Cyber Threats are on the Rise: CPA Firms are Ready to Help

Companies and their customer data are proven targets of sophisticated cyberattacks. As cybercrime is on the rise, draining about $500 billion a year from businesses, accounting firms are coming to the rescue. Here are some case studies that showcase how clients are upgrading their defenses, thanks to CPA firm cyber professionals.

Baker Tilly

By Tom R. Wojcinski, CISA, CRISC, CCSK, CCSFP, Principal, Cybersecurity & IT Risk Practice

A major retailer had not developed a comprehensive cybersecurity management program, functioning instead with a disparate set of disconnected security elements not aligned to a comprehensive framework. Baker Tilly cybersecurity professionals used a recognized and vetted cybersecurity framework (e.g., NIST, CSC) to assess the company’s current security profile, what the company was doing well, where there were issues or gaps, and built a three-year roadmap with remediation activities to help the company improve security and build and maintain a sustainable cybersecurity management program. The company is currently using the recommended remediation plans to further enhance its cybersecurity posture overall.


By Gregory Garrett, CISSP, PMP, CPCM, Head, U.S. and International Cybersecurity

Our client—a leading U.S. hospital association—needed an extensive review of its information security policies, plans, procedures and vulnerabilities to test its cyber readiness for a malicious attempt to harm the association. To accomplish this goal, we first conducted a cyber risk assessment of the association’s current policies and procedures against U.S. healthcare industry requirements. Second, we performed a cyber vulnerability assessment and network penetration test. Last, we delivered a customized cybersecurity awareness education and training program for the board of directors, senior leadership and membership of 5,600 hospital CEOs nationwide. These assessments helped to identify where the association had vulnerabilities and the kinds of threats that could critically undermine its systems, assets and reputation—insights which guided cyber investment priorities for the organization going forward.

Citrin Cooperman

By Michael Camacho, CPA, CIA, Partner, Cybersecurity Practice Co-Leader

Data breaches are at an all-time high, with daily headlines reporting large-scale breaches. Our cybersecurity team recently provided breach response services to a client that had fallen prey to a cyber attack that crippled their ability to do business. Minutes after being informed of the attack, our team of specialists executed a plan of action to stop the attack from inflicting any additional damage, assess who carried out the attack, learn what was compromised and deploy the proper defenses to mitigate the chance of a future attack. Within days, the IT environment was fully secured, and the client’s operations were back at full capacity. As a preemptive service, we perform simulated spear phishing campaigns for clients in order to reduce their susceptibility to becoming victims of actual spear phishing attacks.

CohnReznick LLP

By Shahryar Shaghaghi, MSc, Principal and National Director of Cybersecurity

A comprehensive risk assessment is the first step in developing an effective cybersecurity risk management program. When we first met with a mid-market construction company, they felt that a firewall and antivirus software were all they needed to protect themselves from cyber threats. When their ERP system was hit with ransomware, they realized what they had was inadequate. Our risk assessment uncovered gaps in their cybersecurity, including ad-hoc policies and procedures and minimal technical controls. By utilizing the Center for Internet Security’s Top 20 Critical Security Controls as their framework, we elevated their cybersecurity maturity level through an enterprise security strategy that integrates with their business and is fully focused on incident prevention, detection and response.

Friedman CyZen LLC

By Jacob Lehmann, Managing Director

Our cybersecurity experts recently helped mitigate a breach against the municipal government of a U.S. county. This municipality fell victim to malware introduced through “spear phishing,” possibly exposing critical data. Our team conducted a threat assessment to evaluate the scope of damage and then, as part of the incident response process, performed a deep dive into the infected devices using computer forensics. Once the threat was eradicated, the team boosted the municipality’s overall security posture to prevent future attacks. Our process is unique, and our experts make a point of explaining their technical methodology to clients in a way they can understand and work as a force multiplier with client IT teams—ultimately giving clients the peace of mind that comes with knowing their valuable assets are safe.

