Guide To Cybersecurity

How Accountants Can Protect Against Growing Cyber Threats

Published: July 21, 2023

Cyberattacks aimed at stealing data and holding systems hostage are increasing across all industries, and accounting firms and individual practitioners are not immune. Recent surveys indicate many accountants lack basic cybersecurity protections, putting highly sensitive client information at risk and threatening the viability of their practices. 

On a recent Tax Rep Network Podcast, host Eric Green interviewed cybersecurity expert and SmartVault CISO Luke Kiely about steps accountants should take to guard against cyber threats. Below is a summary of the conversation. Listen to the full podcast episode here. 

Even Small Firms are Lucrative Targets 

Hackers want your data, and they’ll go after it regardless of your firm’s size. Tax returns contain a wealth of personal financial information that hackers find valuable – not to mention the countless other documents you have for each client.  

“If you’re an accountant…we all have tons of information that hackers would love to have. You have a candy store of stuff, from ID numbers to banking information to credit card numbers,” said Eric on the podcast. This data can allow identity theft and direct access to client funds. 

While large accounting firms invest heavily in defenses, many small practitioners built their firms around a single laptop that contains all client data. They frequently have inadequate backups, kept on a second device in the same location, or they still rely on physical paper. Any of these can leave a firm unable to recover its data after a single incident.

“If you can no longer access your data…you can no longer deliver service,” Luke warned. “The business stops, and you start losing money.”  

Eric shared a story about a client who lost everything when an apartment in her building caught fire. The suppression system kicked on, and “if you’ve never been in that,” Eric started, “it’s not like a little bit of water spray. It basically destroys everything.” Their entire filing cabinet was flooded, turning their documents into “paper mache.” Of course, this happened right before they got an audit notice.  

Ransomware: To Pay or Not Pay? 

Ransomware is a growing threat: an attacker encrypts a victim's data and demands payment for the decryption key. Eric shared a story about an accountant who fell victim to an attack: “They demanded $10,000. She did not have any cybersecurity [defenses], and she did not have [her data] backed up,” Eric said. “And so, she paid them, and luckily for her, they actually released her data.” 

While she got her data back, experts still caution against paying ransoms. Luke noted, “The decision to pay a ransom or not has to be a business decision.” The FBI advises against payment to avoid incentivizing cybercriminals. But accountants with no backups may see no alternative if their practices are at stake. Some new laws require disclosure if ransoms are paid, adding further considerations. 

The key? Having reliable backups makes ransomware recovery possible without paying the ransom. 

Reputational Damage from Cyber Incidents 

A cyber incident can be catastrophic for an accounting firm’s reputation, even if the data is not actually compromised. Clients will see the firm as a risk and quickly move their business elsewhere, which is why experts like Luke strongly encourage accountants to be proactive about security rather than wait for disaster to strike. “Your reputation will simply tank,” Luke warned. Robust data protection and cybersecurity practices are the only way to mitigate this reputation risk. 

Follow Cybersecurity Best Practices 

All accountants should adhere to cybersecurity best practices like: 

  • Comprehensive backups. Backups should be geographically distributed, not just on another device in the office (what if your office burns down?). Secure cloud services like SmartVault provide the best protection with automatic data backups. 
  • Firewalls, antivirus, endpoint detection. Use security layers to prevent and detect threats. 
  • Multi-factor authentication. Require more than just a password to access systems. 
  • Strong, unique passwords for all services. Password reuse and weak passwords enable breaches. 
  • Email security and staff training. Phishing attacks are a top threat vector. 
  • Incident response plan. Know who to call if you have a potential breach. 
  • Compliance guidance. Follow guidance like the IRS WISP (Written Information Security Plan).

Make Security Practical  

When asked for final advice to wrap up the podcast, Luke said: “Make security practical. It is not insurmountable. It’s relevant to everyone, whether you realize it or not…Yes, it can be complex, but it’s not complicated. Just look at what technology can do to make your life easier at the end of the day.” 

Over 3 million people use SmartVault’s cloud-based document management system to securely store, collect, manage, and collaborate on documents online. Let us manage document security for you too. Schedule a demo today to get started.