QB Power Hour Podcast

So You've Missed the FTC Deadline....Now What?

July 18, 2023 Dan DeLong

Jon Melloy from Practice Protect joins us to discuss the 8 guidelines from the FTC Safeguards deadline and what they mean to accounting professionals.

QB Power Hour is a free, biweekly webinar series for accountants, ProAdvisors, CPAs, bookkeepers and QuickBooks consultants presented by Michelle Long, CPA, and Dan DeLong, who are very passionate about the industry, QuickBooks and apps that integrate with QuickBooks.

Watch or listen to all of the QB Power Hours at https://www.qbpowerhour.com/blog

Register for upcoming webinars at https://www.qbpowerhour.com/

Dan DeLong:

Welcome to another QB Power Hour. Today, we're going to be talking about, so you missed the FTC deadline. Now what? So we've got Jon Melloy from Practice Protect joining us here today. He's going to be talking us through, notice that Michelle is not here. She's actually in Ecuador and aggravated her foot. So she was going to try to join us from Ecuador. So this really would have been a worldwide QB Power Hour since Jon is actually based in Brisbane, Australia. And I'm here in the Pacific Northwest. So let's kick this off a little bit and go with some introductions and we'll go from there. As Michelle is our international speaker, co-host not joining us here today. But we're encroaching on 15,000 members in the Facebook group for the QB Power Users group. We invite you to join us there if you haven't already. My name is Dan DeLong, owner of Danwidth. Worked at Intuit for nearly 18 years. Co-hosting today as well as the Workshop Wednesdays over at schoolofbookkeeping.com. Just wrapping up another tech editing duties of the QBO for Dummies series. We hope to have the author joining us here, which was an interesting topic about how do you write books about technology that changes constantly, which is one of the interesting side notes of the writing, authoring books on tech. But Jon, go ahead and introduce yourself for the folks that may not know what and who Jon Melloy is and Practice Protect.

Jon Melloy:

Yeah, awesome. Great to be on. And yeah, thanks for, yeah. Thanks for having me on here, Dan. So yeah, for those of you who haven't met me before, I'm Jon Melloy and I'm the head of growth at Practice Protect. I've been working with Practice Protect for just over six years now. So I've been with the company for a long time and over that time I've worked with hundreds, probably getting into the thousands, definitely thousands of firms assessing their cyber security and putting in best-practice security to help them to reduce risk, manage compliance and meet all of their different obligations. Yeah, so Practice Protect, as you can see there, is the leading cyber security platform for accountants worldwide. We're working with just over 24,000 accountants and bookkeepers globally. And yeah, as Dan put there, so yeah, working with CPAs, bookkeeping and CAS firms. And really the reason why we exist is because, and I'll talk a bit more about this, but cybercrime is increasing. As I said, I've been with Practice Protect for six years now. And every year since I've been with the company has been a record year for cybercrime. Okay.

Dan DeLong:

That is a, not a great stat, but I guess that makes sense why you even exist, right?

Jon Melloy:

Yeah. And it's just, it's becoming more sophisticated and really it's because that's where the money is. It used to be that people would rob banks or, if you go further back in time, people would rob trains because that's where all the good stuff was. But now it's online and it's so much more lucrative. Hackers can hack into businesses without leaving the comfort of their homes. And that's really broken down a lot of barriers when it comes to crime, because it used to be, say if I was a criminal and I wanted to steal your wallet, I'd have to be in the same room as you. Whereas now, from the other side of the world, I could log in online and I can steal your online identity. And coupled with that, you've got more and more of our information is going online and we're definitely, we at Practice Protect are huge cloud advocates. Definitely that is the way in which firms should be working. And it is, if it's managed correctly, more secure, but that's the caveat. It's that it does need to be managed correctly. And that's why we exist, as data security, as more information is going online. How do you structure that in a secure way? How do you secure the new risks which we're seeing for the modern firm?

Dan DeLong:

Yeah, and that's something that I noticed when I was working at Intuit in the accountant space is that an accountant is a gatekeeper to a lot of sensitive data. So they, they are literally the new world train from a hacker's perspective of, oh, they've got lots of good information. If I can get into an accounting firm or accountant, I have inside information on social security numbers and all sorts of client data. So it definitely behooves accountants to be good stewards of that, right?

Jon Melloy:

Yeah. Oh, yeah, definitely. And that's it. And it's accountants, it's almost like a honey pot because hackers know that if they target an accountant, bookkeeper, CAS firm, they're not just getting potentially one business. They could potentially get the business to, sorry, potentially get the access to hundreds of businesses' information. Okay. So that's why we're seeing that accountants are disproportionately targeted by scams. And it's also interesting seeing how much more complex scams and cybercrime is becoming. It used to be, it used to be quite easy to spot a scam and I always feel nostalgic thinking about it in a way. So you used to get, you'd be surfing online and you get some emails pop up on your screen saying, sorry, you used to get some pop-ups saying that you'd won a free Motorola Razr, or you'd get an email from an overseas prince somewhere asking for a donation. But we all got quite desensitized to those. And now what's happened is it's become so much more personalized. Okay. And it's the same trend that we're seeing just across everything online. So there's so much different information and data points on us. And hackers are using this to craft the best personalized kind of scams possible. They know about our business. They know who we are. They know who we work with. They know who our clients are. And on top of that, there's all this different information that has been leaked by leaks about us on different data breaches online and hackers are using that to send the most targeted scams possible. So yeah. I guess that's the reason why we're existing, because this is becoming so much more complex and the cost of not acting is so high, with the cost of a breach being 80,000, 88,000, that it's far cheaper, far more effective to put in place the correct prevention to stop that from happening. Oh, Dan, I think you're on mute there. You

