CPA Cybersecurity Checklist

Cyber attackers target CPA & accounting firms because they are goldmines full of business data.  Here is (a) what the Federal Government says all CPA firms should be doing, (b) what it means, (c) how to actually get it done and comply with the law, and (d) an example of possible risks and associated actions that a firm may identify and then schedule for implementation.

(a) What should your accounting firm be doing from a cybersecurity perspective?

We have worked through the below list with just about all of our CPA & accounting clients.  It’s not hard or complicated; it just needs to be done.  I was impressed with this government-made list.  It wasn’t full of unnecessarily complicated steps that provide marginal improvements in security.  It also had most of the essential items without too many holes.  In short, this list is pretty close to perfect!  These are all good things for any business to do; they genuinely add value without being overly complicated or impossibly costly.

You can see the long version of these requirements here:

https://www.irs.gov/newsroom/tax-security-2-0

Essentially, every CPA firm needs to walk through these 5 steps.

  1. Create a data security plan
  2. Deploy the “Security Six” measures
  3. Educate yourself and be alert to key email scams
  4. Recognize the signs of client data theft
  5. Create a data theft recovery plan

I’ll break out what exactly they mean and how to resolve them below.

(b) What the 5 steps mean

This is what you need to do to “comply” with each of the steps.  Of course, this depends on your environment, but most businesses are principally in 1 of 2 categories.

  1. Data on-site
    Your clients’ info sits in your office, saved on a server or similar (e.g., Lacerte, QuickBooks, etc.)
  2. Data in the cloud
    Your clients’ info is on your service providers’ systems (e.g., ProConnect, ProSystem fx Tax cloud version, etc.)

1 of 5: Create a data security plan

There are five parts to creating an IRS-approved security plan.

  1. Designate one or more employees to be your information security champion.
  2. Select service providers that can maintain appropriate safeguards and have your champion oversee them.
  3. Identify and assess the risks to customer information.
  4. Design and implement a safeguards program. Monitor and test it.
  5. Evaluate and adjust the program over time.

ONE: Employee information security champion

This person will be your point-person for all things IT & Cybersecurity related.  They don’t necessarily need to be geeky if you have the right vendor that can work with them to accomplish these tasks.  They do, however, need to be organized and good at documentation.  All efforts to protect your business should be documented to show your good-faith effort to achieve compliance in all areas.

TWO: Select a trusted service provider to help you maintain the safeguards you will choose below

In the official IRS documentation, selecting a provider is step 4 of 5.  However, having your trusted MSSP involved from the start of this process reduces rework considerably.  It will make the life of your champion much better, as they will have someone helping them who has been through this process many times.

After you choose a champion, have them arrange an excellent tech/security provider to help them with the rest of the steps.

THREE: Risk identification and assessment

Your champion needs to work with the rest of your team, and your MSSP, to determine where and how your clients can be hurt by you having access to their company’s information.  Make a document such as my example outline, linked below, to help ID the risky areas and assign priority.

* See the bottom of this post for an example of a simple risk assessment.

FOUR: Implement and maintain safeguards

Any safeguard plan must include the following steps:

  1. Implement safeguards
  2. Monitor safeguards
  3. Test safeguards

Part of this process involves “Deploying the six security measures,” as outlined in the next section.  However, now that you have identified where you need to be secure, it will be much easier to see what you need to implement.  Some actions you take will not be technical, however.  I’ll use the example risk identification data, linked above, to illustrate possible safeguard actions + follow-ups in the document linked below.

* See the bottom of this post for an example of a safeguard implementation.

FIVE: Adjust safeguards over time

As security needs change and your business changes, so will your protective measures.  Just like if you remodel your house to add a garage, you’ll need to add a lock to the new garage entry door and a remote to open the garage door.  When you change where and how client data is accessed, you’ll need to tweak your plan.  This is all you need to do:

  1. Your responsibility: Have your champion reach out to your MSSP if your business processes change so that you can reassess your safeguards.
  2. Your responsibility: Ask your MSSP for a yearly review and risk assessment.

Your MSSP’s responsibility: They should stay up-to-date on current risks and the cost-to-value of different solutions so they can offer quality recommendations that offer a high utility to your business.

2 of 5: Deploy the six security measures

These are the six standard protective practices that, by law, must be deployed at any firm.  I added a “What else should be done” list to show anything that we at QuickFix think is a necessary security mechanism that was left out of the IRS document.

ONE: Manage your antivirus software

(or use a Managed Security Service Provider (MSSP), like QuickFix, to do it for you!)

Who must do this:

  • Data on-site = NECESSARY
  • Data in-cloud = NECESSARY

What must be done:

  1. Verify that it is updated
  2. Verify that it is running scans
  3. Verify that it is scanning files on removable drives (e.g., USB, CD, DVD, etc.) + your whole hard drive
  4. Verify that it is scanning email if you download it to your PC (e.g., you use Outlook)
  5. Verify that it is scanning email attachments
  6. Verify that it uses real-time malware detection/removal

TWO: Use a firewall (or get a managed firewall)

(or use an MSSP to do it for you!)

Who must do this:

  • Data on-site = NECESSARY
  • Data in-cloud = NECESSARY

What must be done:

  1. Install a firewall

What else should be done:

  1. Enable and monitor IDS and IPS (Intrusion Detection and Prevention Systems)
  2. Update networking equipment with security patches as they are released (monthly)
  3. Monitor the network for devices requesting malicious sites or servers
  4. Verify that no extra user accounts have been added to the firewall

THREE: Use Two-Factor (or Multi-Factor) Authentication (2FA/MFA)

(This is the SINGLE MOST IMPORTANT item on this list!)

Who must do this:

  • Data on-site = NECESSARY
  • Data in-cloud = NECESSARY

What must be done:

  1. For every provider you have, enable this feature!  It is considered “standard” and is free for the vast majority of all services.  Below is a sample list of provider categories:
    - Email
    - Banking
    - Cloud Software
    - Remote Access
    - VPN (Virtual Private Network)
    - Document Upload Services (Like the IRS!)
    - Etc.

FOUR: Backup Client Data

(or use an MSSP to do it for you!)

Who must do this:

  • Data on-site = NECESSARY
  • Data in-cloud = provider should do this

What must be done:

  1. Back up all your client data to either (a) the cloud or (b) an external disk
  2. The contents of these backups should be encrypted

What else should be done:

  1. Do NOT rely only on external drives for backup.
  2. Use a monitored backup service that reports backup success versus backup failure to you.
  3. Your backups should store file versions.
  4. Use encrypted cloud backups.
  5. Back up everything, not just client data.

Why should you do these extra things not mandated by the IRS:

  1. External drives provide a false sense of security.  Most current malware also targets any attached external backup drive as part of the attack.
  2. Also, we have seen many occasions where the external backup drive had been malfunctioning for months or even years and no one knew.  The backups were unusable.
  3. With backup versioning, you can recover good versions of corrupted or encrypted files.  When a file gets corrupted or encrypted, the backup software only knows that the file changed, so it backs up the bad file.  Without versioning, you will attempt to recover the file from the backup only to find that the bad file is what you backed up last!
  4. Cloud is king for backups.  Should you have a flood or a lightning strike, you still have all of your data.
  5. Back up any data that you rely on to run your business.  We’ve seen businesses lose all critical business data to malware and have a busted backup system, with no way to get back up other than to sift through paper files and try to recreate their schedules, invoicing, etc.  It’s not worth doing backup incorrectly.
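A small simulation of point 3, written for this post and not part of the original (the in-memory BackupStore is a hypothetical stand-in for a real backup product): the same changed-file logic is run with versioning on and off, and only the versioned store can hand back the known-good copy after malware has rewritten the file and the nightly job has backed up the damaged version.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample "client file"; in reality this would be a PDF or tax data file.
GOOD_RETURN = b"%PDF-1.4 constructed sample return for client 001, income 52000"


def digest(data: bytes) -> str:
    """Fingerprint of a file's contents, used to tell 'changed' from 'unchanged'."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupStore:
    """In-memory stand-in for a backup target (hypothetical; not a real product)."""
    versioned: bool
    # filename -> list of (sha256, contents), oldest first
    history: Dict[str, List[Tuple[str, bytes]]] = field(default_factory=dict)

    def run(self, files: Dict[str, bytes]) -> None:
        """One backup job: copy every file whose contents changed since last time."""
        for name, data in files.items():
            versions = self.history.setdefault(name, [])
            if versions and versions[-1][0] == digest(data):
                continue  # unchanged since the last job, nothing to copy
            if self.versioned:
                versions.append((digest(data), data))  # keep the older copies too
            else:
                versions[:] = [(digest(data), data)]   # overwrite the only copy

    def restore(self, name: str, known_good: str) -> Optional[bytes]:
        """Return the newest stored version whose hash matches a known-good one."""
        for h, data in reversed(self.history.get(name, [])):
            if h == known_good:
                return data
        return None


def simulate(versioned: bool) -> Optional[bytes]:
    """Monday: the good file is backed up.  Tuesday: malware rewrites it and the
    nightly job dutifully backs up the damaged copy.  Can we still recover?"""
    files = {"client_001_1040.pdf": GOOD_RETURN}
    good_hash = digest(GOOD_RETURN)
    store = BackupStore(versioned=versioned)
    store.run(files)
    # Simulated damage: contents replaced by unreadable bytes (constructed, not real malware)
    files["client_001_1040.pdf"] = b"DAMAGED:" + bytes(b ^ 0x5A for b in GOOD_RETURN)
    store.run(files)
    return store.restore("client_001_1040.pdf", good_hash)


if __name__ == "__main__":
    print("versioned  :", "recovered" if simulate(True) == GOOD_RETURN else "LOST")
    print("unversioned:", "recovered" if simulate(False) == GOOD_RETURN else "LOST")
```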

FIVE: Consider Drive Encryption

(The IRS does not mandate drive encryption.  Instead, it requires that you “consider” implementing this protection.)

*IMPORTANT NOTE: Drive encryption does ZERO to protect files while the computer is running and the drive is unlocked; malware or an attacker on the running machine reads files just as the user does.  Drive encryption only protects data at rest, i.e., when the computer is shut down.  For instance, if someone breaks into your office and steals your server, drive encryption will keep the thief from accessing your data.

Who must do this:

  • Data on-site = It may be NECESSARY
  • Data in-cloud = Usually unnecessary

What must be done:

  1. Discuss with your security contractor if you SHOULD or SHOULD NOT encrypt drives with client data.
  2. If you determine that this should be done, implement some drive encryption.

Why you may NOT choose to encrypt drives:

  1. Your client data may be stored in tax software that already encrypts the data.  There is no reason to do it twice.  For instance, QuickBooks requires a user/password to open up your company file.  That user/password decrypts the QB database.
  2. Your client data may be stored in the cloud and protected by a user/password.  Drive encryption does nothing to protect this further.
  3. Encrypted drives run more slowly.
  4. Encrypted drives have a higher risk of unrecoverable malfunction.
  5. Encrypted drives can make data recovery (should you have an inadequate backup solution) impossible.
  6. You may gain more utility by using the cash that you would have spent encrypting drives to set up a security system like ADT instead.

SIX: Implement Remote Access Security

(or use an MSSP to do it for you!)

Who must do this:

  • Data on-site = NECESSARY if you use remote access
  • Data in-cloud = NECESSARY if you use remote access

What must be done:

  1. If you access the office from a remote location, you must use a VPN (Virtual Private Network).
  2. The computer that you are using to connect to the VPN must be treated just like any other work computer and must comply with these IRS requirements.
  3. Protect your VPN access with 2FA.

* Consider using a service like LogMeIn instead of setting up a VPN.  Remote access services are easy to set up and easy to add 2FA to.  They also give access only to the machines onto which you install the software, while a VPN may provide access to your whole office network.

3 of 5: Education

According to the IRS, more than 90% of all data thefts start with a phishing email.  This means that if you get hacked, it’ll likely be due to you or an employee clicking on some email.  There are many clever scams out there, and they change almost monthly.  

  1. Contact your MSSP and ask for a CPA-specific training session for your whole team.
  2. Choose to have this happen annually, and with new hires, and include the training document with specific items that you built in the previous step.
  3. Ask about anti-phishing tools that you can use to reduce potential attacks
  4. Ask about sending a test phishing email to your team.  If a staff member is tricked into clicking on this fake email, they will be enrolled in online training.  The business owner and/or champion will be alerted that this training is happening.

*Remember to document the dates, times, and attendance of these training sessions for compliance coverage.

4 of 5: Recognize signs of client data theft

If data is stolen, you need to know.  The below list should be reviewed in the training sessions.

The IRS already has a good list of things to watch out for.

  1. Client e-filed returns begin to be rejected by the IRS or state tax agencies because returns with their Social Security numbers were already filed;
  2. Clients who haven’t filed tax returns begin to receive taxpayer authentication letters (5071C, 4883C, 5747C) from the IRS to confirm their identity for a submitted tax return;
  3. Clients who haven’t filed tax returns receive refunds;
  4. Clients receive tax transcripts that they did not request;
  5. Clients who created an IRS Online Services account receive an IRS notice that their account was accessed, or IRS emails stating their account has been disabled.  Another variation: clients unexpectedly receive an IRS notice that an IRS online account was created in their names;
  6. The number of returns filed with the tax professional’s Electronic Filing Identification Number (EFIN) exceeds the number of clients;
  7. Tax professionals or clients responding to emails that the firm did not send;
  8. Network computers running slower than normal;
  9. Computer cursors moving or changing numbers without anyone touching the keyboard;
  10. Network computers locking out employees.

5 of 5: Have a data theft recovery plan

Define a plan using the items below and have it available to staff members.  Add it to your training sessions.

If you think your or your client’s data was stolen:

  1. Call your MSSP.  They may be able to tell you for sure if it was or was not stolen.

If you determine that data WAS truly stolen or MAY have been stolen: (See link below for department contact info)

  1. Contact the IRS and law enforcement.
  2. Contact the state tax agency for each state to which the stolen tax returns apply.
  3. Contact your insurance company, as they may pay for your MSSP (or an outside firm) to secure your office.
  4. Contact your clients.  This will suck, but it is best to let them know you are on it and that action has been taken.
  5. Contact other services.  See the link below for other services you may care to contact.

https://www.irs.gov/newsroom/tax-security-2-0-a-taxes-security-together-checklist-step-5

(c) How do I do all this?

I know this looks like a lot, but it's straightforward with the right partner and a diligent champion and by choosing to do one thing at a time.  Remember that compliance is more about having an action plan than about having every single thing checked off. It's ok to do a few things in year one and a few more things in years 2 and 3.  Just make sure that your actions and your planned actions are documented appropriately.  This will show your clients and the IRS that you are moving forward with your security and attempting to be responsible for your clients.

Also, know that you are not alone.  We at QuickFix have helped many CPAs and accounting firms achieve compliance and get a good handle on what they need to care about versus what they can ignore.  So have other good MSSPs.  So reach out to your trusted MSSP and ask them for a chat!  They will ease your fears and help you turn this monster of a compliance doc into a manageable list of bite-sized actions.

I hope my experience working with CPA and accounting firms helps you get to a safe place while also achieving compliance for your firm.

Sincerely,

-Bryant Harrison
CEO QuickFix

(d) Examples of outlines you might use to ID and fix risks.

Example risk identification and assessment outline:

1. Client Data Locations

  1. Email 
  2. Tax Software
  3. Computers
  4. [Etc. etc.]

2. Risk Assessment

  1. Email
    - Impact = varies per client
    Some send lots of data via email.  Some send none.
    - Probability = high
    Client’s responsibility = We can’t help it if our client’s email gets hacked and their data stolen
    Our responsibility = We have no easy way of knowing if our staff is sending sensitive data via email
  2. Tax Software
    - Impact = very high
    All client data lives here!
    - Probability = low
    Cloud based, with user/password/2FA implemented as of 2008
    Vendor’s responsibility = if data is hacked via their own website
    (HIGHEST PRIORITY) Our responsibility = if data is stolen from our cloud provider via a hacked workstation.
  3. Computers
    - Impact = low
    Tax documents are sometimes saved in the Downloads folders on employees’ computers prior to uploading to tax software.
    - Probability = unknown?  Need consultation.
    Our responsibility = but how much is there?  Do people save this, or delete it immediately?
  4. [Etc. etc.]

Example safeguard deployment, monitor, and test schedule:

You must make notes on each identified item with one of the 3 designations below:

  • DONE: When it was implemented + Champion’s initials
  • PENDING: If it is on the implementation schedule for x date + Champion’s initials
  • NO ACTION TAKEN: If you have no plan just yet to implement

Risk Assessment Actions

1. Employee Training

  1. Security Training doc created [Link to training document]
    - (implemented on 2-20-2020, RBH) 
  2. Cybersecurity Training with Champion added to new-hire checklist
    - (implemented on 2-20-2020, RBH)
  3. Training with MSSP scheduled annually 1st week of January
    - (implemented on 2-20-2020, RBH)
    - Initial training completed 1-10-2020
    [link to document with attendance + topics covered + etc.]

2. IRS e-Services

  1. Set weekly reminder to review number of returns filed with EFIN (implemented on 2-20-2020, RBH)

3. Email

  1. Client’s responsibility to not send data via email.
    - File-upload portal link to our website for clients to send us files securely.
    (To be completed by MSSP on 2-25-2020, RBH)
    - Added “Never send any personal documents or tax information via email.” to all employee signatures.
    (implemented on 2-20-2020, RBH)
    - Added to training documents for staff to remind clients and verify their signatures.
    (implemented on 2-20-2020, RBH)
  2. Our responsibility to not send data via email unless it’s password protected and encrypted.
    - Added to training documents how to use Adobe Acrobat to password protect docs and to test all new employees to make sure they can do it efficiently.
    (implemented on 2-20-2020, RBH)
    - Implement 2FA for all email accounts
    (in process to be completed by MSSP Q2 2020, RBH)
    - Reminder to run 2FA verification report added to my calendar
    (implemented on 2-20-2020, RBH)
    - Phishing email examples and training added to training documents.
    (implemented on 2-20-2020, RBH)

4. Tax Software

  1. Vendor’s responsibility if their servers get hacked
    - Ask our Tax Software vendor to provide us information on their (a) security and (b) backup policies.
    (planned for Q2 of 2020, RBH)
    - Ask our Tax Software vendor if we are able to see a report on the computers or IP addresses that are logging into our tax account.
    (call planned for our MSSP Q1 of 2020, RBH)
  2. Our responsibility if our workstations are compromised and the attacker gets access to our cloud services.
    - Follow six safeguards and have workstations & network managed and monitored by MSSP.
    (in process to be done end of Q1 2020, RBH)
    - Add to staff training that if at-home access to cloud services is needed, they must request that their home computer be protected and treated like a business computer.
    (implemented on 2-20-2020, RBH)

5. [Etc. etc.]
