07 Sep September 2017
After a full slate of standing-room-only events at our Indianapolis Learning Center this summer, I’m ready for some R&R. I’m taking a couple of weeks’ vacation in Italy, but our members are still on my mind. As I wind my way through a maze of public wifi networks in airports, cafés and train stations, security is an ever-present concern. I know you’re facing fall tax deadlines now, but I want to be sure you stay vigilant and get your staff and your firm security-focused.
At the Learning Center this summer, we talked about both security and organizational culture. I’ve asked our IT Professional, Chris Dickens, to share the spotlight in this month’s column to draw those two timely topics together, and give you some direction on creating a culture of security in your firm. The remainder of the words in this issue’s column are his. In addition, we’re starting a new regular feature with Chris in ThoughtLeader—a monthly Security “Pro Tip.” Scroll down to find it.
I’ll be back in October preparing for our year-end conferences in Sarasota—if you haven’t yet, register now.
How to Create a Cybersecurity Culture, by Chris Dickens
As we all know, cyber criminals pose a serious threat to our businesses today. Criminals can accomplish everything from locking our data and demanding ransom, to gaining access to our systems and filing fraudulent tax returns and stealing our clients’ identities. It is everyone’s responsibility to protect the firm from a breach or targeted attack. Here are three initiatives you can work on to create a cybersecurity culture in your firm:
- Focus on the minimum basics of security: passwords, access and inventory.
- Passwords are the keys to the kingdom. Make sure your password policies prevent simple passwords that can be guessed or cracked by software.
- Access to sensitive information should be limited to those who need it. The more people who have access to information, the more at risk that data can be.
- Maintain an active inventory of authorized devices on your network, and who has access to them. This can help identify unauthorized devices or unauthorized access.
- Train staff to be security detectives.
- Educate staff on social engineering and email red flags. Social engineering is the action of a hacker to convince their victim to take an action that they should not take. Examples are clicking on a link in an email, opening an attachment, or providing login information to someone without verifying their identity.
- Implement Slack for real-time staff collaboration and information sharing. Slack is the fastest growing business communications platform in the market. It’s basically chat on steroids. Taking screenshots of suspicious emails and sharing them can prevent someone from clicking on something dangerous. Slack is the perfect tool for this.
- Implement callback and verification procedures to validate requests for sensitive information and transactions.
- Walk the talk.
- Lead the way by practicing good security practices. Staff will follow your lead.
- Be a champion of cybersecurity culture and reward it. If staff identify phishing attempts or suspicious behavior, give recognition and rewards.
- Plug into Rootworks Cybersecurity events. Rootworks has committed to providing you with ongoing awareness and training. Make it part of your firm’s planning.
A big focus for us this summer has been security, and we’re picking up that thread in this edition of ThoughtLeader. If you’ve attended your Partner Retreat at our Learning Center in Indianapolis or a variety of our virtual events, you’ve heard from us and our IT Professional, Chris Dickens, how important it is to evaluate your security frequently and have a strategy in place. In addition to what Chris is offering on security in this edition, here’s more to think about:
Did you know that at least five firms report data breaches to the IRS per day?! And those are just the ones discovered and reported! A significant portion of them are related to email—everything from ransomware, malware, a total break through their firewall, RDP or other ports.
So what are you doing to protect yourself? You have a firewall—that’s an easy answer—and, of course, you have a backup. But when’s the last time you tested your backup system? And I don’t mean just making sure it’s running—when’s the last time you REALLY tested your backup system? Do you know how easy (or difficult) it is to restore a file, a system or your entire business from those backups? Is the integrity of the data good? You should be testing things like this, at minimum, on a quarterly basis.
If you are in a hosted environment, your vendor should have backup processes in place, but how strong is your password? Are you using a password keeper or are your passwords stored in a browser? You need to think of security on your local machines as a way of preserving your hosted environment.
What will you do if you realize there’s a ransomware running on one of your staff computers? Don’t freeze, anticipate and plan for a tech failure. Designate a key staffer or two to consider what crises might occur. Ask them to think about how the business uses different tools and devices. Make a list of the hardware, software and services you use on a daily basis and ask: What would you do if your server went offline? If staff lost access to email? If you realize a computer was hacked and files are being held for ransom? How will you respond? What’s your plan B? Write your answers down and make sure to include vendor or individual contact information.
