Is it safe? 10 steps to better firm security

March 1, 2022 2:34 PM

With CPA firms a prime target for cybercriminals seeking sensitive information, and those bad actors only growing more sophisticated in their attacks, accountants need to make sure they stay ahead of the next big security breach. Mark Burnette, partner-in-charge of information security at Tennessee-based Top 100 Firm LBMC, outlined the 10 best practices he shares with colleagues and clients alike, and we asked a roster of fellow CPA security experts to add their insights.

(For more on the threats firms face, see our feature story.)

1. Conduct a cybersecurity risk assessment

Thumbnail for Video: Malpractice Risks to Watch Out For

By evaluating and prioritizing the biggest internal risks, firms can refine their cybersecurity efforts and structure firmwide policies. “All organizations have cybersecurity risks but most companies don’t know where to focus their attention, and where to direct their limited resources to have the biggest impact,” said Burnette.

2. Inventory and account for sensitive data

Nikita Gonin/ninog - Fotolia

“Be able to account for the nature and types of sensitive data you store, process and transmit,” advised Burnette. “Sit down and interview business leaders to understand the types of things the business does, the various business operations, identify the nature and type of data being used in operations. Inventorying that data gives a starting point for security efforts. That’s what you want to secure — sensitive data is where all the risk is.”

3. Require strong passwords and implement MFA

“Implement multifactor authentication as much as possible, at a minimum,” said Chris Williamson, CIO of Houston-based Regional Leader McConnell & Jones. “Anything is better than nothing. Things you can’t implement multifactor for, have a strong and robust password policy. Make sure people can’t put in a four-digit password, or 1234. I’ve been trying to do this for years, to get people to go with pass phrases and words that don’t go together.”

5. Implement security monitoring capabilities

St. Louis-based Top 100 Firm Anders shared an example of their security monitoring efforts. “We do continuous vulnerability scans,” said CIO Theresa Stearns. “We are constantly monitoring emerging threats, and once they are identified, [the threat] automatically gets scanned, [showing] this server could have this type of vulnerability. And we can go into action.”

6. Create a third-party monitoring program

viappy - Fotolia

For their security monitoring efforts, Anders outsources to a third-party company that Stearns deems a necessary investment: “I look at it as, even if I went and hired a security expert, they couldn’t monitor my system 24/7 … . An annual investment, the budget for this type of monitoring is far less than we’d pay an individual. It is a lot of money, but you have to do that today. You have to have a budget — people understand the risk is there.”

7. Train employees on an ongoing basis

Picasa/Rawpixel.com - stock.adobe.com

Firms generally understand the importance of regular security training. In a recent survey by Accounting Today’s parent company, Arizent, providing cybersecurity training to existing staff was identified as the third-biggest concern of accounting professional, at 32%. But security experts agree that annual training is not sufficient, and should be supplemented by other tests, like simulated phishing attacks, and regularly communicated updates on the latest threats.

8. Develop an incident response plan

Part of every firm’s security program should be a set of information security policies and procedures that you can use to identify, contain and eliminate cyberattacks. “Many [organizations] don’t have an incident response plan: what to do when something happens,” shared David Hammarberg, partner at Camp Hill, Pennsylvania-based Regional Leader McKonly & Asbury. “An incident response plan involves IT and senior management — just like a business continuity plan.”

10. Audit your security measures periodically

Firm’s security policies are only as good as the accountability behind them. In addition to IT professionals regularly testing these measures, employees should be made aware of the important part they play in keeping the firm secure. “The important part is having them reviewed annually — if they are not reviewed annually, it’s not going to do anyone any good,” advised Hammarberg. “A lot of companies have policies and procedures on their drive and they are not distributed … . I like the procedure of having employees sign off on them annually; it gives them more responsibility and they take it more seriously if they sign off on it.”