the 7 categories of cybersecurity solutions firms need

how important are wisp and employee awareness? just ask the irs or the ftc. 

by donny shimamoto, cpa, citp, cgma
on cybersecurity for accountants
center for accounting transformation

historically, finding cybersecurity solutions “right-sized” for the small and mid-sized business space was difficult. most of the technologies were expensive and difficult to implement, and their price points weren’t reasonable for organizations with under 25 people. it’s only been within the last five years that we’ve seen solutions mature and evolve enough to be delivered via the cloud at a price point that makes sense for smaller organizations.


to check if your policy addresses all of the requirements, take our cybersecurity compliance self-assessment for tax practitioners at: improvetheworld.net/cyberselfassessfortaxbook

as the covid-19 pandemic and the adoption of remote work increased cybersecurity threats, the cybersecurity industry stepped up and made solutions much more affordable and easier to implement. these solutions still require some technical knowledge to install, but there is much less maintenance, and they now make economic sense even for sole practitioners.

there are seven categories of solutions that most small firms will need:

  1. written information security policies
  2. employee awareness
  3. email protection
  4. workstation protection
  5. server & network protection
  6. data backup & business continuity plan
  7. cybersecurity risk advice

each of these helps to address a segment of tax practitioners’ compliance requirements. i’ll explain two of them below in non-techie language, and we’ll look at the others in future articles.

written information security policies

both the irs and ftc require that there be written information security policies that demonstrate a tax practitioner’s understanding of their compliance requirements as well as identify the controls they are putting in place to address the expectation from irs publication 4557 and the ftc’s safeguards rule.

while there are a number of these templates floating around the internet, many don’t address the specific needs of tax practitioners. policies prepared by managed service providers and other it professionals without the proper cybersecurity risk management background often don’t address all of the irs and ftc requirements.

employee awareness

you’ll often hear cybersecurity experts say that the weakest link in cybersecurity is people. to mitigate this risk, you must take proactive action to keep everyone’s cybersecurity threat awareness high and also to ensure that you and your staff know how to recognize attempted attacks. one way to accomplish this is by sharing relevant examples of cybersecurity attacks and providing training on how to recognize and report cybersecurity incidents to management.

the best practices in this area include initial information security policy training upon onboarding a new staff member, plus an annual refresher training on cybersecurity policies and incident reporting. to keep cybersecurity at top of mind, i also recommend at least monthly awareness activities like mini-trainings, newsletters that share examples of cyber breaches and attacks, and phishing testing.

phishing testing uses software that sends staff emails structured like real phishing attacks. you configure the emails to look legitimate but include the telltale signs of phishing, like minor misspellings and suspicious urls. if someone clicks on the link in the email or opens an attachment without scanning it, the phishing testing software detects it and reports it back to a central console, so you know who poses a potential risk and can have them take additional training. in fact, some phishing software will actually do remedial training for the person right after they fall for the attack: it tells them that they failed the phishing test and then shows them how they could have detected that it was a phishing attack.
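The "telltale signs" mentioned above (lookalike domains, display text that does not match the real link target, non-https links) can be checked mechanically. The following is an added example, not code from the article or from any phishing-testing product; the trusted domain list, the sample email and the lookalike threshold are constructed assumptions for illustration.

```python
"""Flag the telltale signs of phishing in the links of an email body.

Added example. TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed; the
"registrable domain" helper is a deliberate approximation (last two labels)
rather than a full public-suffix lookup.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the firm legitimately exchanges email and links with.
TRUSTED_DOMAINS = {"example-cpa.com", "irs.gov", "microsoft.com"}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; a domain 1-2 edits from a trusted one is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return a list of warnings for one link; an empty list means nothing suspicious."""
    warnings = []
    url = urlparse(href)
    host = url.hostname or ""
    dom = registrable_domain(host)
    if url.scheme != "https":
        warnings.append("not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("raw ip address")
    if dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(dom, trusted) <= 2:
                warnings.append(f"lookalike of {trusted}")
                break
        else:
            warnings.append("untrusted domain")
    # Visible text that shows one URL while the href goes somewhere else.
    shown = re.search(r"https?://([\w.-]+)", text)
    if shown and registrable_domain(shown.group(1)) != dom:
        warnings.append("display text domain differs from href")
    return warnings


def scan_email(html):
    """Map every link in the HTML body to its warnings."""
    parser = _LinkParser()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample: one lookalike login link, one mismatched notice link,
# one legitimate portal link.
SAMPLE_EMAIL = """
<p>Your e-file was rejected. <a href="http://examp1e-cpa.com/login">Sign in</a>
to fix it, or read the notice at
<a href="https://irs.gov.notice-center.net/cp2000">https://www.irs.gov/notices</a>.
Portal: <a href="https://example-cpa.com/portal">https://example-cpa.com/portal</a></p>
"""

if __name__ == "__main__":
    for link, problems in scan_email(SAMPLE_EMAIL).items():
        print(link, "->", problems or "ok")
```

Run as-is it reports the first two links and passes the third. The same logic is what a mail gateway or an awareness tool applies at scale; for staff training it is more useful as a checklist of what to look at than as a tool.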

really proactive firms will even do weekly awareness and phishing testing during tax season. you may be thinking: “that’s our busiest time of year! why would they do that? we don’t have time for that!” the reason is exactly that…you’re busy trying to push through and not paying attention to these potential threats. so, tax season is when it is even more important to keep awareness high. plus, imagine if you had a malware attack during busy season. you’d have to stop all your return preparation work to deal with a data breach or ransomware attack. wouldn’t that be worse than just having to check one additional email each week?

it’s important to ensure that you and your staff stay vigilant to cybersecurity threats, and employee awareness solutions help to automate information distribution, monitor who is completing training, and test that people are actually applying what they learned.

email protection

email is the most common malware attack vector we see today. these are often called phishing attacks, but they’ve also gotten more complex, and there is a slew of derivative attacks like spear-phishing, vishing, and other “–ishing” attacks that we are hearing about. these attacks normally try to get someone to click on a link or open an attachment containing malware.

email protection solutions help mitigate these attacks by scanning incoming emails for known malicious senders, links, and malware. some solutions replace the original links with surrogate links. when you click on a surrogate link, you are taken back to the email protection solution, which then opens the link for you and checks if it is a known malware site or if it starts to act suspiciously (e.g., invokes the download of malware or opening of another browser window to a suspicious site). some of them take the surrogate approach with attachments, too.

email protection solutions help prevent malicious emails and attachments from getting to your inbox, or use the surrogate method to help protect you in real time. they are often the first line of defense in cybersecurity protection. the good news is that these are now often very affordable, compared to ten years ago when we’d only really see these used by big companies. i recommend that all tax practitioners have email protection in place. it is one of the most effective ways to prevent malware attacks, and the price-for-value proposition should be a no-brainer.
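To make the surrogate-link approach concrete, here is an added example of how a gateway can rewrite links at delivery time and resolve them at click time. It is not code from the article or any email protection vendor: the gateway address, the signing key, the blocklist and the sample message are constructed, and a real product would also open the destination in a sandbox rather than only consult a blocklist.

```python
"""Surrogate links: rewrite URLs at delivery, verify and check them at click time.

Added example. GATEWAY, SECRET, BLOCKLIST and the sample body are constructed.
The signature stops anyone from forging a surrogate that points the gateway
at an arbitrary destination.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

GATEWAY = "https://links.example-gateway.invalid/click"  # constructed
SECRET = b"constructed-per-tenant-key"                   # constructed
BLOCKLIST = {"malware-host.invalid"}                      # constructed threat intel


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(token: str) -> str:
    return hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()


def make_surrogate(url: str) -> str:
    """Encode the original URL in the surrogate and sign it."""
    token = _b64(url.encode())
    return f"{GATEWAY}?u={token}&s={_sign(token)}"


def rewrite_links(body: str) -> str:
    """Delivery side: replace every http(s) URL in a plain-text body."""
    return re.sub(r"https?://[^\s<>\"']+", lambda m: make_surrogate(m.group(0)), body)


def resolve_click(surrogate: str):
    """Click side: reject forged surrogates, block known-bad hosts, allow the rest.

    Returns (decision, original_url); original_url is None on reject.
    """
    query = parse_qs(urlparse(surrogate).query)
    token = query.get("u", [""])[0]
    sig = query.get("s", [""])[0]
    if not hmac.compare_digest(sig, _sign(token)):
        return ("reject", None)
    url = _unb64(token).decode()
    host = (urlparse(url).hostname or "").lower()
    if host in BLOCKLIST:
        return ("block", url)
    return ("allow", url)


# Constructed incoming message with one legitimate and one known-bad link.
SAMPLE_BODY = ("Please review https://portal.example-cpa.com/doc "
               "and http://malware-host.invalid/x")

if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_BODY)
    print(rewritten)
    for link in re.findall(r"https://links\S+", rewritten):
        print(resolve_click(link))
```

The user never sees the original URL until the gateway has decided; that is what "protect you in real time" means in practice, because the blocklist consulted at click time can be newer than the one available at delivery time.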

workstation protection

workstation protection includes device management, anti-virus, and zero-trust solutions. device management solutions ensure that your computers are kept updated and enable more proactive computer performance monitoring. the anti-virus options we’ve identified include those with centralized management—so that if you or someone from your firm has a virus incident, it is reported, and you can be proactive in your response to ensure that there isn’t a data breach or ransomware incident that needs to be addressed.

zero-trust solutions help to mitigate an insider threat where someone has accidentally (or maliciously) installed malware that uses their credentials to try and explore your data, files, and network. zero-trust only allows recognized software interactions to occur. for example, if you accidentally open a microsoft word document with a trojan virus that tries to access your tax software, the zero-trust solution knows that word doesn’t normally interact with your tax software and stops the virus from accessing the tax software. additionally, it reports this attempted interaction to you so that you can investigate the situation and get help if needed to remove the virus.
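The Word-to-tax-software scenario above comes down to a default-deny allowlist of which application may do what to which resource, plus an alert for every denied attempt. The following added example is a toy policy engine that illustrates that logic; it is not the article's code or any zero-trust product's design, and the application names, paths and event stream are constructed.

```python
"""Default-deny application interaction policy with alerting.

Added example. POLICY and EVENTS are constructed; a real zero-trust agent
enforces this in the kernel or via OS hooks, this just shows the decision logic.
"""
import fnmatch
from collections import defaultdict

# Constructed policy: (actor, action) -> target patterns that are allowed.
# Anything not listed is denied, including actors the policy has never heard of.
POLICY = {
    ("outlook.exe", "launch"): ["winword.exe", "excel.exe"],
    ("winword.exe", "read"): ["C:/Users/*/Documents/*"],
    ("winword.exe", "launch"): [],
    ("taxsuite.exe", "read"): ["C:/TaxData/*"],
    ("taxsuite.exe", "write"): ["C:/TaxData/*"],
    ("taxsuite.exe", "launch"): [],
}


def decide(actor, action, target):
    """Allow only a known (actor, action) pair whose target matches a pattern."""
    patterns = POLICY.get((actor.lower(), action))
    if patterns is None:
        return "deny"
    return "allow" if any(fnmatch.fnmatchcase(target, p) for p in patterns) else "deny"


def evaluate(events):
    """Decide every (actor, action, target) event and collect denials per actor.

    Returns (decisions, alerts); alerts is what gets reported to the firm so
    someone can investigate the workstation.
    """
    decisions, alerts = [], defaultdict(list)
    for actor, action, target in events:
        outcome = decide(actor, action, target)
        decisions.append((actor, action, target, outcome))
        if outcome == "deny":
            alerts[actor].append(f"{action} {target}")
    return decisions, dict(alerts)


# Constructed event stream: normal work, then a document in Word reaching for
# the tax software and its data, which Word never does legitimately.
EVENTS = [
    ("outlook.exe", "launch", "winword.exe"),
    ("winword.exe", "read", "C:/Users/donny/Documents/engagement-letter.docx"),
    ("winword.exe", "launch", "taxsuite.exe"),
    ("winword.exe", "read", "C:/TaxData/clients.db"),
    ("taxsuite.exe", "write", "C:/TaxData/returns/2023/return.tax"),
]

if __name__ == "__main__":
    decisions, alerts = evaluate(EVENTS)
    for row in decisions:
        print(row)
    print("alerts:", alerts)
```

The two denied events are exactly the "attempted interaction" the article says gets reported back to you; the point of default deny is that the policy does not need to know what the malware is, only what Word normally does.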

workstation protection solutions provide both preventative technical controls and detective mechanisms that enable you to identify potential threats before they become problems.

server & network protection

server protection is exactly the same as workstation protection, but it is applied to your servers instead of workstations. as you know, servers are more complex than workstations, so these solutions are usually a little more costly than the workstation protection ones, but if you are using a server-centric data storage strategy (e.g., save all your data on the server), then the server is also your biggest consolidated risk area, so you should ensure that it is highly protected.

sometimes, people then say, “well, if i store everything on my server, why do i need to protect my workstations?” the answer is that workstations are the gateway to your server and network. one of the common malware attack vectors that we see is where the malware first goes onto a staff member’s laptop (often while they are working outside of the office in a less protected environment) and then when they connect to the office via vpn or come into the office, the malware tries to move to the server. thus, you need workstation protection to prevent the first stage of this type of attack from occurring.

if you have an in-office network, or even if you are using a hosted desktop environment, then you’ll also need network protection. for small firms, this usually takes the form of a network firewall. a good network firewall (whether physically in-office or as part of a hosted desktop environment) will include virus protection, intrusion detection and prevention, content filtering, and attack detection notification.

if you want to be even more proactive, there are additional services that you can purchase like endpoint detection and response (edr), security operations center (soc, not to be confused with service organization controls audit reports), and other cybersecurity monitoring and response services. while i encourage small firms to consider these, the cost versus value for additional risk mitigation is often not there—or at least is not there based on current pricing. hopefully, that will change as service providers figure out how to automate these types of services better, as i do believe in the increased effectiveness of these types of services in preventing and detecting cybersecurity attacks.

data backup & business continuity plan

the biggest impact of ransomware is that it makes your data inaccessible—and thus the need to pay the ransom to get access to your data. imagine if this happened the day before a tax deadline. what would you do? well, if you have a good data backup, then you could restore your data from the backup instead of paying the ransom.

this starts to bridge into the concept of business continuity planning or having a plan and procedures ready to execute in the event of a ransomware attack. many people confuse disaster recovery with business continuity. a simplified way to understand the difference is that disaster recovery is designed to get your computers back up and running after a disaster (which could include a ransomware attack), but business continuity looks at your broader business operations.

again, take, for example, a ransomware attack just before a tax deadline. a business continuity plan may include a list of unfiled and un-extended tax returns kept outside of your it environment. if you are hit by a ransomware attack on a tax deadline day, you can invoke the procedure to take the list and start processing manual extensions so that you can get them all filed that day. otherwise, with only a disaster recovery plan, you’d be waiting for your it service provider to restore the environment so that you can figure out what is unfiled and hasn’t been extended yet. depending on how fast your it service provider works and how many of their clients are dealing with this type of issue, getting your environment restored can take a day or two—or sometimes weeks, as we’ve seen with previous attacks upon hosted desktop vendors who serve a lot of firms. having the business continuity plan in place enables you to not be at the service provider’s mercy.

i’m also seeing and hearing of more comprehensive malware attacks where the malware will destroy online backups before locking down data. in cases like this, having a good business continuity plan that addresses this potential scenario is even more important.

a good data backup solution paired with a well-thought-out business continuity plan is key to mitigating your risk in the event that you do get hit by ransomware, and it’s an area where we regularly see a false sense of security because it service providers often say, “don’t worry we have all your data backed up, and we have a disaster recovery plan for you.” they may truly have both things in place, but you’re still at their mercy if you don’t have a good business continuity plan in place, too—and that is something you can do on your own.
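A "good data backup" is one you have verified can be restored, and the attacks described above that destroy online backups are only caught if that verification uses something the attacker could not alter. The following added example (not the article's code or any backup product's) checks backup copies against a hash manifest kept outside the IT environment; the file contents and the two backup copies are constructed in memory so it runs offline.

```python
"""Verify backup copies against a manifest stored outside the IT environment.

Added example. PRODUCTION, ONLINE_BACKUP and OFFLINE_BACKUP are constructed
in-memory stand-ins for directories; in practice the manifest is written at
backup time and kept on offline media or in a separate account.
"""
import hashlib


def build_manifest(files):
    """Record a SHA-256 per file path; this is what gets stored offline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_copy(copy, manifest):
    """Compare one backup copy with the offline manifest."""
    missing = sorted(p for p in manifest if p not in copy)
    altered = sorted(p for p in manifest
                     if p in copy and hashlib.sha256(copy[p]).hexdigest() != manifest[p])
    return {"restorable": not missing and not altered,
            "missing": missing, "altered": altered}


def pick_restore_source(copies, manifest):
    """Return the name of the first copy, in priority order, that fully verifies."""
    for name, copy in copies:
        if verify_copy(copy, manifest)["restorable"]:
            return name
    return None


# Constructed production data at the time the manifest was taken.
PRODUCTION = {
    "clients/1040-smith.tax": b"return data for smith",
    "clients/1040-jones.tax": b"return data for jones",
    "engagements/letters.docx": b"engagement letters",
}
MANIFEST = build_manifest(PRODUCTION)

# Constructed copies: the online backup was reached by the malware (one file
# encrypted, one deleted); the offline copy was not.
ONLINE_BACKUP = {
    "clients/1040-smith.tax": b"\x00garbled ciphertext\x00",
    "engagements/letters.docx": b"engagement letters",
}
OFFLINE_BACKUP = dict(PRODUCTION)
COPIES = [("online", ONLINE_BACKUP), ("offline", OFFLINE_BACKUP)]

if __name__ == "__main__":
    for name, copy in COPIES:
        print(name, verify_copy(copy, MANIFEST))
    print("restore from:", pick_restore_source(COPIES, MANIFEST))
```

Running this check on a schedule (and actually restoring a sample file from the chosen copy) is the difference between "we have backups" and knowing which copy you would restore from on deadline day.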

cybersecurity risk assessment & advice

part of the irs and ftc requirements is conducting a cybersecurity risk assessment to ensure you understand your risk areas, the effectiveness of the mitigation actions you’ve taken, and the residual risk of a cybersecurity incident. many it service providers and cybersecurity consultants will do a “cybersecurity audit” for free. two things to keep in mind with these: (1) they often focus only on technical controls and don’t address policy and business continuity requirements, and (2) be wary of free audits or vulnerability scans designed to identify weaknesses and then sell you solutions. a good risk assessment will address all of the risk areas described above, identifying the risks and the solutions to mitigate them.

a cybersecurity risk assessment is only a point-in-time view of your cybersecurity threats and risks. to effectively manage your firm’s cybersecurity risk, you (or someone you trust) need to monitor all the notifications from the centrally managed solutions and respond accordingly in the event of a cybersecurity incident.

additionally, any time you are considering changing or upgrading any of your software or hardware, you should consider the impact of the change or upgrade to your cybersecurity risks. this is where having a cybersecurity advisor will be helpful. this individual should understand cybersecurity compliance requirements, be familiar with your firm’s operations, understand your firm’s it environment, and understand the controls you’ve put in place to mitigate your risks. if this person didn’t conduct your initial cybersecurity risk assessment, be sure to share that information with them, as it should provide a good summary of where you were at that point in time.

a good advisor will translate any cybersecurity risks into business risks and help you determine the potential impact of changes. this will enable you to be proactive in building cybersecurity considerations into how a new software or change is implemented. this is important because retrofitting cybersecurity requirements after implementation will cost more or may not even be possible in the worst case. it’s important to do your due diligence on vendors upfront and proactively design cybersecurity concerns as part of the implementation.

a good advisor will also help keep you aware of emerging cybersecurity threats, improvements to solutions, and changes to compliance requirements. just as your clients expect you to help them navigate the complexities of tax compliance, financial planning solutions, and proactive planning to minimize tax exposures, a good cybersecurity advisor will help you do the same in the cyber area.