For CPA firms, the start of 2020 is more than just the advent of a new year, it’s also the beginning of tax season. As your firm looks ahead to 2020, it’s an important time to assess the successes, challenges, strengths and weaknesses that emerged over the course of 2019.
One of the most important assessments your CPA firm can conduct is the state of your cybersecurity policies, technologies and plans.
The question is not if your firm will be targeted; the question is when.
CPA firms of all sizes need to operate under the assumption they will be targeted by bad actors and be prepared to identify a breach, quickly respond to an attack and have a plan in place to recover.
This is the reality of a financial industry that has what hackers want: sensitive data that can be held for ransom or leveraged for financial gain. As tax season approaches—a prime time for cyberattacks and the worst possible time to experience one—is your CPA firm prepared?
To help you explore this question, Cetrom has pulled together the following cybersecurity checklist for your CPA firm to add to its New Year resolution list as it heads into tax season.
Develop a Disaster Recovery Plan
The first step to stronger data security is simply accepting that a cyberattack is coming sooner or later. Once your IT team and you accept this reality, developing a disaster response and recovery plan is a no-brainer. Here are a few tips for building an effective plan:
- Assess your response plan as it currently stands, identifying strengths and weaknesses
- Create a disaster response and recovery team comprised of staff members from IT and all other departments
- Develop, document, and communicate the final plan to all employees
- Create standing re-evaluation periods where the plan can be adjusted, updated, and improved
- Practice, practice, practice. Run mock attacks and breaches periodically to test your team
The bottom line: Your CPA firm will get hit. How fast and how well you respond is directly correlated to the damage that will be done to your bottom line and brand reputation.
Train Your Team to Defend Your Data
Your staff represents one of the gravest cybersecurity risks out there; it is also possibly the most difficult risk to mitigate. Human error, ignorance to possible threats and poorly communicated internal protocols can very easily lead to network breaches. The most effective solution: constant education and training of your staff. Training should be an ongoing professional development requirement that will reinforce company-wide security policies like the following:
- Clear, enforced password rules. Don’t allow your staff the freedom to create simple passwords that they never change. Implement clear password requirements and designate password change deadlines that are appropriate for your industry.
- Restricting access and permissions. Employees should only have the keys to what they need to perform their job.
- Make sure all devices are protected. Cybersecurity should not just focus on an employee laptop—phones, tablets, and any other device used in doing company business must be protected.
- Require multistep identity verification. This means that staff cannot always access data using only their username and password. A text or email verification could be required for full access.
- Document your policy and enforce it. Your cybersecurity protocols and processes need to be written down and signed for accountability. As threats and technology change, your document needs to evolve and your team needs to get retrained. Have your team sign the document and hold them accountable.
Integrate Artificial Intelligence (AI)
AI is a valuable tool for thwarting cyberattacks, be they malware, ransomware or a solo hacker. It’s an established fact that human monitoring of any given IT network is doomed to failure. AI can be a great weapon against cybersecurity attacks.
- Earlier Breach Detection. AI’s always-on, always-scanning nature not only can reduce vulnerabilities, it also can increase attack response times by allowing your IT team to focus on response rather than everything all at once, including detection. In that way, AI enhances your cybersecurity program both in detection and response.
- Email Scanning. Having automated, AI-led email monitoring is really the only effective approach to mitigating the biggest cybersecurity risk of all: your staff.
- AI Is Better Than Antivirus Software. Antivirus tools are always lagging behind the pace of existing malware threats. AI can detect anomalies and unusual program behaviors as they happen, so there is no gap for malware of hackers to exploit between signature detection and distribution.
Bulk Up Your Backup Processes
Finally, you must have a regimented, sophisticated, and repeatable backup process for your data.
- Multiple backups need to be conducted daily
- You need to use various methods to backup your data to create redundancies; these could include cloud backups, hard drive backups, or other methods
- The key is that these backups must live outside of your network and some should live beyond your physical office space to mitigate the risk of natural disasters, fires, or break-ins
Use this checklist to orient your 2020 cybersecurity planning and budgeting. CPA firms can no longer afford to push off or ignore investing in more robust data security technology, services, processes and protocols.
If you have any questions or would like expert advice on how to transform your security infrastructure, Cetrom is ready to help. Reach out to us today.