Cybersecurity is something people are talking about a lot – and with good reason. High-profile data breaches are only a small fraction of the security incidents that businesses of all sizes face every day. Ransomware damage costs alone, for example, are expected to reach $11.5 billion in 2019, according to Cybersecurity Ventures.
Tax and accounting professionals still hesitate to play a more prominent role in protecting their clients’ data, as well as their own. However, as tax and accounting professionals, we are often a business’ most trusted advisors. For example, in our client meetings, as we help our clients reach their goals, we often discuss far more than just the bottom line. Since data breaches have a direct financial impact on a company, data security discussions may become more common. Clients are increasingly interested in not only managing their company’s assets, but protecting them as well.
Taking advantage of the opportunities in cybersecurity is vital for modern tax and accounting firms. A minimum requirement is to have enough expertise to avoid becoming a liability to your clients. Ensuring your firm is secure and implementing the best digital security practices is a vital first step. Firms that offer cybersecurity risk assessment as an advisory service increase their value to existing clients, as well as attract new clients.
This opportunity presents some challenges, especially to smaller firms that may not have the expertise on hand, and may need to outsource or partner with other companies. If you decide to collaborate with a cybersecurity company, be sure you understand how to choose a cybersecurity partner. If such collaboration isn’t feasible for your firm, you can still advise clients on the best data security practices. According to Keeper’s 2018 State of SMB Cybersecurity report, only 28 percent of companies consider themselves adequately prepared to mitigate vulnerabilities or a breach’s ramifications.
Protecting Your Firm and Client Data
The first and most important step we can take is to ensure we are not the source of a breach. Because firms hold valuable financial data, they are attractive targets for thieves. Your firm needs to follow robust cybersecurity best practices to reduce the risk. These include the following:
- Requiring a strong, unique password or passphrase for every application, stored in a password manager so employees can keep track of them. Forcing password changes on a fixed schedule (the old advice of at least four times a year) is no longer recommended in current NIST guidance (SP 800-63B); instead, change a password promptly whenever there is any sign it has been exposed. Better yet, require multi-factor authentication. An authenticator app or a hardware security key is stronger than a code sent by text message to the employee’s phone, which can be intercepted through SIM swapping, but any second factor is far better than none.
- Protecting physical assets, including servers, tablets and laptops. Laptops and mobile devices should have full-disk encryption enabled and be enrolled in device management so that IT or the employee can remotely wipe a device that is lost or stolen.
- Keeping operating systems and applications on all devices current with the latest security patches, ideally with automatic updates enabled. All devices should run antivirus and anti-malware software that is kept up to date.
- Using secure systems to transmit data. Encrypt all outgoing email, not just sensitive messages: encrypting only the important items tells an attacker exactly where to look. For tax documents and other client files, prefer an encrypted client portal over email attachments.
- Training employees to protect client data properly. Keep all staff current on active threats, including ransomware, phishing and their variants. Spear phishing and whaling (targeted phishing aimed at specific individuals or senior staff) are often used against accountants because of their access to sensitive client information. Verify every request for financial information or a change in payment details out of band, through a second channel such as a phone call to a number you already have on file, both internally and when dealing with clients. Do not click suspicious links in email, social media messages or text messages. Staff are usually the weakest link in cybersecurity, so this training is not optional.
- Being ready when a client asks about cybersecurity. A key finding of KPMG’s 2019 CEO Outlook survey was that 44 percent of executives dealing with new technologies were concerned primarily about cybersecurity. The NIST Cybersecurity Framework (CSF) gives you a structured way to guide clients toward a stronger security posture. Cybersecurity certificates focused on our role in advising companies are also emerging. Resources like these may prove helpful as you consider this value-added service for your firm.
Steps for a Cybersecurity Risk Assessment
A typical cybersecurity risk assessment moves through several stages, all of which map onto the NIST Cybersecurity Framework.
- Have your client describe their existing risk management program. This initial analysis is the first step toward assessing their current risk profile, and having them walk through the current plan will expose gaps. The company should then go through a formal risk assessment structured along the lines of the framework.
- Identify problems with the existing risk management program and begin putting together a program for improvement. Identifying these problems may require specialized cybersecurity knowledge. With your help and/or your cybersecurity consultant, the company can then create new policies, training and system upgrades to remediate the problems the assessment surfaced.
- Help the client define clear metrics and goals to keep the program on track. For example, establish how often phishing awareness training is repeated, and track the click rate on simulated phishing emails over time to confirm the training is working.
- Encourage the client to test their cybersecurity controls properly. Testing might include penetration tests and tabletop exercises that walk executives through a realistic incident. Companies should continually drill and check their procedures. Attackers keep improving their tools, and defenses need to keep pace.
Trust is Key
Our role as tax and accounting professionals can be very helpful to our clients, if we commit ourselves to continually evolving our knowledge. Our clients already trust us with the responsibility of managing their company’s assets. Helping ensure these assets are secure is a natural progression in our journey.
We have an opportunity to help ensure our clients have a proper cybersecurity risk management system in place. Combining our experience in financial strategy with risk management, we can provide immense value to companies of all sizes. We can be a trustworthy and experienced advisor our clients need for an evolving era.