Data security threats have become like living on the U.S. coastlines: it's not a matter of if you will be hit by a big storm, but when, and, more importantly, how prepared you are to handle it.
Having a written plan is good, but at this point that is just table stakes. For the sake of your firm and your clients, doing all you can to fortify your data against the growing threat of attacks has become essential. It is also good business sense. That doesn't mean you need to overspend, but you should know the services (and the tactics) available to you to keep that data as safe as it can be.
One of the most common ways firms leave themselves vulnerable to data breaches is behavioral: much of prevention depends on how people work, and firms get comfortable in their processes and are not always willing to change. That reluctance is a threat in and of itself.
Common threats
First and foremost, you need to know what you are up against if you are going to have any hope of protecting what is most vulnerable. A cybersecurity attack can come at any time, or build up over time, and in various forms, often from within.
Here are the top six forms of internal threats, currently:
1. Outdated software. Software that is not kept current, whether because updates have to be applied by hand and are skipped, or because the product no longer receives them at all, leaves the door open to all kinds of threats, from nuisance malware to debilitating ransomware. Cloud-hosted software is usually patched by the provider, which is one reason it tends to stay current; locally installed software only stays current if someone at the firm makes it so. The fact remains that many small and even midsized firms are not running the latest versions of their software or, even worse, are on systems that have reached end of life and no longer receive security updates or support.
2. Your own staff. This may not be new, but the reality is that one of the greatest threats to the data in your firm is your own staff. If you or they engage in unsafe behavior (e.g., emailing sensitive data, clicking on links from senders you don't know, downloading or opening unfamiliar attachments, or even sharing or accepting documents by email), you are putting your firm's and your clients' data at risk.
3. Lack of oversight. Running a small firm doesn't mean you can't act like a larger practice that has expensive security systems, regular training, and a full IT department or even a CIO. Regardless of size, you can have regular oversight of your processes and have a risk assessment conducted. Unfortunately, most small firms do not.
4. How data is shared. As noted above, how data is exchanged within the firm or between you and your clients can be the crucial difference when it comes to cybersecurity. Email remains the primary form of communication at many firms, and sending bank statements, tax documents, and similar sensitive financial data as email attachments is a data breach waiting to happen: a copy of the attachment sits in every mailbox it passes through, and a single compromised account exposes all of it.
5. Remote access. Working with or accessing firm data remotely has become the norm, particularly since the pandemic, and offers real conveniences, but it comes with its share of data security risks. Remote access without proper controls (a properly configured VPN or remote desktop gateway, multifactor authentication, and managed devices) is a sure way for attackers, or malware already lurking on a home machine, to enter your systems.
6. Poor passwords. We've all heard the stories about how, at least at one time, the most common computer and software password was "Password" in some form or another. Even if that isn't the case at your firm, the temptation to use passwords that are "easy to remember," and to reuse them across multiple platforms, remains strong. A weak password is simply an unlocked door to an attacker; a reused one means that a breach at any one site hands the attacker the key to every other account that shares it. Either is among the worst ways to keep sensitive information safe.
Enter managed security services
Given how common the above threats are, one of the best ways CPA firms (especially small to midsized ones) can counter them is to have a trusted hosting provider oversee their systems and the data within them. If you are one of the many firms that still have, and prefer to work with, on-premises software and systems, one of the better options is to move that software to a cloud hosting provider and take advantage of the managed security services such providers can (hopefully) offer.
In reviewing such providers, you want to look for those that can offer your firm at least some of these features and services:
- Real-time endpoint protection;
- Advanced vulnerability management;
- Centralized policy management;
- Threat intelligence and prediction; and,
- A 24/7/365 security operations center.
There are certainly more factors to consider, and which ones matter most will ultimately depend on your firm's specific cybersecurity needs. Coming into the conversation with a provider knowing at least the basics, and treating potential threats and your clients' data with the highest importance, will go a long way toward prevention and protection.
It is understood that some of the more protective measures can be perceived as "inconvenient" by staff and clients alike. In addition, a lot of firms simply don't know what they are up against. Or, even worse, they weigh convenience over risk and take their chances, thinking a data breach or hack is not likely to happen to them.
For all these reasons, and many more, your firm should strongly consider a hosting partner that offers a high level of managed security services, such as