It’s one thing to recognise the state of play: that cyber threats are on the rise and accounting firms, in particular, need to bolster their defences in order to protect their practice and their clients’ data. It’s another thing entirely to implement best-practice solutions to thwart malicious actors.
If you’re ready to secure your firm against the latest threats with a robust cybersecurity policy, here’s what you need to do.
What should go into your policy?
What you choose to include in your cybersecurity policy will depend on your firm – the type of clients you keep, your current digital security defences, your staff’s technical competency, and more. If you’re starting from scratch, the government’s breakdown includes all the essentials. However, if you need a more intricate policy then you may need to hire a third-party cybersecurity expert to create a custom solution for your needs.
Generally, a standard cybersecurity policy should include things like:
- Password requirements (including use of password managers).
- Email security best practice (e.g. how to avoid phishing scams).
- How to handle sensitive client data.
- Policies around technology, such as bring your own device (BYOD) and remote work.
- Restricted access to social media, etc.
- Incident reporting.
- Ongoing training and policy updates.
Best practice begins at onboarding
The best time to have a cybersecurity policy in place in your accounting firm is yesterday. The next best time is now.
For any new team members, make it a requirement that they are walked through the practice’s cybersecurity policy during their onboarding. This will ensure they understand your company’s requirements from day one, and allow them to refer back to the policy whenever they are in doubt.
Training up existing staff may be more challenging. Not only will you need to ensure the policy is comprehensive yet easy enough for the average employee to understand, but you will also need to get buy-in. There will no doubt be changes to how your team works following the rollout of the new policy, so provide as much support to your staff as possible, and deliver weekly or monthly sessions to work through any problem areas or update them about policy changes.
Incident response and disaster recovery – what are your plans?
These two documents have similar goals but separate purposes, and they should form part of your overall cybersecurity policy. It’s not simply enough to have rules around password management, email best practice and whether you can use devices while outside the office. The current threat landscape means that you need to prepare for the worst with the right response plans.
An incident response plan is a set of very clear instructions – usually for the IT team, but also for any cybersecurity leaders you’ve nominated – to help detect and manage network security incidents. The overall purpose of the plan is to protect your sensitive client data during a security breach. The CPA Journal has a helpful guide to walk you through the essentials of an incident response plan.
A disaster recovery plan, on the other hand, is all about what happens after the breach. How do you pick up the pieces? Who is managing what tasks? When should you tell your clients and the media, if necessary? All these questions must be answered in the plan, and you need to provide a clear path for your team to follow. To ensure business continuity even in the event of a cyber disaster, make sure you spend enough time and money on developing a solid disaster recovery plan.
Selecting a team of ‘cybersecurity leaders’
Writing detailed plans and ensuring your teams are familiar with the overall cybersecurity policy is the first step. But it won’t do much good if there aren’t dedicated leaders to carry out those plans in the event of a security breach or cyberattack.
While many accounting firms have their own IT departments, smaller practices may not have the internal resources or may instead choose to outsource their IT needs. In all cases, you need to assign ‘cybersecurity leaders’ to manage the response during and after a breach.
Who is best placed to manage a real-time response during a security breach? An experienced IT leader, most likely. What about sharing the news with clients and the media that sensitive data has been stolen or compromised? A senior person at the practice would be a better intermediary than someone junior. And who will be the go-to person to answer questions about the policy? Someone who either wrote it, or who is extremely well-versed in the company’s expectations for cybersecurity.
Working hand-in-hand with your cybersecurity policy should be digital solutions that streamline your operations. That’s where best-in-class accounting software like APS can deliver the functionality, integration and compliance you’ve been searching for. Contact us today or call (+61) 2 9965 1300 to request a demo and find out more.
To find out more about APS software, visit aps-software.com.