“Did you ever grow anything in the garden of your mind?” It’s been many decades since the beloved Mr. Rogers posed that question, and many decades since we each left childhood behind. We got older, we went to college, and a few of us — perhaps you? — found growth in one particular idea: we were going to be accountants. We’d start our own firm, don our finest pair of Wellington boots, and wade deep, deep, deep into the numbers (row by row).

You built this great business of yours out of the garden of your own mind. Why would you leave it unprotected, freely accessible to all the metaphorical rabbits and chipmunks who’d love nothing more than to scamper off with all your client data? The answer is… you wouldn’t.

Cybersecurity in accounting is not a theoretical requirement. Though it’s easily explainable through metaphors that approach nursery rhymes, protecting the sensitive data you manage for your clients is serious business. An absolute, unequivocal necessity. The sheer volume of Personally Identifiable Information (PII) accountants have access to makes you a very popular target of cyber attacks.

Here are just some of the types of PII that your firm is likely to have in its possession for a given client.

Full Names
Date of Birth
Place of Birth
Social Security Number
Residential Addresses
Employer Information
Email Addresses
Home Numbers
Mobile Phone Numbers
Mother’s Maiden Name
Financial Records
Credit Card Numbers
Bank Accounts

The list is enough to make anyone nervous, but a security breach at your firm won’t just cost your clients big time: it could cost you your practice.

Whether the consequences are direct or indirect, the amount of damage that can be done with the data lost in the wake of a breach is, to put it simply, staggering. Not only do you risk the good ol’ mainstays of identity theft, fraudulent tax returns, and credit card fraud, but if your clients are larger corporations, a breach on your end could snowball straight through their walls. We’ve talked about social engineering before. Armed with even a small amount of data, a hacker can easily lie their way into accessing the data of millions. It’s happened before!

A compliance-breaching attack leaves you open to an entire domino effect of problems. If an investigation finds you were non-compliant with the Gramm-Leach-Bliley Act, you could face penalties of up to $100,000 per violation, and officers may face fines of up to $10,000 for each violation. On top of the penalties in the offing, accounting firms can expect to be held accountable for damages and litigation costs as lawsuits start pouring in. Think it couldn’t get any worse? Even if you do manage to weather the storm, you’re all but certain to face rising insurance premiums on top of everything else.

Your entire livelihood and reputation depend on the trust of your clients, and something as damaging as a breach could take you years to recover from. Think you’re too small to be a target? Don’t. Half of all data breaches happen to small businesses. A Ridgefield, CT accounting firm with fewer than ten employees found this out the hard way after the data of 900 residents was stolen in 2013. Pretty soon the U.S. Secret Service, the Internal Revenue Service, and the IRS’s Criminal Investigation unit were all involved. The hacker, according to Secret Service agents, wasn’t related to the company in any way — not as a current or former employee, or as a current or former client.

Though we couldn’t say exactly how this outside attack was perpetrated against Lyons & Lyons, we do have a sneaking suspicion: 91% of cyber attacks begin with an email. (That is, a phishing attempt.) Recognizing these types of emails, or even ones that contain a malware payload, has almost become a full-time job. The scary thing is that too many accounting firms see themselves as “small potatoes” to consider it as such. Just think about how easy it would be to send a fake email posing as a potential client. What are the odds you would click on it? What are the odds you would view the supposed “tax documents” they’ve attached?

Understanding the threats you face, and how they might present themselves, is only one half of the battle faced by accounting firms today. The other half is developing a company policy for cybersecurity, keeping it up to date, and *sticking with it*. Why the italics? Because 65% of companies that have an existing password policy do not enforce it.

“And that’s when Abel said — you’ll never believe this — he said his password was QWERTY. I swear, I’m going to kill him.”

One of the biggest things an accounting firm can do to keep its clients’ sensitive data safe is to move its business to the cloud. While cloud computing will not erase your overall cybersecurity risk in its entirety, it will reduce it — but in doing so, password policy and network security become critically important. As luck would have it, assisting companies with the development and strategic rollout of all things policy and practical is something we’re pretty great at.

Contact JNT TEK today to find out how you can boost your accounting firm’s cybersecurity and keep your client data safe.