
Accounting Firm Security and the FTC: Ensuring Success ‘21

Last week, Roman Kepczyk participated in CPA Practice Advisor’s Ensuring Success event alongside thought leaders David Cieslak and Eric McMillen. The main topic of the day? Accounting firm security. Get the wrap-up of the discussion, and find out what you can do to become a more secure firm now.


Last Updated July 5, 2023


This Ensuring Success, We Focused on Firm Security

Last week, CPA Practice Advisor held their Ensuring Success CPE extravaganza, which was live-streamed to over 3,000 attendees. I participated along with panelists David Cieslak (RKL eSolutions LLC) and Eric McMillen (The McMillen Group) to talk about today’s key security considerations for accounting firms. Keep reading to find out what we discussed about legal requirements, firm security, and data protection.

Takeaway #1: Firms Aren’t Taking Cybersecurity Threats Seriously

The panelists agreed that most accountants do not take cybersecurity threats seriously enough, which puts their firms at risk, particularly as hacker groups increasingly target accountants.
According to IDTheftCenter.org, more than 60 accounting firms have experienced data breaches this year.

COVID and the push to remote work created new risks. And now that many accountants and their clients are doing more work remotely, cybersecurity policies must also extend to protect the work done from these locations.

The panelists suggested that firms:

  • Extend their IT requirements to each remote location
  • Provide support for remote worksites, including homes
  • Mandate the use of firm-provided workstations

Takeaway #2: BYOD Now Means Bring Your Own Disaster

From a security perspective, using firm-provided managed workstations is safer than allowing personal devices, which come with higher cyber risk. And in case you missed it: No one should ever connect with a PC running Windows 7.

The panel suggested that when working from home, firm personnel should:

  • Update their home router’s firmware (any time an update is released)
  • Change their home router’s password regularly, at least once a quarter
  • Segment router access; dedicate one access point for anything work-related and another for home and guests to use

And when working from a client’s site or anywhere in public, remote workers should either:

  • Use a secure or virtual private network (VPN) or
  • Connect to firm resources using their smartphone’s hotspot

If you do not know how to use your company’s VPN or need help setting up your smartphone’s hotspot, we suggest reaching out to your IT team for guidance.

Takeaway #3: Protecting Client Data Is (Still) a Legal Requirement

The panelists also reminded the audience that protecting client data is a legal requirement under the FTC Safeguards Rule. There can be criminal and monetary penalties for knowingly or recklessly disclosing taxpayer information.

Per the FTC Safeguards Rule, firms must train their employees annually on:

  • Basic security protocols: If a cyber event turns from threat to attack, what should the employee do next? Who do they call?
  • The latest phishing schemes: What’s this year’s “Nigerian Prince” scam? What are the trending red flags firm members need to look out for?

In addition to ensuring firm members are aware of basic security protocols through annual training, firms need to have a written information security plan (WISP) that is “appropriate to their firm’s circumstances.”

Right Networks provides access to annual security training through their website resources, including a list of current, on-demand security webinars.

And for automated phishing training, services such as KnowBe4, Cofense and Proofpoint are being utilized by accounting firms.

Takeaway #4: Passwords, Passphrases Aren’t Enough; Use Multi-Factor Authentication

The panelists noted that one of the primary goals of hackers is to obtain users’ logins and passwords, so it is crucial to have a unique password for each login and never re-use one. A few more recommendations were:

  • Have passwords at least 12 characters in length
  • Use a mix of unique passwords and passphrases
  • Secure credentials and store passwords with tools like Dashlane, LastPass, Keeper, etc.

But when it comes to passwords, overall, the panel agreed that any single authentication method wasn’t enough of a safeguard. Multi-factor authentication tools, like Duo, verify a user’s identity by sending a code or push notification to that user’s device.

Additionally, the use of multi-factor authentication tools is an IRS requirement for online tax application access. The panel suggested coordinating the installation of each of these security tools with an external security professional instead of trying to figure it out on your own.

Learn more about multi-factor authentication by downloading 3 Reasons Why You Should Be Using Multi-Factor Authentication Security.

Takeaway #5: The Most Effective Firm Security Strategy? IT Outsourcing.

Firms don’t have time or resources to be mucking with DIY security. And typically, they don’t have enough staff on board to dedicate to keeping their firm secure. 24/7 threat monitoring, daily back-ups, policy development, and all of the other security best practices required these days are more than a one-person job.

The panelists agreed that firms do not have IT staff with the necessary time or skills to provide comprehensive security.

Outsourcing to managed IT providers or moving to a cloud provider with enterprise-class security built into their hosting packages is the only way to safeguard firm infrastructure.

Right Networks also provides customers with managed workstation services, including securing their local workstations.

In Conclusion

All accountants need to understand their cybersecurity status. To understand your level of protection and identify where your firm may be vulnerable to a cyber attack, review The CPA Cybersecurity Checklist: What Firms Need to Do to Protect Their Data with your IT provider as soon as possible.
