Why Accounting Firms Need Cybersecurity Awareness Training & Testing

December 16th, 2020 | IT Security, Security Culture

We often find that the accounting and CPA firms we talk to have many IT security software and technology tools in place but neglect their most critical vulnerability: their people. Most of the time, these firms lack a regular and practical cybersecurity awareness training and testing program. Many companies mistake relying on an annual course or one-time training session to educate their staff about current threats and best practices. These efforts generally have a minimal impact and do not hold employees accountable for practicing cybersecurity awareness in their everyday jobs. As a result, they are more likely to be successfully targeted by social engineering and phishing attacks designed to take advantage of employees and contractors who hold the keys to your network and business data. Cybersecurity awareness training and testing have been proven to reduce risk and promote a culture of cybersecurity awareness when effectively implemented and maintained over time. According to the 2020 Phishing Industry Benchmarking Report, 37.9% of employees at companies without a security awareness program in place were susceptible to phishing attacks. After just one year of training and testing, this number was reduced to 4.7%. The reason these programs are so effective is that they are both timely and iterative. Employees are continually educated and tested to determine where additional training is needed to mitigate potential risks. Essentially, cybersecurity awareness training treats the core of the problem: employee awareness of and response to potential cybersecurity threats. Moreover, it consistently and overtime to ensure security remains top of mind throughout your organization. This post will cover what cybersecurity awareness training entails and how it helps protect you and improve your accounting firm’s data security by leveraging informed security awareness.

What is Cybersecurity Awareness Training & Why Does Your Firm Need It?

Cybersecurity awareness is founded on your employees’ attitude towards education and approach to information security across your firm. While you do need the right IT security software and tools in place, technology alone won’t protect your business from hackers looking for an easy way into your network.

Human Risk

The human factor is the most significant IT security risk facing organizations today. Cybersecurity awareness training for employees is the easiest and most effective way to transform this risk into your best defense against social engineering attacks like phishing emails and calls that can cripple your business. However, social engineering attacks are evolving to become increasingly targeted and are becoming harder and harder to identify. As a result, one-time training programs have become less effective as they take an outdated approach to IT security awareness.

Cyberthreats Are Continuously Evolving

Hackers use phishing and spear-phishing tactics to disguise malicious links and requests under the guise of legitimate business communications via email and phone calls. The goal is to trick your employees into divulging company data or granting internal access to your network and valuable financial and business data. Once they’re inside, attackers can go undetected for months, additional mining information they can use to exploit your employees for financial gain. This is why your cybersecurity awareness training program should cover both IT risk prevention and incident response by successfully empowering your staff to do all of the following:

  1. Recognize a social engineering attack
  2. Stay compliant with your firm’s IT security policies
  3. React to an IT security incident by following the procedures established by your firm

All three capabilities are crucial to building and maintaining a culture of cybersecurity awareness that successfully mitigates an IT security incident and minimizes the cost of a breach when an attack does occur.

The Cost of a Cybersecurity Incident

When a successful cyber attack does occur, direct costs such as wire fraud, ransomware, and repairs are only the tip of the iceberg. Indirect costs are often overlooked and can include:

  • Loss of intellectual property
  • Loss of business
  • Fines
  • Detection and notification
  • Legal fees and settlements
  • Damage to your firm’s reputation
  • And more

While the cost of a successful cyberattack varies depending on the company’s response and legal ramifications, the mean cost of a breach is $369,000. Thus, cybersecurity awareness programs are a relatively cheap and easy way to mitigate cyber risks and their associated costs while keeping tabs on your human vulnerabilities. Your employees should have the IT security education to identify suspicious emails or internal requests and take the proper steps to stop hackers in their tracks. For example, if they receive a fraudulent email dressed as a client request to wire funds, employees should know that your firm’s protocol requires a phone call to the client to confirm the request’s legitimacy. Likewise, if they receive a suspicious email from a coworker urging that they review a linked client file, employees should know how to check for a malicious link before clicking anything in the message. These are two simple but common scenarios that can lead to costly outcomes if the wrong decision is made. By now, you should know that building a culture of cybersecurity awareness takes more than a one-time training course. We execute regular phishing simulations and targeted training content for the accounting firms we work with to help them protect their sensitive data and reputation. Check out our next blog, where we will outline what it takes to build a culture of cybersecurity awareness and what an effective security training program looks like, “Cybersecurity Awareness Training for Accounting Firms.” If you would like to learn more about our cybersecurity awareness training and testing approach, our IT security team can help.