Accounting Firm Security Risks Are Escalating—Now What?
It used to be the case that very small businesses (VSBs) and small to midsized accounting firms could take basic measures to prevent data breaches.
This often entailed storing personally identifiable information in locked file cabinets or in-office safes. You could also store data on floppy disks or thumb drives for portability.
During this period, a threat actor would have to bypass an accounting firm’s physical security to steal its information.
Let’s fast forward to the present—the new normal…the here and now.
Today, sophisticated cybercriminals can employ several styles of cyberattacks—from phishing to malware trojans—to illegally obtain money-making info. Sadly, this information is often sold on the dark web for a hefty price, making the practice lucrative. Adding insult to injury, many of these criminals may never be caught.
Understanding Accounting Firm Security Risks
We looked at two recent surveys to understand how small and midsized accounting firm leaders feel about the security risks facing them in 2022.
The first was conducted by CNBC and includes data points from accounting firms and their small business clients.
Interestingly, or perhaps shockingly, the CNBC|SurveyMonkey Small Business Survey found that just 5% of 2,000 small business owners considered cybersecurity to be the most significant risk facing them in Q2 2022.
“The smallest of small businesses are the least concerned about cyberattacks: Just 33% of owners with zero to four employees are concerned about experiencing a cyberattack within a year, compared to 61% of small business owners who have 50 or more employees.” – CNBC Small Business Playbook
When you look at the other risks business owners were presented with (supply chain disruption, inflation, COVID-19 and labor shortage), you begin to see that maybe, in 2022, it’s not so surprising that cybersecurity is the last thing on the minds of business owners.
However, it should be on their minds, and it shouldn’t be at the bottom of the list.
The reality of the risks business and accounting firm owners face is presented in another survey conducted by AdvisorSmith.
Here are a Few Fast Facts from the Survey, Which had the Goal to “Understand Their Experience with Cyberattacks and How Their Businesses are Preparing for Cyberthreats.”
- 42% of small businesses experienced a cyberattack.
- 69% of small business owners are concerned about becoming the victim of a cyberattack.
- 72% of small business owners have implemented cybersecurity measures.
These numbers are a bit more reassuring than the CNBC|SurveyMonkey Small Business Survey—yet, upon further digging, it doesn’t seem as though any of these surveyed businesses understand what it takes to be fully secured from cyber intrusion.
And why should they? Their expertise is in the goods or services they provide—not ransomware, Trojan horse attacks, data encryption, multifactor authentication (MFA), etc.
Of the businesses surveyed, the cybersecurity measures implemented include items such as the following:
- 21% have implemented a strong password policy.
- 16% regularly train employees on cybersecurity.
- 9% hired a cybersecurity consultant.
Their cybersecurity preparations also include MFA (20%), data encryption (17%) and cybersecurity software (16%).
Every one of those preventive measures is essential, and good for the small businesses that do have some tactics in place. But the stats are still alarming.
Implementing just one of those measures won’t cut it. Every business, every accounting firm, and every accounting firm client needs to approach security holistically.
Protecting Personally Identifiable Information Matters
As evidenced by the above data points, accounting firms have yet to: 1) fully understand the cyber risks faced by their businesses on a daily basis, or 2) properly secure their business’s technology.
And considering the implications of threat actors stealing their clients’ personally identifiable information (PII), the aftermath of a security breach can create devastating effects that will leave a lasting consumer impression.
“Any cyberattack—even one that is quickly resolved—can have a long-lasting negative impact on a business.” – CNBC Small Business Playbook
While clients could be a bit more forgiving of a breach depending on the size of the firm, they will be hesitant about entrusting their PII to a business that failed to take steps to protect customer data.
How to ‘Solve’ Security
Unfortunately, security is a day-to-day consideration, which makes it nearly impossible to “solve.” New threats emerge every day, and new variables are constantly introduced to your business, especially every time a new hire walks through the door (or, more likely in 2022, signs onto their laptop remotely).
That being said, you can lower your cyber risk by coming up with a solution before you need it—before you are ever presented with a problem.
1. Lower the human error risk
Verizon’s DBIR (Data Breach Investigations Report) indicates that over 80% of small business data breaches occur due to their staff members’ lack of knowledge of what to look out for. This is problematic because your staff is the first line of defense when it comes to handling customer information properly.
It’s critical to provide continuous training for your staff on the numerous dangers that lurk in cyberspace.
A comprehensive training program helps teams learn how to mitigate risks associated with:
- Phishing attacks
- Malware and ransomware
- Known Trojans
- Credential harvesting and reuse
- SQL injections
- Denial of Service (DoS)
- Cross-site scripting (XSS)
- Man-in-the-middle attacks
- Insider threats
While the last threat on that list may sound the most ominous, in most cases the damage is done innocently. Far too often, an insider threat occurs due to a lack of knowledge of how to prevent a malicious and effective data breach.
In the rare cases where the attack is intentional, it is often the byproduct of a disgruntled employee’s access to sensitive data.
2. Work in the cloud
The second way to establish accounting firm security is to work—whenever possible—in the cloud.
The cloud provides a triple whammy of security, flexibility and portability, from office to home and travel.
We can’t speak for all cloud hosting providers, but our QuickBooks Desktop hosting packages offer security benefits like:
- An end-to-end, fully redundant IT infrastructure with 99.999% uptime
- Multifactor authentication
- Multi-layered firewalls and malware detection
- 24/7/365 onsite data center security
- 90-day data backups
Learn more about the full benefits of working inside the cloud vs. not in “Why the cloud is an absolute necessity.”
3. Secure your computer
The third way to lower your cyber risk? Secure your computer. We’ve discussed how the cloud secures your cloud-based applications and software, but what about every other program?
Chances are, you’re not accessing your Outlook from within the cloud; you may have a few applications or pieces of software that aren’t hosted (yet), which means work may sometimes take you outside the cloud environment.
But just because you’re working outside the cloud doesn’t mean you can’t get the security benefits of the cloud for your local environment, too.
Protect your local device (computer, laptop) with solutions that offer:
- Antivirus threat protection—antivirus technology to keep files safe from cyberthreats
- File and folder backups—automated data backups in the event of accidental loss or deletion
- Drive encryption—further protection for your data with measures that make it unreadable to bad actors, should the data get stolen
- Unlimited support—24/7 access to a fully vetted, expert security team in case you have any questions or concerns
Cybertheft is lucrative and shows no signs of slowing down. But using solutions like cloud hosting, MFA (included in all Right Networks cloud hosting packages), local computer security and regular security awareness training will help protect client PII alongside your firm’s finances and reputation.