I think the main thing CPAs need to know about cybersecurity is recognizing that every single organization is at risk, and typically the risk is far greater than anyone ever imagined. So just accepting and understanding that, and getting the conversation going about cybersecurity, is really important. CPAs would never issue an audit report or a complicated tax return without some sort of review process, so I think we need to bring this oversight idea into the cybersecurity realm, just as we would have oversight in an audit or any other service a CPA provides.
I think the biggest cybersecurity threat today is ransomware, and this is a developing and growing threat. In a ransomware attack, the entity’s data is encrypted or locked up, and the bad guys demand a ransom. Typically, the entity would not pay the ransom, and the first thing it would do is go to its backup of the data. So the entity would take its backup and restore it to the point before it had the ransomware. But, unfortunately, many organizations are finding that they don’t have the backup they thought they had, and that’s becoming a problem because the backup doesn’t contain what was supposed to be backed up. Or the backup was also infected with the ransomware, and that is surprising people on a regular basis.
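The two backup failures described above, a backup that is missing what it was supposed to contain and a backup that was encrypted along with the live data, are both detectable before an incident if a hash manifest is recorded when the backup is taken and a test restore is checked against it. The script below is an added example and is not part of the original interview; the file names, file contents, manifest and the 7.5 bits-per-byte entropy threshold are all constructed or assumed for the demonstration.

```python
"""Verify a restored backup against a manifest recorded at backup time.

Added example, not from the original interview. All file contents below are
constructed for the demo. In practice the manifest is built from the live data
when the backup is taken, stored somewhere the production network cannot
overwrite, and checked against a *test restore* on a schedule, not only after
an incident.
"""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass, field

# Bits per byte above which a file looks encrypted (or compressed). 8.0 is the
# maximum; plain text and CSV sit well below this. The value is a heuristic
# chosen for this example, not a standard; already-compressed formats (zip,
# xlsx, most PDFs) will exceed it legitimately and need a different check.
ENTROPY_THRESHOLD = 7.5


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Path -> SHA-256 of the file as it was when the backup was taken."""
    return {path: sha256_hex(data) for path, data in files.items()}


@dataclass
class VerificationReport:
    ok: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)    # in manifest, absent from backup
    corrupted: list[str] = field(default_factory=list)  # hash mismatch, low entropy
    encrypted: list[str] = field(default_factory=list)  # hash mismatch, high entropy

    def restorable(self) -> bool:
        return not (self.missing or self.corrupted or self.encrypted)


def verify_backup(manifest: dict[str, str], backup: dict[str, bytes],
                  threshold: float = ENTROPY_THRESHOLD) -> VerificationReport:
    """Compare a restored file set to the manifest. The hash mismatch is the
    primary signal; entropy only separates 'changed or truncated' from
    'likely overwritten with ciphertext'."""
    report = VerificationReport()
    for path, expected in manifest.items():
        data = backup.get(path)
        if data is None:
            report.missing.append(path)
        elif sha256_hex(data) == expected:
            report.ok.append(path)
        elif shannon_entropy(data) >= threshold:
            report.encrypted.append(path)
        else:
            report.corrupted.append(path)
    return report


# --- Constructed sample data (not real client files) -----------------------
LEDGER = b"date,account,amount\n" + b"".join(
    f"2024-01-{d:02d},1000,{d * 12.5:.2f}\n".encode() for d in range(1, 29))
NOTES = b"Client call 2024-02-03: discussed estimated payments.\n" * 20
PAYROLL = b"employee,period,gross\nA. Smith,2024-01,4200.00\n" * 50
TAX_RETURN = b"placeholder for a scanned return, constructed for the demo\n" * 30

SOURCE_FILES = {
    "ledger.csv": LEDGER,
    "clients/notes.txt": NOTES,
    "payroll.csv": PAYROLL,
    "tax/2023_return.pdf": TAX_RETURN,
}
MANIFEST = build_manifest(SOURCE_FILES)  # taken before the incident

# Stand-in for ransomware output: deterministic pseudo-random bytes.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

BACKUP_FILES = {
    "ledger.csv": LEDGER,               # intact
    "clients/notes.txt": NOTES[:100],   # present but truncated: wrong content
    "payroll.csv": CIPHERTEXT,          # backup ran after the files were encrypted
    # "tax/2023_return.pdf" was never included in the backup job
}


def demo() -> VerificationReport:
    return verify_backup(MANIFEST, BACKUP_FILES)


if __name__ == "__main__":
    r = demo()
    for label in ("ok", "missing", "corrupted", "encrypted"):
        print(f"{label:10s} {getattr(r, label)}")
    print("restorable:", r.restorable())
```

Running it reports one intact file, one missing file, one truncated file and one file whose replacement content looks like ciphertext, and flags the backup as not restorable; that is the answer an organization wants before it needs the backup, not after.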
I think there are things CPAs can do that are not too difficult to put in place and that would greatly enhance their security. The first of those is just education and awareness: making sure CPAs are aware of what the threats are, that they’ve heard the term ransomware, and that they understand the threat involved with it. Education at all levels of an organization, from the person at the top to the person at the bottom, and stakeholders, vendors, customers, whoever, need to have some education, and that will go a long way toward recognizing the problem. So that’s the first thing I would recommend.
And then the second thing I would recommend, which I think CPAs can be very instrumental in, is actually coming up with, documenting and getting an inventory of what they have. It’s surprising how many organizations don’t have a complete inventory of their systems and data. An organization should know “I have 23 laptops” so that all 23 of them are protected. It’s not good enough to say “I have 20.” We’ve got to get very specific in knowing just what we have and what needs protecting, and similarly we have to know where the data is. CPAs are used to doing inventory, so we just need to inventory our data and our assets and get that in place. I think that’s an area for easy growth and enhancement of security. And the third thing I’d say is that CPAs just need to stop sending confidential information in unsecured email. This happens far too often, and it’s just not that expensive or complicated to implement a portal where information can be exchanged in a secure manner.