5 ways to protect your firm against cyber threats

Executive Summary

• Explain the current state of cybersecurity to your team, then detail the different steps you’re taking as a business to protect against these threats.
• Implement a structural element to keep your data permissions as sparse as possible.
• Regularly back up your data. Having backup copies can provide a recovery path, even if your current data is stolen or deleted.

Running a business takes a lot of work, and tax and accounting professionals in small- to medium-size firms wear a lot of hats. Whether you work 100 percent in the cloud or have a hybrid practice, information technology (IT) often falls on the owner or firm management to take care of, and that includes keeping data safe.

The problem is that there are a growing number of cyber-attacks taking place on businesses, including firms just like yours. In 2022, 1,291 data compromises produced 160 million fraud victims, leaving a large majority of owners worried about protecting their businesses from future attacks.

Compounding the issue is that these attacks often target employees. Cybercriminals go after staff for multiple reasons: employees often have access to data, they work remotely in unprotected environments, and are less prepared or informed than business owners or IT experts.

Federal law requires all professional tax preparers to create and implement a data security plan. The Security Summit group, a public-private partnership between the IRS, states, and the nation’s tax industry, determined that many tax professionals continue to struggle with developing a written security plan. As a result, Summit partners recently unveiled a special new sample security plan designed to help tax professionals, especially those with smaller practices, protect their data and information.

In addition to creating a plan, there are steps you can take to protect your firms—and your clients’ data—from increasing cyber threats. Here are five ways any business owner can take, even with limited time and resources.

1. Educate employees

Your employees are the prime target of most hackers because they have access and control to all the information and infrastructure at your organization. 

A well-communicated GRC (governance, risk, and compliance) program can help you simplify your efforts, while reducing cybersecurity risks. One of the first steps any owner can take is to teach their employees about the threat of cybercrime. Educate employees about the dangers you face as a business, and help them see the value of investing in taking care of your company’s data.

For example, when your employees are working at an airport, on a flight, at a cafe, at a restaurant, or any public location, they should be using a remote access VPN service to securely connect to the internet and access your company network on an encrypted connection prevent data breach attacks through a public Wi-Fi network.

Start by explaining the current state of cybersecurity to your team, then detail the different steps you’re taking as a business to protect against these threats:

• Only specific roles at your organization should have access and rights to control different types of data. For example, an IT intern should not have admin rights to your web hosting portal for your website. A contractor you hired to help write blog posts for your site should not have access to edit all of the pages and the entire blog on your website. 
• The data you store about your customers or business affairs should be free of errors, consistent, and accurate. You can read more about this on CMSWire’s guide on good data hygiene.
• Avoid duplicate files with the same information.

Unprotected sensitive information isn’t just an IT responsibility! Maintaining good data hygiene is something that everyone in your company should be aware of and contribute to making better.

2. Limit employee access to specific tech

Just because you have a tech tool doesn’t mean everyone in your company should use it. On the contrary, a limited number of people should have access to an e-commerce store, shopping cart, or online banking portal, for example.

This doesn’t have to be a sign of mistrust on the part of your employees. As you explain to them the perils of cybercrime, make sure to add that the greater the number of people who get access to sensitive data, the more opportunities it creates for a security breach. You can create preview environments with the data to make sure everything works correctly, and a variety of employees can give feedback on the product. This could prevent certain employees from having access to a main site of a company.

Also, it’s a good idea to implement a structural element to keep your data permissions as sparse as possible. Implement roles and use privileges to guide who has access to what. Make sure to tie each data point to a specific role, and then distribute access only to those who serve in that function.

3. Establish firewalls and encryption

Firewalls and encryption remain critical pieces of the cybersecurity world. In fact, the FCC specifically recommends using encryption and firewalls in different capacities throughout your business activities.

For example, the FCC suggests using a firewall on your operating system to prevent sketchy outsider access to data. This should be in place on in-office and at-home computers.

It’s also suggested to secure Wi-Fi networks by encrypting them. Encrypting mobile data on business phone systems, work phones (or personal phones used for work) is also highly recommended.

4. Use other tech tools

Firewalls and encryption aren’t the only tools you can use to combat cybercrime. For example, whenever you need a password, make sure employees are creating strong passwords and that they aren’t reusing them.

Multi-factor authentication (MFA) is a data access tool that includes at least two separate factors to verify someone’s identity. This typically includes a username and password, as well as either a personal possession (cellphones) or biometric data (fingerprints). The degree of MFA used can depend on the importance of the data in question.

5. Create a response plan

With so many cyber threats taking place, guarding against them shouldn’t be your only strategy. You also want a plan in place to respond if an attack does take place.

This should start with an intimate understanding of your current passwords and tech tools. In the event of a data breach, you can respond immediately by changing passwords, replacing company credit cards, and other measures.

It’s also wise to regularly back up your data. Having backup copies can provide a recovery path, even if current data is stolen or deleted.

Protecting your data is a top priority

It isn’t easy to invest in cybersecurity when you’re a small business owner. However, you don’t need to break the bank or invest copious amounts of time in a solution. 

Instead, take small steps to protect your data. Encrypt your devices. Set up firewalls. Teach your staff about data hygiene. Create a response plan. That way, if an attack does occur, you can rest in the fact that you’re as prepared as you possibly could be with the limited resources at your disposal.

Editor’s note: For more security tips and trends, check out Roman Kepczyk’s article “Tax and accounting tech forecast for 2023 and beyond.”