Last week, CPA Practice Advisor held their Ensuring Success CPE extravaganza, which was live-streamed to over 3,000 attendees. I participated along with panelists David Cieslak (RKL eSolutions LLC) and Eric McMillen (The McMillen Group) to talk about today’s key security considerations for accounting firms. Keep reading to find out what we discussed about legal requirements, firm security, and data protection.
The panelists agreed that most accountants do not take cybersecurity threats seriously enough, which puts their firms at risk, particularly as hacker groups increasingly target accountants.
According to IDTheftCenter.org, more than 60 accounting firms have experienced data breaches this year.
COVID and the push to remote work created new risks. And now that many accountants and their clients are doing more work remotely, cybersecurity policies must also extend to protect the work done from these locations.
The panelists suggested that firms:
From a security perspective, using firm-provided managed workstations is safer than allowing personal devices, which come with higher cyber risk. And in case you missed it: No one should ever connect with a PC running Windows 7.
The panel suggested that when working from home, firm personnel should:
And when working from a client’s site or anywhere in public, remote workers should either:
If you do not know how to use your company’s VPN or need help setting up your smartphone’s hotspot, we suggest reaching out to your IT team for guidance.
The panelists also reminded the audience that protecting client data is a legal requirement (FTC Safeguards Rule). There can be criminal and monetary penalties for knowingly or recklessly disclosing taxpayer information.
Per the FTC Safeguards Rule, firms must train their employees annually on:
In addition to ensuring firm members are aware of basic security protocols through annual training, firms need to have a written information security plan (WISP) that is “appropriate to their firm’s circumstances.”
And for automated phishing training, services such as KnowBe4, Cofense and Proofpoint are being utilized by accounting firms.
The panelists discussed that one of the primary goals of hackers is to obtain users’ logins and passwords, so it is crucial to have a unique password for each login and not re-use them. A few more recommendations were:
But when it comes to passwords, overall, the panel agreed that any single authentication method wasn’t enough of a safeguard. Multi-factor authentication tools, like Duo, verify a user’s identity by sending a code or push notification to that user’s device.
Additionally, the use of multi-factor authentication tools is an IRS requirement for online tax application access. The panel suggested coordinating the installation of each of these security tools with an external security professional instead of trying to figure it out on your own.
Firms don’t have the time or resources to be mucking with DIY security. And typically, they don’t have enough staff on board to dedicate to keeping their firm secure. 24/7 threat monitoring, daily back-ups, policy development—and all of the other security best practices required these days—are more than a one-person job.
The panelists agreed that firms do not have IT staff with the necessary time or skills to provide comprehensive security.
Outsourcing to managed IT providers or moving to a cloud provider with enterprise-class security built into their hosting packages is the only way to safeguard firm infrastructure.
Right Networks also provides customers with managed workstation services, including securing their local workstations.
All accountants need to understand their cybersecurity status. To understand your level of protection and identify where your firm may be vulnerable to a cyber attack, review The CPA Cybersecurity Checklist: What Firms Need to Do to Protect Their Data with your IT provider as soon as possible.