Financial services organizations are often the biggest targets for hackers. As keepers of sensitive personal and financial information, CPA firm databases are particularly attractive targets for cyber-criminals, with payroll accounts becoming the latest security battleground. Payroll remains so vulnerable, in part, because companies are reluctant to make the changes needed to stay up to date in data protection.
Taking measures to mitigate risk and protect the sensitive personal, payroll, and other financial information your clients entrust to you is essential. A proactive approach to cybersecurity can make you less susceptible to breaches, lawsuits, and client agitation, ultimately helping you retain your clients and their trust and assuring stability and future success for your firm. Skimping on IT security, safety, and defense resources, or looking for ways to cut costs in security, may save some money upfront, but it will only make your organization more susceptible to breaches and open the floodgates for lawsuits and negative reviews that could dramatically outweigh the cost savings from keeping your security operations lean.
To preserve your existing client relationships and position yourself for continued new business, make data security synonymous with your firm’s customer-facing identity. Cyber-risk management and education need active participation from everyone on staff, starting at the top and working down to all employees, so that they become a permanent feature of your firm’s culture. To protect your firm (or when evaluating a firm), make sure a formal enterprise risk management (ERM) program is in place.
RISK ASSESSMENT: Conduct periodic evaluations focused on identifying major areas of weakness that could make your firm vulnerable to hacking. Address any control gaps and deficiencies as soon as you uncover them. Review your checks and balances to make sure that your control policies and procedures are still current and effective.
- Deploy and monitor intrusion detection and prevention systems. Make sure system activity is actively monitored for malicious behavior or policy violations, and actually review the resulting reports to gain visibility into existing weak entry points so you can avoid breaches in the future.
RISK MITIGATION: Focus on training as well as talent recruitment and retention. Your firm’s ability to mitigate risk is directly related to your employees’ ability to execute the internal control procedures you established during the assessment phase. Mitigating the ‘people’ risks is a key component of the ERM strategy, so deploy regular anti-fraud awareness training to make sure everyone remains vigilant and informed enough to ward off threats from would-be cybercriminals.
- Consider limiting the use of outside devices while at work to keep all employees on a secure and centralized system, and work with your IT team to identify and ban applications that could be used with malicious intent.
- Enable two-factor or multi-factor authentication (2FA/MFA) on all accounts, especially in QuickBooks!
RISK MONITORING: Enlist a team of cybersecurity experts (such as a managed service provider, or MSP) to monitor your network activity for potential threats, offer training opportunities and resources to help educate staff and protect client data, and run compliance reviews and operational audits on a regular basis to make sure your safety controls remain effective.
- Verify and test your disaster recovery plan. Perform monthly disaster recovery drills to ensure quick response times.
- Deploy multiple AI-based security products. AI software learns users’ habits and daily activities so that it can identify when an anomaly may be present in a user’s environment, without relying on known threat signatures.
- Replicate data and keep backups. Establish daily backups stored separately from the network.
- Utilize anti-spam/anti-virus prevention and detection. Reportedly, 90 percent of cyberattacks occur via email, so anti-spam/anti-virus prevention and detection is another method for protecting client data, especially when working in email. Additionally, enable encryption and archiving as part of your prevention and detection defense.
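To make the "learns users’ habits and flags anomalies without signatures" idea concrete, here is an added Python example (not code from the original article, and not any vendor's product) that builds a per-user baseline from sign-in records and scores later events against it. The log lines, user names, countries and thresholds are all constructed for illustration; a real deployment would read events from your MSP's or identity provider's logs and tune the thresholds to your firm.

```python
"""Baseline-driven anomaly detection over sign-in records (illustrative, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import statistics

# Constructed training records (not real data): ISO timestamp, user, source country, bytes downloaded.
BASELINE_LOG = """\
2024-03-04T08:55:00 alice US 120000
2024-03-04T09:10:00 bob US 80000
2024-03-05T09:02:00 alice US 150000
2024-03-05T08:48:00 bob US 95000
2024-03-06T08:40:00 alice US 110000
2024-03-06T17:30:00 bob US 70000
2024-03-07T09:15:00 alice US 130000
2024-03-07T10:05:00 bob US 90000
2024-03-08T08:50:00 alice US 125000
2024-03-08T09:30:00 bob US 85000
"""

# Constructed events to score against the learned baseline.
NEW_LOG = """\
2024-03-11T09:00:00 alice US 118000
2024-03-11T03:12:00 alice RO 9400000
2024-03-11T09:20:00 bob US 88000
2024-03-11T22:45:00 bob US 91000
2024-03-11T09:40:00 carol US 50000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    country: str
    volume: int


def parse(log):
    """Parse whitespace-separated records into Event objects, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, country, vol = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, country, int(vol)))
    return events


def build_baseline(events):
    """Learn, per user, the hours and countries seen and the download-volume distribution."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baseline = {}
    for user, evs in per_user.items():
        vols = [e.volume for e in evs]
        baseline[user] = {
            "hours": {e.ts.hour for e in evs},
            "countries": {e.country for e in evs},
            "vol_mean": statistics.mean(vols),
            "vol_stdev": statistics.pstdev(vols),
        }
    return baseline


def score(events, baseline, hour_slack=2, z_threshold=3.0):
    """Return (user, timestamp, reasons) for every event that departs from its user's baseline.

    No threat signature is consulted: an event is flagged only because it differs from
    what that user normally does (time of day, source country, or download volume).
    Hour comparison does not wrap around midnight; that is acceptable for this illustration.
    """
    findings = []
    for e in events:
        b = baseline.get(e.user)
        if b is None:
            # A user with no history cannot be scored; surface that rather than ignore it.
            findings.append((e.user, e.ts.isoformat(), "no baseline for user"))
            continue
        reasons = []
        if not any(abs(e.ts.hour - h) <= hour_slack for h in b["hours"]):
            reasons.append(f"unusual hour {e.ts.hour:02d}")
        if e.country not in b["countries"]:
            reasons.append(f"new source country {e.country}")
        if b["vol_stdev"] > 0:
            z = (e.volume - b["vol_mean"]) / b["vol_stdev"]
            if z > z_threshold:
                reasons.append(f"download volume z={z:.1f}")
        if reasons:
            findings.append((e.user, e.ts.isoformat(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    model = build_baseline(parse(BASELINE_LOG))
    for user, when, why in score(parse(NEW_LOG), model):
        print(f"{when} {user}: {why}")
```

Run as a script, it reports alice's 03:12 sign-in from a new country with a very large download, bob's 22:45 sign-in outside his usual hours, and carol as a user with no history. The point for a firm evaluating such products is that every finding is explained by a specific departure from that user's own baseline, which is exactly the kind of report the monitoring bullet above says you should actually read rather than file away.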
If you still need convincing about the importance of instituting a cyber risk management program, just look at the latest numbers. The average cost for a lost or stolen record is $242 (which has nearly doubled over the last year alone and continues to rise). Multiply that by every file in your system (plus all potential legal fees), and the costs add up quickly. Investing in data security from the get-go can save you big down the line; it’s an investment you’ll want to make.
No matter the size of your firm, you are at risk, especially small CPA firms that may not always have the budget for an in-house IT specialist. If you’re uncertain about the next steps, consult with an IT solutions partner to make sure your business is protected. By using both preventive and predictive security best practices, you can help keep cyber threats from penetrating your network, keep your valuable data secure, and keep your business up and operational.
Our goal is to provide you and your team with secure and reliable access to your data so that you can focus on doing your organization’s business. Our proven cloud solutions are backed by our multi-factor cybersecurity methodology and a team of cybersecurity experts. Braver Technology Solutions | WeMakeITWork@BraverTechnology.com
Boston 617.315.8515 | Taunton 508.824.2260 | Providence 401.484.7900