Simple Steps to be Cyber Secure 

by Lisa Traina, CPA, CITP, CGMA 

I began my career as a sole proprietor focused primarily on technology consulting. The IT audits I performed when I first started were very simple in comparison to the issues and challenges that organizations are facing now. Today my practice has grown to an 11 person firm that completes over 100 IT audit engagements a year. Our services and area of expertise include controls review, vulnerability and penetration testing, vendor due diligence and speaking and training on cybersecurity and technology issues. Because CPAs work with such a wide range of clients, it’s imperative that they take the necessary steps to protect both themselves and their client base from a cybersecurity standpoint.

Initially, our clients were limited to financial institutions and healthcare organizations. We’ve also served a number of CPA and law firms. However, in the last two years, we have really seen a large increase in clients coming from nonregulated industries. Cyber-attacks are a threat to virtually every industry, therefore, the need for cybersecurity services has become increasingly prevalent and businesses are starting to raise their level of awareness regarding this issue.

Protection Beyond Insurance
Like many firms, we protect ours with cybersecurity insurance, but we’re pragmatic about insurance. While this is valuable, it can also provide a false sense of security. Insurance can help with costs in light of an event or attack. However, if there is a breach and the firm’s controls and procedures were lacking, the reputation damage can be detrimental, not to mention that the insurance coverage might be impacted or the claim denied. Firms need to consistently test their controls and vulnerabilities, and identify and swiftly address areas for improvement. To that end, they also need to be timely in addressing those areas that they have identified.

As a security firm, we implement an extensive list of controls to aid in protecting ourselves. Some of the primary components include keeping our systems cloud based and utilizing vendors that we have vetted with extensive due diligence efforts. We have in place basic elements such as firewalls and protected internet connections, and strict authentication controls, particularly multi-factor authentication on key applications. We also maintain virus and malware protection on all mobile devices and laptops.

Because security is our specialization, we have highly aware employees. They stay abreast of cybersecurity trends and research related topics before they become a big issue, so that we’re positioned against potential risks.

It’s important that firms have a cybersecurity governance plan.  There are a number of resources and frameworks available to assist with developing these plans. Generally our approach is to integrate different elements of those various frameworks, such as NIST, while also tailoring the plan based upon our personal, practical knowledge.

Overcome Common Issues
There are several steps firms can take to help protect themselves and their clients. One major issue that is extremely prevalent is exchanging client documents via email, which is not a secure way to exchange information and makes you more vulnerable. This is a trend I have read about and experienced in our work with clients. If your firm falls victim to this common activity, I would strongly encourage use of a secure portal or file transfer system. In addition to implementing and regularly testing controls, firms need to be sure that mobile devices are included in these procedures and protocols. You should have a solid grasp on the number of devices that are in use and how they are being managed and protected. On a similar note, be sure to implement multi-factor authentication for your critical systems. As more people move to cloud-based systems, and more mobile devices are being used in a work capacity, the need for device authentication has become vital.

Another key to protecting your firm and clients is employee awareness. Often times, an uninformed employee can be the weakest link in a firm’s defense mechanism. This is further complicated by the fact that the methods used in cyberattacks are constantly becoming more sophisticated. Sometimes firms can view cybersecurity as an IT issue and delegate the responsibility of protection to a single department or IT individual. Because CPAs are increasingly busy, many don’t make the time to address or acknowledge the huge risk involved with cybersecurity. I would recommend appointing someone who is outside of the IT department to be responsible for working towards a secure environment and communicating that goal firm-wide. With threats that are evolving and becoming increasingly prevalent, cybersecurity needs to become a critical business priority.

Traina & Associates is an IT security firm operating in the southeast. Lisa Traina, CPA, CITP, CGMA is the founder and owner.


© 2017 Association of International Certified Professional Accountants. All rights reserved.