Byron Patrick, CPA, CITP, straddles the line between the accounting world and the information technology (IT) world. So he’s well attuned to the IT needs and shortcomings of the greater CPA community, as well as what they don’t need to spend as much time worrying about. And as it turns out, most cyberattacks come in the tried-and-true format of email.
“Email is still the No. 1 source of all of this stuff,” Patrick said in his session, “A CPA’s Guide to Cybersecurity.” “It’s so easy for hackers to just blast out and wait for somebody to click. There’s a different name for every variety of phishing, but at the end of the day, it’s all the same stuff — trying to get you to divulge a password or install malware to your system.”
Patrick, managing director at Network Alliance, discussed email scams, effective passwords and social engineering during his session. He cited Verizon reports indicating that 66 percent of malware attacks were carried out using malicious email attachments. And, he said, the reason those attacks continue to work is much more about psychology than technology.
“We put a lot of time, effort and expertise into building out a very secure infrastructure,” he said. “But I think that causes something of a false sense of security. The reality is that the human factor is a component of 76 percent of the data breaches that happen. As secure as we make our systems, they definitely have to do a better job of the human factor, the awareness and the training.”
A great deal of that training is in recognizing email scams, and that task is getting more difficult all the time as scammers learn more effective ways to mimic companies. Some of that is in technology and design, but a lot of it is learning about potential targets and using a variety of tools to hit them.
“The social engineering is just getting really slick at tricking people into doing things. They’re using phone calls, they’re using text messaging,” Patrick said. “There are even elements of tricking service providers. For example, we have to be careful that if a client calls us and wants their password changed, we can’t just change that. We have a tool designed to ensure that the person requesting the password change is, in fact, who they say they are. If they just call, we can’t validate their identity.”
Your first line of defense against cyberattackers is the humble password. However, Patrick refers to reusing a single password across services as a “skeleton key,” where the password to one site can open a variety of others. Brute-force attacks can and do happen, and many people make it easier by using easy-to-guess passwords.
He recommends a password management service to keep those passwords as hard to guess as possible. Multi-factor authentication is also more secure, but less convenient.
“Stop trying to do it yourself,” Patrick said. “We are all sloppy and lazy with passwords because we try to keep it simple and try to remember it. We’re basically creating a very significant vulnerability with our passwords.
“I am a huge advocate of two things. Multi-factor authentication is something that we don’t often opt into because it’s an extra layer of inconvenience, but if you have an online service that offers it, you need to use it.”
Patrick particularly recommends LastPass, which he says will simplify users’ lives while improving their online security.
Voice social engineering is on the rise — think calls you yourself probably get, voicemails saying you owe a large amount of taxes or that there’s a huge lawsuit you need to settle. Those calls come from call centers where scammers are hoping some small percentage of targets will panic and give out account information.
Scammers will stop at very little to create a convincing way in. If a company is being targeted, hackers will research names, company policies and other details.
“It’s a sad statement, but you just have to stop trusting,” Patrick said. “You’ve got to trust your gut, primarily. I tell everybody, if you’re suspicious, just delete it. There’s no point in pursuing it any further. If you’re suspicious, delete the email, hang up the phone, whatever the case may be, and follow up through other means.”
Proper validation procedures are vital in ensuring your employees’ and customers’ sensitive information stays in the proper hands.
“Some of these scams are convincing people to do things like send copies of W-2s to somebody who wants to hack them,” Patrick said. “If you put in policies and procedures to ensure that you would not do something like that without validating who’s requesting it, it would protect you from those types of things.”