Cybersecurity threats to your clients, firm
Tips to safeguard your work
October 2018
CPAs are increasingly dependent on technology -- and minding our bytes has become everybody's business.
To be concerned about cybersecurity means protecting yourself from people who want to use your passwords and identity to steal money from you and others. The problem is not as amorphous as it sounds, though; you can divide your focus among five distinct areas and create clear initiatives for each. By considering the potential risks of your physical space, people, apps, mobile devices and networks, you and your team can take steps to make your everyday interactions safer. Here's how.
Your physical space is the seemingly innocent place where you and your co-workers bill hours, but even a small oversight can lead to significant losses of hardware and data. Strong security controls over the physical environment are a critical foundation for your firm.
Protect yourself: Start simply by locking your network closet and other sensitive locations. Use high-security locks and numbered physical keys with restrictions on duplication. If it makes sense for your firm, install video surveillance at entrances and exits. Don't trust your memory -- maintain a device and computer inventory.
Numerous people encounter your firm's data, including full- and part-time employees, contractors, interns, board members and clients. Anyone who has access to business devices, spaces and apps is vulnerable to unwittingly giving away information.
Protect yourself: Call your broker and confirm your cyberliability insurance is adequate. Show the team what's expected with regularly scheduled and new-hire security awareness training. This can run the gamut from theft prevention and minimizing data leakage, to protecting sensitive data and what to do in the event of a suspected breach.
Social engineering penetration testing is also recommended. This exercise raises awareness of scams, password theft, phishing, malware and ransomware. A service is hired to contact your employees via email, calls and even texts to get them to divulge sensitive information. Messages from lookalike names or email addresses ask the employee for passwords or to click on an attachment. If the employee falls for it, the administrator receives a notification and additional security awareness training opportunities are identified.
Applications (apps) may be cloud-based or stored on devices. While it can be challenging to manage the many apps people use on their devices, there are best practices for keeping data away from the people who want to use it against you.
Protect yourself: Turn on two-factor authentication for every app that offers it; it should be standard practice. Keep data access close to the vest by restricting app permissions to only the few people who really need them. Apps are most secure when you automate updates. Lastly, enable security notifications so suspicious activity, such as the addition of a new user, doesn't go unnoticed.
Smartphones and tablets hold most -- if not all -- of your most sensitive data. Working remotely is gaining popularity among CPAs, and with that comes a responsibility to learn how to treat your devices like the highly valuable possessions they are.
Protect yourself: In case of loss or theft, enable remote wipe and location tracking on your tablet and smartphone. Working in a public space? Use only trusted Wi-Fi, VPN or your mobile hotspot. Open access on your device does not bode well for a secure future, so be sure you require a password, PIN or biometrics to unlock your phone. And, because there will be sensitive documents and email on your device, be sure you've enabled local data encryption, though it may be turned on by default.
Networks connect all our devices and apps to each other and to the internet, and networks are composed of firewalls, switches, wireless access points and more. They rely on regular attention to stay secure.
Protect yourself: For the visitors and vendors who occasionally need to use your network or internet connection, create separate guest and private networks. Do a little research or ask a trusted IT expert and use the latest Wi-Fi encryption standards. Finally, so much of network security is about management. Know which employee has what equipment by logging and auditing access to devices. Don't wait for disaster to strike; proactively monitor, manage, update and secure devices, along with creating strong passwords.
Don't go it alone
Does taking on cybersecurity in your CPA firm feel overwhelming? It all comes down to good processes. The process is the component that ties it all together, keeping everyone on the same page and the entire organization secure and compliant.
One example of a process is the steps to take with new and terminated employees. When onboarding new employees, follow a new-hire checklist:
- Note what equipment the employee is given (keys, laptop, mobile devices).
- Notify your IT provider of the new hire.
- Record what logins the employee receives.
When terminating an employee, run the checklist in reverse:
- Return all keys, equipment and company credit cards.
- Notify your IT provider:
  - Give advance notice if the termination is sensitive and requires devices to be disabled at a specific time.
  - If the employee has a personal laptop or mobile device that holds company information, you can and should require that the information be removed by the IT provider.
  - Sometimes it makes sense to buy personal devices from the employee.
- Disable any other shared passwords and documents.
- Forward their email to an administrator.
Further, assign willing team members ownership of specific security roles in your organization, e.g., user training and business/technology liaison. For example:
- Schedule cybersecurity training by talking to your IT professional or your cyberliability insurance person.
- Make sure you have an updated and accurate list of equipment that is out and about.
- Use a password management tool, like LastPass.
Together, you can implement consistent safeguards, starting with the low-hanging fruit first. Decide who is going to do what between you, your leaders and your IT providers. With a little time and persistence, maintaining your safeguards will become routine for everyone in your firm.
CPAs can't be too vigilant when it comes to cybersecurity. The threats will always exist, but facing them head on is half the battle!
Daniel Moshe is the founder and CEO of Tech Guru, LLC, a technology firm helping build the CPA firms of the future. You may reach him at 612-235-4895 or firstname.lastname@example.org.