Just as CPA firms have rapidly adapted to a near-100% telework environment over the past several months, hackers and cybercriminal syndicates are evolving their techniques to exploit this expanded work-from-home IT ecosystem.
The cyber security threat landscape shifts constantly to exploit gaps created by vulnerabilities in software and IT tools and, most of all, by human error and inconsistent cyber security training on the part of companies.
The COVID-19 pandemic forced CPA firms that were lagging behind the IT and security curves to rapidly deploy a remote work infrastructure. And in some cases, security was superseded by a desperate need to remain operational within a chaotic situation.
This is all understandable. But be aware that cybercriminals and hackers understand this too, and will seize any opportunity to “get in” via less protected home networks connected to your CPA firm’s IT infrastructure. The threat is real, and the Big Four are not the only firms in the hackers’ sights.
Cetrom is here to help. We’ve operated as a near-100% telework company for years and have deep experience with the cyber security measures, software and tools that keep CPA firm client data as safe as possible. We gained new knowledge during the initial phases of COVID-19 and continue to learn as the situation changes.
Here are Cetrom’s top eight telework cyber security tips for CPA firms adjusting to the pandemic new normal:
- Widespread Telework Is Here to Stay: Make Peace With This. This sounds really trite and simple, but it is important. If your CPA firm leadership is always thinking that a return to the 8 a.m. to 6 p.m. in-office workday is right around the proverbial corner when a SARS-CoV-2 vaccine gets approved, a commitment to building security for a long-term approach to increased telework won’t be there. Near 100% telework, or at a minimum, a significant piece of your workforce operating remotely, is the future. Accepting this new reality is critical to keeping your firm’s data safe.
- Provide Your Team the Tools They Need to Stay Secure at Home. More people are working from home because of the coronavirus, which increases the risk of a breach via a home network that handles your CPA firm’s data. Here are some tips for securing home networks:
- Use a wired connection where possible; if Wi-Fi is unavoidable, make sure the router is not running the factory default administrator password
- Inventory the equipment staff are using at home (routers, personal laptops, printers) and retire anything that no longer receives vendor updates
- Apply operating system and application updates, then reboot and re-check until no updates remain; turn on automatic updates wherever the software supports them
- Run current antivirus software and keep both the subscription and the signature updates active
- Turn on two-factor authentication (2FA) on every account that supports it, starting with email, remote access and cloud accounts
- Remain vigilant about updates and about staff behavior, and keep staff educated on the current threat environment
- Establish or Enhance Companywide Security Policies. Technology like Artificial Intelligence (AI) will not solve security issues on its own. People remain a huge factor in the success of any cyber security program. Therefore it is critical that CPA firms build out, distribute and update an enterprise security policy that is clear and promotes accountability. This policy should include:
- Clear, enforced password rules (minimum length, no reuse across services, and a password manager so staff can actually follow them)
- Least-privilege access and permissions: each person gets only what their role requires
- Protection for every device that touches firm data, including personal devices
- Two-factor authentication
- Written documentation distributed to, and acknowledged by, all staff
- Create a Bring Your Own Device (BYOD)/Telework Policy for Your Employees. If your CPA firm doesn’t have a current BYOD protocol in place, start with the basics and the low-hanging fruit. It’s also important to think of the future as you build this set of rules and employee requirements: whatever policies you build out now in response to COVID-19 should serve as the foundation for a more comprehensive IT security and emergency preparedness model in the near future. Create a reference list of the information types that are sensitive and need to be protected, and keep it where your team can find it. This could include client personal information, intellectual property and a host of other critical data types. The policy should:
- Define the acceptable forms of personal devices and remote access methods that can be used for work-related matters
- Require encryption (for example, an encrypted file-transfer portal or encrypted email) whenever sensitive information is sent from a personal device; an unencrypted email attachment is not acceptable for client data
- Provide tips and ongoing staff training on how to identify email scams, phishing emails and other threats that attempt to exploit human error
- Mandate that staff working remotely access CPA information only through the company’s Virtual Desktop (VD), so that data is encrypted in transit and stays in the firm’s environment rather than landing on the personal device
- Require that antivirus and malware protections are installed on personal devices and kept updated to cyber security best-practice standards
- Enforce multifactor authentication (MFA) for all remote access immediately
- Prohibit the downloading of company information to any staff personal devices, including laptop computers, tablets or personal cloud storage systems
- Limit each employee’s remote access to only the information necessary to complete their specific job functions
- The National Institute of Standards and Technology (NIST), in its Guide to Enterprise Telework, Remote Access, and BYOD Security (SP 800-46 Rev. 2), recommends “considering a tiered approach for remote access that allows the most controlled device types (e.g., organization-owned laptop computers) to have the most access and the least controlled device types (e.g., BYOD personal mobile devices) to have minimal access.”
- Make Certain Your Telework and Bring Your Own Device (BYOD) Policy Is Integrated Into Your Business Continuity (BC) and Disaster Recovery (DR) Plans. In a recent blog we discussed the importance of having a BC plan that includes a DR plan with a focus on IT. Your CPA firm may already have a BC plan, but in the aftermath of COVID-19 it’s important to apply what your firm’s IT team has learned during the pandemic to your BC, DR and IT disaster protocols.
- Create Consistent, Redundant Data Backup Processes. Implement multiple daily backups using different methods, for example cloud backups and backups to external hard drives. Backups should live outside your network and outside your physical office space, and at least one copy should not be connected to your network at all, so that ransomware that reaches your file servers cannot also encrypt the backups. The key is diversity of backup types and consistency. Finally, test restores on a schedule: a backup that has never been restored is an assumption, not a safeguard.
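The restore-test point above is the one most often skipped, so here is an added example of what a minimal backup integrity check looks like. It is not Cetrom’s code or any backup product’s: a backup job writes a SHA-256 manifest beside the archive, and a verifier re-hashes every file in the archive against that manifest, so a copy that has silently rotted or been tampered with on the backup medium is caught before you need it. The directory and file names are constructed for the demo; `demo()` also flips one byte of file content inside the archive to show the verifier reporting the damaged file.

```python
"""Backup job with an integrity manifest, plus a verifier that catches a
silently corrupted copy. Added example; the paths and file names below are
constructed for the demo and are not from the original post."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # stream files in 64 KiB pieces so large PDFs fit in memory


def sha256_file(path: Path) -> str:
    """SHA-256 of a file on disk, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src_dir: Path) -> dict[str, str]:
    """Map every file under src_dir (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(src_dir).as_posix(): sha256_file(p)
        for p in sorted(src_dir.rglob("*"))
        if p.is_file()
    }


def create_backup(src_dir: Path, dest_dir: Path, name: str) -> tuple[Path, Path]:
    """Write <name>.tar and <name>.manifest.json into dest_dir.

    The manifest is what lets a later restore test prove the copy is intact;
    ship it to the offsite location together with the archive.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = build_manifest(src_dir)
    archive = dest_dir / f"{name}.tar"
    manifest_path = dest_dir / f"{name}.manifest.json"
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:  # sorted -> deterministic archive layout
            tar.add(src_dir / rel, arcname=rel, recursive=False)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path) -> list[str]:
    """Re-hash every member of the archive against the manifest.

    Returns a list of problems; an empty list means the archive would restore
    exactly the files that were backed up. Members are read through
    extractfile(), so nothing is written to disk during verification.
    """
    expected: dict[str, str] = json.loads(manifest_path.read_text())
    problems: list[str] = []
    seen: set[str] = set()
    with tarfile.open(archive, "r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            seen.add(member.name)
            if member.name not in expected:
                problems.append(f"unexpected file in archive: {member.name}")
                continue
            fh = tar.extractfile(member)
            actual = hashlib.sha256(fh.read()).hexdigest() if fh else ""
            if actual != expected[member.name]:
                problems.append(f"hash mismatch: {member.name}")
    problems.extend(f"missing from archive: {rel}" for rel in expected if rel not in seen)
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample data: back up two files, verify, then flip one byte
    of file content inside the archive (simulating bit rot or tampering on the
    backup medium) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "client-files"
        (src / "2019").mkdir(parents=True)
        (src / "2019" / "return.txt").write_text("Form 1040 draft for client A\n")
        (src / "engagement-letter.txt").write_text("Engagement letter, signed\n")

        archive, manifest = create_backup(src, root / "backups", "nightly")
        clean = verify_backup(archive, manifest)

        # Locate the first member's data block via tarfile's own offsets, so the
        # flipped byte is file content rather than a header tar would reject.
        with tarfile.open(archive, "r") as tar:
            data_offset = next(m for m in tar if m.isfile()).offset_data
        raw = bytearray(archive.read_bytes())
        raw[data_offset] ^= 0xFF
        archive.write_bytes(bytes(raw))

        corrupted = verify_backup(archive, manifest)
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("fresh backup:", clean or "OK")
    print("after corruption:", corrupted)
```

Running the script prints an empty problem list for the fresh archive and a single `hash mismatch` entry after the byte flip. Two caveats: the archive here is plain, uncompressed and unencrypted, so in practice encrypt it before it leaves the network; and the manifest proves integrity, not availability, so the offsite and disconnected copies still have to be confirmed by an actual restore onto a clean machine.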
- Keep Your CPA Firm Leaders and Staff Trained and Educated. The cyberthreat environment is constantly changing, so keeping abreast of the latest reports and threats is critical to keeping your data safe. Follow IT security resources like MSSP Alert, CrowdStrike, Cybersecurity SmartBrief and TechRepublic for cyber security updates. Committing to continuous security improvement is the name of the security game, and nowhere is this more important than in staff security training. Your people can be your biggest security asset or your biggest threat. The choice is yours.
- Once You Have Your New Normal Footing, Pursue Migrating to the Cloud and Partnering With an Experienced IT/Cloud Provider. Part of the long-term solution to supporting telework productivity and security is migrating your infrastructure to the cloud and partnering with an experienced, expert cloud host and services provider. Cloud computing and cloud services will not only improve productivity and efficiency, but they also provide significant risk mitigation against the unexpected, like a pandemic.