Playing Defense in the World of Cybersecurity
Amidst the increasing presence of cybersecurity threats and bad actors, it’s hard to keep up with the many ways in which business owners should protect themselves and their businesses. Each time we think we’ve taken the right steps to protect our business, we learn of a new threat or way around the measures we’ve taken. Then we spend more money on more tools in order to stay ahead of the game, and the cycle continues.
The unfortunate reality is that the cycle will never end. The game will continue. We put protections in place, and the bad guys look for ways to circumvent them.
Cybersecurity is an Ongoing Commitment
So, what can we do about it? The first step is acknowledging that we are just playing defense: There’s no eliminating cybersecurity threats. We just try to mitigate the risk as best we can.
Take the mindset that shoring up your cybersecurity defenses is an ongoing task, and remember there is no silver bullet, and no one single person who can make your organization secure. While your IT professional can make recommendations, it takes a commitment from your organization’s leadership team, along with buy-in from all employees, to help keep the company safe.
Once you’ve achieved company buy-in, you can start making strategic and tactical plans. All businesses should carry cybersecurity insurance (available to COCPA members through its partnership with Camico) to protect themselves and their client data. Be aware that the path to securing insurance isn’t easy; insurance providers are now asking that next-level security measures be put in place.
The good news is that these insurance applications double as a checklist that CPA firms can use to put the right measures in place, become insurable, and lay the foundation for a written information security plan (WISP).
Create a Roadmap to Guide Your Path
To get started, create a technology and security roadmap that aligns with the goals of the business. This defines your organization's plan for structuring and securing your technology as you take your business forward, and includes:
- Standardizing all company owned computers on the same model hardware
- Encrypting all laptops with Microsoft BitLocker
- If using contractors with their own computers, requiring them to log in via a Windows Virtual Desktop that is part of your infrastructure
- Enabling multi-factor authentication (MFA) for everything possible
- Using a next-gen cloud managed firewall, a managed detection and response tool (MDR), and a privileged access management system (PAM) to manage endpoint administrator rights requests
- Conducting regular email phishing tests and providing regular cybersecurity training to employees
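The roadmap items above are only useful if they can be verified. As an added example that is not part of the article or the author's firm's tooling, the PowerShell script below audits the "encrypt all laptops with BitLocker" item on a Windows endpoint. It assumes the built-in BitLocker PowerShell module (Windows 8.1 / Server 2012 R2 and later) and an elevated session; the compliance rule it applies (fully encrypted, protection on, recovery password escrowed) is my own definition, not one stated on the page.

```powershell
# Added example (not from the article): verify, rather than assume, that a
# Windows endpoint meets the "encrypt all laptops with BitLocker" roadmap item.
# Assumes the built-in BitLocker module and an elevated session.
#Requires -RunAsAdministrator

function Get-BitLockerCompliance {
    [CmdletBinding()]
    param()

    # Only fixed drives matter for the laptop roadmap item; removable media are
    # excluded by cross-referencing drive letters with Get-Volume.
    $fixedLetters = [string[]](Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }).DriveLetter

    Get-BitLockerVolume |
        Where-Object { $_.MountPoint.TrimEnd(':') -in $fixedLetters } |
        ForEach-Object {
            $vol = $_
            # A volume counts as compliant only when it is fully encrypted AND
            # protection is on. An encrypted volume whose protectors are
            # suspended (ProtectionStatus = Off) is readable without a key, so
            # it must not pass. A recovery password is required so the firm can
            # recover data when a TPM fails or a user forgets a PIN.
            $fullyEncrypted = $vol.VolumeStatus -eq 'FullyEncrypted'
            $protectionOn   = $vol.ProtectionStatus -eq 'On'
            $hasRecovery    = @($vol.KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0

            [pscustomobject]@{
                ComputerName        = $env:COMPUTERNAME
                MountPoint          = $vol.MountPoint
                VolumeType          = $vol.VolumeType
                VolumeStatus        = $vol.VolumeStatus
                EncryptionPercent   = $vol.EncryptionPercentage
                ProtectionStatus    = $vol.ProtectionStatus
                EncryptionMethod    = $vol.EncryptionMethod
                HasRecoveryPassword = $hasRecovery
                Compliant           = ($fullyEncrypted -and $protectionOn -and $hasRecovery)
            }
        }
}

# Usage: run on each machine (for example through your RMM tool) and keep the
# CSV as evidence for the insurance questionnaire or the WISP. The output
# path below is an assumption; adjust it to your environment.
$report = Get-BitLockerCompliance
$report | Format-Table -AutoSize
$csvPath = Join-Path $env:ProgramData "bitlocker-compliance-$(Get-Date -Format yyyyMMdd).csv"
$report | Export-Csv -Path $csvPath -NoTypeInformation

# Non-zero exit lets a scheduled task or RMM policy flag the machine.
if (@($report | Where-Object { -not $_.Compliant }).Count -gt 0) {
    Write-Warning "One or more fixed volumes are not fully protected by BitLocker."
    exit 1
}
```

The check deliberately treats "encrypted but protection suspended" as non-compliant, because that state is common after firmware updates and leaves the drive readable without a key until protection is resumed (`Resume-BitLocker`).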
While many other recommendations are also worthwhile, this is a good start. You can perform all of this work yourself on your organization’s behalf, but if the idea fills you with dread, consider working with a managed IT services company that takes security seriously.
It is not a matter of if but when you will have a security incident. When it does happen, you’ll be able to demonstrate the reasonable measures you've put in place to reduce risk.
Vince Tinnirello is the director of business development for Anchor Network Solutions, a Denver-based managed IT service provider with 22 years of experience assisting clients with their technology needs. Reach him at vince@anchornetworksolutions.com.
Anchor is part of the COCPA Members Savings Program and offers specially negotiated rates to Society members.