IT Expert Shares 5 Cybersecurity Tips for Accountants

While every modern business has data that needs to be protected from cyber criminals, accounting professionals must be especially vigilant about protecting their data. Because of the amount and value of personal and financial data that accountants possess: 

1. A data breach could be especially devastating to a small firm and its clients, and

2. Small accounting firms are high priority targets because of the value of this data.

But as an accounting professional for a small business, your resources may not allow you to deploy the same level of technology and outside support that a larger firm might have available.

In this article, we’ll go over a step-by-step cybersecurity plan based on a three-pronged approach consisting of software tools, organizational training, and maintenance policies. This plan is designed so that even small firms can ensure effective protection against cybercriminals.

To inform this guidance, we spoke to Tony Wang, director of IT Risk Management for Williams Adley CPA and management consulting firm [1].

Let’s begin.

At its heart, Wang says, cybersecurity for accountants is really no different than cybersecurity for other types of organizations.The stakes may be higher when a lot of sensitive financial information is on the line, but the methods of protecting that data are essentially the same.

And while technology is an important piece of any cybersecurity plan, as we’ll explore below, it ultimately comes down to the people in your organization.

Now, let’s look at how you can put this plan into action.

1. Start with training and education

According to our Data Security survey (methodology below), careless employees are the number one security vulnerability for businesses. This means you need to train your employees to adopt a culture that understands and practices data protection (not opening suspicious email attachments, not giving away passwords, etc.) as the most important and effective way to keep your firm’s data safe.

Our research backs this up. Our survey also found that the rate of employees clicking on phishing links in emails has increased by 88% in the past three years.

As cyber criminals get more creative and manipulative [2] with their tactics, it’s especially important that all of your employees go through cybersecurity training during onboarding, and then refresh this training periodically. The best way to organize this training is through your LMS (learning management system). Most LMS platforms generally include course libraries.

2. Use regular vulnerability assessments

Vulnerability scans are a bit like security guards for your digital property, systematically patrolling your computer systems on the lookout for anything suspicious.

A vulnerability assessment is an automated test that scans your entire network to identify weak points that would allow malicious actors to gain access to your system. A vulnerability assessment can also classify vulnerabilities based on their severity to help with prioritization. 

This is also known as risk assessment. For example, one vulnerability might have a very small chance of becoming a problem, while another vulnerability might require immediate attention upon discovery.

Remember that the purpose of a vulnerability assessment is not to fix vulnerabilities, it’s to identify them so that they can be addressed by a network administrator or engineer before becoming a bigger issue. For example, the assessment might identify out-of-date software that needs to be updated to ensure the integrity of your system, or it might call for installing a new firewall [4].

A full vulnerability assessment should cover onsite servers and connected devices, wireless networks, databases, and all applications used by employees on your network.

So, how exactly do you perform a vulnerability assessment? One method is to ask your network service provider to run the assessment and share the results with you. Wang says that his firm’s service provider runs quarterly vulnerability assessments. For smaller, self-managed networks, your network security software should include vulnerability scanning as a standard feature.

3. Use password generation tools

As we mentioned in the first section, people are the biggest vulnerability to any network. But even with proper training and education, a predictable password is essentially an unlocked back door for cybercriminals to walk through. The most obvious solution to this problem is to create longer, more complicated and less predictable passwords. As anyone who uses passwords knows, password fatigue is a real issue and can cause even the most well-intentioned employee to save passwords on sticky notes.

This is where password generation, also known as password management, tools come in. These tools are essentially secure lockers for passwords. Your employee just needs to remember one long but easy-to-remember master password to access the tool, and then the tool creates complex, random, unique passwords for all of the accounts that the employee needs to access.

Not sure whether your company can afford a password management tool? Some of the best options are affordable or even free.

4. Use two-factor or multi-factor authentication

In the arms race between cyber criminals and data protectors, multi-factor authentication (MFA) has been a major advance for organizations trying to protect their data.

Multi-factor authentication requires users to regularly confirm their identity via a second source in addition to their password, such as clicking a button in an email, entering a code received in a text, or even scanning their face on their phone camera.

A few years ago, multi-factor authentication was more of an “extra-mile” kind of consideration for security conscious businesses. But in the year 2022 it has become so prevalent that it’s virtually a must have. In fact, our Data Security survey* found that 92% of U.S. companies are now using two-factor authentication (2FA) for at least some of their business applications.

Of course, even with multi-factor authentication it’s still important to ensure regular training. Cyber criminals haven’t simply raised the white flag when faced with multi-factor authentication, and especially persistent and persuasive thieves have been known to badger victims into sharing their MFA one-time codes.

5. Have a data breach action plan in place

So now you've trained your employees to not fall for phishing scams, you’ve set up regular vulnerability assessments to uncover potential weak points, and ensured strong passwords and access control through password generation tools and multi-factor authentication. Your data is safe, right? Not necessarily. In fact, an IBM survey found that 83% of U.S. companies have fallen victim to multiple data breaches [6].

This is why it’s so important to have a plan in place and ready to go before a data breach happens rather than scrambling in a panic when one does occur. And if you do discover that your data security has been breached, through a vulnerability scan for example, take solace in knowing that just discovering the breach puts you ahead of the game.

Once you’ve detected the threat, it’s time to start cleaning up the mess. This means completely securing the vulnerability that allowed the threat so that it doesn’t happen again, containing the damage by recovering any lost data from backup, and then resuming normal business operations.

For more details on creating a data breach action plan, check out our complete guide here [7], with steps informed by Gartner [8].

Comments are closed.