Skip to main content


The Sad State of CyberSecurity

Small and mid-sized businesses are failing at security. This puts them in peril and, if they're your clients, you could suffer, too.


From CPA Practice Advisor’s Bleeding Edge Blog.

There is a lot of protection in being “off the grid” – in being so small and insignificant that no one even know you are there. And that is true even when it comes to CyberSecurity. I once ran a server connected to the Internet for three years, with mail server, web site, FTP site and more, without a single shred of protection.

I did it to show that average users don’t need to spend hundreds of dollars on elaborate firewalls, anti-virus schemes and other protections simply to access basic Internet services. Of course, the other part of this equation is that you must stay off of porn sites, social media, download sites, file-sharing sites or any other site that you do not know. And that you do not open any email that contains anything other than text.

I am not sure that the same experiment would stand up today, but I am sure of two things: small businesses believe they are protected from cyberthreats; and almost none of them actually are. That’s not just my opinion, but the results of a new survey by the National Cyber Security Alliance and Symantec. The survey, of 1015 small and medium-sized businesses, found that 77 percent believe they are protected, but 83 percent have no formal cybersecurity plan. And who is in charge of cybersecurity at these firms? Two-thirds of the time, it is the business owner.

The survey gets worse. Among those surveyed:

  • 87 percent don’t have a formal written Internet policy for employees.
  • 62 percent said they were very confident that their employees nonetheless were aware of the company’s formal Internet security policy and practices.
  • When it comes to social media: 75 percent of SMBs have no policy governing employee behavior
  • 77 percent feel their companies are safe from cyberthreats
  • 77 percent describe a strong cybersecurity and online safety posture a positive for their brand.
  • 59 percent have no contingency plan how to respond and report data breach losses.

Your average plumber or landscaping business might be able to exist in such an environment; your average accounting firm cannot. Accountants and tax preparers must of necessity have and store all of the information that data thieves most want to obtain – personal and financial details that enable them to easily commit identity theft or raid a client company’s bank account.

Which only means that tax, accounting and financial planning firms cannot ever afford to be without protection, a plan and a good set of procedures. And that the same goes for many of their clients, making a cybersecurity assessment a critical part of the annual audit of any small or medium-sized business.