Is your firm ready for cyber threats it may face? Cybersecurity threats have become much more invasive and pervasive in recent years, but firms can protect themselves by following a few steps and putting some powerful tools to work.
Recognize the danger. Think it can’t happen to you? The U.S. Chamber of Commerce notes that “the Department of Homeland Security and the Small Business Administration cite data showing that 44% of small businesses reported being the victim of a cyberattack with an average cost of approximately $9,000 per incident and that nearly 59% do not have a contingency plan on how to deal with a data breach.” Practitioners should be aware that small firms—and the small businesses they serve—are just as vulnerable to attack as the large organizations we hear about in the news. Use “A CPA’s Introduction to Cybersecurity” in the PCPS Cybersecurity Toolkit to educate yourself and your staff about key concerns.
Spot your vulnerabilities and accentuate your strengths. One great way to get started diagnosing where your firm stands and what steps to take next is the “2018 CPA Cybersecurity Checklist,” available on the PCPS IT Resources and Tools page. I believe all firms should review the basic but critical best practices in this checklist. Practitioners can circulate the checklist to staff and return to it regularly in firm meetings to remind their people of the importance of the firm’s cybersecurity policies. The checklist highlights 22 cybersecurity best practices that CPAs can adopt in their firms, in areas that include workstations, passwords, data, equipment, connecting to firm IT resources, administrative access privileges, antivirus or security software, backup logs, encryption, VPN access, IT policies, security training, background checks, office visitor policies, breach response plans and insurance concerns. How many of us don’t have or communicate policies in some of these areas? The checklist advises firms to review each point with their internal or external IT experts and discuss priorities and risk remediation plans.
Be prepared if you’re hacked. Let’s say the worst happens and you realize that your firm has suffered a cybersecurity breach. Do you and your staff know what to do? You’ll be better able to respond quickly if you have an incident response plan in place and have trained your staff on their roles and responsibilities when a breach occurs.
While the type and level of response will vary based on the incident, a new resource from the AICPA and Aon, “Hacked! Building defenses against and responses to intrusion,” is available to help firms build an incident response plan that addresses their own needs. This valuable tool suggests that plans might include the critical steps listed below.
- Contact your insurance carrier or advisor.
- Use forensic specialists to identify breach details.
- Consult with applicable legal experts/regulators.
- Complete required notification and/or credit monitoring.
- Take steps toward remediation.
- Restore data.
- Manage public relations to protect your firm’s reputation.
- Involve law enforcement.
Become a cybersecurity risk specialist. Once you boost your firm’s cybersecurity knowledge, it’s time to explore the best ways to turn your expertise into potential engagements. CPAs regularly discuss best practices of all kinds with our clients, including cybersecurity. Practitioners can go one step further, though, and begin to take advantage of this service potential. Get some inspiration and ideas from the valuable PCPS Service Opportunity Grid in the PCPS Cybersecurity Toolkit. This spreadsheet walks you through related advisory services, matches them to information you provide about your firm and provides potential engagement options. CPAs can also use “Building a business model for cybersecurity” to leverage their roles as trusted advisors and risk specialists. Based on the CGMA Business Model Framework, the cyber tool helps firms capitalize on cybersecurity opportunities, create a practice area, develop a strategy for establishing this niche and capture the value of this new service.
Be sure to check out the PCPS Cybersecurity Toolkit and IT Resources and Tools page for more valuable tools. There are great practice opportunities for CPAs in this area, as well as a wealth of information available to help you protect your practice. Don’t wait until a breach occurs in your firm or at one of your clients!
Carl Peterson, CPA, CGMA, is the Association’s Vice President of Small Firm Interests. Have questions for Carl? Contact him directly at firstname.lastname@example.org or 651-252-4618. And be sure to sign up for Carl’s Small Firm Update webcasts. The next one will take place on December 13 from 2:00 to 3:00 PM ET.