What Small Firms Should Know about Cybersecurity

October 5, 2016

Fast forward to February, the early days of busy season, and a six-person firm suddenly finds that hackers have gotten access to firm and client personal and confidential information. In another case, a 15-person firm becomes a victim of hackers and, like any organization in this situation, must scramble to notify clients—and comply with the related information protection rules of the state regulatory agencies where clients live or do business. As the former owner of a six-person firm myself, I know how difficult these types of crises can be.

Could your firm suffer a cyberattack? Many large corporations have faced hacker attacks that have resulted in mitigation expenses, lost revenue and media attention on breaches. While small practitioners may believe they’re not in danger, 43% of cyberattacks were aimed at small businesses, according to a Symantec study. If you think about it, it’s understandable that hackers might see a smaller organization as an easy target, with fewer safeguards and security protocols. In recognition of National Cybersecurity Awareness Month, here are some of the lessons I learned in my own practice--and from the CPAs I meet in my work with the AICPA--about the best cybersecurity measures.

Consider cyber threats in seemingly simple decisions. One of the hacked firms I mentioned had recently installed a new copier that it used to scan documents to email. As they investigated their cyberattack, they determined that the copier was the weak link that allowed access to the firm’s systems, since it was not as well secured as other office technology. This firm’s CPAs never expected that a straightforward purchase of new office equipment would expose their data to cyber thieves.

Be aware of your vulnerabilities. At my six-person firm, we saw technology as an important tool that gave us great advantages. Technology helped us streamline our processes and change the way we worked, but it also exposed us to greater external threats. So we took security very seriously, using tools to strengthen our defenses against hackers. We were confident in our in-house tech expertise, but we also realized that moving to virtual workstations and remote access required more complicated solutions.

We used a Sophos brand firewall system, which is similar to many leading firewall products on the market. The higher-end firewalls take a more active, ongoing approach, actively monitoring and upgrading threat definitions, and are more in the cloud. Within these security systems, you can add integrated email and VPN protection. We also used a wireless access point within the office to provide access to staff and guests. It was tied to the firewall technology and equipment, allowing for seamless upgrades and security monitoring. On another front, remote Ethernet devices allowed staff wireless internet access from their home to the office so that all traffic was going through the same internet security protocols and gateways associated with the firm.

Understand that help is available. No matter how tech savvy your firm may be, I think CPAs in smaller firms should seriously consider turning to outside assistance for two good reasons:

  1. Technology changes so quickly that it’s valuable to have expert assistance in maintaining your edge.
  2. Technology implementation can be complicated and time consuming, which can pull your attention away from the real work of the firm.

There are two options I’ve seen work for firms. The first is hiring outside information technology security experts to review your approach and recommend improvements. One logical expert to turn to would be a Certified Information Technology Professional (CITP). You can use the AICPA CPA.CITP locator tool and/or simply email a request to IMTAinfo@aicpa.org to be connected to a CITP subject matter expert who can offer assistance on any technology issue.

The second option, with which we had great success, was moving our work to the cloud. Some CPAs worry about giving up control of their data to a cloud hosting service, but security is the top priority for these companies, and they constantly identify new threats and upgrade their safeguards, working at a level that would have been difficult for us to duplicate. When I considered the time and energy we had been spending on security alone, I moved to the cloud and never looked back. The cloud also allowed us to improve our communications with clients.

Update your professional liability policy for cyber risks. Make sure your insurance covers you and your firm for the damage that a cyberattack can cause. Most insurers, including the AICPA member professional insurance coverage, offer this option.

Expand your knowledge. At PCPS, we’re excited about a new Cybersecurity Toolkit that will be released before yearend. The toolkit will provide how-to implementation guidance for firms to understand cybersecurity as it relates to their own practice and tools to assist them in starting cyber risk management advisory and assurance practices. And CPAs can ramp up their knowledge about cyber risks and technology in general at the 2016 Digital CPA Conference, a dynamic event that brings together top technology experts to offer cutting-edge insights about a range of trends and opportunities and help you align tech tools with your strategic goals.

I began by talking about a hacking nightmare during busy season, but firms can’t afford cyberattacks at any time. However, a few practical steps based on the lessons discussed here can increase your chances of avoiding these threats and enable you to remain focused on the thing you do best: serve clients.

Note: The AICPA welcomes your feedback on proposed criteria that companies can use to communicate, and CPAs can use to report on, an entity’s cybersecurity risk management program. These criteria provide a way for businesses to demonstrate due care and build stakeholder confidence in their cybersecurity risk management programs. Comments are due Dec. 5, 2016.

Carl Peterson, CPA, CGMA, is the AICPA’s Vice President of Small Firm Interests. Have questions for Carl? Contact him directly at
cpeterson@aicpa.org or 651-252-4618, and tune into his free Small Firm Update webcasts.