A cybersecurity breach can constitute a major reputational hit for accounting firms and CPAs, even more so than for other types of professional service companies given the sensitive nature of the information involved.
While preventative activities should be ongoing, there is no such thing as complete protection. Forecasters agree that information security issues are on the rise, and we expect to see cyberattacks increase on businesses beyond major retail and financial institutions, expanding to include companies that may not have been targeted before.
However, a cyber breach need not be a fatal occurrence, and there are steps that every company can take to offset the risk.
As a basic first step, every accounting firm should have a plan for responding to a data breach. Organizations that recognize the eventuality of a data-oriented issue and plan, prepare and practice for it are in a much better position to retain trust.
Surprisingly, many companies still don’t prepare. It often gets pushed to the bottom of the priority list. But a well-crafted plan will prevent a potentially devastating loss of client trust and revenue.
Most companies that experience a cyberattack recover, but the speed and cost of that recovery are dependent upon having a plan in place.
In terms of network security, a VPN (virtual private network) is a good place to start. As a private, encrypted connection to the internet, it makes it one step harder for cyber criminals to target your information. However, all VPN providers are not equally security conscious themselves. It’s important to read industry reviews, check whether the VPN company keeps logs of user activity, and assess how and when user information is disclosed or shared.
Of course, human nature is also a critical component of an accounting firm’s data security. In many cases, hackers exploit phishing techniques to gain sensitive information or get employees to click on a false link. It’s critically important to educate staff about data security on a regular basis. Human error is often a hacker’s best point of entry into your IT systems.
We also continue to see ransomware attacks targeting companies of all sizes. In today’s world of inexpensive storage and backup, there really isn’t any reason that a company be a victim of this type of attack. There are a range of companies providing data storage, backup and recovery for every type of business.
Accounting firms should consider this a basic operational necessity. It’s particularly important to pay attention to the recovery component of this formula, called failback, and ensure the vendor you choose can have systems restored to ensure business continuity.
Cybersecurity breaches are different from other types of crisis incidents in that it is one of the few incidents that has the ability to impact all stakeholders (employees, clients, vendors, partners, etc.) at the same time. Further, breaches may not come to light until weeks after an incident, and companies may not be aware of them until notified by a customer or vendor.
For these reasons, the first steps taken after a breach are critical to mitigating reputational damage.
Once you become aware of an issue, it’s important to communicate with those impacted, whether they be employees, clients or others.
The sooner people in a position of vulnerability are aware of the issue, the sooner they can take steps to protect themselves. A system for two-way communication about breach should be established, whether it’s a dedicated email address, phone number or point person.
At the same time, an immediate investigation as to the cause of the breach should be initiated. Once this is understood, steps can be taken to ensure it doesn’t happen again, and these, too, should be shared with key stakeholders.
Clients will be quicker to forgive an organization that has been clear about its protocols and protections prior to an incident, responds to an incident with speed and transparency, and demonstrates corrective action going forward.
One option we’ve seen some companies employ is to take out insurance in case of client data loss. At the point a breach occurs, the insurance policy provides the client with a credit report and fraud monitoring service for up to one year at no cost. Steps like these can go a long way to restoring client confidence and avoiding a devastating loss of reputation and revenue.
Whether or not you have experienced a cyber threat, the chances are you probably will. The activity is certain to increase. More firms are collecting more data of value. New attacks are being developed even as companies are responding to existing areas of vulnerability. Businesses are bringing new systems online requiring employee training, and companies are expanding their technology systems to personal and mobile devices. It’s better to plan for the likelihood of a cyber breach than to just hope for the best.
Laura Guitar is Executive Vice President at rbb Communications, a marketing communications agency and Champion of Breakout Brands. She leads the agency’s crisis and issues management division, Reputation & Risk Advisors, which focuses on crisis preparedness, response and issue-oriented campaigns. Laura has more than 25 years of experience...