« The One Vulnerability Cyber Thieves Are Desperate to Exploit | Main | 3 Tax Technologies You Shouldn’t Ignore »

4 Steps to Fortifying Your Cybersecurity

Cybersecurity 4Small businesses are “unprepared or poorly prepared for a cyberattack” according to 75% of the 307 insurance and risk management advisors surveyed through the Advisen and Experian 2017 Cyber Risk Preparedness and Response Survey. Unfortunately, no organization is immune to cyberthreats. These days, most companies should have some basic form of cybersecurity program in place. If yours doesn’t, or if you need a refresher, here are four steps you can take to establish a stronger foundation.

Step 1: Create a Comprehensive Set of Cybersecurity Policies

What resources does your organization have that are at risk? Think beyond the obvious. On-site computer systems, laptops, tablets and mobile phones are immediate suspects, but bring your own devices (BYOD) and wearable technology such as smartwatches can also be compromised. Determine what controls you need in place to ensure information is kept secure. Set your rules for communicating, working with, copying and distributing sensitive data; and document those rules and make sure everyone in the organization receives a copy. Necessary policies typically include an IT policy, information security program (including a risk assessment), employee acceptable usage policy, business continuity and disaster recovery plan, and an incident response plan. 

Step 2: Follow Best Practices

Putting your policies into practice is easy when you develop good habits. Inventory your data, just as you would physical inventory, so you understand what you have. (This is a critical step that is often not completed accurately.) Maintain your software, applying the latest patches and updates as soon as they are available to help combat security holes and malware attacks. Filter web content known to carry malware, such as pornography, gambling sites and social networking. Keep your user list current, purging old and unused accounts. Review who has high-level access privileges and ensure these are the users you want having that access. Utilize multifactor authentication for all cloud systems, including email. Back up your data regularly. Finally, have an independent service test your security for vulnerabilities and repair any weaknesses they identify.

Step 3: Use the Right Tools

It’s difficult to stay ahead of cybercriminals, but establishing layers of controls and using the right tools can help. Encrypting your emails and files for transmission is something your applications should allow, whether they are cloud-based or locally hosted. Be sure to use a mobile device management (MDM) system to enforce and manage system-wide controls such as inactivity timeouts, forced passwords and remote wipe capabilities in the event of a stolen or lost device. Consider organization-wide controls for password management such as password vaults or the use of single sign-on. And be sure to have a robust backup plan that keeps sensitive data safe and recoverable in the event of a ransomware attack, such as “WannaCry.”

Step 4: Thoroughly Train Staff

Establish a culture of cybersecurity starting at the very highest levels of management. Your policies, practices and tools should all be familiar to your staff and users. Be sure to keep all users updated on any changes to the system or your cybersecurity plan as soon as they occur. Refresh all employees at least annually on policies and practices, and make cybersecurity in your organization part of the onboarding process.

You can find more information, resources, tools and events related to cybersecurity—including links to the AICPA’s new cybersecurity risk management reporting framework and the Private Companies Practice Section (PCPS) cybersecurity toolkit, plus Information Management and Technology Assurance (IMTA) Section resources—at the AICPA’s Cybersecurity Resource center.

Lisa Traina, CPA, CITP, CGMA, led a lively session at AICPA ENGAGE, assessing some of data’s biggest threats, highlighting the gaps in coverage that organizations need to address, and offering key best practices any company can deploy immediately. She is a partner at Traina & Associates, a CapinCrouse company, and is based in Baton Rouge, Louisiana.

Cybersecurity courtesy of Shutterstock.


Comments are moderated. Please review our Comment Policy before posting.


Subscribe in a reader

Enter your Email:

CPA Letter Daily