Grassi & Co.

By Karl Kispert, Principal, Cyber and Information Security Practice

Our client, a real estate development firm, was the victim of phishing attacks, network malware, computers freezing, and compromised sensitive information and server access; the CEO and CFO realized that action had to take place immediately. We did not overwhelm the client with the fix all at once; rather we proceeded with a comprehensive technical assessment, then developed a strategic roadmap to strengthen them and reduce their cyber and information security risk. Some of the key areas we addressed include a risk and compliance management plan; third-party vendor risk; policies and procedures; business continuity and disaster recovery; security awareness and phishing; physical and environmental security; and penetration testing.

Nisivoccia LLP

By Mark Jensen, Director of Technology

A non-profit client approached us for help with technology issues and inefficiencies they were experiencing. After performing a needs assessment and subsequent discussions with the client, we determined they needed to improve security and address technological inefficiencies across their network. We migrated them from an on-premise e-mail solution to a cloud solution that would not only reduce costly and complex ongoing maintenance but would increase security and improve mobility. Then we implemented next-generation Firewall/UTM devices with daily reporting, cloud-based endpoint protection, group policies limiting the use of externally connected USB devices and disabling any unnecessary protocols within the internal network. This organization now has annual penetration tests performed externally and internally to continually test for current vulnerabilities and to help safeguard the client from future threats.

PKF O’Connor Davies, LLP

By Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE, Principal, Cyber Risk Management

We were engaged by a school district to identify its cyber risks. We discovered two critical weaknesses: the district viewed information security as solely an IT responsibility, and it lacked an overarching information security strategy across schools and business offices. Working closely with the administration, we illustrated the need for a districtwide information risk management strategy and then identified and trained all the key stakeholders. Once we resolved the governance concern, we re-engineered a program focused on three key tenets: people, process and technology. The district fully embraced our work; existing technologies were complemented by new tools for a minimal capital expenditure.

Sax Technology Advisors

By Matthew Hahn, Chief Technology Officer

We recommend an in-depth defense approach for our clients to combat the growing presence of cyber threats. For the best protection, we typically provide a fundamental security toolkit, which includes internal security awareness training geared toward educating staff on how best to protect themselves and the company’s data and systems. It also includes a network assessment to determine whether the technology solutions currently in place are appropriate and identify where enhancements can be made. There is often a need to implement a Security Operations Center—a facility where a company’s IT environment is monitored 24/7—to gain deeper insight as to what’s happening both inside and outside of a client’s network. A combination of all three solutions can mitigate many of the internal and external threats that businesses now face.

Sobel & Co., LLC

By Kim Miller, Ph.D., CFE, Cyber Practice Leader

A due diligence investigation—a background check on a company and its principal—was performed for a client who utilizes e-commerce vendors. While none of the results on their own was necessarily cause for alarm, the presence of two or more issues raised suspicions. Our investigation noted that the principal had three criminal charges for drug dealing and several monetary theft charges. The owner had changed the company name right after he was charged with the offenses, showing that he did not want clients to know about his criminal charges. The vendor had financial issues also. This investigation protected the client from any internal threats by ending the relationship and any potential hacking that a social engineering hacker could launch to get an internal user to provide sensitive credential information.

WithumSmith+Brown, PC

By Joe Riccie, CPA, Partner, Cybersecurity Practice Leader

A client had a phishing attempt made with an e-mail impersonating the CFO to the controller instructing a wire transfer. The controller was not fooled, and the client’s IT performed an internal investigation. Withum was then hired to do additional digital forensics work, double checking the security posture. We found that the CFO had fallen for a previous phish months prior, which captured his e-mail, username and password, allowing the hacker to track his e-mails for months. We fixed the issue and checked the logs to ensure no other accounts were compromised. In addition, Withum performed a detailed internal and external penetration test, simulating an attack on the client’s systems to evaluate the system security, and ran phishing tests. We also provided education for the employees to prevent future attempts.