Dan DeLong:

are correct. Sorry about that. Let's talk a little bit about some of the housekeeping things for the QB Power Hour and then we'll dive into some of these guidelines and what accountants, bookkeeping professionals can do about it now that the deadline has passed. So the QB Power Hour is, of course, every other Tuesday at CPE. But check the website for upcoming events. We also have other events available there. There's an e-com as you are discussion over at Roundtable. So you can register for those things as well. But if you need PDFs of the slides, recordings of podcasts, we have qbpowerhour.com/resources for you. If you have specific questions about what Jon's talking about here today, please put those in the Q&A. Makes it far easier for us to follow up, especially if there is a follow-up necessary. But if you have general comments, concerns, things to just talk about amongst ourselves here, please put those in the chat comment. And then, of course, we have the slides there for the webinar archive and resources as well. Essential steps for accountants and bookkeepers with regards to these FTC safeguard rules. So let's talk a little bit about first these. Why these FTC safe, what are these safeguards and why was there this ominous June deadline?

Jon Melloy:

Yeah, also, I think it's important to talk about the why as well, Daniel, as you said, because it helps frame up why was it being implemented. And the reason why is because cybercrime is increasing. As I said at the start, we're seeing records being broken every year for cybercrime and it's becoming too expensive not to act. So there was a report which was put out last year by the FBI which was looking at the most commonly committed internet crimes. So if you're a cybersecurity nut like myself, you can look it up online. So it's the FBI Internet Crime Report, and it shows where, what the most damaging scams are. And it's really interesting to see this because the cost of this is getting so high. So the amount lost to the US economy from email scams, so business email compromise, last year was 2.4 billion. That was the most costly scam that we were seeing there. Yeah. That skews

Dan DeLong:

that skews the 88,000

Jon Melloy:

a little bit, I think. Yeah, and it's such a costly scam and that's the top one. You're seeing, on top of that, there's another 100 million lost to ransomware and other scams. But the cost of not acting is so high. And what's interesting as well is, when we hear about cybercrime, we often think about it affecting the bigger businesses because that's what hits the headlines. Okay. Typically when you see cybercrime in the news, it's some top 100 company has been hit by ransomware. That's not what makes up the bulk of it. Okay. When you actually dig beneath and you look at the stats, it's for smaller firms, that are smaller businesses, that are the worst hit. And that's because naturally they don't have the same kind of cybersecurity measures as the big companies. So I was looking at a stat recently, and this was in Australia, but it was saying that PwC, Deloitte, the big four, they're sponsoring 800 overseas visa applications for cybersecurity roles. So they're really investing heavily in this area. And there's similar trends that we're seeing in the US as well, where the big four are investing. They've got whole divisions dedicated to cybersecurity. Okay. So what we're seeing is, because of that, hackers are moving down the food chain and they're then going for the smaller businesses who naturally don't have a chief information officer.

Dan DeLong:

Yeah, you, you look at, you go to any city, right? Like downtown central city, they've got bars in the windows, they've got locks on the doors. But you go out into the suburbs or the rural areas, people leave their doors unlocked, those types of things. So I think that's equating to what you're talking about. These cyber criminals are now leaving the city and going into the more rural areas where people are more apt to leave their doors unlocked or those types of things. Is that what you're seeing? Yeah.

Jon Melloy:

Yeah, definitely. So they're moving to smaller firms and they're going to the firms that don't, haven't taken the correct steps to secure themselves. And that's why there is becoming, there is more and more regulation coming out around this. So obviously we've got the FTC safeguards rule, which we'll focus on today. There's also the IRS 4557 safeguarding taxpayer information guidelines. And on top of that, you've also got some state-based guidelines. And the point I'd like to make as well is that I do see this as actually being a real positive, because it's now giving people a benchmark and showing people what they should be doing, because for the longest time, it's almost been the Wild West where you just get a business, get a laptop and you're off. Okay. But there are basic steps that you take. And if you put in place some simple measures, you can reduce your risk massively, by 80, 90%. Okay. Just by some simple, low-cost steps. And the point is with cybersecurity, and when we're seeing hackers targeting small businesses, they're not necessarily targeting your business. Okay. So they're not waking up in the morning saying I want to break into Melloy Accounting, a five-user firm in Idaho. Okay, they're not targeting me specifically. They're sending out scams targeting hundreds of businesses, thousands of businesses, and what they'll do is they'll get into the ones that have the worst levels of security. Okay, so that's why these guidelines are here, is to give you basic steps, really basic steps, to secure your business. It's not about going crazy and putting in place the same levels of security as enterprises, but it's about putting in place small steps. And that's what we'll look at today. Got it

Dan DeLong:

So let's talk a little bit about what it is. We are going to cover a little bit more in detail. So we'll talk about what is the FTC safeguards rule. When was the deadline? How does this affect me and what do I need to do? Let's start off with a poll to get us started. And the poll is, which will be shared now, how prepared are you for the FTC safeguards rules, right? Have you heard about it before? Are you fully prepared? Are you getting there, just getting started? Or what the heck are these rules to begin with? Maybe if you, Jon, if you want to tee us off there about, what are these rules that we actually were talking about? So we mentioned the FTC safeguards.