A solid plan will ensure that you won’t be paralyzed or lose valuable time and that all staff members are aware of potential issues.
Crack the Social Engineering Hack with the Callback
One of the primary ways cybercriminals steal information and money is simply by asking for it. Social engineering works like this: A cybercriminal creates a fake email that appears to come from one of your clients. The email asks your staff member to wire or charge a payment to a vendor—a dummy or hacked bank account he has set up to intercept the payment—and makes the request sound urgent. The staff employee processes the payment quickly to serve the immediate need of the client because we all want to provide great customer service, right? By the time anyone realizes that the request was fake, the money is gone.
The easiest way to combat social engineering is the callback. When requests come in, verify the request by calling an official callback number of the client to validate that request. You can also add a security “passphrase” that the client and your staff know to validate payment requests. If the supposed client asks you to call them at an alternate phone number, doesn’t know the passphrase or convinces you to work around these security procedures, these are all big red flags suggesting you should put the brakes on the transaction.
Understand the path your prospects take to becoming a client, and help them along the way.
“Hi. Um…we’ve never met before, but… wanna get married?”
Not a great pick-up line, is it? Love at first sight makes for great stories, but in reality, it almost never happens that way. A deep, long-lasting relationship is the result of a careful, meaningful process of getting to know one another and building trust.
And it’s the same when it comes to turning a prospect into a client. It’s a process that involves achieving these milestones with your prospects:
Which, generally, hopefully, involves these stages of activity with them:
It’s important to think about this process as a journey, because your prospective client will need unique content and messaging from you at each of the intermediate steps along the way. Here’s a look at how to be sure potential clients get the right information from you at the right time, to make the right choice:
- Awareness. This one is straightforward, because awareness is simply a matter of exposure. Every means of expressing your brand in the public view contributes to awareness, and, if the messaging is effective, people will also come away with basic knowledge on what you do. Mass media is often a logical choice because of its efficiency in reaching large numbers of people; however, if your goal is reaching a niche market, you’ll want to take a different strategy and look for media more tightly focused on that specific audience (i.e. trade publications, association newsletters, etc.).
- Learn/Compare. At this stage, prospects are trying to gain knowledge of competing firms and evaluate them to find the best fit. The content you provide for people at this stage needs to focus on anticipating questions and providing clear, easy-to-access answers. Your website is the cornerstone of content at this stage. Think about the way your services are presented—are they “productized” in a way that’s easy for prospective clients to understand and self-select? Consider developing an FAQ section for your website, and explore using your social media channels as a place for question-oriented content. For example, if you have a YouTube channel, you could create a series of short videos providing answers to Frequently Asked Questions.
- Purchase/Use. When you gain a new client, the content doesn’t stop—be sure to shape an outstanding experience and positive reinforcement for your clients with good content, starting with your website—make sure it provides a helpful, low-friction environment for collaboration and conducting business. Reach out proactively with a client newsletter, periodic reminders about filing deadlines and planning. Think about your role as an educator for your clients; offer helpful tips, and consider hosting instructional seminars for your clients and their staff. And remember to express appreciation for their trust and their business on a regular basis.
- Satisfaction/Advocacy. When you provide an excellent experience, your clients will start generating the most valuable content you can have—their advocacy in person-to-person communication, social media channels and referrals. There’s nothing more powerful than the testimony of a happy client who has become a raving fan.
As we always say, “your mileage may vary”—every firm has different business goals and marketing objectives. Examine yours, and draw out a map of the journey people make from simple awareness to becoming a client. Then focus on creating content to help them at each stage of the journey.
Next issue: “Why Content Matters”
Announcing a New Rootworks Vendor Member!
National Payment: Online ACH & Document Distribution Services
- NatPay is an alternative to Intercept, particularly for firms processing payroll in Accounting CS
- Less expensive than Intercept
- Better option than working with individual banks for direct deposit
- Tax payments do not require a five-day window (as they do with Intercept)
NatPay offers three ACH Packages:
Academy and Advantage Members
Register now for your Sarasota Conference!
Your year-end Conference in Sarasota is shaping up to be our best ever, with breakout tracks for partner and staff attendees and important, timely topics from cybersecurity to organizational culture and leadership to manage the ongoing process of change.
Don’t wait to register—get in now, before rooms become scarce. Reserve your seats here.