The AICPA released two sets of criteria for public comment this week (Sept 2016) regarding cyber security. Both focus on different elements, but the common theme is the AICPA trying to develop a common framework for audit firms to evaluate the cyber security of their clients (risks and compliance). While this will prove to be very helpful, it got us thinking at Fluid: Do CPA firms themselves have a framework for their own security? Are CPA firms adequately protected from data breaches of their client’s financial information? Are accounting firms prepared to react to and recover from a malicious threat that may cause data loss or temporarily impact the productivity of the team?
Data security is a pressing issue for CPA firms given the rising level of attacks and the sensitive financial data accountants work with. A few data points –
- Over ½ a billion personal records were stolen in 2015
- Phishing campaigns targeting employees rose 55% in 2015
- Ransomware increased by 35% in 2015 (362K reported cases)
- 1 in 220 emails sent contain malware (431M new malware variants found)
While developing your own cyber security framework may seem daunting given the rapidly shifting threats, the task at hand can be greatly simplified if you break it down into the components parts (and work with professionals). At Fluid, we support our clients in 4 primary areas that each firm must address to have a comprehensive security plan.
1) Compliance Management:
Does your firm understand all levels of compliance required given the data your firm interacts with? This can range from data retention compliance standards to data-center configuration standards. Often great compliance management starts with proper documentation, but rely on staff training and monthly monitoring to ensure/validate compliance.
2) Perimeter Management:
Think of your IT perimeter like the physical perimeter of a secure building. Are all entries and exits secured and guarded? Firewalls, cloud services, and email are major vulnerability points that should be managed and monitored for security purposes. BYOD and the proliferation of mobile devices has extended this perimeter, but these additional problem have solutions if they are approached systematically.
3) Vulnerability Monitoring and Threat Response:
You may know your weaknesses today, but that will change tomorrow; you need to monitor for attacks and have an active response if any attacks are detected. Much of this can be automated, but some expert oversight can make sure you don’t have any unintended gaps.
4) Cloud Backup and Disaster Recovery:
Even the best-run IT Departments may run into an occasional problem, ranging from accidental data loss to a malicious breach. We’ve found from our experience with clients that having a robust, offsite backup in a secure cloud environment can minimize the impact of most problems and greatly improve recovery times.
Whether you know it or not, your firm has ongoing IT activities in each of these 4 areas, which require ongoing focus and continual improvement – security is never ‘one and done’.
If you want to review your security practices, give us a call. We can help.