August 16, 2022
Darren Root, Chief Strategist, Rootworks
One click. That’s all it takes. One click on an email link and your firm’s data (including your clients’) is breached.
Did you know hackers target small businesses? And what type of small business contains a treasure trove of personal and financial information? Accounting firms.
Because accounting firms are responsible for highly sensitive information, it’s on you and your team to safeguard client data. While the work dynamic has shifted to cloud-based applications, firms must create and maintain a culture of security awareness.
Awareness is key in recognizing security threats and thwarting attacks, which is why we’re going to walk you through the top five security threats facing accounting firms in 2022.
One of the biggest cyber threats facing firms today is phishing. With phishing threats, end users are typically tricked through emails from what appear to be known senders, but are in reality spoofed email addresses made to look legitimate. The emails are labeled as urgent and play on the user’s emotions, enticing them to click a link to update a password or re-enter personal information like a credit card number or bank account details.
Hackers have gotten even smarter with phishing attacks by using text or SMS messages (i.e., smishing) to trick people into clicking on a malicious link. These attacks can lead to stolen credentials or ransomware, leaving firms unable to access data until a ransom is paid. Even then, there’s no guarantee that data is restored, and there’s always the risk that the stolen data is exposed or sold.
Employees must do their due diligence: Check the sender’s actual email address (not just the display name) to confirm it isn’t spoofed, mouse over links to see whether the real destination matches the text shown, and if something looks fishy, always reach out directly to the sender through a phone number or address you already have on file (never the contact details in the suspicious message) to confirm that the email, links or attachments are legit.
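The manual checks above (sender address versus display name, Reply-To mismatch, urgency wording, and link text that doesn’t match the real link target) can also be automated. The script below is an added example for this article, not Rootworks code; the sample message, the firm domain `example-firm.com` and the `TRUSTED_DOMAINS` list are constructed for illustration.

```python
"""Flag common phishing tells in a raw email message (added example, stdlib only)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name impersonates the firm, the real address is a
# look-alike domain, Reply-To goes elsewhere, and the visible link text does not
# match the href it actually points to.
SAMPLE = """\
From: "Firm Payroll" <payroll@examp1e-firm.co>
Reply-To: collect@mail-relay.example.net
To: staff@example-firm.com
Subject: URGENT: re-enter your bank details today
Content-Type: text/html

<p>Update now: <a href="http://login.examp1e-firm.co/reset">https://portal.example-firm.com/reset</a></p>
"""

# Assumed: the firm's own sending domains (hypothetical value).
TRUSTED_DOMAINS = {"example-firm.com"}


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr_or_url):
    """Host of a URL, or the domain part of an email address, lower-cased."""
    if "://" in addr_or_url:
        host = urlparse(addr_or_url).hostname or ""
    else:
        host = addr_or_url.rsplit("@", 1)[-1]
    return host.lower()


def analyze(raw):
    """Return a list of warning strings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # 1. The address that matters is inside the angle brackets, not the display name.
    _name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    if from_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {from_domain!r} is not a trusted domain")

    # 2. Replies silently routed to a different domain are a classic tell.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_domain:
        warnings.append("Reply-To domain differs from From domain")

    # 3. Urgency wording in the subject line.
    if re.search(r"\burgent\b", msg.get("Subject", ""), re.I):
        warnings.append("subject uses urgency language")

    # 4. Link text that shows one URL while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if "://" in text and domain_of(text) != domain_of(href):
                warnings.append(f"link text {text!r} actually points to {href!r}")
    return warnings


if __name__ == "__main__":
    for w in analyze(SAMPLE):
        print("WARNING:", w)
```

Running it on the constructed sample produces four warnings. A clean message from a trusted domain with no HTML links produces none, which is the point of keeping the checks narrow: they are prompts for a human to verify, not a spam filter.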
Many firms have shifted to a remote or hybrid workspace but haven’t taken the precautions needed to prevent security threats. Failing to require strong passwords (at least 10 characters, and ideally longer passphrases screened against lists of known-breached passwords), not implementing mandatory password resets every 90 days and lack of enforcing automatic inactivity timeouts can lead to unauthorized access, even at home. One caveat on resets: current NIST guidance (SP 800-63B) no longer recommends forced periodic password changes unless a compromise is suspected, because they push users toward predictable variations; length, breach screening and MFA do more to keep accounts safe.
And speaking of remote workers, companies must implement multi-factor authentication (MFA) for applications that contain personal data (at the very least!) and make sure that employees’ devices, including mobile devices and tablets, are kept up to date with antivirus software, operating system patches and application updates on a regular schedule.
Firms must create and adhere to a remote work policy that sets rules for handling sensitive information, requires doing business only on secure connections (e.g., avoiding public Wi-Fi, or using a virtual private network, aka VPN, when it can’t be avoided), and maintaining security awareness at all times.
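For readers who want to see what the second factor actually does, here is the time-based one-time password (TOTP, RFC 6238) scheme that authenticator apps use, with the server-side verification that a login page would perform. This is an added example for this article, not Rootworks code or any vendor’s implementation; the secret is the RFC 6238 test-vector key and the timestamps are fixed so the output is reproducible.

```python
"""RFC 6238 TOTP generation and verification (added example, stdlib only)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), base32-encoded the way an
# authenticator app receives it in the enrollment QR code. Never reuse it in production.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """TOTP is HOTP with the counter set to the current 30-second time step."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, code, at=None, step=30, window=1, used=None):
    """Server-side check.

    Accepts the code for the current step plus/minus `window` steps (clock drift),
    compares in constant time, and refuses to accept the same step twice so a
    code sniffed over a user's shoulder cannot be replayed. `used` is the set of
    step counters already consumed for this user (kept per user in real storage).
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    used = set() if used is None else used
    for offset in range(-window, window + 1):
        candidate = counter + offset
        if hmac.compare_digest(hotp(secret_b32, candidate, len(code)), code):
            if candidate in used:
                return False  # replay of an already-consumed step
            used.add(candidate)
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32))
    print("RFC 6238 vector at t=59:", totp(DEMO_SECRET_B32, at=59, digits=8))
```

The two design points worth copying are the constant-time comparison and the replay set: a plain `==` on the code leaks timing, and without tracking consumed steps a stolen code stays valid for the whole tolerance window.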
Failing to encrypt data in transit and at rest is an oversight that makes attacks easier. Workers should always make sure websites are secure (e.g., web addresses start with HTTPS and the browser shows a padlock icon next to the site name) before entering credentials or client data, with one caveat: the padlock only means the connection to that site is encrypted, not that the site is legitimate. Phishing sites use HTTPS too, so the address itself still has to be checked.
Firms must ensure that devices (e.g., computers, tablets, phones) use full-disk encryption, so that a laptop or phone lost or stolen in a public setting such as a coffee shop, hotel or airport doesn’t expose client data. Public settings also bring wireless exposure through Bluetooth, open hotspots and radio frequency identification (RFID): if employees travel, they should disable Bluetooth while in public and avoid untrusted hotspots to reduce the chance of hackers gaining access to their devices.
If your firm still sends and accepts documents (i.e., financial statements, tax documents) through email instead of using an encrypted file sharing solution like WeTransfer…or a dedicated firm portal, you’re not only risking your accounting firm’s security; you are putting your clients’ data at risk.
Firms that lack consistent security training are highly vulnerable to cybersecurity threats. Without regular training, employees can become complacent and open the firm (and the firm’s clients) to ransomware attacks just by clicking on an infected link.
Employees need to practice security awareness, and that’s what consistent security training provides. Investing in a tool like KnowBe4 takes the guesswork out of training staff. They need to know how to spot scams and social engineering attacks by staying educated and vigilant.
Platforms like KnowBe4 provide ongoing security training, along with simulated phishing attacks, to keep employees aware of possible cybersecurity threats. Staying informed through consistent security training is a big step in data security.
One final top security threat comes down to third-party vendors. While firms must focus on internal and remote security, they must also partner with third-party vendors who have security systems and protocols in place.
Third-party vendors who offer downloadable, locally installed software depend on your firm to apply every update; until someone schedules the downtime and installs the patch, your firm and your clients remain exposed to the flaw it fixes. Vendors with cloud-based apps can apply critical security patches on their side without waiting on each customer, which shortens that window considerably (it does not eliminate it, so ask vendors how quickly they patch and how they notify you).
Ensure that third-party vendors follow strict requirements, such as MFA-protected logins, mandatory timeout periods, password policies in line with current guidance (length and breach screening rather than rotation alone), and tested data recovery protocols. Your clients have every right to expect that your trusted vendors will also maintain the utmost in data security.
While no set of controls can guarantee that your firm’s systems will never be breached, employee awareness is your biggest asset when it comes to data security. Put systems in place now to safeguard your firm and protect your clients’ data.
For more information on how to keep your firm safe in the remote workplace, download our Cybersecurity eBook today!