We all know that cybersecurity is a must for tax practices and CPA firms. With the inordinate amount of personal data we collect in tax preparation processes, tax practices are a major target for cybercrime.
Many firms believe they are protected with basic firewalls and virus scanning software. Cybersecurity, however, is much more complex than it seems, and most firms don’t have the resources to address it properly. A recent report from CPA Practice Advisor noted that most firms are out of business within six months of a major cyber-attack.
So, how do you better prepare?
1. Utilize free resources
The AICPA (American Institute of Certified Public Accountants), CPA Practice Advisor and other organizations all offer free whitepapers that outline cybersecurity requirements and recommendations and even provide checklists for your firm to use to evaluate your level of security. These are a great place to start to self-audit your firm’s current security measures and build an action plan for addressing any holes.
2. Enforce security controls
At a minimum, your firm should have an up-to-date security plan in place that includes password changes and control measures, data backup and storage plans, and monitoring procedures. Limit access to information to only those users who actually need it.
Make sure software, computers, and other electronic databases require users to regularly change passwords. Ensure that two-factor authentication is turned on whenever available. Following basic protocols can help reduce risk.
3. Create a response plan
Outline what the procedures are if a breach occurs. If your team does not know who to turn to when an issue pops up, you could lose precious time to contain the threat. Make sure everyone knows exactly what the next steps are if they believe any data has been compromised or if computers or laptops appear to be experiencing a data breach.
How will you communicate any breaches to clients? What remediation will you make available? Responding to a cyber breach can feel like a full-blown emergency, but just like a fire drill, making sure everyone knows exactly what to do and where to go can help minimize casualties.
4. Obtain cyber insurance
A cyberattack is financially devastating for the firm involved. The liability for not protecting critical data or not having proper security in place can be enough of a financial burden to sink even a strong business. Cyber insurance can help. While it does not replace a strong security system, it can provide the necessary financial support when an incident occurs in spite of your best efforts to prevent it.
5. Hire an expert
I am one CPA who has no problem saying that my tech knowledge does not extend far beyond my ability to hit the power button on my laptop. I know what my strengths are and I know what they are not. Having an expert IT team is critical to making sure your system is as secure as possible. I highly recommend you hire an IT team that is used to working with other CPA firms or, at a minimum, works with other businesses that retain HIPAA-protected information.
Cybersecurity can easily become out of sight, out of mind for many busy tax practices. After all, your virus scanner is working, so you should be all set. But technology is advancing fast, and security is far more complicated than just avoiding links in suspicious emails. Having controls in place is about more than just protecting your clients’ information; it is about protecting your life’s work, too.