As Russia's invasion of Ukraine enters its third week, fears of a massive cyber offensive hitting Ukrainian and NATO targets have yet to become a reality. But the relative quiet on the cyber front so far does not mean that accountants, their firms, and their employers can rest easy.
Accounting professionals must remain aware — and wary — of the increased threat of Russia-backed cyberattacks. Just because cybercriminals are not making much noise doesn't mean they aren't making moves.
That's the view of Allison Davis Ward, CPA, a cybersecurity expert who is a partner with CapinCrouse LLP subsidiary CapinTech in the US. In an email interview, Ward assessed the cyberthreat landscape and offered several tips for what accountants can do to help their firms mitigate their risk of falling victim to cybercriminals.
Following are Davis' answers to the questions sent to her by FM. The questions and answers have been lightly edited for style and length.
Do you expect the cybersecurity threat to grow globally due to the war in Ukraine? If so, in what ways?
Allison Davis Ward: I do. Cyberattacks are going to continue to increase as a form of weaponry during wartime — even more so than they already have been. The cyber world allows bad actors and state-sponsored groups to attack from anywhere. Bad actors don't have to be on the ground in a country involved in a conflict to cause significant damage and distress.
The world's reliance on technology will only increase as it becomes more and more integrated into daily life. Cyberthreats will continue to evolve with those changes.
It seems like it's been quieter than expected on the cyberattack front in the US since the war started. Is that accurate?
Ward: We need to be very careful during these "quiet" periods and not let them give us a false sense of security. As we've seen with many significant cyberattacks, there is often a period of reconnaissance. Hackers use this time to gain access to systems, gather information, and learn about the organisation they have infiltrated so that when the time presents itself, they can launch their attack in a way that has a higher chance of success. This current "quiet" period could very well be that time of reconnaissance where hackers are determining the best way to attack to create the most significant impact.
What are the particular threats most commonly associated with state-sponsored cyberattacks?
Ward: Attacks on the supply chain go hand-in-hand with state-sponsored cyberattacks. The bad actors' goal for these attacks is to create significant, widespread disruption and damage. What better way to have that impact than to target a joint vendor, supplier, or another third party used by many different organisations in a variety of industries? By attacking a shared third party that is used by thousands of organisations, bad actors can cause damage to numerous organisations at once. It can be an efficient and effective way for attackers to achieve their goals.
Phishing and ransomware — two threats we've come to know very well in recent years — are also to be expected. It's proven that phishing works, and it gives bad actors an entry point to launch many of their attacks. Ransomware continues to evolve, making it extremely difficult for us to battle it. It also can be highly detrimental for an organisation, causing many to make a tough decision on whether to pay the ransom. Unfortunately, if the ransom is paid, it only funds the industry further and provides bad actors with the resources to continue carrying out their attacks.
The exploitation of vulnerabilities is rampant and is another area commonly associated with state-sponsored cyberattacks. Vulnerabilities are identified frequently, and organisations do not always patch and mitigate them as quickly as they should. State-sponsored hackers often use a variety of methods to scan systems and infrastructure to identify these unmitigated vulnerabilities. Once found, they use them as the starting point to either launch an attack or to gain entry into a network to perform further reconnaissance.
Are there specific sectors that you'd anticipate would be most at risk during this time?
Ward: I think outside of governmental agencies, organisations that support our critical infrastructure or provide nationwide services should be most vigilant. The ransomware attacks that Colonial Pipeline Company and JBS Foods dealt with in May 2021 showed us how much cyberattacks on those industries can affect the entire country. The trickle-down effects to individuals were significant.
A single attack on our police departments, water treatment facilities, power plants, and healthcare facilities, among many other organisations, could have widespread impacts for the nation. In a time when cyber warfare is a real threat, bad actors are going to aim to attack organisations and industries that will allow them to cause the most damage and the largest disruption.
What security strategies should be front and centre for organisations right now?
Ward: Awareness is the first step. You can't successfully mitigate threats if you don't know what those threats are. As mentioned above, many attacks start with social engineering — a phishing email that gets past the email filter and into the hands of an employee who doesn't realise it is malicious. It is imperative to empower your end users with the knowledge of basic cybersecurity hygiene. Help them understand that they are just as critical to the security of your organisation as your firewall. They are the human barrier for your organisation.
