Demand for effective cyber risk management is so strong that the AICPA is developing common criteria for CPAs to use as they help clients evaluate their programs and efforts. Meanwhile, accountants themselves understand the importance of good cybersecurity practices in their own offices, given recent reports of attacks by identity thieves targeting client names and IDs.
As information security experts will attest, the top vulnerabilities for an accounting firm or any other business are less likely to be tied to equipment and technology hardware on the premises than they are to the numerous individuals using that equipment and hardware. That means that some of the most important actions a firm can take are those that reinforce good practices among staff members—even if those actions elicit eye rolls.
“I know a lot of people do not take security awareness seriously, but for Sageworks, the No. 1 thing that has helped our organization is making people aware of the potential vulnerabilities,” says Emily Larkin, Sageworks’ information security officer and a Certified Information Security Systems Professional (CISSP) and Certified Business Continuity Professional (CBCP). “A lot of us know how to protect the perimeter of our facilities, but it is people clicking and downloading that can pose the biggest threats.”
Information security has to be viewed as a responsibility for everyone in the company, not just the IT team, says Larkin, adding that this is especially critical for firms like Sageworks and accounting firms working with financial data. A central method for creating a strong cyber security culture is generating awareness. Here are eight actions Larkin and other IT pros recommend to build awareness and reduce risks:
1. Ensure leadership buy-in. For many companies, top executives or boards are involved in IT only insofar as approving capital spending on technology. They need to be plugged in on the topic and have a full understanding of the risks, since they are ultimately responsible for protecting the firm and clients against those risks. Larkin says regular presentations to boards or top executives (as well as documentation of leadership’s involvement through meeting minutes) can help protect the firm from problems and can limit liability if problems arise. “It’s taking information security out of the server room and bringing it into the board room,” she says. “The whole company has to take responsibility for it, and that trickles down through the awareness.”
2. Develop a security awareness program. “This could be a two-page handout you give new hires. It could be something that is done every quarter or every month,” says Larkin. “Put something in the employee newsletter each month, or make employees read and sign an annual agreement to comply with cyber security efforts. Rather than see security awareness as something to be checked on a form, focus on continued awareness training for the most benefits.”
3. Make the topic ubiquitous. As part of an awareness program, look for ways to inject the technology topic into meetings of all kinds—staff meetings, team meetings, board meetings. Larkin does this by providing reminders and new information on cyber security at monthly staff meetings. Updating teams on new risks and rehashing steps to protect against cyber threats keeps the topic front-of-mind.
4. Test employee awareness and compliance. Simulate a phishing attack and use the results of employee responses as a training tool. Various sites can help you conduct these tests, which can give employees first-hand experience reacting to situations that could put information security at risk. Utilize other approaches, such as quizzes in employee newsletters or “white hat social engineering” experiments.
5. Ensure you have the right people in place, even if it means getting help from outside. This sounds simple, but firms might be tempted to slap the title of information security officer on someone who is already handling critical functions at the firm, yet that person may not have sufficient bandwidth for the role. This can especially be an issue at small firms that have 10 employees, for example, and can’t afford to hire a separate person for cyber security and technology issues. Protecting firm and client data requires having someone who knows the regulatory requirements and who is implementing programs and documenting everything.
6. Stay current with software patches and antivirus/malware updates. This is one of the biggest weaknesses of small firms, even though patching Microsoft programs doesn’t cost money, Larkin says. “The firm is relying on individual employees to install updates and patches, but it can be a pain,” she says. “An employee may say, ‘I don’t want to upgrade Internet Explorer because the last time I did it, it slowed everything down,’ for instance. People are probably exchanging convenience for security.” Firms themselves may put off switching from Windows XP, for example, even though Microsoft stopped supporting the operating system with critical security updates long ago.
7. Consider utilizing web-based software. Firms using web-based software receive automatic updates and user support, eliminating the need for nontechnical staff and managers to download software updates and to play the role of technical support or technical police. Some accountants may have concerns about web-based platform vendors’ security protections for client and firm information, but those concerns are often unfounded, according to research firm Gartner. "[M]ost breaches continue to involve on-premises data center environments,” the firm says. “The majority of cloud providers invest significantly in security technology and personnel and realize that their business would be at risk without doing so." Utilizing properly vetted web-based software narrows your accounting firm’s responsibility to the workstation and the internet connection to the software.
8. Check your website for over-sharing. Many businesses have reported phishing scams that utilize basic information available on a company’s website: The cybercriminal spoofs the email address of a top executive or finance official and sends an urgent directive to the accounts payable staff to deposit funds to a supposed vendor. Check your website from the perspective of someone looking to do your firm harm. How could they utilize information to target you?
Protecting your accounting firm from cyberattacks and data breaches requires much more than an occasional reminder to staff not to share login information and to change their passwords regularly. But boosting awareness more broadly and creating systematic checks on cybersecurity can provide the practice and its clients with peace of mind and confidence.
Mary Ellen Biery is a research specialist at Sageworks