Jon Melloy:

Yeah, sure. So the FTC safeguards rule, it's actually been around for a fairly long time. So it was first introduced in 2003. But what we saw, and it was in place then, but back then it was quite vague. It doesn't have the specifics, but it does now. But what it's about in short is to provide guidelines for businesses on how to maintain safeguards to protect the security of customer information. Okay. So yeah, it took effect in 2003, but it was updated in 2021 and the 2021 update provides more concrete guidance for businesses. Okay. So what it does then is it provides more guidance and more specifics around what firms should and shouldn't be doing to secure their data there. Yeah, let me go

Dan DeLong:

ahead and share the results. And while I'm doing that, I'm going to stop sharing so that you can pick up, because that way you can go through your cadence of the slides here. And an interesting point of someone in the chat here, they picked up that you've got a little accent there. You're based out of Australia. How did Practice Protect get into US-based cybersecurity and protection?

Jon Melloy:

Yeah, it's good. And it's a funny point. And I can definitely see the irony. I find it quite interesting. Because also, as well, I'm from, what, I live in Australia, but I'm from the UK originally. So I'm from the UK, I work for an Australian company. And I spend a lot of my time talking about FTC and IRS guidelines. And that's because, to answer that question, it's because we work heavily with US firms. So we've, as I said at the start, we're working with over 24,000 accountants and bookkeepers, and that's across both Australia and the U.S. So a large portion of our client base are based in the U.S. So naturally, we're experts in two areas. It's Australian cybersecurity legislation and U.S. cybersecurity legislation, because when it comes to security, and I'll talk more about this later, it's not just about the technology that you put in place. There is different compliance and regulations that you're doing. So say if we were just providing a software platform, we'd only be doing half of the job. So as part of what we're doing with working so heavily with US companies, we've had to brush up on these guidelines and make ourselves experts in these areas.

Dan DeLong:

Yeah. So these guidelines started in 2003. They were updated in 2021, and then they impose this nebulous deadline because people are creatures of habit. They only do things when there's a deadline associated with them, right?

Jon Melloy:

Yes. Yeah. Correct. And so the deadline, this is one of the main questions we get, is when was that, and the deadline to comply with some of the updated requirements was on the 9th of June, and it's really important to note that it's some of the requirements. It's not every single requirement. The FTC have listed on their websites what specifically needs to be done in these areas and that's what I'll talk about today. So if you go online, if you look at the FTC safeguards rule, it is a lengthy document and it will have a lot more requirements from what we speak about today, but there are some different breakout articles from the FTC where they reference what needs to be done for this specific deadline. Okay. And really then the next question that we get is, does this apply to me? Okay. And there has been, when I've been speaking to firms about this, there has been a bit of a misconception out there amongst some, and I think it's almost a willful misconception, as when I've been speaking to, speaking about the set of events, so particularly with some bookkeepers and CAS firms, they've interpreted it as not applying to them, which isn't necessarily correct. And the reason for that is because there has actually been a lot of education over the last few years around data security if you're a tax practitioner. So if you're a tax practitioner, there's obviously been that IRS 4557 legislation, which sets out what you should be doing to secure your taxpayer data. And also when you fill out Form W-12 for the PTIN application, you have to sign off saying that, yes, I have a data security plan in place. And I think that question on the form has been in place for three years now. 
So there's been a lot of information and education around this, but what that's meant as well is that when I've been speaking with companies and they don't prepare taxes, they've been flying under the radar a little bit, thinking that this isn't as relevant to them because they're not filling out that form and ticking that box. But if you look at the definition of who the FTC safeguards rule applies to from the FTC, that's not necessarily the case. Okay, so the safeguards rule applies to financial institutions subject to their jurisdiction. And when you look at their definition, according to this section, an entity is a financial institution if it's engaged in an activity that is financial in nature. Okay, that is a very

Dan DeLong:

Broad stroke. Isn't everybody right?

Jon Melloy:

Yeah, we're all, any business is financial in nature because we're in the business of making money, which is financial at its core. So you could go that broad with your definition, but I think narrowing it down is if you're looking at, what is your core business function? Okay. And when it comes to bookkeepers, obviously CPAs, CAS firms, their core business function is finances, advising on finances, keeping accounts. And that is by definition financial in nature. So even if we narrowed down that definition, it would then apply to CPAs, accountants, bookkeepers, and CAS firms.

