3 steps to protect your accounting firm from cyberattack
With all the sensitive, personal information your accounting firm holds about your clients, you’re a juicy target for bad actors. Cybersecurity should be a top priority for your firm’s protection — and your clients’.
When it comes to attacks like ransomware, most accounting firms are woefully unprepared. A 2022 survey of small and medium-sized firms by CyberCatch showed that:
- 14% have no written Incident Response Plan.
- Of those with a plan, 29% tested the plan over 6 months ago.
- 31% have no backups offline.
- 27% don’t perform phishing testing of employees.
- 48% could survive only 3 days after a ransomware attack.
The data loss stemming from cyberattacks is more than just a hassle. It starts a cascade of trouble, including lost productivity, diminished client trust, decreased revenue, and even state and federal regulatory actions and fines. If you want to do everything you can to avoid a data disaster, it’s time to prepare.
Step 1: Plan
Whether you have your own IT staff or work with a consultant, a written plan is a must. It should be readily available to the entire team, and everyone should understand the role they play.
In your plan, make sure to include these components:
- An inventory of hardware, software, and data sources.
- Passwords and other authentication information.
- A directive for what’s most critical and in what order systems should be restored.
- The location of your data backups — ideally you’ll have both on-premises and cloud backups.
- The schedule and procedures for your backups so you can restore them accurately as quickly as possible. Your backup plan should include both full and incremental backups.
- The timeframe in which you expect to be partially and fully operational.
These are just a few of the building blocks your disaster recovery plan needs. Other aspects will depend on your size, your systems, and how your firm operates.
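To show how the inventory, restore-priority directive, and full-plus-incremental backup schedule fit together, here is an added illustration (not Cenetric's tooling or anything from the original post) that computes each system's restore chain and orders systems by criticality, refusing a chain with a missing incremental. System names, priorities and backup timestamps are constructed.

```python
# Added illustration (not Cenetric's tooling): restore-order planner for a DR plan; all data is constructed.
from dataclasses import dataclass, field

@dataclass
class Backup:
    id: str
    kind: str          # "full" or "incremental"
    taken_at: int      # hours since an arbitrary epoch (constructed units)
    base: str = ""     # id of the backup an incremental builds on

@dataclass
class System:
    name: str
    priority: int      # 1 = restore first
    backups: list = field(default_factory=list)

def restore_chain(backups, as_of):
    """Backup ids to apply, in order, to recover state as of `as_of`: the newest
    full at or before `as_of`, then each later incremental, link-checked."""
    usable = sorted((b for b in backups if b.taken_at <= as_of),
                    key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup available at or before requested time")
    chain = [fulls[-1]]
    for b in usable:
        if b.kind == "incremental" and b.taken_at > chain[0].taken_at:
            if b.base != chain[-1].id:  # a missing or out-of-order incremental
                raise ValueError(f"broken chain: {b.id} builds on {b.base}, "
                                 f"but last applied is {chain[-1].id}")
            chain.append(b)
    return [b.id for b in chain]

def restore_plan(systems, as_of):
    """Systems in restore order (most critical first) with their chains."""
    return [(s.name, restore_chain(s.backups, as_of))
            for s in sorted(systems, key=lambda s: s.priority)]

# Constructed inventory; file-share's second incremental wrongly skips f-inc1.
INVENTORY = [
    System("email", 2, [Backup("e-full", "full", 0),
                        Backup("e-inc1", "incremental", 24, "e-full")]),
    System("tax-app", 1, [Backup("t-full0", "full", 0),
                          Backup("t-inc1", "incremental", 24, "t-full0"),
                          Backup("t-full1", "full", 48),
                          Backup("t-inc2", "incremental", 72, "t-full1")]),
    System("file-share", 3, [Backup("f-full", "full", 0),
                             Backup("f-inc1", "incremental", 24, "f-full"),
                             Backup("f-inc2", "incremental", 48, "f-full")]),
]
```

Running `restore_plan(INVENTORY, 96)` raises on the file-share chain, which is exactly the kind of gap a plan rehearsal should surface before a real incident does.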
Step 2: Practice
Now that you have a plan, make sure it’s practiced regularly. Company leaders should practice — and have prepared — the communication they’ll send out to employees and clients, if necessary. Leaders should also know which regulatory authorities need to be informed and how to contact them.
The IT staff, if you have one, should practice the order and urgency of each step in their process and be prepared to communicate with leaders about their progress and status. If you don’t have IT staff, you need a list of designated people who are responsible for immediately contacting your managed services firm.
Don’t forget your accountants and support teams. With remote work, every employee needs to have a fast, direct way to reach your IT staff or other designated staff member. They should all practice calling or emailing the appropriate people and know which systems should not be used in the event of a cyberattack.
If you work with an outside firm to manage or co-manage your IT services, review your agreement to be sure they’ll be available to respond quickly. Any service provider you work with should be available to help you with a data breach or other cyberattack 24/7. Every moment counts, so ensure you can get a response in minutes — not hours.
Step 3: Test
The best-case scenario, of course, is not having to deal with a disaster at all. You can stave off threats with frequent, random testing of your team. While you should have software in place to block phishing, bad actors have been known to get past even the top software.
To test your team’s attention to potential phishing, implement tests that simulate real phishing attempts. These tests will help you identify the employees who need more cybersecurity training.
But be cautious — some tactics can backfire. Harvard Business Review reports that companies that have dangled bonuses or prizes to get users to click bad links found that those users became distrustful of their IT group in reaction. Users thought they were getting rewarded and found themselves being punished instead.
Your goal in testing should be to make preventing phishing a collaborative effort. Make users feel comfortable reaching out to you. Another experiment gave users a button to alert their IT group to a suspicious message. This connection to the IT team led users to correctly report 68% of the test emails. In this situation, users got to view themselves as helping out instead of being put on the spot.
Mimic a variety of situations in your phishing tests. Many attacks start with a fake email from a company leader requesting sensitive information. Others look like they’re from a bank or social media site requesting password information. Determine which are most likely to affect your firm and test employees with those tactics.
Take every precaution — and get help where you need it
Your firm should be protected by the best practices we’ve discussed and many more — like penetration testing, compliance audits, and network security monitoring — but it’s not easy to do without a robust IT team. Many firms have a tech staff of one — or none — making keeping up with it all nearly impossible.
Managed cybersecurity solutions from Cenetric experts can ensure all your bases are covered to deliver the best protection for your firm. Working with accounting firms in Kansas City and beyond, Cenetric has the experience and availability you need to protect your business.