The world is not a safe place—at least not for electronic data. One need look no further than current news headlines to discover that yet another large company has lost its customers' data to a cyberthief.
Large companies spend millions of dollars every year trying to defend themselves against cyberattacks, yet attacks still occur. Many practitioners might ask: If a large company dedicates vast resources to cybersecurity and can still be hacked, what hope does a small company with limited resources have?
Some practitioners may find the task of protecting a firm's electronic data to be overwhelming and hopeless and do not know where to begin, while others may feel that their data are safe and no additional steps are necessary.
When it comes to protecting data, a practitioner cannot live in a world where emotions and feelings overcome facts. Accounting firms across the country are at risk of being targeted and attacked by cybercriminals. The IRS is continually issuing alerts notifying tax professionals about scams that are targeting firms. These scams are attempting to get access to confidential client information by sending emails mimicking software providers or asking for updating of accounts for IRS e-services. Firms have a responsibility to keep their clients' data safe; therefore, it is important for companies to take proactive, defensive action.
Securing a firm's data is complex. There is no one right way to start or one correct plan of defense. Consider taking small, actionable steps rather than being overwhelmed by several big tasks. A good place to start is to think of the past, present, and future.
The Past

When focusing on the past, one should ask the critical questions of what firm data might someone want and how would that person get it? While there are many answers to these questions, the following are some key areas of consideration:
Retention policy: The more data a firm holds, the more it has to protect. Consider maintaining a company policy of removing client and employee data after a specific amount of time. Ensure that the retention policy is implemented and carried through in a systematic way. If client data must be retained for longer than the stated retention policy, be sure to have an IT professional encrypt and securely store these data (and ensure that when the reason for retaining the data is gone, that the data are promptly removed).
Employee access: On an employee's last day working at a firm, it is common to collect the person's keys and promptly remove his or her access to the network. However, consider other passwords that may need to be changed as well, such as the wireless network password or the password to the conference room computer. A former employee could still gain network access through commonly accessed devices with generic passwords. Consider changing the password to your network often and allowing employees to log in to common-area computers using only their personal network logins.
Records release: Clients request copies of their records often, and firms have multiple ways to produce them. Knowing this, cybercriminals can forge emails requesting information that appear as if they are coming from a client. Consider producing records to the client only after placing a phone call to verify the request, or create a firm policy to use a secure portal to move data between the firm and the client.
The Present

The process of securing data can take time and follow many steps. Consider the following actions that can be taken in the present:
Develop/review security policies: Create or perform a review of current security policies to ensure that clear expectations are established for all affected parties (employees, owners, clients, etc.). These policies should describe the responsibilities of each party, actions to be taken if the policies are not followed, and procedures to be followed in the unfortunate case of a data breach.
Train staff: No procedure will work if the procedure is not followed properly. Educate your staff about the characteristics of a strong password, what a phishing email is, and what to do if they think that the network has been breached. Once you have trained your employees, ensure that the network is set up to support these procedures. For example, the network will not accept a password that does not meet the criteria set by the administrator. Do not assume that what you consider common cybersecurity practices is general knowledge. It is not.
Review liability insurance: Although this action will not help you to secure your firm's network, it will help to secure your peace of mind. Review your liability insurance policy and identify the extent of your coverage for cybertheft. For example, would your insurance provide coverage for the ransom payment if your data were held hostage? Would it pay for credit-monitoring services for your clients if their data were breached on your server? Some insurance providers maintain a separate policy to cover cybertheft risks, which may be excluded from a general liability policy.
Review numbers: Some cybercriminals hack into CPA firms and use their software to file false tax returns. Print a log of all tax returns that the firm has e-filed in the past year and compare it to what the IRS has on file with the firm's electronic filing identification number (EFIN) and preparer tax identification number (PTIN). If the numbers are different, there could be a problem.
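The "review numbers" check above can be done mechanically. The following is an added example, not code from the article or from any tax software vendor: it reconciles a constructed export of the firm's own e-file log against a constructed summary of returns the IRS shows under the firm's EFIN (the column layout, the EFIN 123456 and the PTINs are assumed placeholders, not a real report format), and flags submissions the firm never filed, submissions the IRS never received, and submissions filed with a PTIN that belongs to none of the firm's preparers.

```python
import csv
import io

# Constructed sample data (not real filings). The real IRS e-Services report
# layout is not shown in the article, so the columns here are an assumption.
FIRM_LOG = """submission_id,tax_year,ptin,client
SUB-0001,2023,P00000001,Client A
SUB-0002,2023,P00000001,Client B
SUB-0003,2023,P00000002,Client C
"""
IRS_REPORT = """submission_id,tax_year,ptin,efin
SUB-0001,2023,P00000001,123456
SUB-0002,2023,P00000001,123456
SUB-0004,2023,P00000001,123456
SUB-0005,2023,P00000009,123456
"""
# PTINs that belong to the firm's own preparers (constructed values).
FIRM_PTINS = {"P00000001", "P00000002"}


def parse(text):
    """Index a CSV export by its submission id."""
    return {row["submission_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(firm_text, irs_text, firm_ptins):
    """Compare the firm's e-file log with what the IRS shows under the firm's EFIN."""
    firm = parse(firm_text)
    irs = parse(irs_text)
    return {
        # Filed under the firm's EFIN but absent from the firm's own log:
        # the strongest indicator that the EFIN is being misused.
        "unknown_to_firm": sorted(set(irs) - set(firm)),
        # In the firm's log but not on the IRS side: a transmission or
        # acceptance problem that also deserves a look.
        "missing_at_irs": sorted(set(firm) - set(irs)),
        # Accepted under the firm's EFIN with a PTIN that is not one of ours.
        "foreign_ptin": sorted(s for s, r in irs.items() if r["ptin"] not in firm_ptins),
    }


if __name__ == "__main__":
    for category, ids in reconcile(FIRM_LOG, IRS_REPORT, FIRM_PTINS).items():
        print(f"{category}: {ids or 'none'}")
```

Any entry in the first or third category is a submission the firm did not knowingly file and should be raised with the IRS e-help desk before the numbers are assumed to be a clerical difference.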
The Future

Cyberthieves change their methods often, so it is critical for the practitioner to be vigilant and stay up to date on the current trends of cybersecurity. To help keep the firm proactive, consider the following tips:
Keep software updated: Software vendors such as Adobe, Microsoft, and Symantec maintain vast departments dedicated to keeping their software safe from breaches. If they identify a vulnerability, they send users software updates that fix it. Encourage staff to install those updates as prompted. Also be sure to ask the firm's IT administrator to regularly update the firm's servers.
Keep going: While it can be easy to take a few steps to secure the firm's network and then think you can check that task off the list, do not stop. Continue to challenge the firm's IT professionals with keeping you updated on any additional precautions that are necessary. Not all IT professionals are cybersecurity experts; however, they will often have ideas on current trends and on how to make the firm's network more secure. These ideas may include two-factor authentication, forced password resets, secure data transfers, and firewall upgrades. While working with IT professionals can be expensive, their knowledge and expertise can be invaluable. Spending the money for safeguards and procedures to implement their suggestions is well worth it if it will save the hassle and expense of dealing with a data breach. Consider budgeting a specific number of hours for an IT professional to focus solely on securing the network.
Start testing: There are many ways to penetrate a firm's network, and new ones are created all the time. Consider periodically having the firm's security procedures tested by a third party to see how they withstand cyberattacks. Such testing will allow the firm to gather instant feedback on its progress toward electronic security.
No Magic Bullet

While the world is not a particularly safe place for electronic data, there are many steps a firm can take to secure its data. There is not one easy step or solution, yet protecting client data is critical. Take proactive steps to secure your firm's data today.

Contributors
Michael Crisler is a member and the chief manager of Crisler CPA PLLC in Hendersonville, Tenn. Michael Ohanesian is a tax manager with Parr & Associates in San Antonio. Mr. Crisler is the chair and Mr. Ohanesian is a member of the AICPA Tax Practice Management Committee. For more information about this column, contact thetaxadviser@aicpa.org.