5 cybersecurity best practices your growing business should adopt now
If your company experienced a data breach today, it could cost $4 million or more to address it, according to the most recent data from IBM and the Ponemon Institute, which analyzed 537 breaches.
That includes the cost of identifying and containing the breach, lost or stolen data and lost business.
Given the high stakes, implementing cybersecurity best practices should be a top priority for your organization. Of course, that’s easier said than done if you don’t have an enterprise-level security team.
Here are five best practices you can take to protect your company’s sensitive data.
Cybersecurity best practices for growing businesses
Recognize the landscape has changed
Eighty-one percent of respondents in a survey commissioned by Harvard Business School Online said they either didn’t want to go back to the office after COVID-19 or would prefer a hybrid schedule going forward.
That means you’ll need to adapt your security approach, since your accounting and operations teams, along with everyone else, will keep accessing critical data from remote locations. Cloud accounting software is quickly replacing traditional on-premises, in-office solutions. Employees are increasingly using their own devices and storing data in the cloud without the right protections, which widens your attack surface and introduces new vulnerabilities.
"The new perimeter isn't defined by the physical location(s) of the organization," Microsoft security specialist Jaspal Singh wrote in a recent post. "It now extends to every access point that hosts, stores, or accesses corporate resources and services."
It’s time to implement cloud-based software with built-in security protections and revisit your company’s policies regarding acceptable use of technology if you haven’t already.
All employees need to understand their responsibilities for implementing cybersecurity best practices. That starts with accessing company data only over a virtual private network or a secured wireless connection, and keeping their mobile devices and operating systems patched with the latest security updates.
It also means using strong, unique passwords and additional access controls, such as multi-factor authentication, for sensitive information.
Move toward a Zero Trust security model
Ronald Reagan was known for his "trust, but verify" approach to diplomacy. Modern cybersecurity best practices follow a new mantra: "Never trust, always verify."
One of the core principles of the Zero Trust security model is to authenticate and authorize every request, on every access point, regardless of whether it comes from inside or outside the office network.
With 20% of data breaches initially caused by compromised credentials, according to the IBM-Ponemon report, it’s imperative to work with your IT service provider to review your network access controls and enable multi-factor authentication.
Multi-factor authentication requires something beyond a password to prove a user’s identity, such as a one-time code from an authenticator app, a push notification, or a hardware security key, so a stolen password alone is not enough to log in. Codes sent by text message are better than nothing, but they are the weakest option because phone numbers can be hijacked.
The Zero Trust model also calls for least privilege access, a principle that users should have access only to the information and functions they need to do their jobs.
For instance, a hotel front-desk employee may need access to your inventory data, but not your customer and vendor lists. Granting access based on role limits the damage from both insider misuse and compromised accounts.
Make sure each employee who needs access to your business accounting software and other critical systems has their own account and credentials; never share logins. Individual accounts let you revoke one person’s access without disrupting anyone else, and they give you a complete audit trail of who changed what, and when.
The Zero Trust security model assumes a breach will occur (or already has), and treats every employee, device or vendor that interacts with your systems as untrusted until verified. The IBM-Ponemon report found the average cost of a breach for businesses that follow this model was about $1.76 million less than for those that don’t.
Don’t wait — educate
Fully implementing Zero Trust is a worthwhile initiative, but it requires some time and effort.
Educating your employees about cybersecurity best practices is a proactive step you can take starting this week.
Teach employees how to protect their credentials, how to avoid phishing (present in 36% of breaches, according to the IBM-Ponemon report), and how to report a suspected breach.
Seek SOC2 compliance
System and Organization Controls (SOC) reports are independent assessments of your company’s internal controls. A SOC1 report covers controls relevant to financial reporting, while a SOC2 report evaluates your controls against the AICPA Trust Services Criteria: security (always in scope), plus availability, processing integrity, confidentiality and privacy where you include them. That covers your logical and physical access controls, network security, change management, and how you protect your company’s and your customers’ data.
To obtain a SOC2 report, you’ll need to engage a licensed CPA firm, which reviews your policies, tests your controls and collects evidence (access reviews, change records, logs) that the right measures are in place. A Type 1 report assesses control design at a point in time; a Type 2 report assesses whether the controls operated effectively over a review period, commonly six to twelve months, and is the one customers usually ask for. The American Institute of CPAs offers guidance and resources on SOC2.
While there are substantial costs to consider, a SOC2 report is an investment that can go a long way to establish trust among your customers. More companies are requesting this documentation from their vendors as part of their own cybersecurity best practices.
Vet your vendors
Even if your own organization has implemented security best practices, an external application or software system could put you among the more than half of organizations that have experienced a data breach caused by third parties, according to a Ponemon report sponsored by SecureLink.
Before working with a new software vendor, ask them to outline their security policies in detail. That includes:
Whether they’ve conducted a cybersecurity risk assessment
How they maintain data privacy
How they store data and backups
Whether they encrypt data in transit and at rest
How they manage access to their network and their software
How often they conduct penetration testing
How often they perform software updates
What they’ve done to audit their own security controls
Kara M. Curtis, a CPA and audit manager at the firm Heinfeld Meech, recommends having a written agreement with your vendors regarding their security practices and not allowing any vendor to access more information than they need.
Gravity provides peace of mind
Enforcing cybersecurity best practices at your own organization is daunting enough — and ensuring your vendors follow them is even more challenging.
Fortunately, if you choose Gravity Software as your accounting software provider, you’ll have one less thing to worry about as your business continues to grow.
Gravity is built on the Microsoft Power Platform, which Microsoft actively manages and monitors 24/7/365 and which carries robust, up-to-date security measures backed by Microsoft’s deep expertise in compliance, identity management and data access security.
And because Gravity is a true cloud accounting software system, all updates happen automatically, keeping you ahead of security threats without any system downtime.
Better. Smarter. Accounting.