Secondly, you need to mitigate your vulnerabilities. That again starts with knowing what those vulnerabilities are. If you can conduct external and internal vulnerability scanning, do so frequently. Resolve any configuration issues or vulnerabilities resulting from outdated or obsolete systems as soon as possible. Then scan again to ensure you've addressed the vulnerability adequately. If this type of scanning is not feasible for you, look to other resources. Do you have other tools that can provide these insights? Do you monitor alerts from your vendors, news sources, and other information-sharing groups that can help you identify threats you may be susceptible to? These can all be ways to increase your awareness.
It's also important to revisit your patch and anti-malware management processes. So many vulnerabilities arise from outdated and obsolete systems, and bad actors and malware can often exploit these vulnerabilities. Decommission obsolete systems. Ensure all relevant devices are included in these critical patch and anti-malware management oversight processes. In addition, don't forget about ancillary, internet-connected endpoints like smart TVs, multi-function printers, thermostats, and security systems. If it connects to the internet, it can potentially be used as an initial attack point.
I would also encourage organisations to think about the risks that have evolved from the continued implementation of hybrid work environments, which has led to an increased reliance on third parties and more employees working remotely. Many people feel a false sense of security working from their homes; however, an issue at an employee's house can ultimately affect your organisation and its systems and data. Similarly, I have conversations frequently with organisations that tell me they don't have any risk because they outsource everything to third parties. But as we've seen time and time again, attacks on the vendor supply chain can detrimentally affect a vendor's clients.
Organisations also need to refocus on detection and response efforts. With the world as it is right now, especially with ongoing conflicts, incidents are no longer a matter of "if" but "when". At some point, organisations will be dealing with some form of cyberattack, if they haven't already. A lot of focus tends to go into preventive controls — and while those should be a significant portion of a control framework, it's also important to be able to identify when a preventive control has failed.
Assess the visibility you have into your systems, infrastructure, and applications — regardless of where they are hosted. Are you successfully monitoring these areas for potential intrusions? Are you monitoring them in a way that allows you to respond effectively and efficiently? Once you detect the issue, do you have plans in place to minimise the impact on other systems? If the answers to any of these questions are lacking, it is probably time to refocus and address those questions.
What can finance executives and accountants who advise businesses do during this time to help the organisations that they serve or advise?
Ward: The biggest thing finance executives and accountants who advise businesses can do during this time is to be an advocate for cybersecurity. Finance and accounting practitioners — whether internal or external to a business — are trusted advisers. While they may not be responsible for all of the ins and outs of cybersecurity and how certain threats should be mitigated, understanding what the threats are and the potential impact on the organisation is an important first step.
Discuss these issues with the leaders of the organisations you serve. These leaders will be the key decision-makers guiding cybersecurity investments, and you can help them understand why cyberthreat mitigations need to be prioritised.
It is often very difficult for business leaders to justify reallocating or incurring additional expenses to the cybersecurity function. Finance and accounting practitioners can help these leaders understand that cyber risk is as much a business risk as strategic, reputational, operational, and financial risks. It's a risk you must prioritise now — and in the future — to ensure that you can continue securing and serving your organisation and constituents for many years to come.
Is a cybersecurity budget increase necessary at this time, or are there ways you can implement better security with minimal spending?
Ward: Increases in the cybersecurity budget are not only necessary right now, they have been necessary for a long time. That being said, not every organisation has the financial resources to implement some of the measures discussed. That shouldn't discourage organisations from taking whatever steps they can, however.
Increase your organisation's employee training on threats. Talk to your business leaders about the threats to start to build a culture of security. Understand what assets you must protect in your organisation and what the biggest risks are to them. Awareness is vital for organisations that may not have the ability to implement certain technical controls.
Finally, I recommend that all organisations revisit their control frameworks regularly. Controls are all about layers. Ensure that you have enough layers so that if one primary control fails, there is a backup control to minimise the risk and impact. What is not achievable today may be something that can be implemented six months down the road.
It's important to ensure that cybersecurity controls constantly evolve to address changing threats. Controls put into place today may be insufficient to mitigate the same threats in the future. If we don't recognise that cybersecurity efforts need to be ongoing, we may be putting our future at risk.
— To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.