Dan DeLong:

The natural question and Nancy asked it in the chat. What are the consequences of missing this deadline? Is someone going to show up at their door and be like, where is, where are all these compliances? And would there be a fine or something like that if it were actually to be discovered that they're out of compliance

Jon Melloy:

with it? Yeah. Yeah. Great question. And yeah, it's definitely, it's not that they're knocking on doors, checking in businesses. We haven't seen so far that there have been any proactive checks and really the trend that we're seeing in cybersecurity is that this is policed after the fact. Okay. So what we're seeing is they're not doing prior-to audits, but say if your firm is hit, if you do have a data breach, if you do have a hack, then after that there's usually an investigation and that's when penalties could then be applied. Also this could turn into a double, like a triple whammy, because if you don't have the correct measures in place, but firstly, obviously you're more likely to be hit. With these, at their core, it is about securing your business, putting in the correct measures. So if you don't have that in place, you are more likely to be hit. Secondly, if you haven't followed the guidelines, and if you haven't put the correct measures in place, you're likely not going to be compliant with your cyber insurance. Because cyber insurance companies do require you to take certain steps for them to actually be valid. So that's a whole separate webinar and conversation to have. But it is something to be aware of when we talk about security, is making sure that you're actually doing what you said you're doing. It's the same thing. If you just think about it, it's the same thing as your car insurance. Okay. If you left your car unlocked and the keys in the lock, they're probably not going to pay out. Okay. There's that. And the third point is, so you would also be hit by not getting the cyber insurance money back because you haven't taken steps. And third, there are also penalties for non-compliance. So I guess that was a little bit long-winded. So to answer the question, yes, there could be fines for this, but we're only seeing them being enforced after a breach. That's when it's being investigated.

Dan DeLong:

Got it. So very similar to the insurance adjuster going, okay, this is what happened. Oh, this is why it happened. Okay. This is now, would there be, would they levy a fine? Is that what it would ultimately be after the fact when there's an investigation like that?

Jon Melloy:

Yes. There, there could be a fine. And really the amount of a fine really depends on the business. So it depends on the amount of data that was exposed. It depends on the damage that was done. So we've seen wide-ranging ones, from smaller ones in the tens to thousands to far larger fines for bigger businesses.

Dan DeLong:

All right, so let's talk about what the compliance has to deal with. So there's, what, eight?

Jon Melloy:

Yes. Yeah, correct. As I said earlier, the FTC safeguards rule, it is a long piece, but there are some specific guidelines which they outlined in one of their articles. And this is what you'd be needing to comply with. So I'll just run you through quickly what these are. So the first one is to designate a qualified individual to oversee your information security plan. Next up, it is to develop a written risk assessment. The third point is to limit and monitor who can access sensitive customer information. Next is to encrypt all sensitive information. There's also a training aspect, so you have to train security personnel. Also you need to develop an incident response plan. Next up is to periodically assess the security practices of your service providers, which, when I speak with firms, it always sounds a bit daunting, but that's actually one of the easiest ones to do. And lastly, it's to implement multi-factor authentication or another method across everything that you use to access customer information. Got it.

Dan DeLong:

Now, Don in the chat has raised up an interesting point. And this is something that I think you want to drive this point home, is that Don is a one-person firm. And these things seem so nebulously like a large-firm type of thing needs to do. You want to talk a little bit, and we'll unpack these regulations or guidelines a little bit more in detail as we go through the slides here. But let's talk a little bit about first about scale, right? What is designating a person? If I'm a one-person firm, I guess that's me, right?

Jon Melloy:

Yeah. Yeah, definitely. I'll jump back to, we'll have a poll, but I'll come back to that in a second. We can jump back because I think this is the question, is how am I meant to do all of that? And that's a good question from Don. And the point is, and I always do emphasize this, is for when you're putting this in place you need to focus on your business. Okay. So before you panic and get overwhelmed around those eight requirements, it's really important to keep perspective and follow the guidance of the FTC and look at what they're saying, because they are actually being very common sense about this. So I thought I'd jump to this slide just because this is straight from the horse's mouth. So this is from the FTC's website, but what they're saying is that your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities and the sensitivity of the information at issue. Okay. And I really want to emphasize that point because I think often, when we talk about cyber security and technology, things can get over-complicated. But what you'd be doing is applying something that's appropriate to your business. OK, so if you're a large multinational company, you've got 500 team members across the country, different offices, you're going to need a very robust information security program. Okay, if you're a smaller firm, if you're a sole practitioner, then you need to put something appropriate to the size of your business. Okay, so do you need a 60-page document outlining whatever it is over 60 pages? Probably not. Okay, but the thing is, you do need to do something, okay? As the FTC says, it must be written, okay? And it must be appropriate to your business. Okay, what you can't do is to bury your head in the sand and to do nothing. But it's about putting in place something simple, something effective to demonstrate due diligence, which is appropriate to your business. 
And I will talk a bit more about the hows of these eight requirements shortly. Okay let's

Dan DeLong:

launch that second poll, which is which requirements, you want to bring that slide back up where we have the eight on there, but I think I did put them all in the options for the poll, which of those requirements your firm is already compliant with. Now, don't be afraid to answer this poll. I'm not going to send this to anyone who's passed the deadline and whatnot. So don't worry about that. We just want to get an understanding as to which of these are, are you already, okay, already in compliance with, and might give us some guidance as how far we need to unpack some of these things based on those poll results. But a lot of things, a lot of things I'm seeing in the chat about, little questions about what Practice Protect is and what they do. And I think as we go through these requirements you do offer a free resource, a way that, you know, an accountant or bookkeeper practitioner can do these things themselves, but also how Practice Protect helps with these compliance guidelines as well,

