10 Common Cybersecurity Mistakes Accounting Firms Make

Since the beginning of 2021, there has been a 102% increase in ransomware attacks compared to last year, according to cyber security firm Check Point Software. Unfortunately, small and medium-sized accounting firms are a primary target for these attacks, given their lack of sophisticated security infrastructure. Given this reality, every employee in your firm must be educated about these security threats and how they can be prevented. Here are the most common security mistakes accounting firms make and some practical ways to fix them.

1. Using weak passwords without two-factor authentication 

Passwords are no longer enough. Your firm must protect all accounts with two-factor authentication. Attackers can use unauthorized access to an account to wreak havoc on your business and hurt your reputation, potentially costing you a lot of money and possibly putting you out of business. Each account should have its own password, built from a mix of letters, numbers, and special characters.

2. Storing passwords under your keyboard or in an Excel spreadsheet  

Spreadsheets are for client reporting and calculations and not for passwords. Every firm should use a password management tool such as LastPass or Practice Protect. Both platforms automatically generate complex passwords and store them in a vault secured with two-factor authentication. Thanks to the convenient autofill feature, you will never have to worry about remembering a password again.  

3. Using weak or insecure wireless networks 

The first thing you should do to improve the security of your wireless network is to change the default administrative password to something complex and unique. Second, change your wireless network’s name so it is not personally identifiable. Your network name, or SSID, should not be your firm’s name. Also, use WPA2 (Wi-Fi Protected Access 2) with Advanced Encryption Standard (AES) enabled. Your firm should not be using WEP, whose encryption is broken and easy to defeat. Lastly, use a VPN when accessing confidential information over public Wi-Fi outside of the office.
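The four wireless settings above are easy to check mechanically. The following is an added example, not part of the original article, that audits a small access-point configuration against that checklist. The key=value layout and the `ssid`, `wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wpa_pairwise` and `wep_*` keys follow the real hostapd option names; the `admin_password` field, the firm name and both sample configurations are constructed for illustration.

```python
"""Audit an office Wi-Fi access-point configuration against the article's
wireless checklist: non-default admin password, non-identifying SSID,
no WEP, and WPA2 with AES (CCMP).

Added example; not the article's own material. Keys follow hostapd naming,
but 'admin_password' and all sample values are constructed."""
import re

# Constructed sample: an "out of the box" access point that makes every
# mistake the article lists.
WEAK_CONFIG = """
ssid=SmithAndCoAccounting
admin_password=admin
wep_default_key=0
wep_key0=ABCDEF1234
"""

# Constructed sample: the same access point after the recommended changes.
HARDENED_CONFIG = """
ssid=blue-heron-2291
admin_password=kT9#vL2!qR8@wN4z
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=long random passphrase goes here 4-Z9
"""

# Common factory-default or trivial admin passwords (constructed list).
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", "12345678", ""}


def parse_config(text):
    """Turn key=value lines into a dict, ignoring blank and comment lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_wifi(text, firm_name):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []

    # 1. Default or trivially short administrative password.
    admin_pw = cfg.get("admin_password", "")
    if admin_pw.lower() in DEFAULT_ADMIN_PASSWORDS or len(admin_pw) < 12:
        findings.append("admin password is default or too short")

    # 2. SSID that identifies the firm (any word of the firm name, 3+ letters).
    ssid = cfg.get("ssid", "").lower()
    firm_tokens = [t for t in re.split(r"\W+", firm_name.lower()) if len(t) > 2]
    if any(t in ssid for t in firm_tokens):
        findings.append("SSID reveals the firm's name")

    # 3. Any WEP key material at all means WEP is in use.
    if any(k.startswith("wep_") for k in cfg):
        findings.append("WEP is enabled")

    # 4. WPA2 must be on, and its pairwise cipher must be AES (CCMP), not TKIP.
    ciphers = cfg.get("rsn_pairwise", "") + " " + cfg.get("wpa_pairwise", "")
    if cfg.get("wpa") != "2":
        findings.append("WPA2 is not enabled")
    elif "CCMP" not in ciphers:
        findings.append("WPA2 is not using AES (CCMP)")
    if "TKIP" in ciphers:
        findings.append("TKIP cipher is still permitted")

    return findings


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_wifi(cfg_text, "Smith & Co Accounting")
        print(f"{label}: {result or 'no findings'}")
```

Run as-is it reports four findings for the weak configuration and none for the hardened one; point `audit_wifi` at your own exported settings and firm name to reuse the checks.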

4. Poor or inconsistent approach to terminated employees   

When terminating employees, you must deactivate their accounts immediately. Their usernames and passwords should be revoked on every app and platform to prevent customer information from being stolen. Have a structured off-boarding checklist so that cyber attackers cannot find loopholes in your firm’s security. Before deleting any data from former employee accounts, back it up and keep a copy.

5. Expecting your employees to know what ransomware is and what not to click on   

Consistent cybersecurity training is an essential component of a successful security program. Never assume that employees know what ransomware attacks and phishing emails are. Check with your IT provider to see if they offer cybersecurity awareness training, which educates employees about identifying phishing emails that pretend to come from the IRS, software providers, and other accounting service providers. This training sends employees simulated phishing emails and directs anyone who clicks the link to a training session.

6. Running outdated or unpatched software   

Running software that is outdated or, worse, unpatched is a recipe for disaster. Unpatched software means that the program has vulnerabilities that the manufacturer is aware of and has released an update for, but that update has not yet been installed by the user. Keeping software up to date requires vigilance and consistency. Even the latest software can contain security holes, so it is vital to regularly check for updates that patch them. Sometimes software companies are aware of their program’s vulnerabilities but will not, or cannot, fix them. If your software vendor doesn’t release consistent updates that patch security loopholes, it might be time to look for a new program.

7. Having a 10-year-old (or otherwise aging) server

Old servers require a lot of maintenance, which can be expensive in the long run. Slow-running applications are often the first sign that it’s time to replace your server. Many firms are migrating to the cloud, which requires less maintenance, improves security, and enhances collaboration. Consider bringing all your files to Microsoft SharePoint, a web-based platform that integrates with Microsoft 365 and will enable you to collaborate in real time with your coworkers.

8. Haphazard backups  

Daily cloud backups are the standard for all accounting firms. They should include all your business data and, ideally, images of your computers’ hard drives to speed recovery in the event of a ransomware attack. Routine backups ensure that your files will not become inaccessible in case of a ransomware attack, natural disaster, hardware failure, or theft. The easiest way to back up your firm’s data is in the cloud, which provides security and encryption and can be fully automated. You can augment a cloud backup with a local backup, decreasing the time to recovery after a catastrophic data loss.

9. Allowing employees to put company and client information on their personal devices  

Employees should never have company and client information on personal computers or devices that are not company-owned or company-managed. A common misconception is that mobile devices are not susceptible to ransomware attacks, but this is far from true. In fact, in 2020, over 4.2 million Americans were victims of a mobile ransomware attack (Kaspersky, 2020). It only takes one click on a hazardous link for attackers to access information they shouldn’t have. It might seem expensive to provide and manage devices for your employees, but it will cost much less than a security breach. Plus, you can have these devices returned when an employee leaves, reducing the likelihood of leaking residual data.

10. Leaving confidential documents and storage devices in an insecure location   

Security isn’t just for all your technology – let’s not forget all our paper and files! The IRS security standard is to keep all servers and file cabinets holding sensitive printed information in a locked storage room. Be sure to label your document folders using terms like “Sensitive” or “For Official Business,” which will help clarify each document’s importance. Finally, create an inventory of where your client data is stored, including storage location(s), type of information, and so on.

Take your cybersecurity to the next level!

Further assess your firm and establish technology priorities by taking the Security Self-Assessment, which will help you understand where your firm currently stands regarding security and how you can improve different aspects of your security plan.