Cybersecurity’s Role in Compliance for CPAs
Unfortunately, what constitutes cybersecurity, from a compliance perspective, has been left relatively vague. Without an all-encompassing and constant approach to cybersecurity, a CPA firm could find itself vulnerable (and consequently out of compliance).
A data security plan means protection for your firm, for your clients and for your clients’ shareholders, as well as other related companies and individuals. Given this, it makes sense that cybersecurity is a major component of a CPA firm’s compliance portfolio.
Most CPA firms have the basics of cybersecurity covered: firewalls, antivirus protection, email encryption and the like. A data center/Security Operations Center (SOC) and perimeter defense system also go a long way toward cybersecurity fortification.
Time and again it’s been proven that the weakest part of a network is the individual user (especially true when all the other cybersecurity basics are covered). CPA firms should be aware of this and think about how to strengthen this aspect of the network.
The key to doing so is training and education – a consistent approach to training and education. Some firms or their managed service providers will only offer training once or twice a year, which is virtually worthless. The reality is that CPA firms should be engaging their employees in some kind of cybersecurity training every day. This amount of training is sometimes challenging to get buy-in on. After all, many people believe “I’ll see it coming” when it comes to a phishing attempt or other malware intrusion.
Unfortunately, hackers are becoming so clever that the average accounting professional – who may be distracted by a slew of deadlines, discrepancies, and other data – is a sitting duck. If firms are running into an attitude of “I’m too smart to be caught,” they should run a trial simulated phishing program and see what percentage of people fall for the email – chances are, the results will show that more training is needed.
Of course, part of the hesitation may come from the perception of the training – that it will be classroom-style set up in a conference room or held on Zoom, taking away precious time from clients and projects. In fact, some training techniques are rather subtle, and can give a good indication of specific areas future training should focus on in just a matter of seconds.
Beware of Simulated Phishing
Simulated phishing is one tool in particular that not only shows an organization where additional security focus is needed, but also demonstrates that employees may not be as perceptive to cybersecurity threats as they think they are. Simulated phishing is not a required component of a CPA firm’s cybersecurity policy, just like a nightlight isn’t a required component of walking around your house safely in the dark – but it’s highly recommended. After all, more than 80 percent of all hacks and viruses come through email – but they’re only activated if someone opens the email and clicks the link.
Much like phishing, where realistic emails are sent in an attempt to trick recipients into sharing passwords and other sensitive information, a firm can use software (either on their own or through their managed services provider) that sends a simulated phishing email. Should an employee click on the link, rather than the potentially disastrous consequences associated with a real phishing attempt, instead a 90-second video pops up, revealing that the email in question was phishing, and then highlighting what the user should have noticed to recognize its potential danger.
These phishing tests can be sent out every week or two, and are randomized for maximum effect. For example, if a CPA firm has 75 employees, simulated phishing software can be programmed to send out 75 different emails to all employees, at different times and even on different days. (This prevents one employee from telling others what to be on the lookout for.) Additionally, for the busy accountant in the middle of someone’s taxes during tax season, a user has the option of watching the 90-second video right then, or letting a few build up and watching them all at once in the not-too-distant future.
The benefits of incorporating a program like this into a firm’s cybersecurity policy cannot be overstated. When phishers or spear phishers (who use personal information to directly target an individual) succeed, they can wreak havoc on the individual and the organization.
Once attackers are in someone’s system, they can sit back and get a sense of that person’s writing style, the types of requests they normally receive, and who they’re most likely to respond to without question or hesitation. As a result, we’ve seen hackers encourage their targets to send out phony invoices, buy $20,000 worth of gift certificates, or wire funds to an untraceable account. A simulated phishing program can help prevent both financial and reputational damage to a firm.
Of course, simulated phishing goes hand in hand with other security systems and educational efforts put in place to protect your firm. While none of these are specifically mandated by compliance, compliance should serve as the road map of what the organization is doing to stay secure. These types of efforts also benefit a firm in another way – demonstrating a strong cybersecurity posture may result in better rates for cybersecurity insurance, credit cards, and other operating commitments.
Remote Worker Safety
Another security (and therefore compliance) concern much more common these days is the remote worker. Many employees may think they’re protected behind their firm’s firewall even though they’re extending the network out to their home and personal computer.
If they’re connecting to the office from home, and their undefended home server is hit, the whole network is in jeopardy. Since remote working is a reality through the foreseeable future, and some are committing to the concept post-pandemic in an effort to potentially increase productivity and enhance employee retention, firms should invest in secure work-from-home solutions.
Each remote employee should have a security system in place that belongs to the firm, and if an organization decides to allow for personal devices to be used for work purposes, it must be made clear that the organization’s information security team can access that device at any time. After all, if these work situations don’t conform to a firm’s Written Security Plan, then the firm is out of compliance.
In recent times compliance may have been seen as just a nuisance, but now it’s as important to the security of a CPA firm as locks on the door. Enhancing an organization’s security with added efforts like simulated phishing and remote protection is crucial to ensuring the highest levels of compliance and cybersecurity for a CPA firm – and for overall peace of mind!