Jon Melloy:

right? Yeah, definitely. And I'll cover that off, the areas that we help. And I can see that there are some questions around pricing as well. Definitely more than happy to answer those at the end. And I can walk you through what that looks like as well. Okay. Yeah. Perfect. Awesome. Cool. But I guess it's interesting seeing these poll results coming in and seeing the split and which ones firms are most compliant with and which ones need a bit more help. So

Dan DeLong:

if I'm going to, and I'm going to share the results so everybody can see what we're talking about here. Yeah, it's a smattering of compliance across the board there.

Jon Melloy:

Yeah, definitely. And I think you can see which ones are the big winners where people have most security already in place. And it's good to see these two, which is often what I've seen. People are limiting and monitoring who can access sensitive information. That's at 73%, and 72% have implemented MFA. And that's fairly consistent with what I'm seeing. There's obviously been a large focus on multi-factor. And I think implementing MFA is probably helped by the fact that for a lot of apps, it's not optional. I think that does definitely help there and that's great, because when it comes to MFA, it's really the first line of defense when it comes to working online. So that's great. Also great to see there has been a lot of education around the information security plan. So 58% of people have an individual there, which has been awesome. Awesome. Great. Without further ado, as I said, we're not just here to tell you what it is and not give any solutions. So we can go through and take a look at how you can simply and easily meet these requirements we are talking about, the FTC requirements. So I guess an advanced warning. The next eight slides, as we're looking at these, they're all going to follow the same kind of structure. We haven't gone too crazy with the design of the slides. So we're all going to follow this format. So what we'll look at is first what the requirement says, straight from the FTC, what the wording is. And then after that, the FTC on the website, they do also have some further information. So I'll take you through additional info that the FTC says. And then after that, talk a bit about what should you do? Okay, breaking that down, interpreting the requirement and what the FTC says, what practically should you do? And then look, I wouldn't be doing my job if I didn't say how we can assist firms in these areas. So I'll talk a little bit about how we can help our clients in these areas. 
So make sure, we'll let you know how you could do it yourselves and also where we could help and assist too. Okay, but this first requirement is to designate a qualified individual to oversee the information security program, and this one's great. It's nice and straightforward. But there are a couple of caveats with who that person should be. So the FTC says that this person must have the requisite skill and experience to fulfill the role. It could be someone internal. So it may be a partner or employee of the firm, or it could be an outside service provider. Okay. So if you are using a service provider, then you still remain responsible and you should identify someone to oversee them. Okay. So what should you do? Pretty simple with this one: appoint someone in the firm or an outside provider to oversee your program. Okay. But it is really important to consider who you are appointing. So you can appoint someone in the firm, but they have to have the skills to oversee the program. So that is the caveat there. So that could be yourself. It could be an office manager, could be internal IT, or it could be an external provider. Okay. And the one thing we saw earlier with these steps is that it must be written. So make sure that this is documented. Okay, so document who this is clearly and keep that on record. And what we then recommend is to review who this individual is or who this company is annually. Okay, so just set up a recurring task to review annually. And how can we help? So for our clients that we're supporting across all of our services, we could actually be listed as their qualified service provider for information security. Awesome. Awesome. So the second, I'm sorry, Dan. No,

Dan DeLong:

That seems pretty straightforward. Designating someone to be the manager of this whole process. So let's move on to number two.

Jon Melloy:

Yeah, and I think it's similar to a lot of these guidelines when we talk about them, and I'll use this comparison a lot. It's similar to when you think about fire safety. In an office you'll have a fire warden. Okay? So you have someone, he's got some responsibilities around that. So very similar kind of approach. The second requirement is about developing a written risk assessment. And I always think that this is a great place to start. When I talk to firms about cybersecurity, it's one of the questions I ask them. I say, do you have a risk assessment? And often when they say no, I'm like, that's the first thing to do, because it helps you identify what you should then do to secure your business. But what the FTC says is that you should conduct a risk assessment to identify and inventory customer information, where it's stored, and foreseeable risks and threats to these. It should be in writing and updated periodically as operations change. So what should you do? So some areas to consider is where is this data physically stored? Okay. Do you have files? Do you have folders? Also, what hardware is data being stored on? So are there laptops, mobile phones? Going up a level, what applications are being used? Where is the data being stored online? And then lastly, who has access to what data? Okay. So that's really the first thing is to list down the different locations and then think about the risks. So what are the risks or threats to these locations? Okay. So the physical data: fire. Still, I don't know why I've just got fire on my mind now, but that could be stolen as well. What risks are there around the team members' PCs? Do we have personal PCs, and then what security is in place? And then again, with this, it's about documenting it and reviewing it annually. Okay. So those are the steps for you to do. How can we help? How can we make this easy for our clients? 
We actually supply a WISP, so a written information security plan, which has a risk assessment to all of our clients.

