Many respondents to The CPA Journal’s 2022 Practice Management and Tax Practice Survey (see p. 28 of this issue) reported that they have adopted new practice management tools to increase the efficiency of remote or virtual office operations. The helpful technology tools that facilitate remote work activities can also open the door further to cybersecurity risks, such as phishing and malware attacks, thus requiring new security resources to protect both client and firm data. Most survey participants who worked remotely indicated that they had added cybersecurity resources and considered themselves sufficiently protected for the present. Two-thirds of respondents, however, had greater concerns about cybersecurity attacks on CPA firms and personnel than in prior years, and the percentage reporting problems due to phishing or malware e-mails increased substantially from previous years. Similarly, clients notifying tax professionals of phishing or malware e-mails also noticeably increased.

More than one-third of the 2022 survey participants reported that the integration of practice management, office workflow, or client data management software with their tax and other software was important to their accounting practice. Two accounting software and application providers with whom many readers may already be familiar—Right Networks and OfficeTools—have some excellent cybersecurity information and best practice suggestions publicly available on their websites. This month’s column looks at a selection of these resources.

Right Networks

Right Networks (https://www.rightnetworks.com/) provides accounting and tax application cloud hosting for QuickBooks, Lacerte, Intuit ProSeries, and Drake Software, as well as other information technology services. Right Networks’ “Resource Library” (https://www.rightnetworks.com/resources/) offers articles, e-books, checklists, videos, and webinars on a variety of accounting, tax, technology, and practice management topics. Many of the Resource Library materials require an initial free sign-up to access. The archived webinars generally run approximately one hour and are recorded from live CPE sessions. The e-books are typically eight-page PDF documents.

A good place to start in the Resource Library is the “CPA Cyber Security 101: Your Role in Protecting Your Firm” archived webinar (https://bit.ly/3jgt9JF), which covers current security headlines and threats, phishing e-mails, what to do if you suspect a breach, 22 cybersecurity tips, and security resources. Another introductory webcast is “Cybersecurity Checklist Essentials for Accounting Firms” (https://bit.ly/3VoYAit), which summarizes recommended firm infrastructure to minimize risk, IRS requirements for information security, and suggested security resources for employee education. An excellent companion for these videos is the “CPA Cybersecurity Checklist” (https://bit.ly/3HJj9CU), which highlights critical security checkpoints for firms and explains how to ensure data security and deal with security threats.

In addition to good governance and legal requirements to maintain data security, tax practitioners must also follow the IRS “Security Six,” summarized in IRS Tax Tip 2019-117 (August 27, 2019) as: anti-virus software, firewalls, two-factor authentication, back-up software or services, drive encryption, and virtual private network. Additional IRS resources are listed in the Sidebar, IRS Security Six. Right Networks’ Resource Library includes “Straight Talk on Security Six: Securing Your Firm and Your Clients’ Tax Data,” an on-demand webinar (https://bit.ly/3YwPpiD) that presents a panel discussion of a practicing CPA and an IRS executive addressing the most concerning cybersecurity threats facing tax practitioners, how to identify common areas of risk, how to meet IRS guidelines for data security and protection, and how to reduce a firm’s cybersecurity risks. A related e-book is “Security for Accounting Firms: How to Comply with the IRS ‘Security Six’ and Keep Client Data Safe” (https://bit.ly/3v2HhZv), which provides details on the IRS Security Six, summarizes IRS requirements for CPA firm compliance, and makes several suggestions beyond the IRS minimum.

Right Networks also offers the Right Networks Blog (https://www.rightnetworks.com/blog/), which can be sorted by the same topics as the Resource Library. The blog articles are presented in webpage format and do not require a free sign-up. They also include hyperlinks to original source material or related items on the Right Networks website.

“Key Cybersecurity Takeaways from Right Networks Security Leaders” (https://bit.ly/3G3aav7) provides insights into the cybercrime “industry” and the “vendors” that offer cybercrime services and tech support. Right Networks staff believe that phishing e-mails are one of the biggest sources of cyberattacks faced by CPAs. Two-factor authentication, as required by the IRS, is a necessary but not sufficient protection against incursions, especially because users grow tired of the procedure and cut corners. Nothing can replace regular employee training to defeat cybersecurity challenges.

