CPA firms are becoming increasingly popular targets for cybercriminals.

Since these firms have the sensitive (and valuable) information of several companies or entities accessible via a single database and often lack sophisticated IT security measures, CPA offices become one-stop shops for digital thieves.

Last year, there were 1,473 confirmed data breaches, resulting in the exposure of nearly 165 million sensitive records. To avoid becoming another statistic, you need to be well-versed in the possible consequences of a cybersecurity incident and know how to decrease your risk.

The cost of a cyberattack
The effects of a cybersecurity incident can be far-reaching and expensive. According to the 2019 Cost of a Data Breach Report, the average cost of a data breach is $3.92 million. To put the potential impact in perspective, below is a list of all direct, indirect and opportunity costs your firm can incur in the event of a data breach.

• Detection costs: The costs associated with the discovery and subsequent investigation of the incident, including the time, resources, and personnel needed to diagnose the issue as well as execute a response plan.
• Containment costs: The expenses related to the activities that allow the firm to minimize the impact of the breach, such as the cost of applying temporary fixes until a permanent solution can be found.
• Recovery costs: The costs associated with the incident itself as well as restoring business operations to their baseline, including legal expenditures and regulatory fines.
• Productivity loss: The value of lost time from employees who are unable to perform their job while the breach is being resolved, such as any overtime required to compensate for the lost work.
• Third-party costs: The expenditures related to the use of contractors, consultants and other specialists the firm must bring on to assist with resolution of the issue.
• Business disruption: The total cost of the breach, including lost revenue, lost productivity, the cost of recovery, damage to the company’s reputation, missed deadlines, and customer churn.

Fortunately, there are steps you can take to decrease your firm’s likelihood of experiencing a cyberattack.

3 ways to enhance your cybersecurity
To get started reducing your security risk, do the following.

Draft an acceptable use policy
An acceptable use policy (AUP) explicitly outlines the rules employees must follow regarding use of the firm’s software, computers, and network. An AUP clearly states how employees should and shouldn’t use technology provided by their employer as well as any personal mobile devices they use for work.

Implementing an AUP is essential primarily because every one of your employees has the ability to either intentionally or accidentally compromise the security of your firm. IT management software provider Ipswitch found that nearly ¾ of security breaches are due to employee actions (either deliberate or inadvertent).

A comprehensive yet easy-to-read AUP can substantially decrease your firm’s risk of cyberattacks and data breaches. It’s an effective tool for educating employees on how to identify possible cybersecurity threats.

• Related resource: Sample security policy for CPA firms

Adopt cloud-based technology
Many CPA firms that prefer hosted or on-premise software solutions to cloud-based platforms cite security as the main reason they refuse to move their data to the cloud. The truth is that cloud-based solutions are considerably more secure than hosted or on-premise software.

If you have an on-site IT specialist or even an entire IT team, they may do periodic network vulnerability checks, but they also have dozens of other responsibilities. Cloud solutions providers have employees dedicated exclusively to ensuring their IT infrastructure is as strong and secure as possible.

Further, you can be confident the platform always has the latest patches and the provider has addressed known vulnerabilities because updates to cloud solutions are deployed automatically. In addition, cloud-based solutions tend to be less expensive and easier to maintain than hosted or on-premise options.

Develop an incident response plan
Ideally, your firm will never experience a data breach or cyberattack. Realistically, however, you should be prepared for the day when it happens by developing an incident response plan.

What your firm does immediately following discovery of the issue will determine just how extensive (and expensive) the damage will be. An effective incident response plan includes the following steps:

• Appoint an incident response planning team.
• Determine the type / extent of the incident.
• Complete initial reporting.
• Escalate the incident, as appropriate.
• Notify affected individuals and companies.
• Investigate and collect evidence.
• Mitigate further risks.
• Implement recovery measures.

Your incident response plan, along with all other security policies and procedures, should be regularly evaluated and updated as needed.

Since existing threats are continuously evolving and new threats are appearing almost daily, your firm must take a proactive approach to maintaining strong cybersecurity protections. Don’t let your practice become a cautionary tale for other firms. Stay up to date and take steps today to keep your office safe.

Callie Hinman is the Content Strategist for CPACharge, a provider of online payment technology for CPAs. She is a proud graduate of the University of Texas and is staunchly committed to following Ann Handley’s Rule of FIWTSBS (“Find Interesting Ways to Say Boring Stuff”).