How to Keep Your CPA Firm Protected from a Cyberattack

The cyber threat environment changes every day and is a real concern for businesses large, small, and in between. You might be saying to yourself, “We’re too small and under-the-radar to get hit.” Well, unfortunately, that’s not the case; if you operate online and your employees use the Internet (which is every business), cyberattacks are a real and ever-present threat.

Did you know:

• There is no real way to protect your business from Ransomware.
• 22+ companies are being hit by crypto viruses every day.
• Email is the No. 1 culprit of a cyberattack. It only takes one person to activate a virus.
• Viruses are getting more sophisticated every day.
• If you don’t have a strong disaster recovery plan in place, you’re planning to fail.

The cyber threat matrix is complex and consistently difficult to combat. The bottom line is you need a comprehensive security plan that addresses intricate technological issues and possibly the biggest threat of all — human error.

Everything is not doom and gloom; there are some practical steps to keep your CPA firm safer more consistently. At Cetrom, we’re here to help you stay safe, secure, and operating smoothly.

Here are a few practical steps to enhance your cybersecurity program.

Adopt a Three-Pronged Approach
Your approach to cybersecurity cannot be piecemeal; it must be comprehensive and consistently executed, monitored, and adjusted, which can be a tough task for IT teams stuck in “break-and-fix mode.”

We recommend a three-pronged overall approach to improving cybersecurity:

1. Back-Up. You need to focus on building a multi-faceted backup protocol, possibly including onsite backup storage, cloud storage, and even geographically dispersed backups stored in highly secure data centers.
2. Secure. Assess or hire a third-party IT expert to assess your network’s weaknesses. Then, acquire the necessary technology, software, and tools to plug gaps and strengthen identified vulnerabilities. Securing your network also includes developing a detailed disaster recovery plan should you get hit; the faster you’re able to recover the less damage will be done to your CPA firm and its brand.
3. Educate. Your entire staff must be educated on digital security best practices; initial training must then be followed up by more training and a commitment to continually improving the cybersecurity knowledge of your entire team, not just your designated IT experts.

Let’s take a deeper dive into each of these three facets of stronger cybersecurity for CPA firms.

Cybersecurity Education
Your staff represents one of the gravest cybersecurity risks out there; it is also possibly the most difficult to prevent. Human error, ignorance to possible threats, and poorly communicated internal protocols can very easily lead to network breaches.

The most effective solution: Constant education and training of your staff.

Your small IT team, or one IT person, can’t do this alone. Every employee needs to take ownership of the role they play in keeping your CPA firm’s data and information safe. The most sophisticated and expensive software in the world can’t stop a single employee from opening a phishing email that lets the bad guys in.

A cybersecurity educated and trained workforce is your best line of defense against security breaches. Training should be an ongoing professional development requirement that will reinforce company-wide security policies like the following:

• Clear, enforced password rules. Don’t allow your staff the freedom to create simple passwords that they never change. Implement clear password requirements and designate password change deadlines that are appropriate for your industry.
• Restricting access and permissions. Employees should only have the keys to what they need to perform their job.
• Make sure all devices are protected. Cybersecurity should not just focus on an employee laptop — phones, tablets, and any other device doing company business must be protected.
• Require multi-step identity verification. This means that staff cannot always access data using only their username and password. A text or email verification could be required for full access.
• Document your policy and enforce it. Your cybersecurity protocols and processes need to be written down and signed-off on. As threats and technology change, your document needs to evolve and your team needs to get retrained. Have your team sign the document and hold them accountable.

Other Important Ways to Secure Your CPA Firm’s Data
Setting aside the human factor, let’s take a look at ways your CPA’s IT team can leverage technology to bulk up your cybersecurity infrastructure.

Deploy Artificial Intelligence
AI is a valuable tool for thwarting cyberattacks, be they malware, ransomware, or a solo hacker. It’s an established fact that human monitoring of any given IT network is doomed to failure: The global reach, non-stop change, and supersonic speed of the cybersecurity threat ecosystem is far too much for any one IT person — or even a sizable team — to handle alone. AI, when deployed by an experienced IT-managed services partner like Cetrom, can be a great weapon against security breaches.

