3 Simple Cybersecurity Tips to Protect Your Accounting Firm

Recast Episode: This episode was originally published on July 16, 2020, but it’s a favorite among our Growing Your Firm Podcast community, so we’re bringing it back. Comment below to tell us if you’ve been listening to the podcast since the original airing of this episode.

Podcast

Summary

• About Practice Protect
• Understanding Cybersecurity
• Hacking Isn’t What You Think
• Don’t Daisy Chain
• Educate Yourself About Phishing
• Protect Your Email

Additional Resources

• Jamie’s LinkedIn
• Practice Protect
• Accounting Cybersecurity Guide

Meet Jamie Beresford

Jamie Beresford is the CEO and Founder of Practice Protect, which is a company that focuses on protecting accounting firms’ reputations with tools, policies, and education to keep data safe without sacrificing convenience. Jamie has over 20 years in the IT industry working throughout Australia, UK and Asia. His expertise covers cyber security, customer privacy, global communications, process and connection speeds and helping accounting firms overcome the challenges associated with highly dispersed teams. Jamie founded Practice Protect in 2012 after he identified a need in the accounting profession for tighter and more efficient control over client data.

What began as a single sign-on password management tool developed into a full suite of components including compliance documents, training and certification to help accounting and bookkeeping firms control and manage their data. In addition to his responsibilities with Practice Protect, he founded the company Freshmethod in 2002 and has been a Managing Director at Ready Group Global since 2012.

What Is Practice Protect And How Does It Work?

Practice Protect is a combination of an app and other value components specifically designed for accountants that helps them stay safe from cybersecurity risks and threats. It started out as a single sign-on password management tool but has developed into a full suite of components over the years. Its functionalities include compliance documents, training and certification to help firms control and manage their data. It also helps maintain control of applications internally.

Today more than ever, people are working remotely, so the practice of a shared personal-work computer is becoming increasingly common, which is a challenge from a security perspective. However, in the case that you or your employees are using a shared personal-work computer, you simply log in to Practice Protect, access your work applications from within that platform, and when you’re finished working simply log out and “there’s not a trace left of any of your working environment” on that machine.

Understanding Cybersecurity

Cybersecurity is a sitting vulnerability in many firms today. Cybersecurity threats are wide ranging both in their approaches and in their consequences. The most common cybersecurity threats people know about are phishing scams and ransomware. No matter what type of cybersecurity threat you may face, they should be taken seriously. A cybersecurity attacker can use your data to impersonate you, attack other users’ devices, purchase things using your bank details, etc. So, how do you manage your cybersecurity? The first step is education.

Get everything you need to manage projects and meet deadlines.

Subscribe to our weekly newsletter, and get 32 free accounting workflow templates today!​​

sign me up!

“The first thing to understand is: Hackers don’t hack. They log in with stolen credentials.” The most common misconception people have about hacking is due to Hollywood depictions of what hacking is: a man in a hoodie hunched over a laptop in the park with an earpiece in his ear furiously typing strings of code on a black and green screen and then suddenly he states “I’m in.” In reality, hackers use much simpler methods to obtain the desired information. 

They start off by determining where the data is stored, usually the cloud, and what sort of security protocol is in place. Their main objective, however, is to determine how they can either guess or steal someone’s password and log in with a user’s own credentials. How do you prevent that from happening?

Don’t Daisy Chain

Nowadays, people have upwards of 10–20 passwords to keep track of, whether it’s for their social media accounts, email, online banking, dating profiles, you name it. Jamie says, “At the end of the day, people are going to do what’s easiest for them.” And what’s easiest for people trying to keep track of 10–20 passwords? Use the same password. It’s exceedingly common for people to use the same password—passwords if you’re lucky— for all of these things. This practice is called daisy chaining as it connects several devices together in a linear series. The issue is that this practice often extends into the workplace which provides them with more passwords to try and manage.

It all boils down to making access to work applications easy for your employees, for the people you want to access company data. Jamie says the solution to this is to use a firmwide access management tool. These tools aren’t uncommon or solely for business use either. Apple, Google, and many other companies provide password managers as functions, so providing a firmwide option for access management is key.

What Is Phishing?

Phishing is the practice of sending emails pretending to be a person or company in order to convince others to give out personal information, such as passwords, bank account information, or credit card numbers. The short-and-sweet of it is this: It’s a scam that tricks people into clicking links or typing out passwords somewhere which leads to access being stolen. Jamie says while cybersecurity systems are becoming more efficient and advanced that “the human is the weakest link in the whole equation.”

Most people are familiar with ransomware because of its immediate effects, but there are plenty of other types out there to be aware of—keylogging, for example. Keyloggers can be especially dangerous as they can be used to spy on your online activity and steal your cache of internet passwords. Jamie notes that if you use Firefox or Chrome, you can go in and see your passwords in plain text. The reason this is such a security risk in the workplace is if you have Google accounts logged in on several devices, it increases your risk of being hacked. Even if your workstation is locked up at work, your personal computer, phone, tablet, etc. could be hacked. This comes back to the issue of daisy chaining. If the hacker gains access to your personal log in data and sees a repeated password, they can pretty well surmise that you’ve probably used it at your workplace as well, which they can then use to log in to sensitive cloud systems as you.

Protect Your Emails

Jamie says that the devil’s in the email. Email is the number one target for hackers because through that they can access years of correspondence which enables a savvy hacker to more effectively impersonate you. Obviously, this is a major issue. One of the biggest problems with cloud email platforms—think Office365, Gmail, etc.— is their penchant for convenience. They don’t require multi-factor authentication or a two-step login process, though they have the functionality to implement them. 

They do this because they need to be perceived by their users as simplistic, easy-to-use tools, so these companies put the burden and responsibility of risk on the unknowing account holder. So it’s up to you to ensure your accounts are secure, especially in the workplace. Jamie says there are a series of features that should be mandatory in your work environment:

• Location control—Within Practice Protect, there is a setting that allows firms to restrict access to their systems to their home country. Firms can add more countries by request. This setting also has an “Office Only” option which allows firms to restrict access to a specific IP address’ source location. This setting is particularly useful when an employee is just starting or when they are on their way out of the company.
• Multi-factor authentication—Whether it’s an SMS message, a phone call, or a dedicated app, you need to have this in place in order to protect your emails.
• Web browser protection—Lastly, you simply need some kind of software protecting users as they access various work applications.

Conclusion

We covered a ton of great information in the podcast, so if you’re after more detailed information, be sure to check out the full episode! If you want to learn more about Jamie and Practice Protect, you can connect with him on LinkedIn or visit Practice Protect’s website. Also, be sure to check out Practice Protect’s Accounting Cybersecurity Guide!