More Than Numbers
McGowen Hurst Clark Smith (MHCS) is one of the oldest and largest local CPA firms in Central Iowa, providing clients a depth of experience and resources in tax and accounting, auditing, and business advisory and consulting expertise.
Like all CPA firms, MHCS is entrusted with highly sensitive business and personal information. Clients share with them confidential business insight (e.g. merger and acquisition information), company finances (revenue and payroll), and employee information (personally identifiable information, or PII).
While attending a cybersecurity presentation, Mike Tullis, System Administrator at MHCS, began thinking about all the client information they hold and how securing it was a major responsibility.
During that moment, Tullis decided it was time for MHCS to test their network to identify any vulnerabilities leaving them open to attack. Before doing so, he needed to present his idea to the MHCS leadership team.
“At first, I thought who would ever want to attack a CPA firm in Iowa? But, after Mike [Tullis] explained our risk, I began to understand what a cyberattack could do to a company and wanted to make sure we and our clients were protected,” said Mike Brinker, CPA and Shareholder at MHCS.
Getting Started with Cybersecurity
MHCS began their security program the way many information security life cycles begin, with a realization of responsibility. They identified the need and decided it was time to gain visibility into the organization’s security risks.
To initiate their information security program, MHCS established a relationship with Pratum.
“We met with Pratum and it felt right, a company with national coverage and expertise, that still felt personable and in our backyard.” - Mike Brinker, CPA and Shareholder, MHCS
MHCS worked on their first project with Pratum in 2017: a penetration test to identify vulnerabilities in their external and internal infrastructure. “Overall, we were happy with the pen test results. While we thought there would be an increased amount of external threats, we were actually in really good shape,” said Tullis.
What MHCS did identify, however, was room for improvement with their internal infrastructure. Many companies think about breaches happening from the outside in but forget to check their internal network. To help fortify their network, MHCS elected to implement Multi-Factor Authentication (MFA), which enables them to verify users entering their system through multiple forms of authentication. Examples include passcodes, passwords, and biometrics.
Identity and Access Management (IAM) was also identified as an area for improvement for MHCS. IAM enables organizations to reduce risk by restricting each user’s access to only the resources they truly need. This improvement is in MHCS’s plans for future implementation.
Understanding the Bigger Picture
Upon identifying the necessary internal updates, the MHCS team recognized the need to move forward with a holistic information security approach. The next step in internal improvement was to get employee buy-in. They wanted employees to be on board with upcoming security implementations and to understand the big picture of cybersecurity and the role each employee plays. The team elected to introduce in-person cybersecurity education and training.
Bringing in an experienced security consultant provided the MHCS team the opportunity to hear real life examples and recommendations from someone working daily in information security. The MHCS team was not only trained by one of Pratum’s information security consultants, they were put to the test with customized email phishing campaigns and pretexting phone calls.
Security testing helps employees see firsthand how attackers attempt to deceive victims. Hackers are looking for any weakness in an organization, and often, the weakness is an employee. Testing helps prepare employees for real-life attacks and elevates cybersecurity to top-of-mind. For MHCS, this is especially important during busy times (tax season) when they communicate with clients using multiple platforms. As a result, MHCS runs regularly scheduled security testing campaigns to keep it a priority.
Planning for the Best, Prepared for the Worst
Even with all the security awareness and training, it is still important to be prepared for a security incident. Through its relationship with MHCS, Pratum helped identify the need to develop an Incident Response Plan to guide the organization through security incidents in times of high stress. When an incident occurs, the last thing you want is to scramble for answers.
As with any good plan, an Incident Response Plan evolves over time. To initiate this process, Pratum works closely with clients to explore the most important areas of their business. It starts with asking the right questions. Pratum helped MHCS think about the impact an incident could have on their organization and how to react to it. MHCS continues to review and update their plan regularly to ensure all risks are considered and addressed as their company continues to change and grow.
“My biggest concern is getting the call at 2 or 3 in the morning saying our system has been breached,” said Tullis. While this is still a concern within MHCS, they now have an action plan to address issues and know their team is ready to act when called.
Information security programs vary from company to company. MHCS understands its capacity and is taking a methodical approach to strengthening its security program over time. To avoid being overwhelmed with insurmountable security goals, MHCS is working with Pratum to execute one task at a time. As their business continues to grow, their security program continues to mature. With every new security layer, MHCS provides better protection for its business, employees, and clients.