Three years ago, the server at the author’s firm was hacked by a Russian scammer who got into the system by sending a phishing email that a team member clicked on. The worm in the email encrypted every Microsoft Word and Excel file in the system with a password; the firm had to pay a ransom in Bitcoin in order to decrypt the files. Worse, the files were not backed up properly (the firm thought they were backed up on a second offsite server, but this turned out not to be the case). After this attack, which costs thousands of dollars in productivity and time, the firm decided to revamp the entire security system to make sure this didn’t happen again. All documents from the server were moved onto Box.com, a cloud document storage system that automatically backs up all documents in multiple locations. In addition, the firm changed email servers to Google Apps for Business, now called G-Suite, to make sure all emails were backed up properly. It took a real attack for the firm to wake up to the severity, cost, and importance of cybersecurity. And really, the attack could have been much worse; only internal Word and Excel documents were compromised, not anything with clients’ personal data.
Cybersecurity and securely protecting client and firm documents is probably the most important issue faced by modern firms. It is also most likely the issue that most firms spend the least amount of time thinking about or preparing for. The following are important steps a firm should take to minimize its cybersecurity risk.
Get Cyber Insurance
The first rule of cybersecurity is that it is impossible to protect against everything. If a hacker wants to access data badly enough, he will probably find a way to do it. That’s why firms need to make sure they have cyber insurance to prepare for this eventuality. The premiums are not that expensive—the author’s firm’s premium is around $1,700 per year—and they cover many of the costs, including data loss coverage, extortion loss coverage, crisis management, and even the letters that must be sent to clients in case of a data breach.
Educate Staff on Cybersecurity
A system is only secure as its weakest link, and that is often older employees who do not fully understand cybersecurity and how attacks happen. The most common type of attack is via email scams, which often seem like legitimate emails from clients or friends but ask the reader to click a link or download a file to view a “document.” These are easy to spot if one knows what to look for—but most people don’t. (This is how John Podesta, Hillary Clinton’s campaign chair, was hacked.) Firms should spend time educating staff on what to look for and what to do when they receive a phishing email. It is also important to educate staff on creating strong passwords and properly logging on and off of their computers and the firm’s internal system each night.
Back Up Everything, Every Day
If all of the firm’s important documents and emails are stored on a single server, it should be backed up daily to a secure offsite location. For a longer-term solution, firms should move all documents to a HIPAA-compliant, web-based document storage solution, such as Box.com, Google for Business, or Microsoft 365. These companies spend millions of dollars making sure that the data entrusted to them is protected, backed up, and secure.
Turn on Security Alerts
It is important to know every time someone changes an e-mail or document storage password or downloads a bunch of files in bulk. Every time the author receives a security alert about these or other security-related activities, the employee in question is asked if they were really the one who did so. This is the fastest way to catch a hack.
Use a Secure Password Generator
Most people use the same password for all of their accounts. This is not secure for a multitude of reasons, the main one being that if someone accesses one account, he can then access all of them. The most secure passwords are the ones even the user doesn’t know. There are now applications that will generate and remember passwords for users; the most popular is LastPass, which only costs $12 per year. There is also an enterprise edition, which allows a system administrator to control all aspects of cybersecurity and customize the system to the firm’s unique needs and standards.
Don’t E-mail Secure Documents
If there is any personal information on a document (Social Security numbers, dates of birth, employee identification numbers), that document should not be sent via regular email. Instead, a portal or encrypted email solution should be used to send these emails. Many services offer this, including Citrix and all the major tax software vendors.
Consider Two-Factor Authentication
Two-factor authentication requires two different passwords to log into a device, often a secure token that changes every 30–60 seconds and a password known to the user. For example, when accessing an account from a new device, the system might require the user to input a security code sent via text to the user’s smartphone. Two-factor authentication is currently the most secure way to log into any application.
Firms and individual CPAs cannot afford to ignore cybersecurity. It is extremely important for the profession that documents and client data remain safe. Failure to take cybersecurity seriously inevitably results in attacks like that suffered by the author’s firm—or something even worse.