IMGCAP(1)] For the first installment of this series, click
CPA firms are both data collectors and data overseers, and they rely on numerous forms of technology to accumulate and distribute data. From tax preparations to audit documents, CPA firms are responsible for countless pieces of information for both their customers and their firms. This makes them doubly at risk for cybercrimes. And no business, even a CPA firm, is safe from cyberattacks.
Over
Should a firm’s data security be breeched, clients’ personal information could be compromised, negatively impacting the firm’s reputation. It’s important for all accounting firms, big and small, to understand the appropriate ways to keep themselves safe against cyber threats.
Here are the next three ways an accounting firm can bolster its security and safeguard its reputation.
4. Educate employees.
End users pose the greatest risk to a CPA firm’s security, but this threat can be reduced if the proper employee education is in place. Managers should be sure their staff is aware of the proper security protocols when storing and sharing important information. It’s also important for staff to be aware of the appearance of phishing scams and understand the best methods for safeguarding against virus and malware threats.
Firms can sufficiently educate employees on security best practices through a few methods. Passwords serve as a basic and easy method through which accounting firms can bolster security. However, when passwords are carelessly managed or are not updated regularly, firms can increase the chances of hackers cracking the code and gaining access to their systems.
Employees are often unaware they’re committing a security violation until it’s too late. It’s necessary for accounting firms to ensure their staff is aware of the best practices for internet, social media, and general device usage. Activities such as video and audio streaming may be forbidden and members of the firm may remain unaware of these policies without the proper education.
Firms should not only describe the various threats, such as malware, phishing scams, and viruses, but provide real-world and/or internal examples of similar incidents. By providing tangible examples of such events, the possibility of a network intrusion becomes more relatable to the firm’s staff, thus encouraging its members to implement the necessary safety protocols in their day-to-day work habits.
The development of mobile technology has been both a blessing and a curse to CPA firms trying to improve communication while maintaining security. Firms can establish a Bring Your Own Device (BYOD) policy in place to establish a set list of protocols on how to handle mobile technology. If an employee’s laptop is stolen or lost, a firm must have the ability to wipe the device of all sensitive information to prevent valuable data from being accessed by a malicious user.
Firms should also be wary of wireless, even with a BYOD policy. If employees travel frequently, they likely make use of a variety of wireless networks. While this may be useful when employees are trying to work and travel simultaneously, a majority of the networks available in airports, hotels, coffee shops, and restaurants lack the necessary security measures to ensure the firm’s information is sufficiently protected. Employees should use their firm’s virtual private network or purchase a mobile Wi-Fi hotspot to avoid using public networks.
5. Have a plan.
Your firm cannot eliminate all chances of a security breach, so it’s important to have a plan in place to address a threat if it does in fact occur. Your firm should establish a disaster recovery plan that outlines what to do in the event of a security compromise.
A suitable incident plan includes important elements such as having a compliant litigation hold in place, systems to confirm the event and an appointed person in charge of resulting the investigations. Once the threat has been identified, managers should decide if the situation requires external or internal resources.
Firms need to remedy the immediate threat, but should preserve the evidence of what occurred to prevent further damage from the hacker and ensure the network’s security. Then it is important for managers to determine what breach response protocols the law requires a firms to take after the compromise occurs. The best practice to prevent further threats from occurring is to learn from mistakes made.
6. Be cloud conscious.
If hosting data in the cloud, your firm should be sure to check the location where its information is stored. If the cloud data is hosted on servers outside of the U.S., the firm’s information and clients’ information could be subject to search and seizure, depending on the laws of the specific country where the information is stored. In addition, firms should verify the cloud provider adheres to the compliance standards and security protocols specific to the firm.
In order to sufficiently safeguard data, leadership should be able to answer particular questions to determine the ability of the cloud service provider. For instance:
- “What encryption methods are in place for data in transit and at rest?”
- “Who is responsible for the encryption keys?”
- “Does the firm’s client base approve of data being stored in the cloud?”
- “What litigation holds does the cloud service provider have in place to prevent the deletion of data?”
Taking the necessary steps to protect your firm’s reputation and client information in and out of the office, from staff auditor to a senior partner, is easier than one might think. Doing so provides an invaluable service to you, your firm, and your clients.
Bryan Gregory is president of
