CPA Firm Security Briefing

According to the Identity Theft Resource Center, as of August 2016, 26 accounting and tax entities have reported security breaches that exposed personally identifiable information of employees and clients. This number is most likely only a fraction of the actual number of accounting entity breaches, but it highlights the stark reality that accounting firms and vendors are increasingly becoming targets for computer hackers, because tax files contain lucrative personally identifiable information for them to profit from. This is something firm owners need to consciously understand and take seriously. While management used to push off computer security as the responsibility of the IT department, this is no longer the case: owners have a fiduciary responsibility to protect the information they have been entrusted with. Business owners are expected to be aware of their responsibility to ensure client information is protected in today’s digital information-based environment.

During technology reviews with CPA firms, it’s often found that firm personnel focus their security efforts on the physical and virtual components of the network infrastructure managed by the IT department and forget about the human error aspects, which are often the root cause of IT security breaches and malware infections. To minimize the exposure caused by this human error, it’s recommended that firms require that all personnel attend a security briefing which educates them on the firm’s IT policies, explains current threats, and guides them on how to respond so they minimize the firm’s exposure. This mandatory security briefing can be conducted by firm IT personnel or outsourced to third parties that provide this service to businesses, and it should be repeated annually. Below are seven considerations for your firm to create and deliver your own security briefing, with the intent of educating your personnel so they are part of the solution in minimizing your firm’s risk of being another cyber-victim.

  1. IT Policies: Most personnel are exposed to their firm’s internet, computing and IT policies on the day they are hired and then never exposed to them again. In many cases, these policies have not been updated in years and may not address current considerations such as social media, telework, and BYOD (tablets, smartphones, home devices). Firms considering adding remote workers should also discuss digital confidentiality in their policies, as well as the use of collaboration tools such as Skype for Business and FaceTime.
  2. Awareness: In addition to newspaper headlines and resources such as Verizon’s annual Data Breach Investigations Report, personnel should be made aware of the impact of breaches on accounting firms, which they can pull from the website. The cost of a data breach can be substantial, and vendors such as AON and IBM have developed cost calculators to help firms estimate the financial impact of getting hacked. Finally, the AICPA’s Information Management and Technology Assurance Section (IMTA) has made a conscientious effort to make accounting firms aware of security considerations through its Top Technology Initiatives survey, which ranked (#1) Securing the IT Environment as the top issue in the past year and included (#3) Managing IT Risk and Compliance, (#4) Ensuring Privacy, and (#7) Preventing and Responding to Computer Fraud as topics on which it delivered content and resources to members.
  3. Secure Equipment: Firm personnel must be taught and reminded how to properly secure any device that connects to the firm’s network, including home computers, tablets, smartphones, and USB flash drives, in addition to their firm laptop. All devices that could hold confidential data locally should have access controls (passwords, screensavers, etc.) and have their drives encrypted with tools such as BitLocker, Intel/McAfee, Sophos, Symantec, etc. Firms also need to remind personnel never to leave equipment unsecured and that it is best to keep it in their possession when in transit.
  4. Limit Access: The 2016 Verizon Data Breach Investigations Report (2016DBIR) found that just under two-thirds (62%) of data breaches occurred because passwords were compromised (meaning they were stolen, weak, or the default password was never changed). Today’s standard is at least eight characters including an upper and lower case letter, a number, and a special character, changed at least four times per year (without repeating any previous password). Firms should configure their networks to lock out users for at least 30 minutes after five failed attempts and to disallow using the same password in multiple applications. Hackers know that once they have an employee’s password, they can try that password against other systems for further access. To make it harder for hackers, firms should consider the use of password “wallets” such as LastPass and Keeper, or utilize dual factor authentication tools such as RSA and Duo. These tools not only require the employee to log in with a password, but also send an access code to their smartphone or a fob which the employee must have in their possession to be able to connect to the network.
  5. Conscientious Connection: Employees must be reminded regularly how to securely connect to the firm and that they should not use public wifi (client wifi, hotel, coffee shop, etc.) for firm access unless a secured Virtual Private Network is configured and all Internet traffic is encrypted. Better yet, firms should consider the use of digital cellular connections from a smartphone or mobile hotspot that has been configured by the firm’s IT department.
  6. Threat Awareness: Today’s top security threat perpetrated upon firms revolves around phishing emails, which download malware or ransomware when the employee opens them or clicks on a link in the email. According to Verizon’s 2016DBIR, cyber criminals are using much more sophisticated phishing emails that are customized to the recipient, with the percentage of opened phishing email messages increasing from 23% in 2014 to 30% this past year, and 12% of recipients clicking on an infected link or downloading a file containing malware. Firm personnel should be shown how to validate the sender when they receive a suspicious email and to retype website addresses in their Internet browser rather than clicking on links from unknown parties. Each year the IRS lists the top cyber scams during busy season, and security companies such as McAfee and Symantec provide education on holiday scams which should be shown to employees. There are also security companies (PhishMe, Duo, and Wombat Security) that will test employees by sending them phishing emails to educate them on this threat. Firms wanting to develop their own training can use resources from the security companies previously mentioned, as well as websites such as and
  7. Breach Response: Employees should also be made aware of what to do when they notice unusual activity on their PC, suspect a breach or malware infection, or when a mobile device is no longer in their possession. This includes specific instructions on how to shut down or disconnect the device, whom specifically to notify, and how to document what happened so the firm’s IT team can respond.
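
The password and lockout settings in item 4 are usually enforced through the Active Directory default domain policy. The script below is an added example (not code from the article or from Xcentric) that audits that policy against the standard stated above and shows the corrective command; it assumes the RSAT ActiveDirectory module is installed, that the running account can read the domain, and that a 24-password history is an acceptable approximation of "never repeat a previous password".

```powershell
# Added example: audit the AD default domain password policy against item 4.
# Nothing is changed unless -WhatIf is removed from the final command.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Targets from item 4: 8+ characters with complexity, rotated at least four
# times a year (max age 91 days), no reuse, 30-minute lockout after 5 failures.
# historyMin = 24 is an assumption (AD's maximum), standing in for "no repeats".
$minLength = 8; $maxAgeDays = 91; $historyMin = 24; $lockoutTries = 5; $lockoutMins = 30

$gaps = @()
if ($policy.MinPasswordLength -lt $minLength) {
    $gaps += "Minimum length is $($policy.MinPasswordLength); need at least $minLength"
}
if (-not $policy.ComplexityEnabled) {
    $gaps += "Complexity is off; upper, lower, number and special character not enforced"
}
# A MaxPasswordAge of zero means passwords never expire.
$ageDays = [int]$policy.MaxPasswordAge.TotalDays
if ($ageDays -le 0 -or $ageDays -gt $maxAgeDays) {
    $gaps += "Maximum age is $ageDays days; need between 1 and $maxAgeDays"
}
if ($policy.PasswordHistoryCount -lt $historyMin) {
    $gaps += "History remembers $($policy.PasswordHistoryCount) passwords; need $historyMin"
}
# A LockoutThreshold of zero disables lockout entirely.
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $lockoutTries) {
    $gaps += "Lockout threshold is $($policy.LockoutThreshold); need between 1 and $lockoutTries"
}
# A zero duration means locked until an administrator unlocks, which is stricter.
$lockMins = [int]$policy.LockoutDuration.TotalMinutes
if ($lockMins -ne 0 -and $lockMins -lt $lockoutMins) {
    $gaps += "Lockout duration is $lockMins minutes; need at least $lockoutMins"
}

if ($gaps.Count -eq 0) {
    Write-Output "Default domain policy for $domain meets the item 4 standard."
} else {
    Write-Output "Gaps in the default domain policy for ${domain}:"
    $gaps | ForEach-Object { Write-Output "  - $_" }
    # Proposed fix. The observation window may not exceed the lockout duration,
    # so both are set to the same 30 minutes. Remove -WhatIf to apply.
    Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength $minLength `
        -ComplexityEnabled $true -MaxPasswordAge ([TimeSpan]::FromDays($maxAgeDays)) `
        -PasswordHistoryCount $historyMin -LockoutThreshold $lockoutTries `
        -LockoutDuration ([TimeSpan]::FromMinutes($lockoutMins)) `
        -LockoutObservationWindow ([TimeSpan]::FromMinutes($lockoutMins)) -WhatIf
}
```

Fine-grained password policies applied to specific groups override the default domain policy, so a clean result here does not guarantee every account is covered.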

Protecting the firm and its clients is everyone’s responsibility. In today’s rapidly evolving technological landscape it is more important than ever to provide ongoing and updated training to all firm personnel, and a mandatory annual security briefing is a solid step in that direction.

Roman H. Kepczyk, CPA.CITP, CGMA, LSS BB is the Director of Consulting for Xcentric, LLC and works exclusively with CPA firms to implement today’s leading best practices and technologies incorporating Lean Six Sigma methodologies to optimize firm production workflows. Roman is also the author of the 2016 Edition of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization” which is available to PCPS members.