Are you interested in learning how to improve cybersecurity within your firm? Are you looking for secure ways to send sensitive information via email to your clients? Cybersecurity for accounting doesn’t have to be complicated, which is why here at Gusto we’re committed to helping you and your firm—with some help from our friends at CPA Academy.
CPA Academy is a phenomenal resource where you can attend free live webinars and take self-education courses while earning CPE credits along the way. We’re proud to partner with them and support their mission of making CPA education available to everyone.
Gusto partnered with CPA Academy to present a webinar hosted by Daniel Moshe, and you can listen to the entire webinar here. In this presentation, Daniel shares 10 steps to guard your accounting firm against cybersecurity threats.
Daniel Moshe is the founder and CEO of Tech Guru and an EOS Professional Implementer. He helps leadership teams leverage practical tools that enhance all business operations and teams. Daniel’s expertise lies in technology advising and budgeting, managed IT services and cloud technology, systems administration, and project management, among many other things. Daniel is also a well-known speaker, podcaster, host, and teacher known as “the Caring Entrepreneur.”
We covered the 10 Steps in our previous article. This article will take you through the questions and answers section from that webinar with Daniel.
To recap, here are the 10 steps to guard your accounting firm against cyber threats:
- Enable two-factor authentication on everything with confidential information.
- Implement ongoing cybersecurity awareness training for your staff.
- Get rid of Windows 7, Server 2008, Exchange 2010, and all other outdated operating systems and software.
- Secure all mobile devices.
- Create an incident response plan. Answer the question, “What are we going to do in the event that we think that there might be some data that could have been breached or a computer that might’ve been hacked?”
- Start using a new-hire/termination checklist, which includes changing passwords and disabling accounts when someone leaves.
- Get business continuity planning, which includes backup and disaster recovery.
- Start sending and receiving data securely.
- Use a password management tool to generate and manage complex passwords.
- Assign a staff member the role of cybersecurity officer in your organization to own security.
We can’t claim that implementing these steps makes you 100% safe against attacks, but they certainly go a long way to improve your security and make you less of a target in the ongoing journey of cybersecurity.
Now let’s jump in and review Daniel’s answers to the five biggest questions asked in the webinar.
“Is sharing files in Dropbox secure?”
The short answer is “yes.” If you need to share a large folder with somebody, Dropbox is a secure, safe way to do that. It’s a simple process too—invite your coworker or client via Dropbox, send them a link, and they can log in to Dropbox to access it. If, however, you share a document by sending a link that is wide open (meaning the recipient doesn’t have to log in), that’s fine for ordinary files, but don’t share private or confidential information that way. The safest approach is to make sure the recipient has to log in to Dropbox to use their unique link.
“That goes for … Microsoft OneDrive and any of the cloud file-sharing platforms. [People receiving documents] have to log into something to get access to what you’re sending them and prove they are who they say they are—that’s the test to know that it’s secure.”– Daniel Moshe
“How do we know that One-Time-Secret is going to be secure?”
In the event that you must send somebody a password, never think, “I’m going to paste it into a text.” In fact, it’s not a great idea to “paste” secure information into anything. As an example—how many people’s texts show up on their screen even when it’s locked? Without having to unlock the phone, anyone has the ability to read potentially sensitive information. We recommend immediately turning that off—don’t let the messages show on your lock screen. You can get notified if you have a new message on your lock screen, but it shouldn’t show the content of the message.
We suggest using One-Time-Secret as a way to send sensitive information like a password on a one-time basis. The beauty of this process is that you’re sending a secret link that only works once within a certain time period and then disappears forever. It doesn’t require any authentication, but the chance that a time-limited link, sent to somebody who is waiting to receive it, is intercepted and used before they open it is incredibly low.
“The other thing too [is that] it’s just a link with a piece of data that’s out of context. It’s hard [for bad actors] to know what to do with it. It’s almost what we call ‘security through obscurity,’ which is ‘Hey, we’re sending you a random piece of information in a link, [and] it expires in 30 minutes, and it’s encrypted.’ It’s the best way we have right now, maybe not absolutely perfect, but it’s the best way to send information to people.”– Daniel Moshe
“Is it necessary to back up your Google Drive?”
While the question is specific to Google, the answer applies to the other cloud file-sharing options in common use, such as Google Drive, OneDrive, and Dropbox. Whether you should back these up boils down to how risk-averse you are. Google, Microsoft, and Dropbox have drastically improved their backup methodologies, but they are still susceptible to problems and outages.
“Google Drive, Dropbox, and OneDrive [enable] you to sync a copy of a whole folder or one drive to your computer, which is a backup. In the event that there’s some kind of outage or somehow data is lost, at least you’ve got a full, complete set on your own hard drive.”– Daniel Moshe
It’s also important to encrypt your hard drive, so turn that feature on in your computer’s settings. That way the synced copy on your computer stays protected from cyber criminals if the machine is lost or stolen, and your account remains secure.
“What’s the best way to make sure your cybersecurity training is effective with your staff?”
Step two in our previous article was all about how to train employees on cybersecurity. The most effective way to check whether that training is working is to use a third-party provider, such as WebRoot. What’s really effective about using them is that they send fake phishing emails to simulate a real “attack”—if staff click on the troublesome links in the email, WebRoot gives you a detailed report showing which individuals need additional training.
We recommend running these WebRoot simulations multiple times, at random intervals, to ensure that all staff are ready.
“That’s why I love this type of cybersecurity awareness. It’s really really inexpensive, and you can always try a [free] trial if you have less than 50 people.”– Daniel Moshe
“How secure is Apple iCloud?”
If you have an Apple device, chances are it is backed up to iCloud, and that works really well. That said, iCloud backup is not turned on automatically—you will need to set it up yourself or ask your IT support to assist you.
“I can’t speak to how secure iCloud and Apple’s technology is, but I can say they have a lot at stake. If Apple users’ devices are hacked or if their data is stolen, you know that would be very bad for business. I would expect—just like other large Fortune 500 companies—you can expect your data [to be] relatively safe.”– Daniel Moshe
Want to learn more about cybersecurity?
The “threat” landscape is always changing, and this is why Gusto has a partner program for CPA firms that partners with over 4,500 firms nationwide. Gusto is committed to helping all our partners stay up-to-date with cybersecurity as we provide a platform that helps our clients process tens of billions of dollars in payroll, provide their employee benefits, and create incredible workplaces.
If you haven’t watched the full webinar yet, we highly recommend watching it here to learn about the 10 steps you can start implementing today to help guard your accounting firm against cybersecurity attacks. Cybersecurity doesn’t have to be overwhelming, and the full webinar does a great job of helping accounting firms start setting up systems today. The clearly defined steps will give you more peace of mind and make your company a harder target.
You can also access additional free resources on CPA Academy’s website and sign up for live webinars and courses on all things accounting. By attending these webinars, you are also eligible to receive one CPE credit per webinar, and it only takes 24 hours for that credit to be issued.
If you’re interested in partnering with Gusto, we’d love to let you know more about our programs and what we provide. We are truly living in unprecedented times, and it’s vital that accountants are armed with the best knowledge to advise their clients while also making a living themselves. Here at Gusto, we want to help you do just that. Click here to learn more about becoming a Gusto partner!