Provided by CAMICO, OSCPA's preferred provider of Professional Liability Insurance
CPA firms are primary targets for cyber criminals, and firms of all sizes are subject to breaches and ransomware events. Smaller and midsized firms should not get a false sense of "security by obscurity." Even if a firm is not specifically being targeted, it may fall victim to a breach or ransomware event because of what is perhaps the most common reason for a breach: human error.
Working remotely has opened new access points and vulnerabilities that attackers are exploiting. Even before the coronavirus pandemic, remote work was becoming ever more popular. Now, more than ever, a single remote worker can expose the entire firm by clicking the wrong link, opening an infected attachment, or sending files over an unsecured public network.
When employees do return to the office, they are increasingly using personal devices to connect to the firm's network. This makes security that much harder, because implementing and enforcing mandatory cybersecurity measures on personal devices ranges from difficult to impossible. Ensuring that staff are security conscious is therefore more important than ever.
Whatever method is used to infiltrate a business, phishing, malicious email attachments, and employee error will remain leading causes of breaches for years to come.
REGULATORY AND LEGAL REQUIREMENTS
It has not escaped regulators that employee training is key to minimizing the odds of a data breach. At the federal level, CPA firms fall under the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). While the list of requirements is lengthy, the Federal Trade Commission (FTC) emphasizes mandatory employee training. The FTC states that all firms should be "Regularly reminding all employees of your company's policy—and the legal requirement—to keep customer information secure and confidential."
The FTC also measures the "reasonableness" of a business's security efforts against the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF). The CSF's Awareness and Training category (PR.AT) requires that all users be informed and trained, and the CIS Controls it cites as a reference (Control 17) spell out what that means: firms should "Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner."
The FTC has gone after large businesses, small businesses, and individuals for non-compliance. As the nation's primary cybersecurity and privacy enforcement agency, it enforces compliance through a notoriously expensive process, one that drove at least one company into bankruptcy. Companies typically sign consent orders that impose 20 years of obligations, including regular (and expensive) independent security assessments, security awareness training, and pages of other measures. Companies that ignore reasonable security measures do so at their own risk.
The GLBA Safeguards Rule is just one of several rules that require a firm to implement employee training. Many states reference "reasonable" cybersecurity requirements that include regular employee training, such as those found in the California Consumer Privacy Act and the New York SHIELD Act. Firms are generally required to comply with the law of the state where the client resides, not necessarily the state where the firm is located. Firms are therefore encouraged to seek additional guidance on which laws apply to their unique circumstances.
TRAINING PROGRAM BENEFITS
To reduce the risk from human error and attackers, and to meet regulators' expectations, every firm should consider implementing a formal cybersecurity awareness training program. Such programs also provide the following benefits:
- You'll lay the groundwork for more competent, capable staff. With effective security awareness training, your team can feel confident using technology appropriately. They'll know what to do and what not to do to better protect the firm from constant threats.
- With formalized and ongoing training, cybersecurity will become a priority for your staff as they see that it is a priority for firm partners and managers.
- You can save significant amounts of time and money. Responding to a breach is far more costly in both time and money than avoiding the breach outright.
- You can minimize the odds of having to notify clients of a breach of their personal information. The percentage of clients leaving a firm following a breach is on the rise. In these difficult economic times, it is easier and more cost effective to retain existing clients than to search for new ones.
It is critical that firms be extra diligent to follow established security measures and safeguards. Remind all employees of the importance of strict adherence to security protocols and established safeguards.
Although not meant to be all-inclusive, the following basic best practice measures are extremely important and should be prioritized:
- Keep all software, including operating systems, browsers, and tax and accounting applications, current with the latest security patches. Attackers routinely exploit vulnerabilities for which a fix already exists.
- Frequently back up all important data and verify the backups. Regular backups reduce the likelihood that critical data is permanently lost in a cyberattack. Keep at least one copy offline or otherwise isolated from your network, because ransomware seeks out and encrypts every file it can reach, including backup copies on connected drives and shares. Periodically test a full restore, not just the backup job's success status, to confirm that your data will actually be recoverable if an incident or disaster occurs.
- Use strong, unique passwords, and change any password that may have been exposed. Systems are only as secure as the passwords used to access them. Experts recommend 16 or more characters to resist brute-force attacks, a password manager so that no password is reused across sites, and a limit on failed login attempts. Forced rotation on a fixed schedule is no longer recommended (NIST SP 800-63B advises against it) because it tends to produce predictable variations of the old password; change passwords when there is evidence of compromise.
- Use multi-factor authentication everywhere it is offered, especially for email, remote access, and cloud accounting and tax applications. It stops an attacker who has obtained a password from logging in with the password alone, which matters most when employees work remotely. Where available, prefer app-based or hardware-key methods over SMS codes.
- Slow down to avoid becoming yet another phishing victim. Take the time necessary to validate suspicious or unexpected email. Before clicking a link, pop-up, or attachment, hover your cursor over the link to display the actual destination and compare it with where the message claims to lead; the visible text of a link can say one thing while the underlying address points somewhere else. If there is an urgent call to action, validate it another way rather than clicking: call the sender at a number you already have to get verbal confirmation, or type the organization's website address into your browser yourself instead of following the link.
- Maintain strong work-from-home cyber hygiene. Reinforce with employees the protocols to be followed when working remotely (e.g., using only approved machines, a strong home Wi-Fi password, the firm VPN, and host firewalls).
- Remind all employees of the importance of powering down computers when not in use. A powered-off computer cannot be reached over the network, which shrinks the window an attacker has to act. It can still be stolen, so laptops should also use full-disk encryption.
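The hover-and-compare check in the phishing bullet above can be automated for a first-pass triage of a suspicious message. The following is an added example written for this article, not code from CAMICO or the original author. The email body and every domain name it checks are constructed for the example and hypothetical, and its notion of "registrable domain" is a deliberate approximation (the last two labels of the host; production code would use the Public Suffix List). It extracts every link from an HTML message and flags what a careful reader would notice when hovering: visible text that names one domain while the link goes to another, a raw IP address in place of a domain name, a username before an "@" that hides the real host, and punycode hosts that may be look-alikes.

```python
"""Automating the 'hover before you click' check on an HTML email.

Added example, not part of the original article. SAMPLE_EMAIL and the
domain names in it are constructed for this example and hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Something that looks like a domain name inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example only: real code should consult the
    Public Suffix List (e.g. 'co.uk' has three relevant labels).
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(text, href):
    """Return the reasons a link deserves suspicion (empty list = none found)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    # https://bank.example@evil.example/ : everything before '@' is a username,
    # not the host, which is a classic way to make a hostile link look familiar.
    if parsed.username is not None:
        reasons.append("credentials/'@' in URL hide the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("internationalized (punycode) host, possible look-alike")
    # The hover check: does the domain the reader sees match where the link goes?
    m = DOMAIN_RE.search(text)
    if m and host and registrable(m.group(1)) != registrable(host):
        reasons.append(f"text shows {m.group(1)} but link goes to {host}")
    return reasons


def triage(html):
    """Return [(visible text, href, reasons)] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href, assess_link(text, href)) for text, href in collector.links]


# Constructed sample message: one hostile link, one benign link, one mismatch.
SAMPLE_EMAIL = """
<p>Your account will be suspended. <a href="http://203.0.113.7/login">Verify now</a></p>
<p>Portal: <a href="https://firm-portal.example.com/docs">https://firm-portal.example.com</a></p>
<p>Update payment: <a href="https://secure-login.example-payments.net/x">https://bank.example.com/secure</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in triage(SAMPLE_EMAIL):
        verdict = "; ".join(reasons) if reasons else "no obvious issue"
        print(f"{text!r} -> {href}\n    {verdict}")
```

Run as a script it prints a verdict per link; the second link passes because the visible text and the destination share a registrable domain, while the third is flagged for pointing somewhere other than the domain its text displays. A clean result is not proof a link is safe, which is why the article's advice to confirm urgent requests out of band still applies.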
This tip is based in part on an article by Joseph E. Brunsman, MSL, an author, speaker, and insurance broker with Chesapeake Professional Liability Brokers, Inc., based in Annapolis, MD.