Why Having a Written Cybersecurity Plan Isn’t Enough
See if this sounds familiar: While she was preparing to participate in a recent SmartVault webinar, Elizabeth Manso, CEO of progressive accounting firm Brigade, reviewed her practice’s cybersecurity measures and found something startling.
"Before this webinar, I thought…we were on top of it [cybersecurity]. In preparing for this, I found out we weren’t as organized as I thought!" So, what vulnerability did Elizabeth uncover and how did she address it? Continue reading to find out.
Operating Without a Written Plan
Finding a vulnerability does not mean Brigade, a small, 12-employee, global accounting firm with team members in Miami, the Philippines, and Serbia, has no safety measures in place. Elizabeth was one of millions of employers around the globe who took the opportunity during the pandemic to go 100% remote.
Going remote—whether you ditch the office completely or let people work from home a few times a week—greatly increases your cybersecurity risks, cautions Luke Kiely, former law enforcement officer and current CISO of SmartVault.
Elizabeth took these increased security risks seriously. "We have cyber insurance, and we do training at the firm once a year," she says when Seth Fineberg, owner of Accountants Forward and accounting profession consultant, asks her what cybersecurity measures Brigade has in place. "We also have an amazing IT company that has firewalls to protect us. I was just [concerned] before the webinar because I never saw a document and didn’t know if we had [a formal cybersecurity plan] in place."
She and her team took the opportunity to draw up a rough draft, and as they did so, they took inventory of the best practices they follow. As it turns out, they’ve been keeping up with many of the measures Kiely, a frequent participant in cybersecurity-related webinars and a staunch safety advocate, often tries to hammer home to accounting and finance professionals.
Among other things, Brigade uses LastPass, the password manager and vault app. The team uses multi-factor authentication (MFA) and has Google Authenticator on their phones. "Even though we’ve never had to use some of these safety measures and everything goes up in price every year, I still pay for it," relates Elizabeth. "We’ve come a long way from encrypting an Excel file, which is how we started!"
A Cybersecurity Plan Promotes a Security Culture
Cybersecurity experts often chide the accounting profession for not doing enough to protect itself from would-be thieves. And while yes, there are many firm leaders who are definitely leaving themselves exposed to threats, there are also a lot of accountants who are taking the right steps to protect themselves, like Elizabeth. So, why the fuss over not having anything written down?
While it’s great to have a cybersecurity plan in place, if it’s not written down and communicated to clients and staff, you’re only doing part of the work, Luke and Seth agree.
"Security sells. It sells your digital relationship, and it sells trust with your clients," Luke says. "Be proactive about letting people know you’re taking steps to keep the data at your firm secure."
"When you do something right, shout it from the rafters," Seth adds.
As for your employees, communication is key not only so team members know how to keep the sensitive data they work with safe, but also so they’re encouraged to let you know if something happens or if they make a mistake.
"In the Philippines, sometimes they work on a VPN. We instruct our team to only open things inside the server. And because we also monitor what everyone does—we have a monitoring system so we can confirm what team members are doing—we noticed one person was opening bank statements outside of the server," Elizabeth says. "We addressed it right away. He complained his internet was slow. We said, just tell us and we’ll fix whatever you need. The culture of offshoring, I realized, they don’t want to speak up sometimes because they think it’s bothersome. They don’t want us to get upset. But we encourage communication and for them to let us know [if something happens]."
The Importance of Ongoing Communication
Communication should be ongoing, and experts stress being as transparent as possible with staff. In fact, both Seth and Luke recommend making talking about your cybersecurity plan a part of the onboarding process, both when you bring on a new team member and a new customer. While it’s crucial to have a written plan in place you can refer to, "it’s not enough to just send it to people or tell them, ‘Go see this plan,’" Luke says. He recommends keeping in mind that everyone learns differently, and that cybersecurity training for employees should be offered more than once a year.
Furthermore, Luke emphasizes exercising some caution when you’re telling clients about your plan. Unfortunately, it’s not entirely out of the question for some clever hacker to pose as a potential new client and ask you things just to learn about your accounting firm’s defenses.
"Share things that are generic," he suggests. "I might withhold technical aspects, like the fact that your policy is to have employees change their passwords every 30 days. If you tell them things like, ‘We say passwords have to be X amount of characters,’ you’re really giving them [cyberthieves] ammunition. I also wouldn’t disclose your business continuity plan, which is the sequence of events you’d follow if something happened. Keep what you share basic." While employees will, of course, need to know the details of plans to do their jobs properly, for clients, it’s okay to stay vague about specifics.
And as you share information with your employees, try not to overwhelm them. "This is all a learning process," says Seth. "There are new things that do happen every day. As proactive as you want to be in cybersecurity, unfortunately, you do have to be reactive at times! This is a journey."
Continue Learning: Watch the Webinar
Building and maintaining a security culture in your practice requires effective, ongoing communication that ensures everyone understands and takes accountability for keeping data safe. But, as we just learned, simply telling people to read your plan isn’t enough. Watch this on-demand webinar to learn key tips and insights on how to communicate your program to your staff and clients alike.