As firms rushed to reengineer their work environments when the pandemic began, many may not have had time to think about establishing new cybersecurity protocols. Whether your firm members are slowly returning to offices or working remotely some or all of the time, your security guidelines should be updated as soon as possible to take into account new ways of dealing with other firm members, clients and business contacts. The remote environment can cause new vulnerabilities that firm guidelines need to address.
Review practices for remote workers using personal devices.
About 53% of those who work remotely use personal laptops for company business, according to a Wall Street Journal article, and 23% of those who work with personally identifiable information use personal devices that are not managed by their employer. In many cases, asking or allowing staff to use their own devices made remote work possible when the pandemic first hit, but it’s important to ensure that the right security measures are being applied. For example:
- Has the firm reminded staff of its policy on secure passwords and the fact that they must be used on any device?
- Are staff using the firm’s firewalls, antivirus/malware and other security software and protocols on all of their personal devices used for firm business? Are all security and work-related applications being updated automatically on those devices?
- Are all smartphones, computers or tablets used to access firm applications and client data reserved solely for business use? They should not be accessible by friends, roommates or other members of the family or for personal use, all of which could expose data to breaches or theft.
- Is the firm using safeguards such as multifactor authentication and screen lock to protect against unauthorized access to data and systems? Do remote workers use VPNs or otherwise ensure that their Wi-fi connection to the firm’s system is secure?
Protect client data.
A firm member downloads a client file while working remotely and opens it in an Excel file. Sounds plausible, doesn’t it? Unfortunately, that step can leave the client’s personally identifiable information or other confidential data vulnerable to a breach. In my former six-person firm, we solved problems such as this by moving all our files to the cloud. Keeping our files in a secure environment with actively managed updates and safeguards that are updated every day, instead of housing them on one or more devices, added another layer of security wherever we were working.
Make a plan.
What are your protocols for a breach, malware attack or a loss of data or equipment for any reason? If you already have a plan, has it been updated to encompass people working from home with a wide range of personal equipment and network setups? If it has not, use this time before busy season to get started.
Bring in the experts.
I have always had an active interest in new technologies, so when I was in practice I regularly brought in an outside tech consultant to update our procedures and offer us a new perspective based on his or her experience with other organizations. Remote work has presented new challenges and hackers have shifted their focus to people working from home, so this is a good time to get some fresh ideas from a tech professional.
Get added protection with a branding bonus.
I’m very excited about .cpa, a new top-level domain name developed exclusively for the accounting profession that is available only to licensed CPA firms (and to licensed individual CPAs starting in January 2021). It is owned by the AICPA and managed by CPA.com. This domain, whose security is regularly monitored and verified, also provides a strong branding advantage. Whenever you send an email or someone visits your site, your domain name will set you apart, reminding people of your respected CPA credential. You can customize your name to highlight your firm’s strengths, choosing, for example, yourfirmname.cpa or using the name to emphasize your location (MinnesotaCPA.cpa) or your area of expertise.
Don’t assume you’re covered
These tips offer ideas on some of the cybersecurity steps you should be considering. You can find more information in this PCPS column by technology consultant Roman Kepczyk.
Don’t assume your shop is safe because of its size. In fact, many small organizations suffer data breaches. Review your existing policies, revise them as needed and set up an online meeting to reintroduce them to staff and to underscore the importance of following them.
Carl Peterson, CPA, CGMA is the Association’s Vice President of Small Firm Interests. Have questions for Carl? Contact him directly at email@example.com or 651-252-4618. And be sure to sign up for Carl’s Small Firm Update webcasts. The next one will take place on December 3 at 2:00 to 3:00 PM ET