In the past, many CPAs assumed that cyber breaches were limited to large corporations and retail establishments. However, it has become all too apparent that CPA practices and other small businesses are just as vulnerable as large multinational organizations. Moreover, the sensitive and private nature of the financial data and client records many CPAs are responsible for can make them an even more rewarding target for cyber criminals.
It’s vital to protect yourself and your company with best practices to avoid a cyber breach. While these five tips can help minimize threats, CPAs should always keep it top-of-mind that they are prime targets for attacks. You must continuously be vigilant in training staff and investing in the proper safeguards. The best practices below, listed in no particular order, are just the start of a number of protections and procedures you should have in place.
1. Be vigilant in reviewing e-mails requesting fund transfers.
To avoid acting on fraudulent requests, have a process in place that requires a second means of verification (outside of e-mail) for any e-mail request involving a fund transfer. In addition, be suspicious and examine e-mails closely, looking for red flags such as misspelled words and other inconsistencies that may indicate a fraudulent e-mail.
2. Be stringent about password rules and security.
The following best practices can help:
- Passwords should be changed every 90 days.
- Accounts should be disabled after three incorrect password attempts.
- Newly issued passwords should expire after their first use, and the user should establish a new password going forward.
- Passwords should contain at least ten characters.
- Passwords should include a mix of lowercase and uppercase letters, numbers, and non-alphabetic characters.
- Don’t use simple patterns in passwords.
- Don’t use common names or terms in passwords.
- Don’t use more than two consecutive characters from the user’s full name in a password.
- Try using passphrases instead of passwords. A passphrase is a series of words and is longer than a password, which adds security.
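As an added example (not from the article), the composition rules above expressed as a checker that a practice could run against candidate passwords. The definition of a "simple pattern" and the small list of common terms are assumptions for illustration.

```python
import re
from typing import List

# Constructed, deliberately short blocklist; a real deployment would load a much larger list.
COMMON_TERMS = {"password", "welcome", "letmein", "qwerty", "admin", "accountant", "taxes"}

MIN_LENGTH = 10      # "at least ten characters"
NAME_RUN_LIMIT = 2   # "no more than two consecutive characters from the user's full name"


def _has_simple_pattern(pw: str) -> bool:
    """Assumed definition of 'simple pattern': a character repeated three or more times
    in a row, or an ascending/descending run of four consecutive letters or digits."""
    if re.search(r"(.)\1\1", pw):
        return True
    low = pw.lower()
    for i in range(len(low) - 3):
        codes = [ord(c) for c in low[i:i + 4]]
        steps = {codes[k + 1] - codes[k] for k in range(3)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _shares_name_run(pw: str, full_name: str, limit: int = NAME_RUN_LIMIT) -> bool:
    """True if any run of more than `limit` consecutive name characters appears in the password."""
    name = re.sub(r"[^a-z]", "", full_name.lower())
    low, n = pw.lower(), limit + 1
    return any(name[i:i + n] in low for i in range(len(name) - n + 1))


def check_password(password: str, full_name: str) -> List[str]:
    """Return the policy rules the candidate password violates (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "non-alphabetic characters" is read here as symbols, i.e. neither letters nor digits
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if not all(classes):
        problems.append("needs lowercase, uppercase, digits and non-alphanumeric characters")
    if _has_simple_pattern(password):
        problems.append("contains a simple pattern (repeats or sequential run)")
    if any(term in password.lower() for term in COMMON_TERMS):
        problems.append("contains a common term")
    if _shares_name_run(password, full_name):
        problems.append(f"contains more than {NAME_RUN_LIMIT} consecutive characters of the user's name")
    return problems
```

A passphrase such as `Correct-Horse-Battery-7` passes every rule, while `Password1234!` fails on both the sequential run and the common term.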
3. Limit the removal of sensitive files from the office.
Sensitive files should not be stored on portable storage media such as USB sticks, smart phones, or tablets. If a portable device with sensitive data must be removed, the data must be encrypted. There should also be an incident notification process in place if files or devices are lost or stolen.
4. Properly dispose of obsolete computers, faxes, scanners, and hard drives.
Many cyber-breach-related insurance claims originate from the improper disposal of obsolete devices. Strict data wiping must occur whenever devices and equipment are reused, recycled, disposed of, or no longer required.
5. Never ignore or conceal the loss of personal records or sensitive data.
While state breach notification requirements vary, CPAs need to be aware of all the breach laws in the locations where their clients operate or reside. In many cases, legal counsel may need to be retained to sort out the notification requirements. In addition to clients, other affected parties may need to be notified, including law enforcement agencies and insurance carriers.