Updating your CPA firm’s data security plan for 2022
Increasingly common cyberattacks have elevated cybersecurity from a luxury to a necessity, particularly for businesses that hold large amounts of private data, such as accounting firms. Since it takes a company an average of 228 days to recognize that its systems have been breached, CPA firms must take a proactive approach to protecting both the firm and its clients; being reactive is no longer a feasible or affordable option. As services migrate to the cloud, developing effective accounting firm security policies focused on protecting client and firm data becomes increasingly complex.
9 data security risks accounting firms need to be aware of
The risks associated with cybersecurity challenges are numerous and severe. Here are 9 risks CPA firms need to address when it comes to cybersecurity.
Risk #1: Remote Work Vulnerability
Hackers are becoming increasingly sophisticated, and cyberattacks are increasing by the thousands. In 2020 the FBI’s Internet Crime Complaint Center (IC3) reported receiving 3,000 to 4,000 cyberattack complaints daily. The COVID-19-driven shift to remote work is also affecting breaches and their cost: the average cost of a data breach was US$1.07 million higher where remote work was a factor in causing the breach. (IBM Cost of a Data Breach Report 2021)
Risk #2: Client Personal Identification Information Leakage
Accounting firms must guarantee the safety of the information in their care. Accounting practitioners and firms hold some of the most sensitive data there is, from Social Security numbers to bank logins. Breaches of this information are not only costly but damaging to the client’s identity. Accountants need to be especially aware of the rise in Android banking malware, since many accounting practitioners log in to their clients’ bank accounts regularly. In T1 2021, this banking malware rose by a massive 158.7%, and in T2 it grew a further 49%. This is a worrying trend, since banking trojans (malicious programs disguised as legitimate ones) and malware have a direct impact on their targets’ finances. (ESET Threat Report T2 2021)
Risk #3: Human Error & Negligence
Cyberattacks are often the result of avoidable issues and human error. Accounting firms need to educate not only staff but also their clients on the risks of sharing data insecurely. Sending private data and passwords over email, text message, and other insecure channels makes clients and firms an easy target. Public Wi-Fi and other unprotected networks can likewise lead to breaches.
Risk #4: Financial Risk
The financial consequences of cyberattacks are considerably higher than most people assume. According to the 2020 Cost of a Data Breach Report, conducted by the Ponemon Institute, customer personally identifiable information (PII) costs an average of $150 per record per breach, and the average cost of a data breach in the United States is $8.6 million; these numbers are only increasing. 2021 saw the highest average cost of a data breach in 17 years, rising from US$3.86 million to US$4.24 million year over year. (IBM Cost of a Data Breach Report 2021)
Risk #5: The Hacker-next-door
As hacking becomes easier, it no longer requires a nation-state team. This hacker-next-door trend has seen growing success among novices. It doesn’t help that all an attacker may need is to compromise a single phone, since the most common cause of data breaches is stolen user credentials, responsible for 20% of breaches at an average cost of US$4.37 million each. (IBM Cost of a Data Breach Report 2021)
Risk #6: Increase in Ransomware Attacks
Though the concept is not new, these attacks are increasing exponentially. In a ransomware attack, a person or group steals data and locks it so the victim has to pay to get it back. In 2021, IT management software provider Kaseya had its systems compromised by the Sodinokibi ransomware, with the perpetrators demanding a US$70 million ransom, the largest ransom demanded to date. (ESET Threat Report T2 2021) If it can happen to a well-protected IT company, it can happen to a small-to-medium-sized accounting firm. As with many cyberattacks, the overall cost of remedying a ransomware attack has also risen significantly: in 2020 it was US$761 thousand, and in 2021 the overall cost of remediating a single ransomware attack skyrocketed to US$1.85 million. (ENISA Threat Landscape 2021)
Risk #7: Crypto Risk
Cryptocurrency investment scams remain as popular as ever, but they are not the only threat. Accounting firms working with clients in the cryptocurrency world need to be increasingly aware of such threats and inform their clients of the dangers. Between October 2020 and May 2021, victims were scammed out of more than US$80 million. The actual figure is expected to be higher, since many people are ashamed to admit they have been scammed. (United States Federal Trade Commission) Cryptocurrency has been the preferred method of payment for cybercriminals for a few years now, especially when it comes to ransomware. As much as US$5.2 billion worth of outgoing Bitcoin transactions may be tied to ransomware payouts involving the top 10 most common ransomware variants. (FinCEN Report on Ransomware Trends in Bank Secrecy Act Data)
Risk #8: Reputational Loss
The risk to an accounting firm from a customer data breach is greater than ever. In prior generations, it took word of mouth to spread the news; today, one client with influence or a social media following can completely destroy the reputation of the firm and its employees.
Risk #9: Compliance
As the US introduces new consumer privacy regulations, it will be up to businesses to stay compliant with the enhanced state privacy laws. States including California, New York, Massachusetts, Maryland, Nevada, Maine, Hawaii, Virginia, North Dakota, and New Jersey have already enacted privacy regulations to protect consumer information, with others not far behind. As privacy regulations increase, so will the need for cybersecurity insurance. Keeping track of the ever-changing legal landscape for data privacy could be a full-time job, so keeping business data protected and encrypted from the beginning could save firms both time and money.
How to develop an effective accounting firm data security plan
To protect against the above risks, accounting firms must have proactive systems in place. Since cyberattacks and breaches are often the result of avoidable issues and human error, educating staff and clients on the risks and best practices protects everyone involved. For CPA firms and accounting practitioners, having a data security plan is critical. When planning for cybersecurity, firms should consider all components of accounting technology, including email, servers, cloud solutions, and employees. Here are some best practices for a well-rounded cybersecurity plan.
#1 Invest in a practice management system with a cybersecurity solution
The best and easiest way to protect your firm is to bring in the experts. These solutions can cover everything from patch management to technology auditing, which identifies vulnerabilities, to penetration testing, which assesses where the firm is exposed. They can also protect your network perimeter and architecture to ensure security and operability. Having both human eyes and firewalls monitoring your firm’s activity helps detect intrusions quickly and reduces risk.
#2 Understand the importance of backups
CPA firms should have a plan to back up their data, operating systems, and applications, especially during tax season, when they can’t afford a single snafu. Automated nightly backups protect businesses and their data from glitches or attacks. Having files archived offsite using virtualization is an easy way to quickly restore anything lost to a cyberattack or other issue. Backups protect not only against cyberattacks but also against network or technical glitches, natural disasters, and computer theft. Knowing data is safe and secure creates immeasurable peace of mind during the stress of a potential cybersecurity breach.
#3 Email Security
When it comes to cybersecurity and CPA firms, the best option is to message team members and clients within a platform or portal. If email is the only option, consider implementing application security or email-layer protection. In phishing, attackers use email to attack the firm or its clients. In 2021, phishing was connected to 36% of breaches, an increase of 11%, which may partly be attributed to the COVID-19 pandemic, since attackers tweak their phishing campaigns to follow current events (Verizon 2021 Data Breach Investigations Report).
#4 Passwords & Authentication
Password theft is a major cause of breaches. Accounting firms should have strict password policies and secure credential storage in place. Clients and employees should be informed of password best practices, such as how to create strong passwords that include numbers, special characters, and both upper- and lowercase letters. According to Swizznet, a cybersecurity protection and hosting company for accounting solutions, if firms did only one thing to protect themselves from cyberattacks, it should be to enable multi-factor authentication. Multi-factor authentication typically requires users to submit a known factor, such as a password, and a second factor, such as a system-generated passcode, Captcha, or third-party verification application. When factors are combined, it is much harder for attackers to use a stolen password alone to access your information systems.
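The following is an added example, not code from the original article or from any product it mentions, showing why a stolen password alone is not enough once a second factor is required: a login gate that checks a salted password hash and then a system-generated TOTP passcode (RFC 6238). The user record, salt and authenticator secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample account for a hypothetical firm employee. A real credential
# store keeps a random per-user salt, the hash and the TOTP secret; here they are
# built inline so the example runs offline.
_SALT = b"constructed-salt-value"
_ITERATIONS = 200_000
USERS = {
    "jsmith": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Tax$eason2022!", _SALT, _ITERATIONS),
        "totp_secret": "JBSWY3DPEHPK3PXP",   # base32 secret shared with the authenticator app
        "locked": False,
    }
}

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def login(username: str, password: str, code: Optional[str], now: Optional[int] = None) -> str:
    """Return 'ok' only when BOTH factors verify. A stolen password never yields 'ok'
    on its own, which is the protection multi-factor authentication provides."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or user["locked"]:
        return "denied"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "denied"                      # do not reveal which factor failed
    if code is None:
        return "second factor required"
    # Accept the current 30-second window and one either side for clock skew.
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(user["totp_secret"], now + drift * 30), code):
            return "ok"
    return "denied"
```

Real deployments add rate limiting on the code check and reject a code once it has been used, which this minimal gate does not do.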
#5 Encryption
Encryption protects data from outside parties. It is usually a service provided by cybersecurity solutions and platforms. Look for encryption services with Site Safe SSL certifications and a $1,000,000 user guarantee. A PCI-compliant service will also help your business process credit card data safely. If hiring an encryption service, look for one that continually validates its systems with vulnerability scanning.
#6 Permission Controls
One simple way to protect data is to assign permission levels, so that each user or employee can access only the information that is necessary and appropriate for their role. It also gives managers the ability to quickly lock accounts when an employee is terminated or no longer needs to see specific data.
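As an added illustration of permission levels (example code, not from the article or any product it names), the check below grants access only to the data classes listed for a user's role, denies everything else by default, records every decision for audit, and lets a manager lock an account so all of its permissions disappear at once. The roles and data classes are constructed for a hypothetical small CPA firm.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Data classes a small CPA firm might hold (constructed labels).
CLIENT_RETURNS = "client_tax_returns"
CLIENT_BANK = "client_bank_credentials"
FIRM_PAYROLL = "firm_payroll"
ENGAGEMENT_LETTERS = "engagement_letters"

# Permission levels: each role lists only the data it needs. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "intern": {ENGAGEMENT_LETTERS},
    "staff_accountant": {ENGAGEMENT_LETTERS, CLIENT_RETURNS},
    "senior": {ENGAGEMENT_LETTERS, CLIENT_RETURNS, CLIENT_BANK},
    "partner": {ENGAGEMENT_LETTERS, CLIENT_RETURNS, CLIENT_BANK, FIRM_PAYROLL},
}

@dataclass
class Account:
    role: str
    active: bool = True

@dataclass
class AccessControl:
    accounts: Dict[str, Account]
    audit: List[str] = field(default_factory=list)   # one line per decision, for review

    def can_access(self, user: str, data_class: str) -> bool:
        """Deny by default: unknown user, locked account or unlisted data class all fail."""
        acct = self.accounts.get(user)
        allowed = (acct is not None and acct.active
                   and data_class in ROLE_PERMISSIONS.get(acct.role, set()))
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {user} -> {data_class}")
        return allowed

    def lock(self, user: str) -> None:
        """Offboarding or suspicion: one switch removes every permission at once."""
        if user in self.accounts:
            self.accounts[user].active = False

def demo() -> Dict[str, bool]:
    """Walk through the cases the text describes and return the decisions."""
    ac = AccessControl({"ava": Account("staff_accountant"), "ben": Account("partner")})
    results = {
        "staff_reads_returns": ac.can_access("ava", CLIENT_RETURNS),
        "staff_reads_payroll": ac.can_access("ava", FIRM_PAYROLL),
        "partner_reads_payroll": ac.can_access("ben", FIRM_PAYROLL),
        "unknown_user": ac.can_access("mallory", ENGAGEMENT_LETTERS),
    }
    ac.lock("ben")                                    # ben leaves the firm
    results["locked_partner_reads_payroll"] = ac.can_access("ben", FIRM_PAYROLL)
    return results
```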
#7 Employee training
Firm owners and accounting practitioners need to ensure their employees follow privacy protocols 100% of the time. In addition to educating employees on risks and protocols, Practice Protect, a data security firm for accountants, recommends having employees sign a policy agreement covering what they should and shouldn’t do when it comes to cybersecurity.
#8 Cyber security insurance
Cybersecurity insurance will soon be required, but until then, at minimum, it can be a lifesaver for CPA firms. Cybersecurity insurance protects businesses against financial losses caused by cyber incidents, including data breaches and theft, system hacking, ransomware extortion payments, and denial of service. Among small businesses with fewer than 250 employees, the average reported cyberattack cost was about $25,600, according to a 2021 report from Hiscox Insurance. According to Nathan Little, vice president of digital forensics and incident response for Tetra Defense, a cyber risk management company, “Hackers often programmatically look for targets and attack small firms because of certain vulnerabilities, not because they’re set on attacking a specific company.”
There are two main types of cybersecurity coverage: first-party and liability. First-party coverage provides financial assistance with recovery costs, and the most common first-party coverage is data breach insurance. Liability coverage, on the other hand, covers damages to clients and their data should a compromise of your systems affect them. It also covers attorney and court fees, settlements, and fines for non-compliance.
How much coverage does a firm need? Most small businesses carry about US$1 million in cybersecurity coverage limits, but talk to an insurance agent to determine the right coverage for your firm’s needs.
Upleveling your firm’s data security doesn’t need to be difficult
One of the easiest steps accountants can take to make their firm more secure is investing in an accounting practice management system that natively includes many cybersecurity features. As a member of the Cloud Security Alliance, CARET solutions, like OfficeTools, are equipped with the latest in accounting cybersecurity features and compliance controls.
For more information on how you can securely manage your firm with OfficeTools, give us a call at 858-882-4879, or request a demo today.