Accounting Firm Cybersecurity: Training Your Staff and Protecting Your Business

Accounting Firms, Blog October 18, 2017

Please note:
Not Intended as Legal Advice: The contents of this blog should not be construed as, and should not be relied upon for legal, tax or security advice in any particular circumstance or fact situation. No action should be taken, or avoided, in reliance on the information contained in this blog and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this blog to the fullest extent permitted by law. You should consult with your legal, tax and technology security advisors for advice on legal matters, tax matters and data security practices applicable to your business.

It probably won’t surprise you to hear that tax identity theft is on the rise. In response to this increase in tax-related ID theft, last year the IRS rolled out new security requirements that recommended multi-factor authentication (MFA) for tax and accounting software.

While MFA has been shown to be an effective tool in combating fraud, there’s an equally important supplemental strategy that all tax and accounting firms should employ: educating their staff.

That’s because humans — no matter how well-intentioned — remain the weakest link in the data security chain, as proven when a recent cybersecurity report revealed that approximately 95% of security breaches are caused by human error. So let’s take a look at some of the changes that tax and accounting firms are making to improve awareness among employees.

Employee training: Simple, inexpensive, impactful

In 1794, Voltaire said, “Common sense is not so common.” Today, we could update that quote to read, “Network security common sense is not so common.” That’s why it’s imperative that your staff is trained before they interact with your information systems.

It’s good practice to update your training regularly to include new and evolving data security challenges. Luckily, there’s no need to design a training program from scratch. Most information security companies have great presentations written and ready to go, or white papers that identify points to cover in employee training. You can even go to the Department of Homeland Security and IRS Awareness Campaign websites and download their cybersecurity training resources.

Since every single employee in your firm is a potential source of a security breach, everyone in the firm should go through security training, from the firm owners to the frontline employees — including the IT staff. Due to the ever-evolving nature of cybersecurity threats, experts recommend at least annual training (although more often is always good).

Awareness is key

Hackers thrive on ignorance — they want everyone to assume that life is safe and no one’s out to get them. So it’s a good idea to periodically ask your employees questions including — but not limited to — the following, to help them remain aware of potential security vulnerabilities.

    • Do you have company email or other company data on your mobile device or portable drive?
    • If so, do you have appropriate security precautions in place, such as data encryption and multi-factor authentication?
    • How many of you are aware whether all the devices in the organization have the most recent updates for operating systems and security software?
    • At work, do you lock your computer when you walk away from it, or do you leave it open and accessible to others?
    • Could your passwords’ security access questions be easily deduced from a look at your social media?

While this is only a start, it’s an important one. Use the tools and resources mentioned above to educate your staff and close the door to hackers. We can work together to take steps to improve security in our industry.

i. IBM’s Security Services 2014 Cyber Security Intelligence Index Report