches to law enforcement. The critical questions emerge: what are the root causes of the failures in information security, and what moves can CPAs make to lower the probability of a disastrous breach?

ControlAltProtect has helped corporations across the world recover from cyber attacks, and plenty of them are based right here in Alabama. Who is attacking these businesses? About 60 percent of attacks on small to mid-cap American companies originate in China and Russia, with Iran and North Korea close behind. Because Alabama has seen growth in the high-tech, manufacturing, and space industries in Huntsville and Birmingham, our businesses are primary targets. The last five years have seen financial, medical, and public accountants bear the brunt of attacks.

Many attacks occur from lateral sources; for example, Company A in the manufacturing sector or a mom-and-pop company is used to target a CPA firm, a hospital or a dentist’s office. Hackers will take anything you give them and use it to gain access, expand internal reach and ultimately extort the business. Criminals want to steal customer PII (Personally Identifiable Information) and proprietary data, or piggyback on established business relationships through email to commit wire fraud. There is a fortune to be made in the illicit resale of privileged information through criminal channels, and all businesses are targeted.

Why are American companies at such risk for these attacks? Collectively, American businesses see information security as a risk unique to their Information Technology group or “IT guy,” not as a general business risk, and in response fail to give the subject the proper attention or budget. Many “check the box” for compliance or insurance reasons but lack the appropriate understanding of the field and often rely on their IT resources to handle it. Because of this, businesses often suffer significant losses, and find their IT resources inadequate to the task.

A paradigm shift in the mindset of businesses must take place if they are to match or outpace current and future threats. CEOs have to be financially savvy, but now they must also be technically literate in information security. We encourage businesses to take an active part in securing their enterprise and to make sure that third-party vendors are doing their part. You can’t stop criminal hackers unless you hire ethical ones. Sophisticated cyber criminals navigate around traditional cyber-defenses in days, if not minutes. Unless you hire an experienced, trained cyber-security professional, you are vulnerable.

Gone are the days when CPAs can completely lean on law enforcement to help solve issues. The FBI states openly that they cannot assist businesses with cyber attacks. As attacks continue to keep pace with changes to technology, a mindset centered around electronic defense must come from the top down and spread to all aspects of business. If American businesses are to survive these turbulent times, changes to IT staffing, business process and methodology must surmount these challenges. The onus of action remains with leadership, and a proactive approach to information security is very often the litmus test of whether a company prevents or survives an information security breach.