Grow Your Firm

10 Steps to Guard Your Accounting Firm Against Cybersecurity Threats

Gusto Editors  
Employee scanning a bar code with their phone

Could your accounting firm be in danger from cybersecurity threats? How do you prevent cybersecurity attacks? What are the benefits of cybersecurity to your accounting firm and even clients? These aren’t always easy questions to answer, but we’re here to help.

Cybersecurity doesn’t have to be complex, and today, we will take you through some simple steps you can start doing today to secure your firm. 

Gusto partnered with CPA Academy, where Daniel Moshe presented a webinar on cybersecurity—you can listen to the entire webinar here—in which he shares 10 steps to guard your accounting firm against cybersecurity.

Daniel Moshe is the founder and CEO of Tech Guru and an EOS Professional Implementor. He helps leadership teams leverage practical tools that enhance all business operations. Daniel’s expertise lies in technology advising and budgeting, managed IT services and cloud tech, systems administration and technology, and projects management, among many other things. Daniel is also a well-known speaker, podcaster, host, and teacher known as “the Caring Entrepreneur.”

Before we get started, we have a couple of important disclaimers to share: 

  • The content is by no means a comprehensive list of things you need to do to protect your firm. There are other things, but the ten steps we’re sharing are the best that fit into a 55-minute webinar.
  • It’s also important to know that applying these steps doesn’t guarantee you won’t get hacked. We can say they help prevent attacks and make you a less interesting target to criminals. These steps help make your firm a tougher target to get to. 
  • Lastly, please check with any regulatory bodies, insurance providers, and any technology professionals in your business for their final say on if one of these methodologies are right for you.

With that, let’s get started!

Step 1: enable two-factor authentication

You may be wondering, “What is authentication?” It’s what happens when you log into your account or app with sensitive information, either for the first time in a while or at some system-defined interval, and you get a notification to verify who you are on a separate device to prove you have that device with you. 

There are various types of two-factor authentication, examples are the “approve” button on your app for Office 365 or Google, or having a code texted to you—either one minimizes the  amount of hassle for the added security. Setting up two-factor authentication takes as little as two to three minutes, but it means that if set monthly, you will be prompted 12 times a year for this approval code to prove you are who you are. 

“If a bad actor tries to access that account from another part of the world, Microsoft, Google, or any of these providers [will] prompt you for that code. That person is not going to have that code, so even though they may happen to have your password, they don’t have that code [and] they’re not getting in—your account is safe, and you stop them at the first attempt. Once they get into your email account, anything goes at that point.”

Daniel Moshe

Bad actors are known to monitor email activity and imitate the victim using the victim’s clients to wire money somewhere else. Changing passwords all the time is no longer a best practice—it doesn’t work well, which is why we recommend finding an account that doesn’t already have two-factor authentication already enabled and turning it on. 

Gusto already offers two-factor authentication—and we make sure all our clients turn it on. 

Step 2: cybersecurity awareness training 

Most cybersecurity incidents happen due to human error, hence the need for cybersecurity awareness training—it’s inexpensive and easy to start, only requiring minimal work on your part. 

We recommend a product by WebRoot that sends simulated phishing attacks to your employees and analyzes who clicks on it for you. Additional training is then given specifically to vulnerable staff to understand the types of phishing attacks that could crop up in the future. Repeating this on a regular basis when none of the staff see it coming is recommended. 

“You repeat and provide training on the latest threats. It’s a monthly subscription [with a] free 30-day trial [for up to 50 staffers]. It works, and we use it for all of our clients [because] it provides experiential learning by getting pinged once in a while with a simulated phishing attack and provides [staff] the opportunity to learn more about [what will] help them be safe.”

Daniel Moshe

We suggest mastering this practice internally before you start encouraging your clients to do this too, but it can become part of your education with your clients as part of your service to introduce the benefits of cybersecurity.

Step 3: replace Windows 7 and Server 2008

Microsoft continues to innovate and upgrade its products. Unfortunately, that means there comes a time when older products are no longer supported. Microsoft can’t forever provide support and updates for all of their legacy operating systems and software. What that means is, as new security holes are discovered in Windows 7 or Server 2008, they are no longer being patched and plugged. That makes any company using it a sitting duck and any information on that computer extremely vulnerable. It should be replaced, or at least the operating system upgraded to the latest version of Windows as soon as possible.

