Is it safe? 10 steps to better firm security

With CPA firms a prime target for cybercriminals seeking sensitive information, and those bad actors only growing more sophisticated in their attacks, accountants need to make sure they stay ahead of the next big security breach. Mark Burnette, partner-in-charge of information security at Tennessee-based Top 100 Firm LBMC, outlined the 10 best practices he shares with colleagues and clients alike, and we asked a roster of fellow CPA security experts to add their insights.

(For more on the threats firms face, see our feature story.)

1. Conduct a cybersecurity risk assessment

By evaluating and prioritizing the biggest internal risks, firms can refine their cybersecurity efforts and structure firmwide policies. “All organizations have cybersecurity risks but most companies don’t know where to focus their attention, and where to direct their limited resources to have the biggest impact,” said Burnette.

2. Inventory and account for sensitive data

“Be able to account for the nature and types of sensitive data you store, process and transmit,” advised Burnette. “Sit down and interview business leaders to understand the types of things the business does, the various business operations, identify the nature and type of data being used in operations. Inventorying that data gives a starting point for security efforts. That’s what you want to secure — sensitive data is where all the risk is.”

3. Require strong passwords and implement MFA

“Implement multifactor authentication as much as possible, at a minimum,” said Chris Williamson, CIO of Houston-based Regional Leader McConnell & Jones. “Anything is better than nothing. Things you can’t implement multifactor for, have a strong and robust password policy. Make sure people can’t put in a four-digit password, or 1234. I’ve been trying to do this for years, to get people to go with pass phrases and words that don’t go together.”
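As an added example (not from the article or any firm quoted in it), here is a password-policy check that turns the advice above into enforceable rules: reject four-digit or sequential passwords, purely numeric strings and known weak choices, and require a length that a passphrase of unrelated words satisfies naturally. The 12-character minimum and the small weak-password list are assumptions, not figures from the article.

```python
import re

# Assumed policy threshold (not from the article): 12 characters minimum.
# A passphrase of a few unrelated words clears this without special rules.
MIN_LENGTH = 12

# Constructed sample of weak choices to block outright; a real deployment
# would load a breached-password list instead.
COMMON_WEAK = {"password", "1234", "12345678", "qwerty", "letmein", "welcome1"}


def is_sequential(s: str) -> bool:
    """True if every character steps +1 or -1 from the previous (e.g. '1234', 'dcba')."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    if lowered in COMMON_WEAK:
        problems.append("matches a known weak password")
    if candidate.isdigit():
        problems.append("purely numeric")
    if is_sequential(candidate):
        problems.append("sequential characters")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(lowered)) <= 2:
        problems.append("too few distinct characters")
    # Passphrase check: 'words that don't go together' at least means no repeats.
    words = [w for w in re.split(r"[\s\-_]+", lowered) if w]
    if len(words) > 1 and len(set(words)) < len(words):
        problems.append("repeated words")
    return problems


if __name__ == "__main__":
    for sample in ["1234", "Password1", "correct horse battery staple"]:
        verdict = check_password(sample)
        print(f"{sample!r}: {'ok' if not verdict else ', '.join(verdict)}")
```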

4. Patch systems and update software regularly

Staying on top of these updates keeps employees, and consequently the firm, ahead of the security vulnerabilities that newly surface in the software they use.

5. Implement security monitoring capabilities

St. Louis-based Top 100 Firm Anders shared an example of their security monitoring efforts. “We do continuous vulnerability scans,” said CIO Theresa Stearns. “We are constantly monitoring emerging threats, and once they are identified, [the threat] automatically gets scanned, [showing] this server could have this type of vulnerability. And we can go into action.”

6. Create a third-party monitoring program

For their security monitoring efforts, Anders outsources to a third-party company that Stearns deems a necessary investment: “I look at it as, even if I went and hired a security expert, they couldn’t monitor my system 24/7 … . An annual investment, the budget for this type of monitoring is far less than we’d pay an individual. It is a lot of money, but you have to do that today. You have to have a budget — people understand the risk is there.”

7. Train employees on an ongoing basis

Firms generally understand the importance of regular security training. In a recent survey by Accounting Today’s parent company, Arizent, providing cybersecurity training to existing staff was identified as the third-biggest concern of accounting professionals, at 32%. But security experts agree that annual training alone is not sufficient and should be supplemented by other tests, such as simulated phishing attacks, and by regularly communicated updates on the latest threats.

8. Develop an incident response plan

Part of every firm’s security program should be a set of information security policies and procedures that you can use to identify, contain and eliminate cyberattacks. “Many [organizations] don’t have an incident response plan: what to do when something happens,” shared David Hammarberg, partner at Camp Hill, Pennsylvania-based Regional Leader McKonly & Asbury. “An incident response plan involves IT and senior management — just like a business continuity plan.”

9. Develop and test a continuity plan

Just as essential as an incident response strategy is the business continuity plan, outlining a system of prevention and recovery from any potential threats.

10. Audit your security measures periodically

Firms’ security policies are only as good as the accountability behind them. In addition to IT professionals regularly testing these measures, employees should be made aware of the important part they play in keeping the firm secure. “The important part is having them reviewed annually — if they are not reviewed annually, it’s not going to do anyone any good,” advised Hammarberg. “A lot of companies have policies and procedures on their drive and they are not distributed … . I like the procedure of having employees sign off on them annually; it gives them more responsibility and they take it more seriously if they sign off on it.”