
10 BEST PRACTICES TO ENHANCE CYBER SECURITY FOR ACCOUNTING FIRMS

A cybercrime is an intended illegal act involving the use of computers or other technologies.

www.entigrity.com
INTRODUCTION

ENTIGRITY is an ISO 27001:2013 certified organization, with policies and a framework embedded in its culture and practice for effectively identifying and managing security and information risks, so that it can fulfil its commercial, contractual, and legal obligations. ISO 27001 is the leading standard for an Information Security Management System, defining a suite of activities for managing information security risks. We take complete care and all the necessary steps to prevent data security risks. Hence, so far we have not been subject to any security breach.

2017 ACHIEVEMENTS

500+ accounting firms served
96% client retention
100+ online reviews & testimonials
0 security breaches

CYBER SECURITY LANDSCAPE IN THE ACCOUNTING INDUSTRY

Today we all live in a networked world, so network protection is not an optional implementation but a prime necessity for small and mid-sized accounting firms that deal with sensitive client data. It should be seamless and thorough, regardless of business or organizational standing. We have our own set of measures, in terms of practices and policies, which we have listed here; they are essential to having the right level of preparation for optimized security, damage control, and recovery from the consequences of any possible cyber breach incident.

IMPORTANCE OF CYBER SECURITY FOR SMALL AND MID-SIZED ACCOUNTING FIRMS

Cyber security is among the top issues currently on the minds of management and boards in just about every company, large and small, public and private, including small and mid-sized accounting firms. It becomes especially challenging because, while dealing with clients' sensitive data, there is no scope for taking things leniently.

Cyber-attacks may expose these firms to regulatory actions, negligence claims, inability to meet contractual obligations, and a damaging loss of trust among clients and every stakeholder. Consequently, they may bring commercial losses, public relations issues, and disruption of operations.

As we know, even a small breach can lead to insurmountable disasters. Therefore, it is always better to have certain measures in place at the organizational level, so that both precedented and unprecedented threats can never surface.

"During tax season, any downtime or rupture of customer data could substantially affect your accounting practice. Proactively taking measures to forestall cybercrimes is a business need."

It is no revelation that accountants and accounting firms hold delicate data about their clients, from Social Security numbers to addresses. Hackers are continually trying to get their hands on such critical, private information. That is a challenge for them, but it can be alarmingly simple if firms don't have appropriate cyber-security measures implemented at the core level. This is the reason accountants need to be more motivated than ever, and cautious about protecting their client data like never before.

As the owner of a small accounting, bookkeeping, or finance firm, you've probably faced questions about your cyber security, and whether your firm might get hacked in the same way that larger financial institutions have been. The short answer is yes!

THE CHALLENGE FOR CPAS & ACCOUNTING FIRMS

Cybercriminals usually target small and medium-sized accounting firms on the grounds that these organizations tend to give relatively less emphasis to data security, controls, and risk evaluations; they are therefore more vulnerable than bigger firms. In many cases, firms don't have enough staff in the IT function, and not all staff have the expertise to spot these issues, which can prompt further risks. Chief accounting officers (CAOs), chief financial officers (CFOs), treasurers and controllers are especially at risk since they are both easily identifiable on the web and most likely to conduct online banking transactions for their practices. Any savvy cybercriminal also knows the steps for hijacking access to accounts, as well as the security features associated with online banking.

WHY ACCOUNTING FIRMS ARE AT HIGH RISK FOR CYBER ATTACKS

They Hold Massive Amounts of Private Data

Cyber attackers understand that accounting firms hold in-depth, privileged information from high-net-worth clients and organizations. In addition to tax documents, Social Security numbers, and direct-deposit data, accountants may also serve as sources for years of private data. In fact, some accounting firms hold virtually complete individual accounts of their customers, transforming these practices into important targets. Recent increases in fraudulent tax returns suggest that this sort of theft may become more prevalent. Since numerous accounting firms have legal obligations to inform clients of breaches that affect their personal data, accountants must make every attempt to stay aware of the state of their firm's security.

They Hold Valuable Corporate Information

"Small and mid-sized accounting firms are easy targets for hackers and eavesdroppers to breach sensitive client data and misuse it."

While numerous public accounting firms deal exclusively with tax documents and related personal and business documents, other practices handle high-stakes corporate matters. Accounting firms that frequently deal with mergers, acquisitions, and corporate restructuring hold data that might be of considerably greater interest to cybercriminals.

As the Financial Times reports, in late 2016 three traders were accused of using hacked data to commit securities fraud. Though in that case the hackers took data from major American law firms, an equivalent security breach inside an accounting firm could deliver comparable outcomes.

Small Firms Tend to Have Insufficient Security

While one may expect that major accounting firms, having more prominent resources, face the greatest risk of cyber-attacks, small and mid-sized firms are in fact more vulnerable to these cyber threats. Indeed, some criminals particularly target small accounting firms because they have implemented much weaker security systems than necessary. Some hackers use strong, sustained attacks on small, poorly secured firms until they breach the company's limited protections. Once they get access to an organization's system, cybercriminals can typically steal virtually any type of document, from financial records to emails.

Small Accounting Firms May Not Recover From Hacks

"Some of the more obvious results of information security failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance."

For small accounting practices, recovery may prove fairly hard to achieve, if not impossible. Clients pay accountants for their skills, but they likewise expect trust and discretion. Once a firm has demonstrated that it can't provide satisfactory information security or guarantee customers' protection, the organization may never be able to return to its earlier level of business.

TOP 10 THINGS ACCOUNTING FIRMS CAN DO TO PREVENT CYBER THREATS

UPDATE THE OPERATING SYSTEM

Whether you run Microsoft Windows or Apple Mac OS X, the operating system requires frequent, or rather continuous, updates for strengthened security. System updates are especially significant for server operating systems, where all patches and updates need to be reviewed and applied on a recurring schedule. Regular OS updates also upgrade the firewalls and anti-spyware on your workstations and provide more trusted protection against threats.

EMAIL SECURITY

Many accounting firms rely on email to communicate with clients, even to send tax documents or personal data. As email hacks have become increasingly common, it is more necessary than ever to secure professional email accounts, especially when transmitting important documents. This has also raised the requirements for efficient encryption software, which is hard to decrypt for an untrusted third party.

"To competently perform a remedial security service, two critical incident response elements are necessary: information and organization."

More than 90% of cyber-attacks begin with a phishing email. A vast majority of people open an email from an unknown individual's name without checking or verifying the actual sender's email address. Having your email shielded from unauthorized access is of prime importance. One approach is to turn on two-step (two-factor) authentication; major email services such as Gmail, Microsoft Office, and Yahoo offer such stringent security features.

ANTIVIRUS UPDATES

Accounting firms need to ensure that anti-malware applications are set to check for updates frequently, and to scan devices on a set schedule in an automated fashion, along with any media that is inserted into any user computing terminal. In bigger firms, workstations should be configured to report the status of their antivirus updates to a central server, which can push out updates automatically when they are released.

INTERNET SECURITY

"It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it."

Drive-by browser downloads are another leading method of cyber-attack. Internet searches can lead you to compromised websites, which infect your network with viruses and malware. To prevent this type of attack, install all the latest security patches on your computers and servers. Install a hardware firewall router with gateway antivirus, gateway anti-malware, and an intrusion protection system to stop the virus before it gets into your private network. Routers provided by your Internet Service Provider do not have this type of security. While these might be adequate for your home, they are not designed for installation and use in any business organization.

ENCRYPT BACKUP DATA

Firms should encrypt any backup media that leaves the workplace, and also validate that the backup is complete and usable. Firms should frequently review backup logs for completion, and restore files at random to ensure they will actually work when required. Hiring an IT specialist is advisable to set up your firm's network and ensure your data is encrypted and secured. As an accountant, your responsibility is to ensure that data is secure while it is in your custody. Moreover, a backup is a definite must for any business.
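The completeness and random-restore check recommended above, as an added example that is not part of the original brochure: Python that archives a folder, records a SHA-256 manifest, then restores a random sample of files and verifies each one against the manifest. Encrypting the archive before it leaves the office is assumed to be done by a separate tool and is not shown; the sample files are constructed in a temporary directory.

```python
"""Backup completeness check plus a random restore test.
Sample files are constructed in a temporary directory; standard library only.
Encrypting the archive before it leaves the office is assumed to be done by
a separate tool and is not shown here."""
import hashlib
import json
import random
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source; return {relative path: sha256}.
    The manifest is also written beside the archive so a later audit can
    compare it against the backup log."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=1))
    return manifest


def restore_test(archive: Path, manifest: dict, sample: int, seed=None) -> dict:
    """Restore `sample` randomly chosen files into a scratch directory and
    verify each against the manifest. A file missing from the archive or
    with a different hash counts as failed."""
    rng = random.Random(seed)
    names = rng.sample(sorted(manifest), min(sample, len(manifest)))
    failed = []
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(str(archive)) as tar:
        members = {m.name: m for m in tar.getmembers()}
        for name in names:
            member = members.get(name)
            if member is None:
                failed.append(name)
                continue
            target = Path(scratch, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src:
                target.write_bytes(src.read())
            if sha256_file(target) != manifest[name]:
                failed.append(name)
    return {"checked": len(names), "ok": len(names) - len(failed), "failed": failed}


def demo(corrupt: bool = False) -> dict:
    """Constructed run: back up three sample files, then restore-test them.
    With corrupt=True the manifest entry for one file is altered, which is
    what a damaged or silently changed backup looks like to the check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "clients")
        (src / "2017").mkdir(parents=True)
        (src / "2017" / "return.pdf").write_bytes(b"%PDF-sample\n" * 100)
        (src / "ledger.csv").write_text("acct,amount\n1001,42.00\n")
        (src / "notes.txt").write_text("constructed sample\n")
        archive = Path(tmp, "backup.tar.gz")
        manifest = make_backup(src, archive)
        if corrupt:
            manifest["ledger.csv"] = "0" * 64
        return restore_test(archive, manifest, sample=3, seed=7)


if __name__ == "__main__":
    print(demo(), demo(corrupt=True))
```

In a real firm the `sample` argument would be a handful of files out of thousands, run after every backup job, with the returned dictionary appended to the backup log that the text says should be reviewed.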

EDUCATE EMPLOYEES

"Ransomware is unique among cybercrimes because, in order for the attack to be successful, it requires the victim to become a willing accomplice to the crime!"

Security education is a must, like professional accounting CPE, and should be required once a year. In addition to reviewing the firm's own policies, employees should be regularly instructed on current cyber security attack techniques such as phishing and pharming, dangerous threats including ransomware, and the social engineering used by hackers to gain access to a user's PC. Note: NEVER share your login, password, or confidential information over the phone with people you don't know. Firms should review IT/computer usage policies, and provide reminder training to employees at least once a year on all new and updated policies.

WIRELESS SECURITY

Secured remote/wireless access into your network should be planned, tested, and then implemented. Obviously, deploy a strong password policy, and set up a separate guest network for visitors to your office who need internet access via your wireless network. This prevents any guest user from accessing the systems and resources on your internal network, which is particularly important in case one of the workstations or gadgets used by a visitor is infected.

MOVE YOUR DATA TO THE CLOUD

"Fix the basics, protect first what matters for your business, and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation."

Transporting data using a USB drive is not secure. Data stored in the cloud has greater protection than data that is stored on company servers. The move to such cloud services can change business habits in ways that help ensure a much more secure accounting firm. For example, if all company data is stored in the cloud, there is less need for workers to email attachments to one another. When team members become less reliant on email, it helps minimize the risk of falling victim to phishing emails. Cloud accounting can also make your business more efficient: it lets you provide basic accounting services more easily and cost-effectively.

If you haven't moved your accounting practice to the cloud, you most likely believe it is a complicated thing to do. But it's not that hard to migrate your practice to the cloud, and it will improve your efficiency, save money and make your clients feel safer than they feel now!

TEST SECURITY MEASURES

Hire security specialists for proper configuration when implementing firewalls and security-related features such as remote access and wireless routers. Chances are, your internal IT people have not been exposed to ideal security training, or have little experience with setting up a new device. External resources can likewise be called upon to do penetration testing to recognize and lock down any system vulnerabilities.

BYOD POLICIES

"Cyber-threat is mainly the reflection of our weaknesses. An accurate vision of digital and behavioral gaps is crucial for consistent cyber-resilience."

The bring your own device (BYOD) trend has grown rapidly in offices throughout the nation. Since many accountants do access company and client data on their personal devices, it is essential for accounting firms to have cyber-security policies for such individual devices. Some accounting firms have decided to completely prohibit the use of personal gadgets for organization matters, while others have imposed limitations on the data that can be accessed on them. Furthermore, such devices can be easily targeted or exposed to cyber-attacks by hackers seeking confidential client data. Thus, it is in the best interest of accounting firms not to allow BYOD, so that the data never leaves the office.

REMOTE WORKING AND CYBER SECURITY

Large accounting firms deploy resources for the management of threats related to cyber security. They are well equipped with infrastructure as well as manpower to keep such threats at bay. But small and mid-sized accounting firms may not enjoy similar privileges, and could be relatively more vulnerable to cyber threats.

"Exhaustive prevention is an illusion. We can't secure misconfiguration, shadow IT, third parties, human error, former employees... Focus on what matters more, and be ready to react."

Recently, a huge number of accounting firms have turned to remote staffing, and have hired remote staff to work for them. This makes their worries about client data even more acute, as they won't be able to monitor all of the setup personally. In this case, the role of the remote staffing agency becomes all the more important. Since the staff is working from their remote offices, those offices need to be secured in terms of both policies and practices. Entigrity Remote Staffing is one such company, which has stringent measures for quality control and data security, clearly defined and implemented with periodic scrutiny of all security systems.

FOUR Cs: ENTIGRITY's 4 PILLARS OF DATA SECURITY AND CONFIDENTIALITY

"The 4 pillars of Entigrity's data security and confidentiality are FOUR Cs: CERTIFICATION, COMPLIANCE, COMMITMENT & CREDIBILITY."

CERTIFICATION

Entigrity is an ISO 27001 certified organization, which ensures we take all the necessary measures for securing all confidential data. We emphasize providing 100% safety to all client data that is disclosed to us as part of a work assignment.

COMPLIANCE

Our practices are in compliance with the measures and practices that help us do away with cyber threats. Let's have a look at each of them.

BEING PAPERLESS

Entigrity is a completely paperless office. This means that no pen, paper, printer, or any stationery is allowed inside the office, particularly in the work areas. Also, we follow a clean desk policy where every employee is required to keep a minimum of articles on the desk. It is not possible to take a note of anything or print any information, or even carry it outside the office!

CONTROLLED INTERNET ACCESS

Every computer at Entigrity's office is access-controlled. Firstly, only those software applications are installed which are trusted and required by the process, keeping the computers free from malware or other viruses. Secondly, social networking websites, ecommerce websites, and other such irrelevant platforms are banned and blocked. Only if a client requires the employee to have such access do we permit it, on a need-to-know basis, and it is supervised by the manager continuously. An added benefit of having controlled internet is that no harmful or suspicious content or software can be downloaded.

NO PERSONAL EMAILS

Entigrity's policies do not allow its employees to use personal emails. Such email sites are also blocked from being accessible on their computers. The only emails they can access are the ones provided on the company domain, all of which are monitored by the dedicated IT Admin team. Therefore, no unwanted data can be transferred, even electronically.

DISABLED USB

Any desktop computer's USB ports are the most convenient means of data transfer, and are also a medium for bringing harmful files, viruses, Trojans, malware and ransomware onto a computer. Hence, we have all the USB ports disabled on all the installed computers. Even if someone tries to connect a portable memory device to our computers, it simply won't be accessible, as the system cannot identify any such USB storage device plugged into the USB ports! Thus the systems are protected from offline cyber threats as well.

"Digital services increasingly rely on external factors. Security must broaden its scope, and imagine how to ensure a 'known and consistent' risk level with in-house and outsourced means."

PROHIBITED MOBILES

All the work areas are "no mobile phone" zones. No employees are allowed to carry their mobile devices into the work areas. The mobile phones are deposited in secured lockers outside the work areas, and can be used only outside the office premises. Clients can communicate with their remote staff over secured VoIP lines if and when they need to make a call. All communication is secure, and is again monitored on a regular basis by the IT Admin team.

KEY CARD ACCESS

All the work areas in Entigrity's office are electronically locked, and need access cards to unlock. Only those employees whose workstation is in a work area are allowed to enter it; every other access is prohibited. At times, access is granted to subject experts upon permission from supervisors or managers, but that is limited to a certain time, when the need arises or when required by clients. These activities are monitored by the Admin with the help of internal electronic surveillance.

24X7 SURVEILLANCE

The whole premises of Entigrity are under 24X7 CCTV surveillance, both the exterior and the interiors. Every work area has at least 2 security cameras installed so that we can keep an eye on every activity taking place at the office. The Admin team tirelessly keeps monitoring daily activities to keep any unwanted activity from taking place, and to maintain the integrity of the cyber security intact.

"If you want to build security, avoid straining people to respect complex security tasks, but rather teach them to be vigilant and how to long for convenient and safe solutions."

SECURED SERVERS

Entigrity has consistent 99% uptime and secure servers to keep the data safe and backed up at all times. They are encrypted so that eavesdropping attempts fail miserably. They are accessible to employees only on a need-to-know basis.

COMMITMENT

Entigrity believes in providing transparency about the claims we put forth to our clients. While working for CPAs and accounting firms, protecting their data is as important as protecting our own. Hence, we sign a Non-Disclosure Agreement with every client. This binds us ethically, professionally, and legally to protect the confidentiality of the data that is being shared with us.

We would be very happy to give our clients a visit to our office to inspect the infrastructure personally. If travelling so far is not viable, we could arrange for a virtual/video tour, so as to see the operations and security arrangements online. The agreement which binds us to protecting the data is explicitly applicable to all our employees as well.

"As cybercrime is a step ahead of the regular IT security market, each business should implement innovative counter-measures, and this approach has to leverage the start-ups' offer."

Every recruited staff member goes through a rigorous background check, and signs a non-disclosure agreement for the information he or she accesses on the premises, according to work requirements. All our policies and practices undergo regular updates and evolutions, and we maintain a very high level of security commitment. Clients have visited our office before and seen the arrangements themselves to their satisfaction. We can also proudly say that we have never had any cyber security breach in all these years of our business.

CREDIBILITY

After having worked with hundreds of clients from across the nation, we have a tremendous record of ZERO security breaches into the confidential data of clients. We take pride in sharing numerous client success stories, testimonials and reviews from our clients, which are, consequently, our stories of outstanding achievements in data security and quality of service. Several clients have taken the time to visit our operations centre in India, and have found the offices to be very stringently safeguarding critical, sensitive client data and information. We have often heard from our clients that our office is more secure than their own!

"Security must shift from supply chain to value chain. Shape a customer-centric security approach, and look beyond your own production means to see the true picture of cyber-risks."

CONCLUSION

All professionals owe a duty to their clients, managers, and other employees to address digital security. Being aware of breaches at other companies is not enough, nor is crisis-mode response to security problems at your own organization. Active contribution is key to addressing the risks of illegal cyber activities: understand your data and focus efforts on the most critical information, implement encryption, become compliant with cybersecurity regulations, educate employees about mobile devices, and devise a basic set of desktop security policies. These steps are a good first start, but they do not completely cover the gamut of standards and protocols seen in a high-security Cyber Security Risk Management System.

"Much of America's most sensitive data is stored on computers. We are losing data, money, and ideas through cyber intrusions. This threatens innovation and, as citizens, we are also increasingly vulnerable to losing our personal information."

Accounting firms whose teams also work from remote locations need to select their vendors after due research, and with assurance that the data shared will be as secure as their clients would want. Hence, Entigrity can proudly boast of the fact that there have been no security breaches at our office to date.

Watch the webinar: CYBER SECURITY FOR ACCOUNTING FIRMS, by MIKE GOOSSEN, CPA

+1-646-827-4348 www.entigrity.com info@entigrity.com
