Contrary to popular belief, privacy events and their associated risks do not exclusively arise from external, malicious sources. As the chart, "2018 Privacy Event Claims, by Incident Type," indicates, external attacks were the most frequent cause of privacy event claims asserted against CPA firms in the AICPA Professional Liability Insurance Program in 2018. However, internal human error, whether it is the direct cause of a privacy event or an inadvertent action that assists an external bad actor, also contributes to a firm's data security risk.
While the fences you build to help protect your firm from external attacks are important, the housekeeping you do within your firm is equally important in managing information security risks facing your practice. Here are some housekeeping reminders to consider.
WAKE UP AND SMELL THE PHISHY EMAILS
Phishing is a form of social engineering in which a bad actor uses various technological channels, typically an email, to solicit personal information from a targeted individual or company by posing as a credible source. According to Verizon's 2018 Data Breach Investigations Report, phishing and pretexting represented 93% of breaches, of which email was a common vector. This demonstrates the need to be vigilant and alert when opening and reacting to email.
To address risks associated with phishing attempts, CPA firms should consider using anti-phishing tools that commonly provide the following types of capabilities:
* Preventive means to scan for and block malicious links, attachments, or accounts;
* Simulation of phishing attacks on users to test and raise their phishing attack awareness and detection savvy; and
* Post-delivery capabilities to intercept and neutralize malware and/or ransomware when a phishing message is opened.
PREPARE FOR THE UNEXPECTED
Author Radhika Mundra said, "Nothing inspires cleanliness more than an unexpected guest." Preparing and training your employees with the information and tools to raise their security awareness can be one of the most effective, and efficient, preventive measures to mitigate data security risks.
According to the Ponemon Institute and IBM's 2018 Cost of Data Breach Study, employee training is one of the highest cost-saving contributors to the per-capita cost of a data breach. To select the most relevant training topics, firms should stay informed about the latest information security threats facing the professional services industry, and, if applicable...