AT Think

Cybersecurity best practices during tax season

Every year during tax season, finance professionals handle an influx of sensitive financial and personal information passed along by their clients. Although most CPAs and accountants excel at processing this information, as well as other data related to their field, they're typically not experts in cybersecurity.

The more complex and fast-moving our technology-driven world becomes, the more important it is for financial firms to take precautions that safeguard their clients' sensitive information (and their own). Bad actors are always working to get a step ahead of protective technology and services, and to take advantage of the habits of employees who may not be aware of the latest cyber threats.

The best CPAs and accountants tend to be naturally inquisitive, perhaps to the point of skepticism, and their clients should thank them for it. When it comes to finances or cybersecurity (and I say this as someone with professional experience in both), those characteristics are superpowers. As cyberattacks become more frequent and sophisticated, financial professionals should keep a healthy dose of suspicion and lean into hypervigilance. From small accounting operations to large, enterprise-level firms, organizations and their employees must understand and embrace cybersecurity and its best practices.

Tax season is busy, and a potential cybersecurity weakness

It's critical for financial organizations to observe and maintain cybersecurity best practices, even (and perhaps especially) during tax season. Increased workloads during the busy season may push cybersecurity and network infrastructure down the list of priorities, but bad actors often look for such openings to exploit.

CPAs handle an influx of sensitive financial and personal information during tax season, which makes them a more attractive target for cybercriminals. Failing to strengthen and maintain cybersecurity technology and protocols can add chaos and stress to what is already a nerve-wracking time of year for the industry.

Building client and firm cybersecurity protocols

There is no one-size-fits-all approach to cybersecurity, but one of the best methods in the financial services space is to treat it as a two-pronged issue: client information and firm information.

Because clients — like CPAs — are rarely cybersecurity experts themselves and, in fact, often operate under the expectation that a financial firm has the proper tools and protocols in place to protect their information, it's vitally important that nothing be taken for granted on this side.

Key areas of focus for client information

  • Email: Email is a poor channel for exchanging sensitive financial documents. Encryption between mail servers is opportunistic and messages usually sit unencrypted in mailboxes, so once a message is sent the firm has little control over where it ends up: forwarded, intercepted or left in a shared or compromised inbox. Email is also the primary delivery channel for phishing; clients (and staff) may open malicious attachments or follow links in messages disguised as legitimate requests from the firm. It is clunky, too: some providers block file types needed for tax preparation, and size limits push clients toward insecure workarounds such as unencrypted file-sharing links or splitting files across several messages, both significant data security risks.
  • Secure portal: The best antidote to email is a secure client portal. A private portal gives a financial firm a controlled, encrypted environment for file sharing, minimizing the risk of breaches. Encryption protects data in transit and at rest, and access controls let the firm decide who sees which files and set permissions (view, download or edit) as further guardrails. Portals also typically log activity, giving an audit trail of who accessed or modified each file. Because the portal then holds the most sensitive data the firm has, its accounts need multi-factor authentication and prompt removal of departed staff and former clients; a portal protected by a guessable password is no better than the inbox it replaced.
  • Guest Wi-Fi networks: Guest networks keep visitors' devices off the network that holds client data. A guest network should use WPA2 or WPA3 with a strong passphrase, isolate connected clients from one another, and be segmented from the office network, ideally on its own VLAN or a separate access point. Restrict guest traffic to internet access only, blocking printers, file shares and the router's management interface. Hiding the guest network's SSID (network name) is sometimes suggested, but it adds no real protection: the name is still visible in the traffic of any connected device, so treat segmentation and encryption as the controls that matter.
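The email bullet above calls phishing the primary attack vector, and the employee-training point later on asks staff to recognize it. The following is an added example, not code from the article or from any product it mentions: a small screen that pulls the usual indicators out of one inbound message (failed SPF/DMARC, a Reply-To pointing elsewhere, a sender trading on the firm's name, link text that disagrees with the link target, urgency wording and risky attachment types). The firm domain example-cpa.com and both sample messages are assumptions constructed for this demonstration.

```python
"""Added example (not the article's code): phishing indicators in one inbound message.
Assumed: the firm's mail domain is example-cpa.com; sample messages are constructed."""
import os
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

FIRM_DOMAIN = "example-cpa.com"   # assumed firm domain
FIRM_LABEL = "example cpa"        # how the firm's name appears in display names

# Attachment types that execute code or host a credential-harvesting page.
RISKY_EXTENSIONS = {".html", ".htm", ".iso", ".img", ".js", ".vbs", ".exe",
                    ".scr", ".lnk", ".zip", ".one"}
# Pressure language typical of credential lures and payment-redirection fraud.
URGENCY_PHRASES = ("immediately", "urgent", "suspended", "within 24 hours",
                   "wire", "verify your account")
# Visible link text that names a host, so a mismatch with the href is meaningful.
HOST_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _hostname(url_or_host: str) -> str:
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _text_parts(msg: Message) -> str:
    """Concatenate text bodies, skipping parts that are attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    # 1. SPF/DKIM/DMARC verdicts stamped by the receiving mail gateway.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            found.append(f"{mech.upper()} failed")
    # 2. Replies silently redirected to a different domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")
    # 3. Display name or lookalike domain trades on the firm's name.
    if from_dom != FIRM_DOMAIN and (FIRM_LABEL in from_name.lower()
                                    or FIRM_DOMAIN.split(".")[0] in from_dom):
        found.append(f"Sender {from_addr} impersonates {FIRM_DOMAIN}")
    body = _text_parts(msg)
    # 4. Link text shows one host while the href goes to another.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, flags=re.I | re.S):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if HOST_LIKE.match(visible) and _hostname(visible) != _hostname(href):
            found.append(f"Link text {visible} but href host {_hostname(href)}")
    # 5. Urgency wording.
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        found.append("Urgency language: " + ", ".join(hits))
    # 6. Attachment types to treat as hostile by default.
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            found.append(f"Risky attachment type: {name}")
    return found


# Constructed sample: a lure impersonating the firm's portal.
PHISH = """\
From: "Example CPA Client Portal" <portal@example-cpa-secure.com>
Reply-To: docs@mail-drop.example.net
To: preparer@example-cpa.com
Subject: Action required: 2023 return documents
Authentication-Results: mx.example-cpa.com; spf=fail smtp.mailfrom=example-cpa-secure.com; dmarc=fail header.from=example-cpa-secure.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your client uploaded documents. Review them immediately or the account will be suspended.</p>
<p><a href="https://example-cpa-secure.com/login">https://portal.example-cpa.com</a></p>
--b1
Content-Type: text/html; charset="utf-8"; name="2023_Return.html"
Content-Disposition: attachment; filename="2023_Return.html"

<script>location="https://example-cpa-secure.com/login"</script>
--b1--
"""

# Constructed sample: an ordinary client message.
CLIENT = """\
From: Dana Client <dana@client-example.com>
To: preparer@example-cpa.com
Subject: Uploaded my W-2s to the portal
Authentication-Results: mx.example-cpa.com; spf=pass smtp.mailfrom=client-example.com; dkim=pass; dmarc=pass header.from=client-example.com
Content-Type: text/plain; charset="utf-8"

Hi, I put this year's W-2s in the portal this morning. Let me know if you need anything else.
"""

if __name__ == "__main__":
    for label, raw in (("lure", PHISH), ("client", CLIENT)):
        print(label, phishing_indicators(raw))
```

No single indicator is proof on its own (a client may legitimately set a Reply-To, and "urgent" appears in honest mail), which is why the function returns the whole list: the more that stack up, the more the message deserves a phone call to the sender before anyone clicks.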

Internally, protecting firm information requires a multilayered approach that encompasses technology, policies and ongoing employee training. Strong access controls, encryption and data backups are fundamental security measures, but accounting firms should also partner with cybersecurity experts to create a comprehensive security program that accounts for employee awareness training and builds a strong security culture.

Key areas of focus for firm information

  • Device security: All company devices and storage media, including laptops, hard drives and USB drives, should use full-disk encryption so that a lost or stolen device does not turn into a data breach. Keep operating systems and tax software patched, and install endpoint protection software (anti-malware plus detection and response capability) on every device that touches firm networks or client data. Use a mobile device management solution to secure company-issued phones and tablets and enforce security policies, including the ability to wipe a lost device.
  • Data security: Firms should use data loss prevention tools to stop sensitive data such as Social Security numbers from leaving the network without authorization. Secure file-sharing platforms and encrypted email for internal and external communication protect sensitive data in motion. A comprehensive backup and recovery plan helps ensure business continuity after adverse events such as a ransomware attack or a natural disaster; for that plan to hold up against ransomware, at least one backup copy must be offline or immutable so the attacker cannot encrypt it too, and restores should be tested before they are needed.
  • Employee training and awareness: In addition to new-hire training, conduct regular security awareness training for all employees covering current threats, company security policies and best practices, including recognizing phishing emails and using strong, unique passwords. Run simulated phishing campaigns to test awareness and reinforce the training, and develop and regularly practice an incident response plan so that, if all else fails, employees know how to react. A rehearsed plan significantly reduces lost time, revenue and reputational damage in the event of an attack.
  • Physical security: Implement physical security measures to protect office space and equipment, including old-school and analog methods. That may include security cameras, visitor logs and physical locks on server closets and network equipment. Shred and securely dispose of sensitive documents to prevent data breaches.
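The data security bullet above recommends data loss prevention tools. As an added example, not code from the article or from any DLP product, here is the core of such a rule for the identifiers a tax practice handles most: Social Security numbers (checked against the structural rules, so 000, 666 and 9xx area numbers are not flagged), employer identification numbers (format only) and bank routing numbers (validated with the ABA check digit, which also keeps a routing number from being misread as an unformatted SSN). The draft message and every number in it are constructed for this demonstration.

```python
"""Added example (not the article's code): outbound-content check for tax identifiers.
All identifiers in the sample text are constructed, not real."""
import re

# SSN: area not 000/666/9xx, group not 00, serial not 0000; separators optional.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")        # format check only
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")      # routing number candidates


def aba_checksum_ok(digits: str) -> bool:
    """ABA routing number check: weights 3,7,1 repeated; weighted sum divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) for each identifier, ordered by position, non-overlapping."""
    found = []
    for m in NINE_DIGITS_RE.finditer(text):
        if aba_checksum_ok(m.group()):
            found.append(("routing", m.start(), m.end()))
    for m in EIN_RE.finditer(text):
        found.append(("ein", m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        # A 9-digit run already classified as a routing number is not an SSN.
        if not any(s < m.end() and m.start() < e for _, s, e in found):
            found.append(("ssn", m.start(), m.end()))
    return sorted(found, key=lambda f: f[1])


def redact(text: str) -> str:
    """Mask every digit except the last four of each identifier."""
    out, last = [], 0
    for _, s, e in scan(text):
        token = text[s:e]
        out.append(text[last:s])
        out.append(re.sub(r"\d", "*", token[:-4]) + token[-4:])
        last = e
    out.append(text[last:])
    return "".join(out)


def decision(text: str) -> str:
    """Policy: SSNs and bank routing numbers may not leave by email; EINs get a review."""
    kinds = {k for k, _, _ in scan(text)}
    if "ssn" in kinds or "routing" in kinds:
        return "block"
    if "ein" in kinds:
        return "review"
    return "allow"


# Constructed draft email. 123456780 passes the ABA checksum; 912345678 fails it and,
# starting with 9, is not a valid SSN either; the phone number matches neither pattern.
DRAFT = ("Hi Pat, attached is your draft return. SSN 123-45-6789 and the business EIN 12-3456789 "
         "are on page 1. Deposit to routing 123456780, account ending 4412. "
         "Call 555-123-4567 with questions. Ticket 912345678 is our internal reference.")

if __name__ == "__main__":
    print(decision(DRAFT))
    print(redact(DRAFT))
```

A real deployment adds context (is the recipient a portal address, is the message already encrypted) and a path for the sender to route the file through the portal instead of fighting the block; the point of the example is the validation, which keeps the rule from firing on every nine-digit ticket or phone number and from missing an SSN typed without dashes.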

Cyber attacks, no matter the time of year, can have significant financial and reputational costs. Organizations that lack the time or resources to bolster or sustain their cybersecurity and network infrastructures — again, especially during the upcoming busy season — should consider partnering with external cybersecurity specialists to ensure their clients' personal information and network security stay protected. As always, better safe — and secure — than sorry.

MORE FROM ACCOUNTING TODAY