I was an early adopter when it came to cloud technology, integrating it into my former six-person CPA firm not long after it first became available. We did our due diligence and had confidence in the corporation that hosted our cloud solution, but I was also aware that the responsibility for cybersecurity measures couldn’t be outsourced, so we took many additional steps to protect our own and client data.
Considering the many ways cyber threats may affect us is a necessity for CPA firms, since even the smallest practice is a rich source of personal information that could be stolen and misused. And if you think the problem doesn’t apply to you, you could be in for a surprise. Practitioners should be aware that 55% of small and medium-size businesses had experienced a cyberattack during the previous 12 months, according to research by the Ponemon Institute.
With all that in mind, firms that follow these tips will be better equipped to safeguard their communications and the data entrusted to them.
Educate your staff. Whether staff members leave sensitive data on their desks or include it in an unencrypted email, there could be serious repercussions for the firm if it is stolen. Team members should know the different kinds of sensitive data--which include personally identifiable information, internal proprietary data, credit card details and, as applicable, any protected health information the firm might have--along with the laws and regulations that govern them. They should also know firm policies and procedures governing these areas such as encryption and protecting laptops and other devices inside and out of the office. You want to give your people the freedom and flexibility to work when and where they choose, but be sure they follow office policy wherever they may be. It’s also a good idea to familiarize them with the various types of threats the firm may encounter, from a phishing attack that tries to get them to open a dangerous link or unknowingly download a virus, to malware and ransomware that infects the entire system.
Maintain your firewall. Firewalls are the backup we used to augment the security our cloud technology gave us, ensuring that the information we tapped into in the cloud wasn’t stolen once it got into our system. Firms may know all about firewalls, but these tools only work at optimum levels if you have access to regular updates and patches that are designed to protect you from new threats. In our experience, when we paid for one type of firewall we received free updates, but when we used a free firewall we had to download the patches ourselves, so if those are your choices it’s important to think realistically about which option will offer the most reliable protection.
Keep your knowledge up to date. Don’t forget to “patch” your own understanding of cyber threats and solutions regularly to be sure your security is ready for the latest challenges. Consider assigning this responsibility to a staff member or a team of professional and administrative staff and ask them to provide regular updates in a firm meeting. This will maintain awareness of the issue among all staff and can further engage team members asked to take on this important role.
Stay safe on the road. Working remotely or on the road is common in the profession, but if you set up shop using the WiFi in a Starbucks or airport lounge, your data and communications are open to others on that network. Downloading a free virtual private network (VPN) can be part of the solution. It provides an encrypted connection wherever you are that protects you from hackers and other cyber snoops. Keep in mind that you may need to take additional steps if you’re working with highly sensitive data, such as using encryption software.
Arm Yourself with Information
These are only a few of the issues CPAs should consider in addressing cybersecurity. Fortunately, the Association offers some great tools that practitioners can use in their battle against cyberthreats. To tackle concerns within your own firm, resources such as “20 Straightforward Cybersecurity Tips” and “What is cybersecurity and why it affects you” can be found on the PCPS Firm Practice Management site.
Of course, your clients are also worried about cyberthreats, and CPAs can add real value by raising the issue and considering which services they can offer them. The PCPS Cybersecurity Toolkit includes a wealth of resources that can help you understand and make the most of consulting opportunities in this hot niche. And, it provides important background on the AICPA’s new cybersecurity risk management reporting framework, which you can use to assess your firm’s cybersecurity risk management program. The steps you take to learn about and tighten your cybersecurity will pay off in peace of mind—and possible new business.
Carl Peterson, CPA, CGMA is the Association’s Vice President of Small Firm Interests. Have questions for Carl? Contact him directly at email@example.com or 651-252-4618. And mark your calendars for Carl’s next Small Firm Update Webcast, which will be held on December 7 from 2 to 3 ET.