Cybersecurity and the Risks CPA Firms Face
Risk, simply defined, is the possibility that something bad will happen. It is the uncertainty of the effect an action, or lack thereof, will have on something valuable.
In cybersecurity, risk is the possibility of losing data or money, or of having access to one’s financial, medical, and personal information restricted. Accounting firms are particularly vulnerable to risk due to the large volumes of sensitive client information they handle. Information such as names, addresses, identification records, and bank information is especially attractive to cybercriminals.
Aside from cybersecurity risks, the accounting industry is also at risk of staffing inadequacy as the number of accounting professionals continues to dwindle more and more each year.
In this article, we will be discussing these two major risks that CPA Firms are facing today. We will also be providing solutions with actionable steps that your firm can take to mitigate these risks.
Data Breach
Data breaches occur when unauthorized individuals access confidential information, including social security numbers, bank account details, healthcare records, corporate data, intellectual property, and financial information.
A data breach is an expensive problem that every organization is at risk of. According to research conducted by IBM on the cost of data breaches, the average loss in such incidents is $4.88 million. In the US specifically, the cost averages around $9.77 million.
These costs include lost business, detection and containment efforts, fines, settlements, legal fees, breach reporting, and other post-breach response activities.
Although financial gain is usually the number one motivation for data breaches, they can also result from internal errors and malicious insiders. Internal errors typically occur when employees accidentally send sensitive information to unintended and unauthorized recipients. Meanwhile, malicious insiders are individuals who have authorized access to data but leak information to other parties with the intention of disrupting business operations or profiting from company data.
Most commonly, though, cybercriminals launch data breach attacks to steal financial information and drain the funds of their victims. They may also sell non-financial information such as names, addresses, and other personal information to other criminals who will then use this information to perform other cyberattacks such as identity theft, social engineering, and fraud.
Organizations are especially vulnerable these days as the use of mobile devices for work becomes more widely accepted by businesses. Mobile devices are easier targets for data breach attacks, as they can be more easily penetrated by malware through clickable phishing links. With more businesses offering remote work setups, they are becoming increasingly susceptible to data breaches. Employees working remotely access data through personal or public networks, which may not be as secure as in-office networks.
If an organization’s data breach response is inadequate, an incident may lead to unexpected expenses. Customers often lose trust in an organization following a data breach, as it can cause significant reputational harm. When a breach is publicized, the organization also becomes more vulnerable to future cyberattacks, as it becomes an even more attractive target for cybercriminals.
Staff Shortage
Recent years have seen a decline in interest in the accounting profession. In 2021, the AICPA reported a 33% decrease in first-time CPA exam takers. This trend continued into the following year, with a 7% decline in 2022. The same year also holds the record for the lowest number of examinees in the last 17 years. Given this already low number, 30% fewer candidates passed the final section of the exam. On top of this, the industry is also experiencing the phenomenon of a graying profession, with the AICPA reporting that 75% of registered CPAs will reach retirement age in the next 15 years.
The declining interest in the profession is mainly rooted in the perception that the requirements to become a CPA, as well as the workload once in the workforce, are not fairly aligned with the compensation.
Students are required to have a bachelor’s degree and to complete a total of 150 college level credits with some needing to take additional credits, as bachelor’s degrees typically offer only 120.
Even when these students enter the profession, they face the next hurdle – demanding workloads, which lead to a lack of work-life balance and, eventually, burnout.
On top of the demanding hours, tight deadlines, and the non-flexible nature of the job, one major reason the profession is less attractive to newer generations is that, for the most part, the industry has struggled to keep up with technology. The younger generation not only has different expectations when it comes to its relationship with work, prioritizing a balanced lifestyle before career growth; it also prefers to work in spaces where management is not afraid to leverage technology to improve processes and working conditions.
We often hear the argument that the younger generation only wants to work remotely and do things their own way. While this can be viewed negatively, it’s worth reconsidering — it makes sense that this generation is wired this way. They are essentially digital natives who know how to make technology work for them, rather than viewing it as competition in the workplace.
For any business, the likelihood of something negative suddenly happening can be alarming, and even detrimental to its survival. However, instead of dwelling on the negative, let’s view risks as opportunities for the business to grow, discover its strengths, and become more adaptable to change, especially the adoption of new technological advances.
It is essential for any business to regularly assess risks and make plans to address them, as this ensures business continuity and supports better decision-making. Let us take a look at some possible solutions to the risks we have discussed above.
Implement Preventative Measures
Every organization is at risk of a data breach. A simple, innocent mistake by an employee can lead to a data leak. However, this does not mean that there are no measures your firm can put in place to minimize the risk of such an incident occurring. Listed below are some preventative measures your firm can implement to help mitigate the risk of a data breach.
- Utilize full disk encryption for every work device that your employees use
- Implement a stringent security policy for accessing company data using personal devices
- Require multi-factor authentication (MFA) when accessing company data
- Implement regular security awareness training
- Extend security control protocols to devices operating embedded systems, such as keycards, tracking systems, barcode scanners, and security systems, to ensure comprehensive protection across all points of access and operation
- Develop an incident response plan and conduct regular audits and checks
- Develop and implement a data retention policy that clearly indicates what should be done in the event data needs to be deleted or is accidentally deleted
- Conduct an annual penetration test to ensure the incident response (IR) plan is fool-proof and up-to-date
- Enlist the assistance of IT experts who can guide you to develop and implement preventative measures that will cover all facets of your business operations
Develop a Predefined Breach Response Sequence
Your organization should have a response process that automatically starts as soon as a data breach incident occurs. A predefined sequence will help your organization respond to the incident smoothly without skipping over any necessary steps. This will not only ensure that all areas are addressed, but also that all concerned parties are informed in a timely manner.
Preparing such a process might take some time as you develop the steps and determine which technologies to implement to ensure the workflow runs smoothly. Staff should also be trained to ensure they know how to respond in the event of an incident. Consider enlisting the help of a trusted IT partner to set up an effective and all-inclusive data breach response procedure.
An example of a simplified, predefined data breach response sequence is as follows:
- Security monitoring tools send automated alerts to your Security Operations Center (SOC) team once suspicious activity is detected.
- Once suspicious activity is verified as a breach, temporarily disable compromised user accounts, restrict network access from affected endpoints, and isolate the affected servers to contain the breach.
- Send notifications to internal stakeholders including IT, legal, compliance, and executive teams, and any third-party security partner.
- Initiate forensic analysis. Gather logs, identify affected systems, and determine the origin and extent of the breach.
- Create an incident report by filling out a breach response incident report template from your data breach plan.
- Execute data recovery and system restoration steps, deploy patches, and review data security.
- Send notifications to regulatory bodies, affected customers, or partners. It’s best to have a notification template that can be quickly filled out with the relevant details and reviewed by legal and compliance teams for faster dispatch.
- Conduct a post-incident review discussing the reports, summarizing the breach, the actions taken in response to the incident, and lessons learned.
- Make necessary updates to security protocols, training, and monitoring tools to avoid future incidents.
A predefined data breach response sequence can help firms execute remedial measures at the right time. Since each step is triggered by the one before it, firms can be more confident that they are following the protocol in its entirety without skipping any stages.
Additionally, firms should familiarize themselves with breach reporting deadlines in their state so they can be included in the data breach response plan.
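The ordering guarantee and the reporting deadline described above can be enforced in software rather than left to memory. The following is an added example, not code from this article or any particular product: the step identifiers, the `BreachResponse` class, and the notification window are assumptions made for illustration, and the window must be replaced with the deadline that actually applies to your firm.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Step identifiers paraphrase the sequence above; the names are this example's own.
STEPS = [
    "alert", "contain", "notify_internal", "forensics", "incident_report",
    "recover", "notify_external", "post_incident_review", "update_controls",
]

class OutOfOrder(Exception):
    """Raised when a step is attempted before its predecessor is recorded."""

@dataclass
class BreachResponse:
    # Assumed placeholder: set from the reporting deadline that applies to the firm.
    notify_window: timedelta
    log: list = field(default_factory=list)  # (step, UTC timestamp, actor)

    def next_step(self):
        return STEPS[len(self.log)] if len(self.log) < len(STEPS) else None

    def complete(self, step, actor, when=None):
        """Record a step; refuse anything other than the next one in sequence."""
        expected = self.next_step()
        if step != expected:
            raise OutOfOrder(f"expected {expected!r}, got {step!r}")
        self.log.append((step, when or datetime.now(timezone.utc), actor))
        return self.next_step()

    def external_notice_due(self):
        # Assumption: the clock starts when the breach is verified and contained.
        for step, when, _ in self.log:
            if step == "contain":
                return when + self.notify_window
        return None

    def overdue(self, now):
        """True if external notification has not been sent and the window passed."""
        due = self.external_notice_due()
        sent = any(step == "notify_external" for step, _, _ in self.log)
        return due is not None and not sent and now > due
```

The timestamped log doubles as the raw material for the incident report and the post-incident review.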
Employ the Use of AI-Based Tools
AI-based tools are not only effective for automating responses to predefined triggers that activate a data breach response sequence, but they can also be a valuable aid in helping accountants manage their demanding workloads.
The use of AI is becoming more widely accepted, and if used correctly and ethically, it can be a significant help in optimizing processes within a firm’s operations. By automating administrative and routine tasks, AI allows accountants to focus more on high-level decision-making and value-added work.
The challenge, however, is that the accounting and finance industry still has reservations about using AI, which limits adoption of the technology. These reservations are understandable: there are concerns about data privacy and security (such as what kind of information AI can gather and retain from firms), about accuracy (which is crucial when working with numbers), and a general fear of change and the perceived inconveniences that come with it. Even so, AI, if used and configured correctly, can be a great solution to help address the current shortage of accountants.
By automating certain tasks with AI, firms can reduce accountants’ workloads, help alleviate burnout, and ease the pressure on accounting firms to hire additional staff. Some tasks that can be configured and automated with the help of AI-based tools are:
- Data summarization, organization, and analysis
- Expense and payroll processing
- Reporting
- Forecasting
- Fraud detection and risk management
- Workflow automation
- Workload distribution
By leveraging AI, firms can shift their focus to staff development through training, allowing them to promote accountants to higher positions while bringing in new hires who can apply the skills they’ve gained through school and internships.
CPA firms are increasingly vulnerable to data breaches and staff shortages, both of which can harm client trust, lead to regulatory penalties, and strain resources. Data breaches expose sensitive financial information, while staff shortages hinder consistent service delivery and increase workloads on existing employees, raising risks of burnout and error.
To address these challenges, firms can implement preventive security measures like employee training, strong cybersecurity protocols, and regular audits. Additionally, a predefined data breach response plan enables quick and effective containment if a breach occurs. Leveraging AI-based tools can mitigate both risks by flagging suspicious activity and supporting busy teams by automating repetitive tasks.
Together, these strategies help CPA firms safeguard client data and maintain operational stability amid staffing limitations. There’s no need to feel overwhelmed. Contact us today for help setting up these solutions, and let us be your trusted IT partner in mitigating these risks.