www.ctcpas.org

9 Practical Cybersecurity Steps to Help Protect Your Organization

1. Identify critical data.
CPAs are accustomed to working with confidential data. It is important to identify all the areas where critical data exists. This includes confidential client data, employee data, and company financial information.

2. Map the flow of data.
After critical data has been identified, the organization must review all the places that data resides and how it moves through various locations both inside and outside the organization. Chances are good that critical data flows through multiple storage sites that could be subject to cyberattacks. Also pay special attention to how customer and client communication is handled, including what information is being shared and how.

3. Determine responsibility.
Even if your company is not large enough to employ a full-time security officer, responsibility must rest somewhere. It is important to determine who in the organization will take the lead on protecting assets and implementing security measures. Include any internal and external parties, such as software vendors, support companies, and outside consultants.

4. Assess your information security policies.
Clear, well-written security policies must be in place to set the ground rules for the business and its employees. These policies are dynamic, living documents that must be reviewed and updated frequently. If ambiguities exist, those responsible for security inside the organization must be responsible for clarification of the policy.

5. Increase employee awareness and training.
Your company may have excellent policies, but unless you actively get buy-in from staff, the policies will be ineffective. Implementing an ongoing security awareness program can help educate employees on policies, safeguards, and vulnerabilities, increasing the effectiveness of cybersecurity measures.

6. Have an incident response plan.
The company should have a specific process in place for staff to report potential threats or breaches. This should include the detailed chain of response in place to immediately address security incidents. Conduct drills to verify readiness. Often, this is where disaster recovery/business continuity plans and cybersecurity plans overlap.

7. Have regular cybersecurity reports.
Hold meetings throughout the year to discuss ongoing security efforts within the organization. The agenda should include security incidents, emerging threats, proposed security changes, project updates, and vendor issues. Keeping security top of mind increases the entire organization's vigilance.

8. Control your physical assets.
Critical data exists both in physical and digital form, so best practices should be put in place to secure printed copies of sensitive data as well as devices such as laptops, tablets, and flash drives. Keep a strong inventory of your assets. Don't overlook building security safeguards, including locks on server rooms and network closets, visitor controls, and cameras.

9. Stay active.
Continue to keep cybersecurity high on your agenda and provide cybersecurity teams with the resources needed to protect both digital assets and your most valuable assets: your employees and customers. Keep an eye on regulatory developments and breaking news.

In conclusion, having a cybersecurity risk review is one practical approach to protecting your business and will help guide you in the right direction. Even so, cybersecurity isn't a "set it and forget it" project that you can complete and cross off your list. Today's ever-changing environment demands ongoing maintenance, monitoring, patch management, penetration testing, and assessment.

This high level of consistent vigilance requires time, money, and effort. It may sometimes seem easier to direct these resources at more tangible and seemingly urgent needs. Unfortunately, this could easily prove to be a costly mistake. The stakes are high. Companies that take these threats seriously may survive where others may not. Be sure you're doing everything you can to protect your customers and clients, your employees, and your business.

Jarrett Meiers leads Reynolds + Rowella's IT consulting division, Blueprint Essential. He advises accounting firms and businesses on technology, security, and practice management. He can be reached at jarrettm@reynoldsrowella.com.