Is Your Accounting Firm Protected from Malware Attacks?

Author: Craig Pollack | Date: Mar 14, 2018 | Topics: CPA and Accountant Blogs

I am often approached by Los Angeles accounting professionals who share their questions and concerns about how to protect their accounting technology and computer systems from malware and other cyber crime threats. This is an understandable worry considering that cyber crime has been reaching record numbers each year, with 2017 experiencing the highest number of cyber attacks.

Malware (short for malicious software), in particular, is a cybersecurity issue that has been increasing in terms of both the number of occurrences and the breadth of attacks over the past several years. In addition to stealing your sensitive information, these insidious attacks also can result in your computer systems being destroyed and your money or resources being sold to other cybercriminals on the dark web.

What people from small- or medium-sized businesses (SMBs) tend to wonder is whether their firms and data are at risk due to the size of their business. The answer, unequivocally, is yes for three main reasons:

  1. No matter how small your firm is, it can still be targeted by cybercriminals who want to access or sell data belonging to your clients or your firm;
  2. You handle clients’ sensitive data and personally identifiable information (PII), which is not only worthy of being protected but also is REQUIRED to be protected; and
  3. Once cybercriminals gain access to your systems, they can use your firm as a platform to launch future attacks against others, including your clients.

Certified professional accountants (CPAs), for example, are ethically and legally bound to safeguard information that is “obtained or used to prepare a tax return” — this includes everything from the physical security and storage of data on various forms of CPA technology to the way the information is transmitted and by whom.

But, how can you tell whether your firm has adequate protections in place? I’ve put together a few things you can do to determine your organization’s risk regarding these virtual threats and ways you can begin stepping up the cyber crime prevention efforts of your firm.

Conduct an IT Risk Assessment

A good place to start for determining the preparedness of your accounting firm is to conduct a technology security assessment. The purpose of this type of assessment is to identify any flaws or weaknesses in your network, servers, and devices that could potentially be exploited by cybercriminals. These gaps in your security can come in many forms, including:

  • Unpatched or outdated systems;
  • Non-adherence to security-related policies or a lack of policies altogether;
  • A lack of visibility into your network and any devices connected to it;
  • A lack of awareness of cybersecurity best practices; and
  • Non-existent or outdated data backups.

There are positive and negative aspects to focus on in these multifaceted security assessments. Three main areas to consider as part of FPA’s technology security review project (TSRP) include policies, processes, and systems.

Based on more than 25 years of experience in IT and cybersecurity, FPA’s team of experts breaks the assessment process into six phases:

  1. Security Compliance Assessment
  2. Network Security Assessment
  3. Network Penetration Testing
  4. Wireless-WLAN Security Assessment
  5. Remote Access Assessment
  6. Physical Risk Assessment

I’d be remiss if I failed to mention that not all organizations will require all six steps. Instead, each firm will be evaluated on an individual basis and a plan of action will be created based on the individual requirements of your organization.

While there is no way to prevent 100% of all cybersecurity and malware attacks, you can at least begin taking steps that can help to decrease the number of attacks and slow down your attackers, giving your systems time to identify threats and stop them in their tracks.

Roll Out Cybersecurity Awareness Training

Human error is one of the most significant ways that hackers are able to spread their chaos to your accounting technology. One of the most common ways that malware can gain access to company systems is by taking advantage of unsuspecting or uninformed employees. This can be accomplished through phishing or by encouraging users to simply click on a link or open a document that’s sent through a seemingly innocuous email.

This is where cybersecurity awareness training can come in handy — it is an incredible form of cyber crime prevention. Now ask yourself: Do you know where your LA accounting firm rests on the five cybersecurity awareness training levels? This can range from the first stage, which means that your cybersecurity awareness is non-existent, all the way up to stage five, which means that you have a metrics framework in place to improve your systems and demonstrate awareness program success.

By creating and implementing cybersecurity awareness training, you can begin addressing gaps in employee knowledge regarding online safety best practices and helping them to increase their vigilance.

Implement an Organization-Wide Computer Use Policy

Creating and enforcing an effective computer use policy is a way to ensure that your employees are abiding by your firm’s technology use standards and rules of engagement. This offers your firm some legal protection by placing the responsibility of data security into your employees’ hands. It also helps to ensure that they understand what is considered acceptable or unacceptable uses of your firm’s computers and other related accounting technology.

Not sure where to begin when trying to create a policy? That’s okay — you can create one on your own or you can use an experienced managed IT services company, like FPA, to handle the task for you.

While different forms of malware are not the only cybersecurity threats facing Los Angeles accounting firms today, they are still among the most dangerous. I hope that you have found this information to be helpful and informative.

What is your accounting firm doing to protect your CPA technology from malware attacks? Do you have any other recommendations for ways that accounting firms can protect their data? Be sure to share your thoughts in the comments box below or send me an email if you’d like to learn more about this topic.



Craig Pollack


Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.