Dan DeLong:

That was one of the questions that we saw here from Stephen. How is... These guys, how are these guidelines different from a WISP? And if you could say that again, what a WISP is, you know, what that stands for?

Jon Melloy:

Yeah, great. So the WISP is a written information security plan. So that, and you're right, if you have that in place, just go and check it, because it should tick off a lot of these boxes. So a risk assessment is usually contained within the WISP. So most firms have that in place. Some people call it a data security plan as well. So that's the wording that was used on that question on the PTIN form. But yeah, definitely check your WISP to make sure it's covering these areas. Awesome. I see it.

Dan DeLong:

I see a lot of people actually doing this risk assessment in the chat, because "I don't even charge credit cards" or things like that. Those are things that come up with this type of risk assessment, right?

Jon Melloy:

Yeah, definitely. Definitely. Yeah. Awesome. Now this third requirement really flows on from the second one. So once you've done your risk assessment, you've seen what the different areas are. Now you need to limit and monitor who can access sensitive customer information. And the FTC says that you need to determine who has access to customer information and consider on a regular basis whether they have a need for it. So what should you do? Go back, look at your risk assessment and look at where your data is stored, and consider what measures you have in place to control access across the team. Think about whether you have an easy way to grant and revoke team member access, because if somebody leaves, if they suddenly stop working at the firm, how are you going to make sure that they don't have sensitive information, passwords, stored in their head? So make sure that as you're sharing information, you're doing it in a controlled way. And how can we help? That's a core part of our business. So with our clients, we perform an assessment to determine what your sensitive applications are, and our access hub puts in a system to easily control team members' access, lock down and secure passwords from your team members. Awesome. The fourth requirement is around encryption. So making sure that you encrypt all sensitive information. And the FTC says that you need to protect by encryption all customer information held or transmitted by you, both in transit over external networks and at rest. So what should you do here? So really, again, it's about considering where your data is sat. Do you have data encryption in place on all of your company devices? If not, set that up. Are client passwords encrypted when shared with your team members? Consider where your data is stored and then check with your apps that store critical data around what their encryption levels are. 
Most companies, if you go to their websites, if you Google them and put "security" afterwards, you can usually find their security accreditation or encryption levels. And lastly, review the encryption levels around your local file storage. Is it locked as well? And how can we help? Not with the last point, we don't sell padlocks. So that's the answer to you guys to source. But when it comes to your online information, we can definitely help with that. Our access hub encrypts sensitive client and company passwords. We also have our device hub, which can encrypt and remotely wipe lost and stolen devices. And lastly, our email hub provides additional security around email and file storage as well. Awesome. Okay, great. And the fifth requirement is a nice and straightforward one, and it's all about training. Okay. So you need to train your security personnel. And what the FTC says is that you should provide your people with security awareness training and schedule regular refreshes. So what should you do here? So firstly it's about... members. Okay. So put a cyber security training plan in place for your new employees. Okay. So that's something which we really focus on, it's so key. The first 90 days of someone in the business is key across all areas, and cyber security is no exception. So it's important, but you've taken your due diligence, even if you're hiring someone who has a cyber security qualification, okay, it's about covering yourselves, so make sure that they have done your version of cyber security training. So make sure you've got something for new employees. But then after that, make sure that you put a training plan in place for existing employees. Okay, because it's all well and good someone doing something in the first 90 days, but if they stay with you for five years and haven't done any training after that, you haven't taken the correct steps and due diligence. 
So make sure that you're putting something in place for, which has at least an annual cadence. That's what we'd recommend. And also you can help enforce this with policy to cover yourselves as well. So one of the things that we do and we recommend our clients do is have team members sign an IT and internet usage policy confirming that they have access to cyber security training. And how can we help? So we've got over 18 hours of cyber security training in our Practice Protect university, which is available for all of our clients on demand. And we also supply an IT and internet usage policy. Yeah,

Dan DeLong:

that's a big burden, I think, for smaller firms to create that. Are there other resources that are out there that they would need to resource it themselves?

Jon Melloy:

Yeah, definitely. But the good thing is, it's like with anything, there's heaps of different cyber security resources online. There is a government, I'm not sure of it. If you, I'll see if I can grab it at the end, but there's some cyber security training from a federal level. There's some really good courses. And if I get a chance to at the end, I'll grab the link to that. Okay, there's definitely lots of free training out there, which is great. Awesome. Yeah, I've seen we've had a few questions and chats come in, Dan. Is there anything we should highlight at the moment?

Dan DeLong:

I'm trying to keep it topical and I may just want to silo those to the very end. So let's just burn through these requirements and then we'll field the questions, I think, at the end.

