Are you still viewing cybersecurity as someone else’s responsibility? Your clients may not agree, especially when you both may become targets of sophisticated phishing schemes. Matt Twiford, managing partner at Pegacorn Group LLC, has made cybersecurity a continuing priority for his boutique accounting firm. Here’s how he’s helping clients and his own firm stay ahead of emerging threats.
—Interview by Lauren Ward, edited by Bianca Prieto
Can you share an example—either from your own experience or a client situation—where a simple control or verification process prevented a costly mistake?
I've seen a large uptick in phishing scams targeting accounting teams, and they're becoming more sophisticated. For example, I once got the same phishing email simultaneously for two different clients in two different industries in two different parts of the U.S. The only thing they had in common was that they were using [email protected]. I think the easiest way to avoid these scams is to stop using "payables," "accounting," or "invoices" in the first part of the email address. A simple solution: just put a number at the end. Something like ‘[email protected]’.
Accounting teams often have the authority to move money for clients. How should firms rethink their internal controls to reduce the risk of fraud, payment scams and vendor impersonation attacks?
When I was in my first accounting class learning about internal controls, it went something like this: the person writing the check shouldn't be the same person signing the check. None of my clients write or sign checks anymore; everything is issued from systems. So I think we need to examine those internal controls more carefully and update them for the 21st century. Is the person's password unique? Do they use a password management tool? Is two-factor authentication turned on? These are now musts in our internal controls, alongside the traditional separation of duties.
You’ve implemented an annual cybersecurity training at your firm. How did you launch that, and what staff are required to go through the training?
Everyone, including myself. With the evolving technology, it's a must-have, and I'm still amazed at how many people aren't using password management tools. I also highly recommend it to my clients and suggest the entire company take the training. The saying, "You're only as strong as your weakest link," is true here.
Penetration testing is becoming more common, but many smaller firms aren't familiar with it. What is a penetration test, and at what point should a growing accounting firm consider investing in one?
I'll try to explain it in a way an accountant might understand: it's basically a systems, infrastructure and IT audit.
A penetration test (often called a pen test) is an authorized simulated cyberattack on a company's systems to identify vulnerabilities before real attackers do. A security firm evaluates your network, applications or infrastructure by attempting to break into them using the same techniques real hackers would. They then write a report documenting their findings and providing remediation steps.
Many companies tend to be reactive rather than proactive; they get pen tests done because they need to be SOC 2 compliant, a vendor or client requires it or insurance underwriting demands it. But all of us should be aware of increasing privacy laws where some states require regular monitoring and even suggest pen tests as one way to meet the standard (NY SHIELD Act, Massachusetts 201 CMR 17 and others).
Your firm incorporates bidirectional relationships with IT firms and cybersecurity experts to better serve your clients. What does that look like in practice, and how has it benefitted your firm?
It tends to be a complementary service that many of our clients need. In return, many of their clients need services that we offer, so it works as a great referral system for all parties involved. We have no problem making warm intros to people we have relationships with, knowing our clients will be in good hands.
I know other firms sometimes pay referral fees, and I don't believe there's anything wrong with that. We just prefer knowing our clients are being taken care of and having those firms return the favor when their clients need finance and accounting support.
(Image courtesy Matt Twiford)
The Net Gains’s Take
The internal controls most accounting firms run on were designed for a world of paper checks and physical signatures. Twiford's point is that the separation-of-duties principle still holds; it just needs to be rebuilt around passwords, two-factor authentication and payment approval workflows. One phishing email to “accounting at yourfirm dot com” is all it takes. The fix is often simpler than firms expect: change the email convention, turn on two-factor authentication, run annual training. The firms getting hit aren't always the ones with the weakest defenses. They're the ones that assumed someone else was handling it.