Remote Work Creating More Hacker and Malware Opportunities

by Randy R. Werner | Nov 09, 2020

As a result of the COVID-19 pandemic, remote work has opened new access points and vulnerabilities for hackers to exploit. CPA firms are already prime targets for identity thieves, and these new vulnerabilities exacerbate the profession’s cyber-related challenges. Now, more than ever, data security is an urgent concern for the accounting profession.

Clever hackers have devised many ways to exploit accounting firms trying to meet tax filing deadlines on time. This is especially true for firms that have outdated software, vulnerable email systems, and inattentive employees. As the sophistication of hackers and other cyber criminals increases, so do the types of threats and the number and scope of data breaches.

CPA firms are not alone in facing a surge in ransomware attacks on businesses and institutions, ranging from small and medium-sized entities to large organizations. For example, Michigan State University and the University of California at San Francisco have both been victimized, according to media reports. MSU opted not to pay the ransom demanded, a decision that culminated in personal information and financial documents being published online. UCSF opted to pay a $1.14 million ransom demand in June to recover malware-encrypted data. A June cyberattack also brought Honda car manufacturing to a halt around the world.

Cyber experts have been scrambling to provide security for businesses employing thousands of employees now working from home. With employees connecting from a variety of locations and devices, suspicious activity is difficult to monitor, creating more opportunities for hackers to launch attacks. Ransom amounts demanded by hackers have also been increasing.

Take Action Now

It is critical that firms be extra diligent to follow established security measures and safeguards. Remind all employees of the importance of strict adherence to security protocols and established safeguards.

Although not meant to be all-inclusive, the following basic best practice measures are extremely important and should be prioritized:

  • Ensure all software has the latest security options/patches. This will help protect against malware, viruses, and hacker attacks.
  • Frequently back up all important data and information and verify your backups. Regular backups reduce the likelihood that critical data is permanently lost in the event of a cyberattack. The backups should be protected in a remote or external location, outside of your network, where they are safe from ransomware or other hacks that seek to encrypt all available files including backup copies. Periodically verify that your data backup process is working properly to assure that your data will be recoverable if an incident or disaster occurs.
  • Change and strengthen passwords frequently. Systems are only as secure as the passwords used to access them. Experts recommend the use of 16+ characters to help prevent a brute force attack and also recommend limiting the number of login attempts.
  • Use multi-factor authentication. This adds an extra level of security to help prevent an account hack, especially when employees work remotely.
  • Slow down to avoid being yet another “phishing scam” victim. Take the time necessary to validate suspicious or unexpected email. And do not click a link, pop-up or attachment without first hovering your cursor over the link to display the URL to assess its legitimacy. If there is an urgent call to action, rather than clicking on a link, consider a different way to validate the request such as speaking with the sender to get verbal confirmation that the communication is legitimate, or visiting the purported sender’s URL.
  • Maintain strong work-from-home cyber hygiene. Reinforce with employees the cyber protocols to be followed when working remotely (e.g., machine use restrictions, WiFi passwords, VPN, firewalls, etc.).
  • Remind all employees of the importance of powering down computers when not in use. Computers are not accessible to attacks or intrusions when powered off.
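The hover check in the phishing bullet above compares a link’s visible text with its real destination. The following added example (not from the original article) automates that comparison over an HTML email body, flagging anchors whose displayed text names one domain while the href points somewhere else; the sample message and its example.net/example.com hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last-two-labels approximation; production code would consult the public suffix list.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def suspicious_links(html):
    """Return links whose visible text names one domain but whose href lands on another."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        actual = urlparse(href).hostname or ""
        # Only compare when the visible text itself looks like a URL or bare domain.
        m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if m and actual and registrable_domain(m.group(1)) != registrable_domain(actual):
            flagged.append({"text": text, "href": href, "actual_host": actual})
    return flagged

# Constructed sample body: one lookalike link, one honest link, one non-URL anchor text.
SAMPLE_EMAIL = (
    '<p>Your e-file PIN expires today. Sign in at '
    '<a href="http://irs-gov-secure.example.net/login">https://www.irs.gov/secure-login</a>'
    ' or read <a href="https://www.irs.gov/pub/irs-pdf/p4557.pdf">www.irs.gov</a>. '
    '<a href="https://mail.example.com/unsubscribe">Click here</a> to opt out.</p>'
)

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL):
        print(f"mismatch: text shows {hit['text']!r} but href goes to {hit['actual_host']}")
```

Running it on the sample flags only the first link; the "Click here" anchor is not compared because its text does not claim any domain, which is exactly the case where hovering is the only way to see the target.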

Next Steps — Review and Update the Firm’s Information (Data) Security Plan

The IRS requires tax return preparers to comply with the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), which establishes minimum requirements for protecting sensitive client data. One such requirement is to have in place a written Information (Data) Security Plan (ISP), and to periodically review the effectiveness of the program and reassess the risk factors as well as any material changes to the firm’s operations.

Periodically assessing the appropriateness of your security measures and safeguards, given any changes to your firm’s operations and any changes to potential internal and external security risks, is a critical step in ensuring your firm’s overall cyber preparedness. Set aside some time yearly to review your firm’s safeguards and make the changes necessary to ensure that you have the right measures in place to protect your clients’ information.

Special attention should be given to ensure that your firm continues to prioritize appropriate firm-wide cybersecurity awareness training. Your scheduled training may have been interrupted due to the pandemic, or the training may require updating to address perceived pandemic-related threats to your existing protocols and infrastructure.

In addition, review and enhance, if necessary, your firm’s incident response plan (IRP). There is no substitute for taking appropriate cybersecurity precautions, but it is also important to plan for the worst (a breach) and have in place a comprehensive IRP so that the firm can reduce the effects and control the costs of the breach.

Note that a firm’s efforts to comply with the GLBA Safeguards Rule are an organization-specific initiative. Therefore, CAMICO recommends that each firm work with its IT/data security specialists and legal counsel, as appropriate, to modify and tailor the firm’s incident response plan to ensure compliance with GLBA’s Safeguards Rule and other applicable laws.

Additional Resources

Refer to the IRS website for detailed guidance here. You can also refer to the IRS Publication 4557, Safeguarding Taxpayer Data and IRS Publication 5293, Protect Your Clients; Protect Yourself, as well as the section on The Security Summit for additional guidance. This information provides details for critical security measures for all tax professionals.

Randy R. Werner, J.D., LL.M./Tax, CPA, is a Loss Prevention Executive with CAMICO (www.camico.com). She responds to CAMICO loss prevention hotline inquiries and speaks to CPA groups on various topics. Werner has Big Four public accounting experience in federal and state tax as well as regional accounting firm experience. She practiced as a sole practitioner in estate planning beginning in 1984.

Join Randy at the Fraud Virtual Conference on December 10, where she will discuss cybersecurity best practices for CPA firms. Learn more about the conference here.