Jon Melloy:

Okay, perfect. That sounds great. Awesome. So the sixth requirement is to develop an incident response plan. And again, I was talking about assigning the fire warden earlier. Think of your incident response plan in the same way as a fire response plan, which most businesses have. So in the case of a fire, what do you do? Who do you call? Where do you gather? What are the next steps immediately in the aftermath to secure everyone and contain the fire? And it's the same for a cyber incident response plan. Okay. Also, if I continue that analogy, it's important that you act fast to contain the breach. Okay, just as a fire can get out of control rapidly, so too can a cyber security incident. So really, when it comes to it, the first hour is absolutely critical. Okay, so the FTC does outline what the plan should cover. And I won't read this through bullet by bullet. I know that these are available as a handout, but go through and they say what it should outline. And again, I do want to stress here that when you're putting the incident response plan in place, it's about doing something which is appropriate to the size and scale of your business. Okay. So if you are a sole proprietor, obviously this would be a shorter plan than someone who has an office with 50 people. Okay. And so these points covered from out here, and also you can go online. You can look for us, my templates online. How can we help now we have our clients by having this plan available. So we've got an incident response plan inside of our university, which is available to all of our clients. Awesome. Now the seventh requirement, as I said, this one can seem a bit daunting, but it's actually one of the easiest to knock over in about 15 minutes or so. And it's to periodically assess the security practices of your service providers. Okay. So what the FTC says is that you should select service providers with the skills and experience to maintain appropriate safeguards. So what should you do here? 
So firstly, just do a bit of research and then you can document that. So say if you Google "app name security", most providers have a section of their website where it outlines their security measures. Okay. Also reach out to your key providers. Now, the point of this is that you don't need to be cyber security professionals to assess this; there are actually different security certifications which a lot of companies are compliant with. So if you check to see if they have these, then that's you doing your due diligence as well. You don't need to pore through every finer detail of their security plan. Okay. So ask them what security certification they may have. Again, most companies actually have this listed on their websites. If you just Google "app name" and "security", you can find this out. But when it comes to security certifications, SOC 2 001 are the international standards. Okay. And then once you've done your research, again, the one thing with this plan is that it should be written. So just document the links and who has what. And just so everyone knows, with us, with Practice Protect, we're actually SOC 2 compliant there. And the requirement is to implement multi factor authentication or another method with equivalent protection. Now, as we saw earlier, this is one where everyone is pretty well covered with this. I think the vast majority, 73% of people, have put multi factor in place. And I think we're all pretty familiar with multi factor: it can be annoying at times when it's popping up every time you're logging into something, but as I've said, it really is the first step, the first line of defense when working online. So make sure that you've got it implemented across all of your apps. And how can we help? We try to make it a little bit less annoying if possible. That's where we can help with multi factor. So we've got our access hub, which can help provide an easy way to enforce multi factor across multiple applications. Awesome. Awesome. Great. 
All right. On to the third poll then. Third

Dan DeLong:

poll here. Let me go back here so I can launch this one. So on a scale from one to five, how confident are you in your firm's cybersecurity measures? So it's a good pausing point, right? To maybe talk about some of the questions that popped up. So Danielle asked this question. What is the practical language to use with your clients to let them know that you are compliant? And then how do you prove that what you've done is FTC compliant? Knowing that most of your clients may be familiar with these rules. How do you, is there like a badge certification? How does that work for a business to let their clients know?

Jon Melloy:

Yeah, really good question. And it's a really good point because it is something which you should be talking to your clients about. So definitely an area. And one of the things that we recommend to our clients is to have something in your client engagement letter around this. So you can talk about your data security measures in that, but also if you put new measures in place, send it; one of the things I'd recommend is send an email blast to your clients, let them know, "Hey, my lawyer counting, we have done X, Y, Z, we are compliant with these FTC requirements," and I think it's really important to do that, to demonstrate that you're doing the right thing, because obviously you're asking them for access to their sensitive information. So it's important that at the same time, you let them know that you've taken the correct steps with due diligence to secure that. Yeah, I'd say definitely the engagement letter, privacy policy and the emails as well. Oh, sorry, Dan, you're on mute again there. Oh, yeah, sorry.

Dan DeLong:

Somebody knocked on the door and I had to mute there, but I'm sharing the poll results and I appreciate people being candid about their self assessment that they do need to put some more measures in place, and that's partly why you're here, is just to make sure that people are educated on these guidelines and guidances and put that in. Thank you. Putting it out there, right?

Jon Melloy:

Yeah, definitely. And as well, I'm conscious, and one of the things we'll say with cybersecurity is there is no silver bullet. There are no guarantees when it comes to cybersecurity. The only guarantee is that you can never be 100% secure. It's about putting in the correct steps, taking the correct due diligence to ensure that you've lowered your reduced. So sorry, to make sure you've reduced your risk profile to an acceptable level. And that's all that any business can do.

