Is your firm following best practices to prevent and respond to a cyberattack? Unfortunately, many smaller businesses, including CPA firms, mistakenly believe that their technology is unlikely to be breached. A total of 56% of small business owners said they weren’t worried about being hacked in the next 12 months, and 59% believed they would be able to quickly address any attack, according to a CNBC/Momentive Q3 Small Business Survey. But while it’s true that a ransomware or other attack on a large organization may be more profitable, hackers also target small businesses because their defenses typically are much weaker, making them easy marks. Since it’s clear that firms need to stay vigilant, follow these steps to protect your practice.
Get insured. Many firm owners get cyber insurance to protect them against possible threats. That’s a smart idea, but remember that insurance only covers damages, such as client losses and reputational harm, after a breach has already occurred. Firms also need to take proactive steps to prevent problems in the first place. Cyber insurance is available as add-on coverage under the AICPA Professional Liability Insurance Plan, and Private Companies Practice Section (PCPS) members receive a 5.5% premium credit, of up to $400 for CPA Value Plan policies and $600 for Premier plan policies.
Know the dangers. Being familiar with what you’re facing is one such step. For example, phishing (fraudulent emails sent from a supposedly trustworthy source in an attempt to steal confidential information or gain entry to a system) has long been a top problem for all businesses. Firms can easily face attacks when a phishing email is opened by a staff member who doesn’t recognize the threat it poses. According to the FBI, this issue has become more prevalent recently as new phishing scams exploit the pandemic by sending fraudulent emails that appear to offer related information or seek donations.
When organizations continuously monitor for breaches, they can often minimize the damage, but most small firms don’t engage in real-time monitoring. Once a problem has occurred, even insured firms may face related costs: they will have to identify what happened and how, and notify clients and regulatory agencies. For those who aren’t insured, the impact can be material.
To fully understand the dangers your firm faces, you may want to get an assessment by a cybersecurity professional on your firm’s weaknesses and the best way to tackle them.
Address the risks of remote work. As many firms adopt hybrid work arrangements, they should keep in mind that employees working at home may not have the same built-in safeguards that are available at the office. When a staff member downloads a client file while working at home, from a coffee shop or while in transit, that can inadvertently expose that data or your system to hacking. “There are simply too many remote workers who click on untrustworthy links and use devices that are not properly patched, managed and secured when they access their company networks,” according to Network Depot, which identified remote worker endpoint security as a top cyber threat for small businesses this year.
Move to the cloud. The fees for cloud hosting services include the provider’s own security, constant monitoring and resources that can take firms to a higher level of comfort. When my former six-person firm moved to the cloud, it reduced a great deal of anxiety about cyber threats. We still had our own firewalls, but we knew our data would be protected. The cloud service also updated our software automatically, so we were able to focus our time and energy on serving clients securely from wherever we were. That allowed us to build better relationships and be more productive and efficient. With firms facing greater risks than they have before, this step can bring great value to the firm.
Make a plan. Staff education about issues such as phishing should be part of an overall plan that sets guidelines for keeping up with cyber threats, taking steps to prevent them and preparing to deal with their impact when they occur. Remember that the plan should also address changes driven by the pandemic and remote work. To get started, turn to the PCPS CPA cybersecurity checklist and the recently created PCPS Cybersecurity journey resource, exclusively available to PCPS members, to make sure you’ve covered all the bases. It doesn’t have to be complicated, but it’s critical for even the smallest firm. If you get started today, you’ll be in a much better position to respond to threats when they arise.
Have questions for Carl? Contact him directly at 651-252-4618. And be sure to sign up for Carl’s Small Firm Update webcasts.