5 Cybersecurity Precautions for Small CPA Firms
With busy season off to another running start, it’s important to remember that cyber attackers are busy too. With readily monetizable information on hand that can be sold easily on the black market, your practice is an especially attractive target for attackers.
Frequent news reports of breaches at large organizations and government entities might lead you to believe you don’t stand a chance if targeted. Fortunately, this is not the case. The following basic precautions can significantly reduce your risk and mitigate damage if you experience a cybersecurity incident.
- Locate, classify and separate information by risk level. The highest risk information for most firms is going to be financial account information such as bank routing and account numbers, credit and debit card numbers, and usernames and passwords for online account access. This information should be protected with a high level of security and stored separately from other client records. Because industry safeguards typically require names of authorized users, billing addresses, employer identification numbers and Social Security numbers to gain access to accounts, a system that stores information used to authenticate account numbers separately from the numbers themselves can mitigate losses should a security breach occur.
- Assess business processes. Now that you’ve classified your information, it’s time to look at your business How is sensitive information transmitted between clients and your office? A secure client portal or encrypted e-mail should be used to reduce the risk of information being intercepted. Which staff members in your office have access to sensitive information and why? Access should be restricted to those who have a specific business need for the information. Your system should automatically create a log entry every time sensitive information is accessed. Because hackers increasingly circumvent security measures by deceiving staff members who have legitimate access, it’s important to train your staff on information security policies and techniques hackers use to gain access through social engineering. You should never store your highest risk information on unencrypted portable devices such as laptops, tablets, smartphones and thumb drives.
- Review security technologies. Start with your network firewall. It should be installed and configured by a network security professional, updated automatically and reviewed annually. PCs should have virus protection software installed and be set to receive automatic updates for both virus protection and the operating system. Any portable device, including laptops, tablets, smartphones—and especially thumb drives—used to store or access sensitive information should be encrypted. If you accept credit and debit card payments, as of Oct. 1, 2015, your card terminal and processing system need to be EMV compliant to avoid liability in the event of certain types of fraud.
- Conduct due diligence on service providers. Cloud-based software providers and other service providers can be a great resource to keep your practice efficient and secure. However, they can also be vulnerable to attack. Ask to see your service provider’s SOC 2® report. Have they detected any security breaches, and, if so, how have they been resolved? And, finally, ask about how secure the connection is between your computers and their servers. Any provider still using SSL rather than the newer TLS encryption protocol is vulnerable to attack.
- Develop an incident response plan. In the unfortunate event of a security breach, you should have a plan in place to determine when the incident occurred, identify client information impacted and notification requirements. According to the National Conference of State Legislatures, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information. Click here to look up the law in your jurisdiction. Although provisions vary, generally you should be familiar with your jurisdiction’s definition of “personal information,” what constitutes a breach and notification requirements. Many jurisdictions provide exemptions for encrypted information.
Access information, news and resources on cybersecurity at the AICPA’s new online resource center. You’ll learn about protecting client information and providing advisory and assurance services related to cybersecurity.
Jeffrey Streif, CPA, CISA, PCI-QSA, CFE, heads the cybersecurity consulting and assurance practice for the St. Louis office of UHY LLP. Bruce Sussman, CPA, CISA, CIPT, CISSP, is PCI Global Executive for AIG in New York. Streif is a member of, and Sussman is co-chair of the AICPA’s Information Management and Technology Assurance Section’s Cybersecurity Task Force.
Cybersecurity courtesy of Shutterstock.