Cybersecurity for Accountants and Tax Preparers – Part 2

In Part 1 we discussed ways to minimize your risk of cybersecurity breaches. This is the most important step you can take to protect yourself and decrease the chance of attack. The Federal Trade Commission and the IRS offer suggestions to help small businesses develop cybersecurity plans. Now you have to put the plan in place and monitor compliance on an ongoing basis. If a cyberattack does take place, you will need to be ready to respond quickly to limit the damage. 

Monitor Cybersecurity Protocols and Compliance

The very best security plan is worthless if it is not followed. Make sure you and your employees know and follow the safety procedures. Create a document that all employees have access to, but keep it at work. You do not want others to know your security procedures. 

Continually remind employees of email protocols and email dangers, such as phishing scams or spear-phishing scams – emails supposedly from someone you know or trust. Malware, which destroys computers, and ransomware, which locks your technology or data until you pay a ransom, attack your computers by someone clicking on a link or opening a suspicious email. Ransomware attacks have increased in frequency in recent years. In a 2017 study by IBM Security, half of the 1621 companies surveyed had experienced ransomware attacks, and 70% paid the ransom. Of those, more than 50% paid $10,000 or more, and 20% paid $40,000 or more. This is a very serious concern. 

Frequently remind employees never to click on questionable emails, and if someone they trust sends an email requesting sensitive information, they should confirm with that person directly rather than replying to the email, as they may have been hacked. These precautions should be included in your security plan. 

It should be part of your cybersecurity protocols not to send any sensitive data or documents through email, and most particularly do not use Gmail or any Google services to communicate with clients or share data or documents. According to Google’s terms of use, they have access to all information shared on their platforms, and they mine data and use it for their own purposes – which means sharing it with vendors or anyone they want. The use of a secure, encrypted communication or document-sharing platform for all business communication should help your clients and employees avoid the use of email and other unsafe data transfer platforms. 

One of the easiest ways for bad-actors to breach your system is through mobile devices such as phones, USB drives, laptops, or tablets. As part of your protocols, you should have clear rules about using portable devices for accessing sensitive data. If you allow it, you should require multi-factor passwords or logins so that those who get hold of such devices cannot easily get into them. And, of course, never use public WiFi. Your employees and your clients both need to know and follow this advice to protect their data. Continuous monitoring of compliance with your protocols is very important. 

Manage an Attack

Having strong protocols and close monitoring may prevent you from ever experiencing a cyberattack, but you must be prepared to respond if you do get hit. Breaches can occur through vulnerabilities in hardware, software, or systems, through your employees or clients, or through vendors or contractors. It is critical to have an Incident Response Plan and Breach Notification Plan if a breach does occur. Identify all federal, state, and local laws and requirements regarding security breaches to guide you in the development of these plans.

One final note: When it’s time to upgrade your technology, don’t recycle it without removing the hard drive completely. This applies to phones and even printers, as well as computers. Hackers have ways of un-erasing data and reconstructing fragmented data. The best thing to do with your old hard drives, once you’ve transferred all critical data to secure storage, is to smash them to bits!