Day after day we hear about another cyberbreach, another phishing attack, another zero-day vulnerability that we have to patch for, and now we are learning that AI tools are being used by hackers in increasingly sophisticated attacks.
This constant stream of cyberattacks can create anxiety in firm owners, particularly those who are already grinding away in busy season mode and have little time to focus on anything outside of the client work in front of them. But now is precisely the time to make sure the firm's security is locked down as hackers know that when people are busy and stressed, they are most vulnerable to making a mistake. So, what can firms do to minimize the risk of being the victim of a cyberattack? Below are five security tips to protect your firm this busy season:
Employee education: Cyberthieves know the easiest way to compromise your network is to trick one of your personnel into clicking on a link in an email or text message, or to have them divulge confidential information via a phone call where the hacker uses "social engineering" tricks to get the accountant to trust the hacker and fall for one of their ploys. Accordingly, the first cyber-step in locking down your firm is to continue Security Awareness Training throughout the busy season! Regularly educating your personnel on the latest phishing and social engineering methods being utilized by hackers is critical, as well as testing them with simulated phishing emails and texts. I also suggest firms highlight the warning signs that identify if they (or a tax client) may have been breached, and issue regular reminders on the steps to take to respond in the event of something suspicious happening.
System access controls: Compromised logins and passwords are another way that cyberthieves are able to hack into the firm, and our second tip is to mandate "modern" access controls. This begins with requiring the use of complex passwords that are unique to each login (a 2022 AT&T study found that 42% of users reuse the same password). Today, I recommend at least 14 characters and to store them in a password manager, which consequently can automatically generate complex password strings that are virtually impossible to guess. Combined with the mandatory use of multifactor authentication and a zero-trust mindset (verify every person before giving them access), firms are making it much more difficult for hackers to login to your account.
Secure collaboration: Securing work with remote employees and clients is the third priority. Firms should utilize VPNs, secure emails and portals to transact and transfer files in an encrypted manner that must be scanned for viruses and malware before opening. The use of USB flash drives should be prohibited for file transfer as this can easily introduce malware. Clients should be educated on how the firm (and the IRS) will work with them, and that for any transaction requiring the disclosure or changing of financial information, there will be a firm-mandated process to do so, as well as verification through secondary means such as an employee-initiated phone call or email to a known number/address.
Professionally managed security infrastructure: Hackers will go after any vulnerability; therefore, it is critical to ensure that all hardware and operating system applications are automatically updated. This means not only the file server and related network infrastructure applications, but also workstations, tablets and smartphones, and all the software running on them. This takes a significant amount of effort and expertise, which is why I recommend all firms outsource their security management to a professional, enterprise-level security/cloud provider that has teams of personnel providing 7/24 coverage. In firm IT reviews, I find the worst exposed firms are those with an understaffed (and undertrained) internal technology team that are so busy that security is a secondary priority and the best being the enterprise-class cloud hosting providers focusing exclusively on the accounting profession.
Security governance: Security governance includes the updating of firm security training and policies, verifying adequate cyber-insurance, and the creation and testing of the firm's written information security plan, including disaster planning and response. However, during busy season, it is critical that firms continue doing hourly "shadow" copies of changed files, daily full-system backups, including transferring them offsite, and most importantly, testing and verification that the backup system is working. In the event of a ransomware attack, rebuilding the network will require access to backups.
Busy seasons will always be the most stressful and hectic times of the year for most CPA firm owners. While working with clients will be the lead priority, it's important not to forget this is the time firms are most at risk from a cybersecurity perspective. Ensuring your firm addresses the five key priorities above will go a long way toward protecting your firm from getting breached.
