The Kentucky CPA Journal


Cyber security: You are the target

Issue 4
November 1, 2023

By Jay Rollins

Cyber Security

Many small businesses put off investing in cyber security because of the following common myths:

  1. I am too small; the bad guys will not bother with me.
  2. It is too expensive.
  3. My IT person handles our security.
  4. We have insurance.
  5. We are in the cloud.

With hundreds of companies as customers since our founding in 2010, we have gained insight into a wide range of cyber-attacks. As the financial advisor, controller, CFO or CPA for your customers or your company, risk management duties tend to fall on your shoulders, and cyber security is risk management.

Addressing the myths

I am too small:

The truth is, you are not too small. Many hacking organizations are associated with organized crime, not just the 14-year-old in mom's basement playing hacker.

Most of these organizations run automated routines, or bots, that roam the internet looking for vulnerabilities to exploit. Once a bot reports a vulnerability, an actual person analyzes the options it opens up.

First, they look for you, the financial lead for your company or your customers, as a primary target. They search LinkedIn and other social media platforms to gather information that feeds password guesses (pet names, anniversary dates, favorite sports team, etc.) and use it in brute force password attacks against email or other avenues of access. The same information fuels a social engineering campaign or a targeted phishing attack by email or text. Once they gain access, they wait patiently for an opportunity.
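As an added example (not code from the article or its author), the following Python script shows how a handful of public profile facts becomes a focused password wordlist of the kind described above, and lets you check whether a given password would fall inside it. The profile facts, the suffix list and the character substitutions are constructed assumptions about attacker behaviour, not data from the article; the names, date and team are invented.

```python
"""Added example (not from the article): how an attacker turns public profile
facts into a password wordlist, and how to check a password against it.

All facts below are constructed for illustration; the names, date and team
are invented, not taken from any real person or from the article.
"""
import itertools
from datetime import date

# Constructed "OSINT" facts of the kind the article says attackers harvest
# from LinkedIn and other social media.
PROFILE = {
    "pet": ["rover"],
    "team": ["wildcats"],
    "anniversary": [date(2015, 6, 14)],
    "kid": ["emma"],
}

# Common endings people bolt onto a familiar word to "make it secure"
# (assumed list, not from the article).
SUFFIXES = ["", "!", "1", "12", "123", "!1", "1!", "2023", "2024"]

# Leetspeak substitutions attackers routinely add to a wordlist.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def _case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def _date_tokens(d):
    """Digit strings people derive from a memorable date."""
    return {d.strftime("%Y"), d.strftime("%y"), d.strftime("%m%d"),
            d.strftime("%d%m"), d.strftime("%m%d%Y"), d.strftime("%m%d%y")}


def build_wordlist(profile):
    """Return the set of candidate passwords an attacker would try first."""
    words, numbers = set(), set()
    for values in profile.values():
        for v in values:
            if isinstance(v, date):
                numbers |= _date_tokens(v)
            else:
                words |= _case_variants(v)
    # Leetspeak variants of each word ("Wildcats" -> "W1ldc@t$").
    words |= {w.translate(LEET) for w in words}

    candidates = set()
    for w in words:
        for s in SUFFIXES:
            candidates.add(w + s)
        for n in numbers:
            candidates.add(w + n)
            candidates.add(w + n + "!")
    # Two profile words glued together ("emmarover", "RoverEmma", ...).
    for a, b in itertools.permutations(words, 2):
        candidates.add(a + b)
    return candidates


def is_guessable(password, profile):
    """True if the password falls inside the profile-derived wordlist."""
    return password in build_wordlist(profile)


def wordlist_size(profile):
    """How many guesses the attacker needs to cover the whole list."""
    return len(build_wordlist(profile))


if __name__ == "__main__":
    for pw in ["Rover2015!", "wildcats0614", "W1ldc@t$!", "Emma123",
               "r4dish-lamp-harbour-7"]:
        print(f"{pw:25} guessable={is_guessable(pw, PROFILE)}")
    print("candidates to try:", wordlist_size(PROFILE))
```

The whole list runs to a few hundred guesses. Tried slowly, or spread across every mailbox in the company, that volume rarely trips a lockout, which is why a long random passphrase and multi-factor authentication protect an account far better than a pet's name with a year and an exclamation mark.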

One company we consulted with had a vendor that was hacked. The attacker monitored the vendor's email traffic with the controller for an unknown period of time and learned that the client had just changed its lead accounts payable person. The attacker took advantage of this change at the client site and targeted a phishing campaign at the client to change the vendor's payment details, resulting in two months of bills, totaling over $120k, being paid to someone other than the vendor before it was discovered.

It is too expensive: 

How much do you pay in insurance? Cyber security is a risk management function, and the costs of many solutions have come down significantly since we started offering cyber security services 13 years ago. What used to cost $15k can now be implemented for $3k. Monitoring and active cyber security management can cost as little as $1k monthly and still meet best practice guidelines.

With a failure rate of 60 percent or more for businesses within 12 months of a successful cyber-attack, $1k monthly is a cheap insurance policy.

My IT person handles it:

Smaller organizations tend to have IT generalists. They need to know about PCs, servers, cloud services, networks, wireless, mobile phones, line-of-business applications and a slew of other technologies, on top of their other responsibilities.

Cyber security is a different animal; it requires a level of detail that takes years of specialized training and deep knowledge of hacking tools and attack types. An estimated four new malware variants are released onto the internet every second of every day. With all the responsibilities your IT person has, what percentage of their time goes to cyber security?

Many organizations with IT generalists outsource their cyber monitoring and security services by contracting vCSO (virtual Chief Security Officer) talent to guide and work closely with IT resources at a fraction of the cost of hiring a full-time CSO or security person.

We have insurance:

Because of the frequency and volume of cyber-attacks, cyber insurance premiums have risen significantly. Insurance companies now require that best practices be implemented before they will insure a company, and cyber insurance applications are becoming significantly more technical in nature. If you answer yes to a question about a control that is not actually implemented (for example, "Do you have EDR (Endpoint Detection and Response) software?"), it can lead to a denied claim.

Non-renewals of existing policies have also risen in frequency. Regardless, insurance payouts do not help with reputation damage or other intangibles.

We are in the cloud:

This does not always help you. Many cloud providers have changed their terms of service or added disclaimers about what is protected, how quickly they can get you back online and how far back your backups go. Additionally, a compromised email account or PC in the local office is an easy way into your cloud services.

Good cyber security practices go a long way toward protecting you and your clients in this world of indiscriminate attacks. Technology and policy together make the best defense against attacks.

If you are unsure about your company's security posture or want a second opinion, find a reputable Managed Security Service Provider (MSSP) or vCSO and get a consultation. Some MSSPs offer low-cost network scans that can find low-hanging fruit quickly.

Let us end on this note

Cyber security is not just a service; it is a shield against the unknown. It is the digital seatbelt, the fire extinguisher for the digital age. By understanding these myths and the realities of cyber threats, we are not just safeguarding data; we are protecting dreams, innovations, and hard work. As we navigate this ever-changing digital landscape together, let us stay vigilant, stay informed, and, most importantly, stay secure.


About the author: Jay Rollins is the CEO for CloudNexus Technologies. CloudNexus performs cyber security managed services for small and midsized businesses throughout the Midwest and parts of the northeastern United States. 

Technology Conference

November 16-17, virtual only
16 CPE hours
  • Determine how to utilize existing and future technologies to address the needs of your organization
  • Describe trends in hardware and software to make more informed decisions for your business and your clients
  • Develop and implement strategies for improving information security and collaboration
  • Utilize the most powerful features of Microsoft Office and other productivity software