It should come as no surprise that, as large aggregators of sensitive client data, CPA firms are primary targets for cyber criminals. While breaches and ransomware events at large firms and businesses make for enticing headlines, small and midsized firms should not get a false sense of "security by obscurity."
Cybersecurity researcher Alex Holden demonstrated in 2018 that Russian hacker collectives were specifically targeting small CPA firms and sole practitioners due to the outsized amount of personally identifiable information in their possession. Even if a firm is not specifically being targeted, it may fall victim to a breach or ransomware event because of what is perhaps the most common reason for a breach: human error.
Remote work is another factor that poses many issues. Even before the coronavirus pandemic, remote work was becoming ever more popular. As mobile and cloud technologies enabled workers to telecommute, firms often saw an increase in productivity and worker satisfaction. In addition, those same firms were able to widen the search for qualified staff throughout the U.S. and other countries to fill crucial vacancies.
Remote Work Making Security More Difficult

Yet, with the good comes the bad. Employees working remotely are not directly being overseen by managers as in the past. Unlike any other time in history, one remote worker can cripple or bankrupt the entire firm by clicking on the wrong link, downloading an infected attachment, or sending files over an unsecured public network. When employees do return to the office, they are increasingly using personal devices to connect to the firm's network. This makes security that much harder, as implementing and enforcing mandatory cybersecurity measures on personal devices ranges from difficult to impossible. Thus, ensuring that staff are security conscious is more important than ever.
Regardless of the method used to infiltrate a business, phishing attacks, malware email attacks, and employee error will continue to be leading factors of breaches for years to come. As David Cumberland, CPA/CGMA, manager at Kerkering, Barbario & Co., said, "Each email we get, we've got to be thinking about that security training and looking at who is this from, does this make sense — just going through all those different steps they talked about in the security training to vet an email."
Regulatory and Legal Requirements

Finally, it has not escaped regulators that employee training is key to minimizing the odds of a data breach. At the federal level, CPA firms fall under the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). While the list of requirements is lengthy, the Federal Trade Commission (FTC) emphasizes mandatory employee training. The FTC states that all firms should be "Regularly reminding all employees of your company's policy — and the legal requirement — to keep customer information secure and confidential."
Notably, the FTC measures the "reasonableness" of businesses' security efforts by comparing them to the National Institute of Standards and Technology's Cyber Security Framework (NIST CSF). The NIST CSF section pertaining to employee training states that firms should "Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner."
The FTC has gone after large businesses, small businesses, and individuals for non-compliance. As the nation's primary cybersecurity and privacy enforcement agency, the FTC enforces compliance via a notoriously expensive process that notably bankrupted one company. Typically, companies will sign consent decrees that require 20 years of security measures, including regular — and expensive — security audits, security awareness training, and pages of other measures. Companies ignoring reasonable security measures do so at their own risk.
State Requirements

Notably, the GLBA Safeguards Rule is just one of several that require a firm to implement employee training. Many states reference "reasonable" cybersecurity requirements that include regular employee training, such as those found in the California Consumer Privacy Act and the New York SHIELD Act. Firms are generally required to comply with the law that attaches to the client's residency status, not necessarily the law where the business resides.
Take for example a firm in California that prepares the tax returns of an Oregon resident. The firm must comply with Oregon's law, which states that "[a] covered entity and a vendor shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including safeguards that protect the personal information when the covered entity or vendor disposes of the personal information." Later in the statute, Oregon law advises that a covered entity will be deemed to be in compliance if it "implements an information security program that includes: ... Training and managing employees in security program practices and procedures."
The requirements mentioned above are just a few examples of the litany of privacy and cybersecurity rules facing today’s CPA firm. As such, firms are encouraged to seek additional guidance on which laws may apply to their unique circumstances.
Training Program Benefits

To combat the threats from human error, hackers, and regulators, every firm should consider implementing a formal cybersecurity awareness training program. These programs are well known to provide the following additional benefits:
- You'll lay the groundwork for more competent, capable staff. With effective security awareness training, your team can feel confident using technology appropriately. They'll know what to do and what not to do to better protect the firm from constant threats.
- With formalized and ongoing training, cybersecurity will become a priority for your staff as they see it is a priority for firm partners and managers.
- You can save significant amounts of time and money. Responding to a breach is far more costly in both time and money than avoiding the breach outright.
- You can minimize the odds of having to notify clients of a breach of their personal information. The percentage of clients leaving a firm following a breach is on the rise. In these difficult economic times, it is easier and more cost effective to retain existing clients than to search for new ones.
To address these risks and promote a cyber-safe culture at its member CPA firms, CAMICO has teamed up with HailBytes, an industry leader in providing cybersecurity awareness training to CPA firms and businesses throughout the country. As a CAMICO policyholder, you are eligible for a 50% discount on monthly cybersecurity awareness training for your staff by using the discount code CAMICO.
HailBytes began in 2018, when founder David McHale recognized a persistent pattern while consulting for companies that found themselves repeatedly decimated by security problems. Since human error is the single greatest contributor to cyber incidents, McHale developed infrastructure and training tools to help turn users into champions for security to help protect small and medium-sized entities from the most common and damaging cyber-attacks.
In addition, policyholders can visit https://hailbytes.com/CAMICO for a free phishing security test to discover what percentage of staff members are clicking on potentially malicious links that could lead to breaches. For questions regarding the cybersecurity training options available to your firm, please contact David McHale with HailBytes directly at David@hailbytes.com, or call 833.892.3596.
McHale’s brief cybersecurity video tips are also available for viewing on his Twitter page at https://twitter.com/hashtag/60SecondCyberSecurity and on LinkedIn at: https://www.linkedin.com/feed/hashtag/60secondcybersecurity/
Joseph E. Brunsman is an author, speaker, and insurance broker with Chesapeake Professional Liability Brokers, Inc. A graduate of the United States Naval Academy with a degree in Systems Engineering (Robotics), he worked as an IT professional specializing in database management and network security. In 2019 he completed his Master of Science in Cybersecurity Law (MSL) at the Carey School of Law. As a Naval Officer, he held multiple positions on various warships, ranging from Electronic Warfare to Combat Information Center Officer. Joe uses his technical background to specialize in solving complex cyber security and insurance problems for businesses across the country. He is the co-author of three books: True Course: The Definitive Guide for CPA Practice Insurance, Open Before Crisis: Cyber Insurance for CPA Firms, and Damage Control: Cyber Insurance and Compliance. He can be emailed at: firstname.lastname@example.org.