Data breaches, cyber attacks, business email compromise and other Web-related hacks are all the rage these days. Cybersecurity has become a serious issue across the world for law firms, accounting firms and other types of professional services firms. The reason is simple: Internet hackers and cyber criminals understand that these firms process large volumes of valuable confidential information for their clients. Cyber criminals also understand that the employees in these professional services firms are the weak links when it comes to protecting the firms’ private and closely guarded information because they are usually oblivious to the dangers inherent in clicking malicious links in their business emails, or opening unprotected websites using their web browsers.
Because of the need to protect professional services firms from the incidence of cyber attacks, it becomes imperative for them to draft and execute comprehensive cybersecurity guidelines to be implemented across the entire organization for every employee with user access to the firm’s networks.
Cyber threats and risk factors that affect cybersecurity
Employees are usually considered as the weakest cybersecurity link in an organization. Employees are the ones that open emails from unknown senders and click at malicious links enclosed in the emails. They are the ones that open attachments which can potentially infect their work computers with viruses, and by extension, the entire work network. They carry around work files and unencrypted devices. They log into public Wi-Fi networks when they are traveling for work and use those networks to log into their work accounts without knowing that someone out there is snooping around, waiting to grab valuable information.
Employees are usually exposed to cyber risks and threats which many do not know exist. In many cases they are not educated on these risk factors that can affect the entire organization at enterprise level. C-suite executives and financial controllers are also weak links, because a lot of business email compromise scams are targeted at them, and they are usually unaware of the harm they have inadvertently done to the organization until month down the line when audits are conducted and false financial trails detected.
Defining a Cybersecurity Policy
A cybersecurity policy is an extensive document prepared and distributed to employees detailing how employees, line managers, partners, external consultants and freelance contractors, and other users with access to a firm’s information can protect the data in their care, send files safely, and generally practice good computer usage while working online or with Internet-accessible computers.
The cybersecurity policy usually defines what confidential information is for the purpose of protection, common cyber threats the firm face or could face due to vulnerabilities in their computer systems. The following are common threats firms face: malware, trojan horses, ransomware, spear/phishing attacks, business email compromise, hacking of the firm’s website and other digital assets, digital identity theft, loss of data and files. . .
In defining a cybersecurity policy for the firm, there is usually a section included for software updates, use of business-grade anti-virus systems, data encryption of files, protection of personal and firm-issued devices, use of public Wi-Fi networks while working on-site at the client’s offices or while working and traveling. It is always advisable to include a password protection policy, two-factor authentication for Accounts payable, email policy, social media usage policy, internet usage policy and digital signature policy.
In many cases firms are usually at a loss on how to draft and execute comprehensive cybersecurity protection guidelines; there are several online templates that can help with providing guidance to the firm. However, these should be adapted specifically to the firm’s needs and copied as is.
The length of the cybersecurity policy
Those working in big industries and larger firms with several employees working for them may have more comprehensive cybersecurity guidelines usually several pages long in fine print which the employees are expected to memorize and utilize at all times while doing their work. Those in smaller professional services firms usually have smaller policies.
Sadly, many firms do not have cybersecurity guidelines and policies in spite of the fact that they process and maintain large volumes of confidential data for their clients. In this data are a goldmine of information waiting to be harnessed and used for criminal purposes if they fall into the wrong hands. Because of this, the importance of a cybersecurity policy for a professional service firm and businesses in general cannot be over-emphasized.
It is equally important that there is room for updates to the cybersecurity policy. In the event of an industry-wide cyber attack, it is always advisable to study the risk event, then update the policy document to ensure that the associated risk is dealt with. For instance, where the business email of a chief financial officer of an accounting firm is compromised and large sums of money ordered to be transferred out by Accounts in a business email compromise (BEC) scam, other accounting firms should study the incident, try to understand from where and how the loophole occurred that granted access to the business email of the firm’s chief financial officer, then update their policies accordingly.
It is extremely important that for whoever prepares the cybersecurity policy, the primary areas that is important to your firm should be captured adequately. Further, you have to ensure that it is easy to understand by all members of staffs. Individual terms should be explained where necessary so that no one is at a loss as to the meaning of anything within the policy.
Who should draft the cybersecurity policy for your firm?
Drafting such a policy goes beyond just one department because they are firm-wide in implementation and operation.
For firms that have a strong, working IT department, the extensive cybersecurity documentation is usually done by the head of IT. In other cases, c-suite executives, senior data analysts and managers contribute to the policy and even draft them.
What is important–no matter who is responsible for drafting the cybersecurity policy for a firm–is to cover all potential areas of data breaches and attacks and outline measures employees should take to properly safeguard the proprietary information of their firms.
What information should be capture by your firm’s cybersecurity policy?
There are standard information that should contained within the Policy, particularly general guidelines on how employees can safeguard the files and digital data in their possession in the course of their work. The policy can, more specifically, cover: internet use policy, social media use policy, devices protection policy, file encryption policy, two-factor authentication policy for financial transactions coming from the firm. For firms that use external consultants and independent contractors for their work, the policy should also detail guidelines for these set of contractors and remote workers in the course of their work.
Cybersecurity policy updates and audits
Technology changes with breathtaking speed. Cyber threats evolve and become bigger and more sophisticated as operators learn better hacks, employ stronger software. Vulnerabilities in computer systems keep evolving and cyber criminals keep up with these vulnerabilities; your firm should, too. The policy should be constantly audited and updated so as to maintain the latest and best security standards. IT personnel and other officers in charge of cybersecurity for your firm should keep up with global threats and attacks so they can quickly retrain other employees on better safeguards to employ.
Cybersecurity is a serious issue and should be treated as such. Professional service firms should never joke with any aspect of their Firm’s digital health.