Join us on January 19th for more information on the IRS WISP requirements. You can sign up for our 30-minute lunch-and-learn webinar HERE or subscribe to our YouTube channel for the replay.
Following the IRS Security Summit last August, all-new requirements for written information security plans (WISPs) were released. The checklist of items that firms must address as part of their security plans is lengthy.
Before viewing these compliance requirements as yet another time-consuming task, consider the risks to your firm and why it’s so critical to avoid them. Below are three of the most prevalent and concerning security risks facing CPAs.
1. Natural disasters
Think Florida filing extension. Imagine your office or home office is underwater one day. Natural disasters happen all the time and are completely outside of our control. But your firm needs to be prepared for how you will deal with them: not only how to get your office back up and running should something happen, but also how to protect your client information in the process.
Unfortunately, even if your computer floats away in a flood, you’re still responsible for protecting any client information that might be able to be recovered from it. A written plan that tells you and your team the steps for protecting information and rebooting an office or hot spot in the event of a natural disaster is critical to have before you need it.
2. Technology failures
This is another one that happens all the time, yet we don’t think it will happen to us. Computers crash, power outages occur, and servers fail. Just like with natural disasters, you have a two-fold problem when technology fails. The first is that you have a business to run and you need the fastest, most efficient path to getting back to work. The second problem is making sure information is secure.
The simplest example of this is when one of your remote employees takes their laptop to the nearest coffee shop to work while their home is out of power. It seems harmless, and you appreciate the dedication, until protected client information is accessed from a laptop connected to an unsecured coffee shop network. You need a detailed written list of all the ways you and your team can appropriately deal with these circumstances and also a written list of inappropriate fixes.
3. Cyberattacks
This is probably the one we worry about the most, although all of these examples are important to think about. CPAs are traditionally targets for cyberattacks simply because of the information we house. Skimping on cost when it comes to information security and monitoring is never a good idea, and yet many firms don’t have a beefy budget for this line item.
In addition to having systems on your computers to protect from attack, employing an IT team that offers 24/7 monitoring is highly recommended. Our firewalls and such are not foolproof and don’t always indicate a problem right away, but a professional monitoring your system would help with this.
WISPs are now part of required compliance for practitioners, but beyond just compliance, part of protecting our business is ensuring continuity if there ever were to be an issue. Taking the time to carefully consider areas of weakness for data loss or an inability to continue workflow will help to minimize issues should an event occur.