All reports and statistics show the threat of cybercrime to small and mid-size businesses is growing. Accounting firms may be at the top of the hacker hit list because of the vast amount of Personally Identifiable Information (PII) they compile. If network and data security protocols are not up to date, firms leave themselves vulnerable to an attack that could be catastrophic to both them and their clients.
Think about all the PII data these firms have:
Names and Social Security numbers
Names of spouses and dependents
Employment information
Bank account information
In addition, if the firm deals with corporate clients, any hacker able to breach the system gains access to corporate financial data including information about any mergers, acquisitions, or restructuring.
So if an attack occurs, what happens after the information is stolen? There are several ways it can be used that are both damaging to the firm and the client.
Ransomware: In this type of attack, the criminal holds the information hostage until a “ransom” is paid for its release. The amount demanded can break a business; statistics show that many small and mid-sized businesses fold approximately six months after a cyber-attack.
Fraudulent tax returns: In the event of a data breach, criminals potentially have access to all tax information. Without strong cybersecurity protocols, it can be months before the attack is detected. The cyber criminals can see who has filed for any tax extensions, and then use the acquired information to file fraudulent tax returns and divert any refund money into their own pockets. By the time this is detected, it is too late.
ACH (Automated Clearing House) fraud: The ACH network is the central clearing facility for all Electronic Fund Transfer (EFT) transactions. Only two pieces of information are needed to complete this criminal transaction: the checking account number and the bank routing number.
In order to avoid any of the above scenarios, it is important to have a data security system in place that both provides early detection and protects the data if a system breach occurs.
Be sure all systems and security programs are up to date: This is the first line of defense. Since the threats are always changing, operating systems, applications, and security software need to be patched and updated as soon as updates are available.
Encrypt all data held in systems and in emails: When sensitive data is encrypted, it makes it more difficult for anyone who gains unauthorized access to use the information.
Educate staff: All employees should know how to recognize suspicious emails and activity as well as how to report them. They should be made aware of current cyber security attack methods as these constantly change. Provide IT policy training so you reduce the risk of human error.
Have an incident response plan: Define what constitutes a data breach or suspicious activity, and be sure employees know who should receive the report of such activity. Usually this is a member of the IT department, but other people in the company may need to be brought into the response plan as well, with their roles defined for communicating with employees and clients.
At Zinman & Company, the security of our clients’ information is of paramount importance to us. We have strict cyber security measures in place and stay up to date on current and emerging cyber security threats.