“Just look around your office, take a look in your office. ‘Hey, is that Windows 7 over there? What are we doing on that computer?’ … Recycle it, donate it, or get it out of the office—make sure nobody’s using any Windows 7 computers. If you’ve got a server sitting in a closet somewhere running Server 2008, seize the moment [to] replace that server. There’s great new software out there that is going to be way more secure from the bottom up.”

Daniel Moshe

Don’t forget about your wireless router, switch, or any other networking device sitting quietly blinking away in a network closet somewhere or under your desk. Every device has software on it, so keep in mind those devices need to be updated too. 

Ensure either yourself or your IT professional logs into those devices frequently to update the software and ensure the devices are protected with strong passwords and not the passwords that came out from the factory

Our advice is if those network devices are three-plus years old, you can replace them with better technology available today that’ll keep you protected by keeping your devices and data safe.

Right side view of a womans face and her holding her phone to login securely

Step 4: secure your devices

Step four is incredibly important, especially given how much we love our devices. 

We recommend every portable device follows these steps: 

  • Enable device location tracking. This is usually not turned on by default, whether it’s Find My iPhone, which is built into Apple devices, or Find my Droid in Androids. You can log in from another computer and do three important things: Track your phone and know its exact location, remote wipe your device if stolen, and make your device play a sound if lost. 
  • Track the serial number. If you lose your phone, it’s serial number is the first thing your carrier is going to ask for. Write down or at least take a picture of your serial number from a different device because carriers do not have that information.
  • Enable screen lockout and timeout. If your phone’s sitting on a subway seat or table, after a minute or two, you want that screen to shut off and lock, requiring the passcode, face ID, pattern, or fingerprint to unlock it again. 
  • Back up your data.
  • Affix an asset label. This is the last effort to hopefully get that device back if lost. Stick a label on the back with a phone number to contact if found. 
  • Utilize mobile device management. If you have Office 365 or Google Apps, you already have this functionality available to you. 
  • Use a mobile device policy. An IT professional can deploy everything that I’ve just mentioned in a policy for any device that has your company’s accounts activated. 

“Securing your mobile devices is not just [for] smartphones, but tablets, laptops—anything that you’re carrying around with you. This is a great checklist to make sure every device is safe on the go and on the road.”

Daniel Moshe

Step 5: make an incident response plan

Seventy-percent of us have experienced some type of attempted cyber attack. Even if you haven’t yet, it’s not a matter of “if” but “when,” so having a simple incident response plan that is a one-page document with bullet points is a must. Think ahead to the type of things that we’ve talked about thus far, and think through what you want your team to do if something like this happens.

“I’ll tell you what you probably don’t want them to do—start communicating to clients that something happened. That could set off a chain reaction that could be really bad. Keep it simple [with] contacts [listed for] who to call. This is critical: Even if you suspect something might be ‘funny,’ [make sure you know] who to talk to and when to start the incident response plan, because words like ‘data breach’ can really alarm people and cause a negative chain reaction.”

Daniel Moshe

There are templates online, but the bottom line is to think about how you’d want this type of incident to be dealt with and get it in writing. The key is to have everybody trained on it and reminded on a regular basis. 

Step 6: new hire and termination checklist

One of the best things you can do to protect yourself and your client’s data is use a detailed new-hire and termination checklist, and it’s the perfect opportunity to educate new employees on data security tips. 

The new-hire checklist sets everything up for the termination checklist by making sure that you undo or remove access to that employee. The checklist follows the employee’s journey through the company, moving through not only access that was granted from the beginning but throughout the course of the team member’s time working with you and your clients.

“Key things to track [are] devices that have been deployed that need to be returned or accounts that have been installed on people’s individual devices that need to be removed. Any kind of access to data or apps that are licensed may need to be removed. … A mobile device policy, particularly when you have a bring-your-own-device program at your organization, spells out the expectations of these individuals for using their devices to access your company’s data.”

Daniel Moshe

Allowing access to your data after the last date of employment is an unforced error that can be avoided. Make a checklist on one page that’s simple to follow, and start using it to maintain your firm’s security when hiring or losing employees. 

