How To Keep Your CPA Firm’s Data Safe In The Era of Digital Security Breaches

It seems like every day we learn of another data security breach involving some of the largest and most powerful companies in the world. Unfortunately, no one is immune to a virus, as we can attest to from our recent experience.

Smaller businesses (when compared to giants like Wells Fargo, Target, and Equifax) are being targeted by hackers and malicious programs more and more frequently.

• 43% of cyber attacks target small businesses. (Small Business Trends)
• It takes an average of 191 days or a little over six months for a company to detect a breach. (Tech Beacon)
• According to the National Cyber Security Alliance, 60% of small businesses that experience a cyber breach close within six months. (Inc.)

Now, if you’re thinking to yourself, those small businesses must have been really small and not had an IT department. Well, that’s actually not the case. The data listed above applies to businesses with only a handful of employees to around 100. The point is, your CPA firm, whether it’s nine employees or a few hundred, needs an experienced IT team to take the necessary steps to protect customer and company data.

According to Thomson-Reuters, “Small companies are becoming more of a target because criminals know large firms are devoting more resources to cybersecurity,” says Eric McMillen, an information security consultant...who works with the financial services industry. “A common argument I hear is, ‘I’m just a nine-person accounting firm. Why should anyone want to go after me?’ Well, you probably have 1,000 or more pieces of client data that a criminal can use.”

So, what steps do you need to take to better protect your CPA firm’s data and your clients?

Conduct a System Assessment

IT infrastructure and behavior assessments need to be ongoing. Conducting an assessment at a single point in time and not reassessing at regular intervals is a recipe for disaster.

In order to understand where your CPA firm might be vulnerable, you need to have a deep understanding of your hardware, software, and your staff behaviors first.

When your CPA firm has other priorities--like taking care of its clients during the craziness of tax season--assessments can fall by the wayside. Be thoughtful about when you conduct your assessments by scheduling them during less busy parts of the year, so your IT team and core working group can focus on triaging your cybersecurity protections with minimal distractions.   

Train Your Team

Cybersecurity is not just IT’s responsibility.  All of your employees need to take ownership of data protection. The latest and greatest software in the world can’t stop a single employee from opening a phishing email that gets the bad guys into your system.

A cybersecurity educated and trained workforce is your best line of defense against security breaches. Training should be an ongoing professional development requirement that will reinforce company-wide security policies like the following:

• Clear, enforced password rules. Don’t allow your staff the freedom to create simple passwords that they never change. Implement clear password requirements and designate password change deadlines that are appropriate for your industry.
• Restricting access and permissions. Employees should only have the keys to what they need to perform their job.
• Make sure all devices are protected. Cybersecurity should not just focus on an employee laptop--phones, tablets, and any other device doing company business must be protected.
• Require multi-factor identity verification. This means that staff cannot always access data using only their username and password. A text or email verification could be required for full access.
• Document your policy and enforce it. Your cybersecurity protocols and processes need to be written down and signed off on. As threats and technology change, your document needs to evolve and your team needs to get retrained. Have your team sign the document and hold them accountable.

Get Help

Smaller and midsize CPA firms often have no dedicated IT staff or only a few employees that are stuck in “break and fix mode.” Many cybersecurity strategic needs get discussed, but few, if any, actually get completed.

This isn’t anyone’s fault. It's typically caused by a lack of human capital and resources. That said, if you consider the damage a successful hack can have on your reputation and on your clients’ lives, investing in outside IT and cybersecurity expertise is really a no brainer.

The investment in a partnership with a cloud and managed IT services provider frees your non-IT employees from the burden of tasks not in their area of expertise, and it also alleviates “break and fix” pressure on your IT team. Both your unofficial IT person and your official IT staff can move beyond immediate issues to focus on their actual job and longer-term strategic IT issues, respectively.

Your managed IT service partner will provide 24/7/365 system monitoring, automatic software updates, patch management, and overall system management. At Cetrom, we take a three-pronged approach to protecting your CPA firm’s most important data:

• Physical Security. We secure our two cloud data centers with armed guards, biometrics, pre-approved clearance, restricted access, and more.
• Logical Security. To protect your network, we utilize enterprise-level firewalls, multi-layered virus and spam protection, intrusion prevention, daily backups, encryption, two-factor authentication for sign-on access, and user-defined permissions. We also pioneered a unique hybrid cloud option, which adds on-site server backup for added redundancy and peace of mind.
• Methodological Security. This level of security considers the “human factor”, such as confirming that every manual process is approved by multiple cleared users. Errors or hacks can occur at any level, but it is the methodological level that can cause the most issues, which is why we follow strict industry security best practices.

What’s more, all of our support team members are certified tier-3 level engineers that are available every day, all year to help your IT team solve pressing problems.

The cyber threat environment is real and changes in the blink of an eye for corporate behemoths and small to midsize businesses alike. The threat is real and ever-present as is the real damage malware or a data breach can cause your business.

Remember, like most complex challenges there is no one solution to protecting your CPA firm from a cyber attack.

It will take a combination of your team’s dedication, the proper utilization of the right software and hardware, and the assistance of external experts to provide the on-all-the-time coverage every business needs to counter today’s threat matrix.