Strong Cybersecurity Starts With Sound Strategies
By Samantha Mansfield
October is Cybersecurity Awareness Month. For 18 years, the U.S. has devoted a month “to raise awareness about the importance of cybersecurity… ensuring that all Americans have the resources they need to be safer and more secure online.”
Some think not deploying cloud technology is a sound defensive strategy, but the internet is part of every component of our lives. We are already online every day, from the way we watch TV (streaming services) to the way we communicate (email and text) to how we learn (online classes and research tools).
A more effective defense is being informed on where vulnerabilities are and how to prevent a breach.
Out of necessity, the adoption of cloud technology in the corporate world grew tremendously through the pandemic. The permanent transition to a blended (remote and onsite) workforce is in the works. PwC announced that 40,000 of its 55,000 employees will have the choice to work remotely; the reasons for this change are to stay competitive for talent and to keep the well-being and needs of employees at the center of its focus.
Firms around the world are making similar announcements. This leaves some organizations feeling nervous and vulnerable when it comes to cybersecurity. They are asking questions like:
- How do we keep data secure and private?
- What rules should we make about staff using their own devices (i.e. smartphones) to access client data in apps and cloud solutions?
- How do we keep our systems safe with staff connecting through their home networks?
When everyone works in the office, it may feel like the system is more secure, but this really may be a false sense of security. Research shows 81 percent of hacks are through weak or acquired passwords. Phishing attacks have been growing year over year. Business Email Compromise, where criminals send an email that looks like it is from a known vendor making what seems to be a legitimate request, is one of the most financially costly online crimes, according to the FBI. These major weak spots exist inside an office as much as they do when working outside the office walls.
Hope is not lost. “Today there are so many best practices coupled with technologies that help minimize risks,” said Jim Bourke, CPA, CITP, CFF, CGMA, managing director of advisory services at Withum. He further encourages professionals to “embrace the tools and technologies that help you safeguard your cloud experience.”
So, where to start?
Education, Education, Education
Protocols, network setup, cloud vendors, outdated cybersecurity tools and an accounting firm’s processes are all culprits in cybersecurity breaches, but data shows the human factor is perhaps the biggest chink in the online defense armor. Various surveys have shown 40-50 percent of breaches have been the result of human error.
Stanford University professor Jeff Hancock and Tessian released a report on “The Psychology of Human Error” to explore why the mistakes happen. They reported that 33 percent of workers rarely or never think about cybersecurity at work, while “52 percent of employees make more mistakes when they’re stressed, and 43 percent are more error-prone when tired.”
By educating, we create better awareness, keep cybersecurity front of mind, and foster more vigilance in defending the organization. Sharing the impact of one simple error can also keep the team more alert. Accidentally sending an email to the wrong person has resulted in lost clients and financial losses. Be careful not to be too punitive when a team member admits an error. You want to ensure the team is forthcoming when a situation arises.
Consider these topics as places to begin training your staff on how to prevent a breach:
- how to recognize a phishing scam
- how to be safe while using WiFi
- importance of updating software tools so security holes are fixed
- best practices for password policies
This training can be dry, so Bourke suggests making it fun to keep the team engaged, for example with fun videos.
Deb Rood, CPA, risk control consulting director at CNA, shares additional tips on ways to protect your firm in the article, “Don’t get victimized by a cybercriminal.” Here are some of the many resources available to build your knowledge and defenses against cyberattacks:
- National Institute of Standards and Technology U.S. Department of Commerce - Cybersecurity
Reach out to your insurance company, associations and IT professionals for many more resources they may have to train your staff on how to detect and avoid a cyberbreach.
Integrate Cybersecurity Technology
Training staff won’t do it all. Use various tools to help you keep your data and systems safe. Implement tools like a password keeper so staff don’t create weak, but memorable, passwords, or write them down. Tools like LastPass can be used across the organization so passwords to shared systems and logins can be securely shared without emailing or writing them down, while giving them a secure place to store their own passwords.
Get team members sharing files and communicating with clients through secure portals instead of email. This can prevent sending information to the wrong recipient. When you and the client use the portal to transfer files, you reduce the potential for business email compromise as well. When everyone knows files are only transferred through the portal, not through email, flags will then be raised when you receive emails with attachments.
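The portal-only rule above can be turned into a simple automated screen on inbound mail. The following is an added example, not code from the article or from any vendor it mentions: it parses a message, flags any attachment (because, under the policy, legitimate files never arrive by email), flags a known vendor's display name appearing on an unfamiliar sending domain (the Business Email Compromise pattern described earlier), and flags a Reply-To that points away from the sender's domain. The vendor allow-list, domains and sample messages are constructed for illustration.

```python
"""Screen inbound email against a 'files only through the portal' policy.

Added example, not from the original article. Vendor names, domains and the
sample messages below are constructed for illustration.
"""
from __future__ import annotations

from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed allow-list: display names the firm expects to see, mapped to the
# domain that vendor really sends from.
KNOWN_VENDORS = {
    "acme supplies": "acme-supplies.example",
}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> list[str]:
    """Return a list of flags for a raw RFC 5322 message; empty means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags: list[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Policy check: files arrive only via the portal, so any attachment is a flag.
    if any(part.get_filename() for part in msg.iter_attachments()):
        flags.append("attachment present: firm policy is portal-only file transfer")

    # 2. BEC check: a familiar vendor name on a domain that is not the vendor's.
    expected = KNOWN_VENDORS.get(name.strip().lower())
    if expected and from_domain != expected:
        flags.append(f"vendor name {name!r} but sender domain {from_domain!r} != {expected!r}")

    # 3. Reply-To steering replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        flags.append(f"reply-to domain {_domain(reply)!r} differs from sender {from_domain!r}")

    return flags


def build_sample(from_hdr: str, reply_to: str | None = None, attach: str | None = None) -> bytes:
    """Construct a sample message (test fixture only) and return its raw bytes."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "partner@firm.example"  # constructed recipient
    m["Subject"] = "Invoice"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please see the attached invoice.")
    if attach:
        # Attaching converts the message to multipart/mixed.
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename=attach)
    return m.as_bytes()


if __name__ == "__main__":
    # Genuine vendor mail, no attachment: nothing to flag.
    print(triage(build_sample("Acme Supplies <ap@acme-supplies.example>")))
    # Lookalike domain, attachment and redirected replies: three flags.
    print(triage(build_sample("Acme Supplies <ap@acme-supp1ies.example>",
                              reply_to="payments@other.example",
                              attach="invoice.pdf")))
```

Run it as a script to see both cases; in practice the `triage` function would sit behind a mail gateway or be run over exported messages during an investigation, with the allow-list maintained alongside the firm's vendor master data.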
The cloud-based software you use can also be a line of defense. When selecting a cloud solution provider, Bourke suggests asking if they have had a SOC2 engagement performed. Bourke describes it this way: “A SOC2 report is intended to meet the needs of a broad range of users. These individuals need detailed information and assurance about the controls at a service organization relevant to security, availability and processing integrity of certain systems - those that are used to process users’ data and to ensure the confidentiality and privacy of the data.”
Many professionals use personal equipment when outside the office to access apps and data. Bourke suggests only allowing a “Bring Your Own Device (BYOD) policy if you implement a mobile device management tool like VMware.” You should also provide staff with VPN solutions for when they are on WiFi and public networks.
These are just some of the tools and strategies you can use to keep your clients’ data secure in this digital, mobile world we live and work within. Having a healthy concern over the threats is good, as long as you ask the right questions and take the necessary precautions to set up a sound defense.
CaseWare Cloud offers iron-clad security that gives accounting firms the peace of mind they need to conduct their business with confidence. Learn how it can meet your specific engagement needs with security on par with large banks and financial institutions.
Samantha Mansfield is a Michigan-based consultant, public speaker and founder of Samantha Mansfield LLC. She has been in the tax and accounting technology industry for over 20 years, consulting firms on implementation and business model transformation.