With the myriad cyber threats today, every accounting firm should have an information security policy, even at a basic level, according to IT consultant Donny Shimamoto, who presented at the American Institute of CPAs’ Engage conference in Las Vegas this week.
While a policy can help safeguard client information at a time when sensitive data is increasingly under siege, it can also protect the firm.
“Not having a policy is putting you in the gross negligence area,” explained Shimamoto, who is the managing director at IntrapriseTechKnowlogies and director of innovation at the Houston CPA Society. “Even the attempt to have one is better than not having one at all.”
For firms with no policy in place, Shimamoto recommends they start with a basic template, adding that following that plan is also critical.
Dan Moore, owner of D.T. Moore and Co. in Salem, Ohio, and a co-presenter with Shimamoto for their Engage session on identity theft, has gone far beyond that baseline at his firm.
Moore has developed policies and procedures to help keep his firm secure, detailed in a 47-page security policy, which Shimamoto reviewed before their presentation. Before outlining the steps he has taken, Moore shared some sobering statistics.
“Since the beginning of the year, the IRS released 10 announcements on identity theft, and seven were directed to tax professionals,” said Moore.
According to the Ponemon Institute's data breach study released in June 2017, 47 percent of data breaches involve malicious or criminal attacks, 28 percent are the result of negligent employees, and 25 percent come from system or IT business-process failures, Shimamoto explained. Given those numbers, he continued, the idea that every breach is the result of criminals hacking into the computer is a myth. The major Equifax breach in 2017, for example, was the result of a business-process failure: a known software vulnerability that went unpatched.
With stories like that widespread hack continually in the news, firms are generally aware of the threat to their clients’ data and might have basic procedures in place, but Moore recommended they consider further actions.
- Consistent communication. “During tax season, we have discussions [about cybersecurity] monthly, usually over lunch,” Moore said. “Any news releases the IRS puts out, I have employees sign up for them. Then we scale back and do it quarterly for the main portion of the year. The monthly [during tax season], in my opinion, is required, particularly because I have three seasonal staff members.”
- Hiring experts to find cyber and physical vulnerabilities. Moore brought in an ethical hacker to test his firm’s systems, which were found to be sufficient. The hacker then provided a formal written report, which Moore found especially valuable. Moore has also walked around his office building with both local law enforcement (after someone attempted to break in through a window) and, more proactively, with a professional at a security alarm company. Both identified new areas of risk that had not occurred to Moore, including spots in the office that needed additional lighting or security cameras.
- Preparing for natural disasters. Moore’s firm has a separate and secure server room, with decorative shutters, glass protectors and an alarm system. The only thing missing to make it especially secure, he said, is concrete walls.
- Compiling contact lists. Even with all these protective measures in place, firms should operate under the assumption a security breach is still very likely, and have a list handy of everyone they need to contact in the event it happens. Besides the usual suspects, like clients, this list can include, according to Moore: the FBI, the IRS Criminal Investigation division, state and local law enforcement, attorneys general, and PR people to help manage the communication and damage control.
Other tools and methods Shimamoto and Moore recommended during their session included two-factor authentication (already required by most tax software) and email-scanning software. Unlike antivirus software, which reacts to malicious content only after it has already reached the firm's computer (at which point the firm is already exposed to liability), the scanning software inspects inbound mail and rejects messages that contain sensitive data such as Social Security numbers or bank routing numbers before they land in the inbox. After rejecting the email, it sends the client a note asking them to use a secure link instead.
This is just one more layer of security firms can add, among the many Shimamoto has urged accounting firms to employ. These include both tools and best practices because, as Shimamoto reminded attendees, “some solutions are not technical solutions, they’re procedural.”