Expert Opinion – How Should CPA Firms Manage Cybersecurity Risks?

At this time of the year, when almost every CPA is filing taxes from home, protecting clients’ critical data against cybercrime is mandatory. Cybersecurity breaches could cost both clients and the CPA firm a heavy fine of up to $300,000.

So, to avoid such repercussions, CPA firms should strengthen their cybersecurity policies: use strong passwords and update them regularly, train their workforce to avoid phishing attacks, install firewalls and antivirus software on their devices, and so on.


To learn more, we at Ace Cloud Hosting reached out to Randy Johnston, a nationally recognized educator, consultant, and writer. He has over 40 years of experience in Strategic Technology Planning, Accounting Software Selection, Paperless Systems and Network Integration, Business Continuity and Disaster Recovery Planning, Business Development and Management, Process Engineering, and outsourced managed services.

Let’s hear Randy’s take on the importance of cybersecurity for CPA firms.

1. How can a security breach impact the reputation of a CPA firm?

The impact of a security breach is far less than it used to be because the occurrences are so common. Further, much larger organizations have had breaches. With the resources of a large business compared to most CPA firms, the clients tend to be more forgiving. Unfortunately, the impact on individual clients and your cyber insurance premium will be noticeable.

If your firm operates primarily in a local market, you may have some explaining to do during your encounters with clients. Once a security breach in a CPA firm has occurred, it is impossible to know where client information will be sold or used and when.

Even with cybersecurity identity theft reporting, the client impact could occur immediately, but the information is more likely to be used over time by bad actors. If action is immediate with the breach, you should be prepared to deal with both the client and media with a well-thought-out incident response plan.

2. What security measures should a cloud service provider implement to protect customers’ critical information?

There are multiple layers of protection needed. Besides the simple firewall protection, data should be separated in the infrastructure from applications, isolated by individual firms, and backed up continuously. Security tools such as Centripetal, CrowdStrike, or others with endpoint recovery and heuristics are minimal protection. Further, all data should be encrypted while in motion or at rest.

Encryption in motion and at rest is a long-term standard to protect customer data. Unfortunately, this will slow performance, and many cloud providers are reticent to choose to encrypt. Providers should also protect against internal issues by controlling access by network admins, changing passwords, and setting clear internal control procedures for access.

3. When a customer stores their data on the cloud, who can access it?

That depends on the protections used. If the customer possesses the only encryption keys for the data, then even network administration personnel will be hard-pressed to get to client data. However, if the customer does not use encryption, the network personnel with admin access may have the ability to access, view, and copy data.

Data may also get copied easily from one place to another in the cloud, if for no other reason than backup. There may be regulatory reasons that data needs to stay within a country. Further, data access regulations vary widely around the world, so you should assure both primary and backup copies are in compliant locations that protect your data.

4. What are the cloud security challenges faced by the accounting industry?

The main security issues for accounting professionals come from user errors. Professionals want to provide excellent client service and are frequently fooled by bad actors’ techniques. Ransomware and malware are the biggest cloud security challenges, as evidenced by numerous cloud providers that have been successfully attacked.

Technical setup for remote access is frequently probed by bad actors. Inadvertently leaving a port open can allow malware to be planted for later use. This can occur not only in the centralized servers but at your workstations as well. The majority of malware is coming through Microsoft RDS ports, not as attachments or as links in the email. IT setup is critical.

5. How should accountants address these risks?

Most security risks can be remediated by having continuous backups. It is also essential to have an “air gap” backup that is not connected to the internet 100% of the time. User training using tools like KnowBe4 reduces the risk.

Choose reputable IT providers that understand and implement best practices for security. While security risks morph over time, the provider must actively respond to new threats and continuously make adjustments to their security protocols and technical setup to protect your firm.

To Conclude

As CPA firms hold crucial client information, they must take steps to avoid cybersecurity risks and protect their clients’ business data. While it is said that cloud-based solutions offer high-end security and protection, it is vital to understand which service provider is best suited to your business based on your requirements and budget.

Have more questions about cybersecurity for CPA firms? Reach out to our Solutions Consultant at +1-855-223-4887.

About Julie Watson

Julie is a dynamic professional with over 16 years of rich experience as a VDI and Application Hosting expert. At Ace Cloud Hosting, she humanizes disruptive and emerging remote working trends to help leaders discover new and better possibilities for digital transformation and innovation by using cloud solutions with an enterprise-class security approach. Beyond work, Julie is a passionate surfer.
On the weekend, you will find her hanging out with her family or surfing around the North Shore of Oahu.
