Someone in your firm needs to be literate on security and on managing your risk, because the number of security risks is increasing. This article won’t be a comprehensive list, but a good reminder of fundamentals that every firm needs to address. Being realistic about mitigating security risks will notably reduce your exposure and prevent unnecessary expenses.
You will probably need to get some professional help to implement some of the ideas that we discuss, and others simply will take good procedures, diligence and consistency. Again, the intent is not to name all risks, but to provide a reasonable checklist that you can use to improve your firm’s safety.
When you reflect on your risks, think through the security issues the way you would when working on a business continuity and disaster recovery (BC/DR) plan. Frankly, many security risks should have responses as part of that plan, but we’re betting most of you don’t have an active, updated BC/DR plan.
What are some risks? What can we do about them?
Let’s consider the impact of some risks in your office. Don’t take this table as comprehensive, but as an example of what can happen. This list only contains items that we know happened to CPA firms in the past twelve months. For that matter, update this list to fit your own view of the risks. Add risks that keep you up at night. Note also that this list is focusing primarily on security items, not other elements of a BC/DR plan, such as losing power, weather impacts or having a hard drive crash.
Recall that breach reporting rules are in force in almost all states. Our standard rule for avoiding breach reporting obligations is to encrypt all devices everywhere and to protect them with passwords or PIN codes. However, if you have an incident, you should contact your legal counsel, followed closely by legal authorities and your insurance company. Consider the following:
Again, this table was not intended to be comprehensive, but simply to give examples. We have to put our firms in a position to protect against common security problems.
So, What Should You Do About This?
First, you can solve some of these issues by better procedures and training. Many security breaches could have been avoided if team members had just not clicked through a link, read a message or copied a file. Consider your policies related to BYOD technologies, using public or client network connections or copying files from USB, hard drive or cloud sources.
Second, you can solve some issues with the appropriate software. Use Open License Microsoft Windows so you can use BitLocker encryption. Alternatively, consider encryption products like PGP or TrueCrypt. Make sure that your software providers have strong security. For example, ShareFile and SmartVault are portal and file transfer products that have strong encryption in motion and at rest. Consider an email encryption product like ZixMail or Secured Accountant.
Third, remember that the best security is physical security. Even though you may be practicing in a safe, small town, consider what physical security makes sense. Many firms have chosen to lock all doors leading from their lobbies back into the practitioners’ office spaces. Others have implemented automatic lock systems on certain doors. Everyone should keep their computer server room locked. Motion-sensing, night-vision cameras can be installed over all doors and in the lobby waiting area.
Finally, recognize that most security issues carry at least some level of soft cost and lost productivity. When reportable breaches occur, it costs money to notify those affected and to monitor the losses. Some firms have purchased cybersecurity insurance for this purpose. What can you do to mitigate the risk of a security issue in your firm?
Mr. Johnston is executive vice president and partner of K2 Enterprises and Network Management Group, Inc.
He is a nationally recognized educator, consultant and writer with over 30 years’ experience. He can be contacted at firstname.lastname@example.org.