Torso side view of woman sitting with lap top on her knees

Step 7: business continuity planning

Business continuity planning is another type of planning to help protect your business. It involves backing up your data offsite with a system called versioning, and it’s a simple way to preserve data that is time stamped. This allows you to restore your data if your systems crash or are hacked with ease. This backup is completely separate from any of the existing systems you have. 

“People sometimes don’t think about having a backup internet connection. The more that you move your practice to the cloud, the more you are dependent on internet connectivity. That backup internet connection means simply adding another type of connection to your office, or it means, ‘Hey, we’re all on laptops, we can all work from a different location.’ Either of those is a perfectly viable solution.”

Daniel Moshe

Having a more virtual firm with your apps in the cloud gives you more flexibility and less reliance on one physical location for power or internet connection because you can work from anywhere. 

Step 8: send and receive information securely 

There are great tools out there to do this, from client portals to file-sharing tools that require some kind of authentication and encryption. When dealing with your clients, think about how to send them documents safely and provide an easy, safe way for them to send back the completed documents. 

You need to ask, “How can I make it easy and painless to share secure, confidential information with my clients?” 

“I’m sure you already have a great platform you’re using today transmitting information securely to your clients, but I’m asking you to educate your clients, and take it to the next level to help them do the same with you.”

Daniel Moshe

We recommend ShareFile to safely transfer sensitive documents between your firm and your clients. 

Step 9: use a password management tool

The future is shifting towards generating random complex passwords for all of the sites and services you use—followed by using a password management tool like LastPass to save those passwords and share with colleagues if need be. Currently, too many people use the same password on multiple websites, compromising their data.. 

“Here’s what I’ve started doing instead. Anytime I need to generate a new password or log into a site I’ve used a previous password for, I use LastPass to generate a 15-character crazy random password, and save it in LastPass.”

Daniel Moshe

LastPass allows you to share information at log-in with your assistant, and all you do is enter LastPass, click “Share” to grant access to that login, and that information is beamed securely to them so they have access to that website as needed.

LastPass has a unique encryption methodology where not even LastPass can see your password. This secure methodology means sharing and storing other confidential data like credit card information is far better than texting or emailing a picture of a card to somebody else. (Please don’t ever do that!)

Step 10: define and staff cybersecurity officer

Have somebody in your organization own cybersecurity. It sounds like overkill, but somebody in every organization should own cybersecurity. A good idea is to appoint somebody already managing the cybersecurity training tool to become a cybersecurity officer. They can own the process of staying up to date, attending webinars like this, and updating the protocols and training staff on the never-ending journey of cybersecurity.

“The other piece about cybersecurity is that, no matter what you do, you can never be 100% secure—it’s impossible. We advise our clients to coordinate with their insurance providers to insure the rest—there’s great cyber liability insurance out there.”

Daniel Moshe

Cybersecurity officers should be the ones asking questions like, “How are we going to secure this data?” when someone suggests a new app to store client data. The cybersecurity officer can run through a quick checklist:

  • How are we going to secure that? 
  • How do we make sure we’re providing a degree of diligence and security to ensure the information is safe?
  • Coordinating with technology providers and asking questions like, “When is Server 2008 getting replaced?” 
  • Remaining current on software

Learn More About Cybersecurity

Small Accounting firms and solo CPAs can begin to protect themselves from potential future threats by implementing these steps today. We’re confident that, if you do these 10 things, you’ll sleep better at night. Educate everyone in your firm about cybersecurity best practices, have protocols for how to teach your staff, and stay up to date with the latest threats. 

Here at Gusto, we’re proud to bring you what you need to protect your firm. Be sure to check out our upcoming article, “Cybersecurity for Accountants Q&A,” which answers more questions about staying protected. 

We invite you to join our partnership program and take advantage of our simple, streamlined people platform. Put more focus on growing your business by letting Gusto handle processes such as payroll, HR, and onboarding. As a Gusto partner, you’ll also get tools to help you expand your accounting practice and offer your clients new insights. In addition, you’ll get a free payroll subscription for your own accounting firm. Sign up today! 

Gusto Editors
Gusto Editors
Back to top