With damages from cybercrime expected to top $6 trillion by 2021, no organization is immune. It is no longer a matter of if, but when, your company or firm is attacked, and given the wealth of sensitive financial data they hold, accounting firms are a desirable target for cyber criminals to exploit.
Accountants across the country on Monday realized that CCH Axcess, a popular cloud-based tax and accounting software from Wolters Kluwer, was down. One day later, Wolters Kluwer announced that it had suffered a malware attack and was continuing to work to restore service.
The CCH Axcess attack is a good example of the vulnerabilities that exist when using third-party vendors, including cloud or web-based platforms. While outsourcing essential functions can provide convenience, the risk accompanying that convenience cannot go unanalyzed.
The 2019 Verizon Data Breach Investigations Report found that web applications are a top target for hackers. The central problem with these applications is that they run custom software code, and custom code is where cyber criminals most readily find exploitable flaws. Some estimates suggest that 111 billion lines of new software code are produced each year, leaving countless opportunities for hackers to find vulnerabilities and backdoors into a network.
When companies rely on third-party software like CCH Axcess to host their data or provide critical business functions, they remain responsible for a wide array of matters. These include the security, availability, processing integrity, confidentiality and privacy of whatever is hosted by the third-party vendor.
Given the realities of doing business today, how can a company take advantage of these tools while still practicing good cybersecurity?
• Do your research. Your data is only as safe as the vendor’s employees and processes make it. As you negotiate an initial contract, you must be certain that the vendor is taking proactive measures to protect your data from security breaches and process failures. Look for vendors that provide verifiably high-availability systems, usually labeled “three nines” for providing system availability 99.9 percent of the time.
• Ensure privacy. You want to ensure that your data is isolated from the data of other companies that may be using the same vendor or software. Ask your vendor to verify that your data is kept discrete and safeguarded from other customers accessing it, whether accidentally or by design. You can also request a SOC 2 report from your vendor.
• Determine ownership. Consult legal counsel to determine who owns your data after it is transferred to an outside vendor. In most situations in the United States, you own the data regardless of where it is stored.
• Know what’s on your network. The Internet of Things (IoT) can increase operational efficiency, but it can also decrease your level of security. Organizations are compromised every day via third-party systems that they did not know were on their network. If you can’t tell when a new device is added anywhere on your network, there’s an issue.
• Practice what you preach. You’ve heard these tips before, but it never hurts to reinforce good cyber hygiene. If you demand it of your service providers—which you should—you should also demand it of your employees. Evergreen cybersecurity tips include keeping all software up to date, using two-factor authentication, practicing good password management, training staff to recognize phishing schemes and monitoring your network. You can also engage a cybersecurity expert to conduct advanced penetration testing to uncover potential vulnerabilities in your systems.
As this recent example of cyber vulnerability shows, your ability to function is directly tied to your vendor’s procedures, quick response and advance planning. Take the steps outlined above to help ensure you’re doing your due diligence when selecting third-party vendors as part of an offense-oriented cybersecurity strategy.
About Mike Skinner
Mike Skinner, CPA, CITP, CISA is the partner in charge for HORNE Cyber. His primary focus is to enable clients to fully leverage technology innovations by providing the insights critical to safeguarding their business, customers’ critical data and brand reputation while gaining return on investment from IT regulatory compliance activities. He is responsible for cybersecurity, information technology audit, regulatory compliance and business solution implementation.