Dan DeLong:

So let's move on then and talk about Practice Protect, how Practice Protect can actually help with all

Jon Melloy:

of it. Yeah. Yeah. Awesome. I'm conscious of time as well. So we've covered off a lot of this, but just to recap where we come in and how we help is that we're America's largest cyber security platform for CPA, bookkeeping and CAS firms. And again, why we're existing, why we're doing what we're doing, is because cyber crime is increasing. Data security is becoming more and more complex. There's more requirements. There's more guidelines. So what we're here to do is to provide a holistic cyber security platform that helps across these areas. So in short, we've got three hubs which enable us to help firms to secure their businesses. So device, email and access, because as I said just a second ago, when it comes to cybersecurity, there is no single approach. You need to be taking different steps across different areas, and that's where we can help. So firstly, the device hub is all about securing your PCs, your workstations. Okay. So we protect your workstations against threats such as malware, viruses, ransomware; it uses AI to scan for known and unknown viruses. So that's really locking down your PC, because if your PC gets infected, then potentially everything that you connect to, everything that you work on from there, could then be compromised. Our next system is the email hub, which is all about safeguarding your inbox from different threats, such as phishing, malware and spam. And this is so important because, as I mentioned at the start, the cost of email cybercrime, business email compromise, to the U.S. economy last year was 2.4 billion. Email is the most targeted application, so we put a big emphasis on making sure that your email system is secure. And lastly is our access hub. So what this does is it enables you to easily manage identity and passwords across team members, because working with CPAs, bookkeepers, CAS firms, we know that it's not just your passwords, it's also your clients' passwords. You've got access to not 20 applications. 
It's 500, 600, so many different applications because of all of the client apps. So what we're about to do there is providing you with a secure solution to manage this, so that team members can access client work without knowing all of your clients' passwords, their mother's maiden names, whatever it may be. Okay, making sure that all of this information is locked out and secure. Awesome. So that's it in one breath, what we

Dan DeLong:

Got it. Just want to throw out the last poll question here, if I'm going to launch it here. Would you like an accounting security consultation with Practice Protect, seeing if this will actually assist? So while people are answering that, Meryl asked a good question. If someone has Practice Protect, do they need cyber insurance? Or how does that work with regards to cyber security insurance?

Jon Melloy:

Yeah, definitely. Great question. And yeah, so we're on the prevention side. Okay. So we're all about making sure that you guys don't have an incident, but at the same, but we're, so we're not an insurance company, so we do recommend to all of our clients that they do have cyber insurance as well. So we can help make sure that you're compliant with that, but definitely we recommend you still have cyber insurance.

Dan DeLong:

Does having something like this help with, like, the approval process, or maybe a discount or something like that? It's like a safe driver course or something like that for your teenagers. Is there, does that work

Jon Melloy:

for that? Yeah. Yeah, definitely. So yeah, we see that, because when you're getting cyber insurance, you do have to fill out forms saying we do X, Y, and Z. And we help you achieve that. So they're asking questions similar to this. So do you have an information security plan in place? Do you have MFA? Can you restrict access? And that's what we do and how we help. So yeah, we help firms get the approval because they are compliant with it. And also, yeah, correct, Dan, I'm getting discounts because you have the correct security in place. We see that very often as well.

Dan DeLong:

Another question that came up, again from Merrill, and this is more of a scenario type of situation. So what does somebody do when a client will consistently not use the encrypted method of sending sensitive information to you? They: "Here's my bank statement," or "let me just send that via carrier pigeon" or something like that, right? How does one address those cyber security concerns when they're not doing that?

Jon Melloy:

Yeah, it's a good question. And I think there's always one, isn't there, across every business. There's always that one client. It won't move. So definitely, we've recommended, you need to make sure that you've got a secure message, secure way of sending information. And one of the things I'd say is, going back to that earlier point about letting your clients know about the security you've put in place, trying to educate your clients around the why. Why it's important. Okay. And the potential damage that they could do to themselves by sharing information over email. So I'd say that would be the first step, trying to educate

Dan DeLong:

them on the risks. Yeah, it's like you said, there's always one that will do that. And despite your efforts, they continue to do that. Is there a point where you would recommend, like, disengagement of those types of things? Or is it more of, how does one delicately talk to somebody about that?

Jon Melloy:

Yeah. Yes. It's a good question. I think it's about, like I said, trying to educate and engage with them, and it's ultimately the firm's decision whether, what the risk is around that information and whether you would disengage with that client. And I think it's always for the thing that I'm trying to do is all the things for. But one of the things I'd recommend is communicate with them how you want to be communicated with, so if they are sending stuff, don't then default back to sending insecure emails; keep using the system that you set up, whether that's Alicio or whatever for sharing documents, but always revert back to that and try to get them to engage with that. So whether it's resubmitting, resending that link saying, "Hey, I need you to put this here, not there, because of X, Y, and Z reason."

Dan DeLong:

All right. Makes sense. We appreciate you, Jon, for joining us today. We're here at the top of the hour. Our Power Hour is concluded. So hopefully this has been educational for folks. As we close out of the Power Hour, when we end it you'll be prompted with a survey. We appreciate any feedback. We actually do read that and try to take it into account. Appreciate you joining us today, Jon, any closing remarks on your side?

Jon Melloy:

No, it was great. And it was awesome seeing all of the questions and comments coming in. I've, yeah, I tried to keep up with the chat as much as I can. So yeah, it was great seeing that. Also, I'll just drop a link in the chat, cause I saw obviously there's a few people asking for a review of their setup, so there's a link there. So if you want to jump in and book a time for a call, you can do so there. That's the easiest way to do it. Fantastic.

Dan DeLong:

Thank you again for joining us, Jon, and all of you that joined us on the Power Hour. Great discussion that we saw scrolling through the chat and whatnot. So we appreciate you joining us and we'll see you next time on the QB Power Hour. Have a great day, everyone. Cheers.