Transitioning Your CPA Firm to the New Normal: Virtual Work Environments are Here to Stay
by Amanda Wilkie, Consultant
How we work has fundamentally changed across all industries. The barriers that once kept businesses from transitioning to remote work are quickly being removed, and many companies expect to adopt these changes permanently. CPA firms need to adapt to this changing landscape, and many solution providers are stepping up to help.
Cetrom is one of those vendors, and I recently had an opportunity to host a webinar with Christopher Stark, President and CEO, and Sherrill Hebert, National Sales Director at Cetrom. During the hour-long session, we discussed the key steps firms need to take to transition successfully, prepare for future events, and protect client data. Here are a few of the best takeaways from our chat.
Small to medium firms face emerging cybersecurity threats
Since the start of the pandemic, there has been an overwhelming increase in spyware, malware and the like. Many of these cyberattacks are being aimed at small- to medium-sized accounting firms. Hackers know these firms host a lot of sensitive client data but lack the sophisticated defense infrastructure of larger firms.
A few of the emerging threats Stark suggested firms pay particular attention to are:
Spear-phishing campaigns. A spear-phishing campaign is an email targeted at specific individuals or departments within an organization that appears to be from a trusted source. The sender tries to trick the recipient into clicking a link or opening an attachment. Currently, many of these attacks reference government stimulus checks or COVID-19 guidance, or impersonate the company’s HR team.
Malware distributed via email. Many of the most widespread computer viruses have proliferated via email attachments and embedded links. The recipient double-clicks an attachment and downloads malicious software. Again, many of these attacks are being disguised as COVID information, even posing as WHO or CDC representatives.
Vishing and robocall scams. Vishing is a phone scam designed to get you to share personal information, such as financial details, account numbers, and passwords. The scammer might claim to represent your bank, law enforcement, or a solution provider and say your account has been compromised.
Voicemail notifications. With so many people working from a virtual office, staff members may receive voicemail messages via email. When the recipient clicks on the attachment, it may open to show a spoofed form asking for a password. That password is then stolen and used for nefarious purposes. In other cases, clicking on the voicemail will download malware to the recipient’s computer.
These are just a few of the threats that firms and their remote teams are dealing with right now. For this reason, it’s more important than ever for firms to understand their risks and vulnerabilities and take steps to protect the firm and its clients.
Check your cybersecurity insurance coverage
Many firms have cyber liability insurance, but firm leaders might not be aware of what their policies do and don’t cover. It’s crucial to understand the difference between first-party and third-party cyber liability insurance and how each handles claims.
First-party cyber liability insurance helps the organization respond to data breaches on its own network or systems. It covers things like notifying clients that their personal information was exposed, purchasing credit monitoring services for affected clients, investigating the source of a data breach, launching a PR campaign to help restore the firm’s reputation after a data breach, reimbursing the firm for business interruption and lost revenue while handling the breach, and paying a ransom to the person holding the firm’s data hostage.
Third-party cyber liability insurance helps pay for lawsuits stemming from data breaches on a client’s network or systems. Some examples of events that might prompt such a lawsuit include recommending an insecure service to a client or failing to patch a server vulnerability that allowed hackers to access your client’s confidential information. If a client sued you over such an incident, third-party insurance would help cover your attorney fees, court costs and damages.
Don’t assume you know what type of coverage you have. Talk to your insurance agent and have your attorney review your policy before such an event happens.
If you’re online, you’re vulnerable
Even the best technology and training can’t protect your firm from every potential threat. The best we can do is reduce our exposure to cyberattacks by implementing a three-pronged approach:
Back up your data
Secure your systems
Educate your staff and clients
If your crucial systems aren’t already on the cloud, it’s time to get them there. Small- to medium-sized firms simply can’t offer the same security as cloud vendors that invest heavily in security because that’s their core business.
Finally, every firm needs a strong disaster recovery plan in place. Without one, you’re planning to fail. Make sure your disaster recovery plan isn’t stored on your network. Otherwise, it may not be available when you need it. Document your plan and store a list of clients and vendors offline.
I really appreciated the valuable insights the Cetrom team shared, and I know our attendees on the webinar did as well. If you’re interested in connecting with other firm and IT leaders as well as top solution providers in the accounting profession, the Boomer Technology Circles are an excellent resource. Apply now, and we’ll schedule a time to talk with you about the Circles and whether you’re a good fit for this powerful peer network.
Amanda Wilkie, Consultant at Boomer Consulting, Inc., has a computer science background, but she’s not your average geek. With two decades of technology experience, Amanda has spent 13 years driving change and process improvement through innovative technology solutions working across firms of varying sizes in the public accounting profession. She has held strategic leadership positions in firms ranging from Top 50 to Top 10 including her most recent role as CIO of a Top 30 firm. Amanda is a recognized expert in the profession who regularly speaks and writes on blockchain and cryptocurrency and their impact on the profession.