“Meet IRS Cybersecurity Requirements with a Data Security Plan” (https://bit.ly/3BLKEYP) lists the IRS Security Six, describes the cybersecurity requirements to obtain a Preparer Tax Identification Number (PTIN), and suggests ways to develop a qualifying data security plan. Also, “5 Cybersecurity Predictions for Accounting Firms” (https://bit.ly/3WrJSIm) presents scenarios for 2023 that are the most likely to affect accounting firms. These include cybercriminals using “deep fakes,” such as sophisticated voice and face replications, as well as the increasingly destructive capabilities of ransomware. There is also an expectation of increased government regulation, vendors that offer an integrated menu of security services, and third parties that require cybersecurity assurance before engaging in transactions.

IRS Security Six

IRS Tax Tip 2019-117

https://www.irs.gov/newsroom/tax-pros-follow-the-security-six-steps-to-help-protect-taxpayer-data

Tax Security 2.0: The Taxes-Security-Together Checklist

https://www.irs.gov/tax-professionals/tax-security-2-point-0-the-taxes-security-together-checklist

E-file Security, Privacy and Business Standards Mandate

https://www.irs.gov/e-file-providers/irs-e-file-security-privacy-and-business-standards-mandated-as-of-january-1-2010

Publication 4557: Safeguarding Taxpayer Data

https://www.irs.gov/pub/irs-pdf/p4557.pdf

Publication 5293: Data Security Resource Guide for Tax Professionals

https://www.irs.gov/pub/irs-pdf/p5293.pdf

Publication 5709: How to Create a Written Information Security Plan for Data Safety

https://www.irs.gov/pub/irs-pdf/p5709.pdf

OfficeTools

OfficeTools (https://www.officetools.com/) is a practice management software provider for accounting and tax firms. Its products include all-in-one client, project, task, document, time, and billing management, in on-premise or in-the-cloud formats. OfficeTools’ “Resource Library” (https://www.officetools.com/library/) presents infographics, booklets, white papers, videos, and webinars. The infographic “8 Accounting Cybersecurity Best Practices” (https://bit.ly/3PFsuxj) summarizes cybersecurity considerations for accounting technology, including e-mail, servers, cloud solutions, and employees. Examples of best practices include scheduling multiple back-ups, assigning different permissions to different users, and mandating employee security training.

Perhaps as an incentive to follow OfficeTools’ best practices, “9 Cybersecurity Risks CPA Firms Need to Address ASAP” (https://bit.ly/3G6eDxe) outlines some obvious and less obvious risks that accounting practices face. Among the more well-publicized concerns are remote work vulnerabilities, client data risks, financial risk, and ransomware attacks. The less expected issues are human error and negligence, the “hacker-next-door,” and reputational loss.

OfficeTools’ Accounting Blog (https://www.officetools.com/blog/) offers several posts on cybersecurity, such as “Addressing Accounting Cybersecurity Challenges in 2022,” which summarizes the importance of being proactive, why cybersecurity is a top priority for accountants, and recommended best practices (https://bit.ly/3BNZWfD). “Updating Your CPA Firm’s Data Security Plan for 2022” (https://bit.ly/3BO0dzb) is a must-read that covers the nine data security risks and the eight best practices (mentioned above) in more detail, with hyperlinks to underlying source data or external websites.

“IRS Ramps Up Efforts Against Identity Theft in Accounting and Tax Preparation” (https://bit.ly/3WvhTre) lists common methods of tax identity theft, such as phishing scams and stolen mail. “Know Your Data Privacy Acronyms: GLBA and CPRA” (https://bit.ly/3hxlsOR) is a useful summary of the Gramm-Leach-Bliley Act (GLBA) and the California Privacy Rights Act (CPRA). The post includes a link to a practical “Accounting Firm Technology Checklist” (https://bit.ly/3WdfiCs), which includes questions such as whether a firm’s client and financial data is secure.

Susan B. Anders, PhD, CPA/CGMA, is the Louis J. and Ramona Rodriguez Distinguished Professor of Accounting at Midwestern State University, Wichita Falls, Tex. She is a member of The CPA Journal Editorial Advisory Board.