• Earlier Breach Detection. Much of detection work is rote, mundane work that’s less than ideal for people and a perfect fit for AI, which never gets bored, or tired, or careless. AI is a logical solution for improving the speed and accuracy of breach detection. AI’s always-on, always-scanning nature not only can reduce vulnerabilities, it also can increase attack response times by allowing your IT team to focus on response rather than everything all at once, including detection. In that way, AI enhances your cybersecurity program both in detection and response.
• Email Scanning. The sheer volume of email activity at a company of any size makes manual, human-led monitoring very difficult, if not impossible. Having automated, AI-led email monitoring is really the only effective approach to mitigating the biggest cybersecurity risk of all: your staff.
• AI Is Better Than Antivirus Software. Antivirus tools are always lagging behind the pace of existing malware threats. AI can detect threats without the lag as it doesn’t depend on signature updates. AI will look at anomalies and unusual program behaviors as they happen, so there is no gap for malware of hackers to exploit between signature detection and distribution.

Leverage the Cloud’s Enhanced IT Security Features
Moving to a cloud-hosted system has its security advantages, particularly when this move is coupled with a partnership with an experienced IT-managed services partner. What you get by combining a cloud-hosted system with this partnership can be invaluable to your cybersecurity effectiveness. You should get:

• Access to top-notch security measures to protect your data from hackers (firewalls, anti-spam/anti-virus, endpoint protection platforms, two-step authentication, etc.)
• Proactive monitoring of all hardware and software systems 24/7/365
• Access to the best hardware and software available in the market
• A dedicated team of engineers experienced with combating cyber threats

Develop a Disaster Recovery Plan
This last tip for better cybersecurity is not AI or tech-based. It’s really about being proactive and planning in advance for the worst case scenario. The first step is simply accepting that a cyberattack is coming sooner or later. Once you and your IT team accept this reality, developing a disaster response and recovery plan is a no brainer. Here are a few tips for building an effective plan:

• Assess your response plan as it currently stands, identifying strengths and weaknesses
• Create a disaster response and recovery team comprised of staff members from IT and all other departments
• Develop, document, and communicate the final plan to all employees
• Create standing re-evaluation periods where the plan can be adjusted, updated, and improved
• Practice, practice, practice. Run mock attacks and breaches periodically to test your team

The bottom line: Your CPA firm will get hit. How fast and how well you respond is directly correlated to the damage that will be done to your bottom line and brand reputation.

Bulk Up Your Backup Processes
Finally, you must have a regimented, sophisticated, and repeatable backup process for your data.

• Multiple backups need to be conducted daily
• You need to use various methods to backup your data to create redundancies; these could include cloud backups, hard drive backups, or other methods
• The key is that these backups must live outside of your network and some should live beyond your physical office space to mitigate the risk of natural disasters, fires, or break-ins

You can even store your data and backups in geographically dispersed, disaster-proof, and highly secured locations offsite. For example, Cetrom clients enjoy the peace of mind that comes with their data being securely stored in our two Cloud data centers in Virginia and Colorado that are geographically dispersed for automatic failover protection and remote backups, ensuring their data is protected. Both facilities are SSAE 16 compliant (formerly the SAS70 standard) and SOC 2 compliant for top-tier security measures.

Finally, our last piece of advice when it comes to cybersecurity: Don’t go at it alone.

The investment in a partnership with a Cloud and managed-IT services provider frees your non-IT employees from the burden of tasks not in their area of expertise, and it also alleviates “break-and-fix” pressure on your IT team. Both your unofficial IT person and your official IT staff can move beyond immediate issues to focus on their actual job and longer-term strategic IT issues, respectively.

Plus, partnering with a third-party IT management company simply gives you better security with tier-3 engineers on 24/7/365 watch over your network. For more information on how Cetrom can help protect your CPA firm from impending cyberattacks, click on the button below: