So You've Missed the FTC Deadline....Now What?

Released Wednesday, 19th July 2023
Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:30

Welcome to another QB

0:32

Power Hour. Today, we're going to be talking about,

0:35

so you missed the FTC deadline.

0:38

Now what? So

0:40

we've got Jon Melloy from Practice

0:42

Protect joining us here today. He's

0:45

going to be talking us through, notice that

0:48

Michelle is not here.

0:50

She's actually in Ecuador and aggravated

0:52

her foot. So she was going to

0:54

try to join us from. From

0:58

Ecuador. So this really would have been a worldwide

1:01

QB power hour since Jon is actually

1:03

based in Brisbane, Australia.

1:05

And I'm here in the Pacific Northwest.

1:08

So let's kick this off a little bit and

1:10

go with some introductions and we'll go

1:12

from there. As Michelle is

1:15

our international speaker, co host not

1:17

joining us here today. But we're encroaching

1:20

on 15,000 members in the Facebook

1:22

group for the QB Power Users

1:24

group. We invite you to join us there if you haven't

1:27

already. My name is Dan DeLong

1:29

owner of Danwidth. Worked at Intuit for

1:31

nearly 18 years. Co hosting today

1:33

as well as the workshop Wednesdays over at schoolofbookkeeping.

1:36

com. Just wrapping up another

1:39

tech editing duties of the QBO for Dummies

1:41

series. We hope to have the author

1:43

joining us here, which was an interesting.

1:46

Topic about how do you write books

1:48

about technology that changes

1:50

constantly, which is one of the

1:52

interesting side notes of the writing

1:55

authoring books on tech. But

1:57

Jon, go ahead and introduce yourself for

1:59

the folks that may not know what and who

2:01

Jon Melloy is in Practice Protect.

2:04

Yeah, awesome. Great to be on. And yeah,

2:07

thanks for, yeah. Thanks for having me on here, Dan. So

2:09

yeah, for those of you who haven't met me before

2:11

I'm Jon Melloy and I'm the head of growth

2:13

at Practice Protect. I've been working

2:16

with Practice Protect for just over six

2:18

years now. So I've been with the company for a long

2:20

time and over that time I've

2:22

worked with. Hundreds probably

2:24

getting into the thousands definitely thousands

2:26

of firms assessing their cyber

2:29

security and putting in best

2:31

place security to help them to

2:33

reduce risk, manage compliance

2:35

and meet all of their different obligations.

2:38

Yeah, so Practice Protect as you can see

2:40

there with the leading cyber security

2:42

platform for accountants worldwide. We're

2:45

working with just over

2:47

24,000 accountants

2:49

and bookkeepers globally.

2:52

And yeah, as Dan put there,

2:54

so yeah, working with CPAs, bookkeeping and CAS

2:56

firms. And really the reason

2:58

why we exist is because, and I'll talk

3:01

a bit more about this, but cybercrime

3:03

is increasing. As I said, I've been with Practice

3:05

Protect for six years now. And

3:07

every year since I've been with the company

3:09

has been a record year for cybercrime. Okay.

3:12

That is a, not a great stat,

3:15

but I guess that makes sense why why you even

3:17

exist, right?

3:18

Yeah. And it's just, it's becoming more sophisticated

3:21

and really it's because

3:23

that's where the money is. It used to be that people

3:26

would rob banks or if you go further back

3:28

in time, people would rob trains because

3:30

that's where all the good stuff was. But

3:32

now it's online and it's so

3:34

much more lucrative. Hackers can

3:37

hack into businesses without leaving the

3:39

comfort of their homes. And

3:41

that's really broken down a lot of barriers

3:43

when it comes to crime, because it used to be, say if

3:45

I was a criminal and I wanted to steal your wallet, I'd

3:48

have to be in the same room as you. Whereas

3:50

now. From the other side of the world,

3:52

I could log in online and I can steal your online

3:55

identity and

3:57

coupled with that, you've got more and more

3:59

of our information is going online

4:02

and we're definitely we're. Practice

4:05

Protect to a huge cloud advocates.

4:07

Definitely that is the way which firms

4:09

should be working. And it is, if

4:12

it's managed correctly, more secure, but

4:14

that's the caveat. It's that it does need

4:16

to be managed correctly. And

4:19

that's why we exist as data

4:21

security is more information is going online. How

4:23

do you structure that in a secure way? How do

4:25

you secure the new risks

4:28

which we're seeing for the modern firm?

4:30

Yeah, and that's something that I noticed when I was

4:32

working at Intuit in the accountant

4:35

space is that, an accountant

4:37

is a gatekeeper to a lot of sensitive

4:40

data. So they, they are literally

4:43

the, the new world train from

4:45

a hacker's perspective of oh, they've

4:47

got lots of good information. If I can get into

4:50

an accounting firm or accountant, I

4:52

have. Inside information

4:54

on, social security numbers and all

4:57

sorts of client data so

4:59

it definitely behooves accountants

5:02

to be good stewards of that, right?

5:04

Yeah. Oh, yeah, definitely. And that's it.

5:06

And it's accountants, it's almost like a honey

5:08

pot because hackers know

5:10

that if they target, accountant, bookkeeper,

5:12

CAS firm, they're not just getting

5:14

potentially one business. They could potentially get

5:16

the business to, sorry, potentially get

5:19

the access to hundreds of businesses

5:21

information. Okay. So that's

5:23

why we're seeing that accountants are disproportionately

5:27

targeted by scams.

5:30

And it's also interesting seeing

5:32

how much more complex

5:34

scams and cybercrime is becoming.

5:37

It used to be, it used to

5:39

be quite easy to spot a scam and I always

5:41

feel nostalgic thinking about it in

5:43

a way. So you used to get, you'd

5:46

be surfing online and you get some emails

5:48

pop up on your screen saying,

5:51

sorry, you used to get some pop ups saying that you'd won a free

5:53

Motorola Razr, or you'd get

5:55

an email from an overseas

5:58

prince somewhere asking for

6:00

a donation. But we all

6:02

got quite desensitized

6:04

to those. And now what's happened is it's become

6:06

so much more personalized. Okay.

6:09

And it's the same trend that we're seeing just across

6:11

everything. Online. So there's

6:13

so much different information and data points

6:15

on us. And hackers are using this to craft

6:17

the best personalized kind

6:20

of scams possible. They know about

6:22

our business. They know who we are. They know who we work

6:24

with. They know who our clients are. And

6:26

on top of that, there's all this different information that has

6:28

been leaked by leaks about us on different data

6:31

breaches online and hackers

6:33

are using that to send the

6:35

most targeted scams possible.

6:38

So yeah. I guess that's the

6:40

reason why we're existing because this

6:42

is becoming so much more complex

6:44

and the cost of not acting is so high with

6:47

the cost of a breach being

6:49

80,000, 88,000 that it's,

6:51

far cheaper, far effective to

6:53

put in place the correct prevention to

6:55

stop that from happening. Oh,

7:01

Dan, I think you're on mute there. You

7:05

are correct. Sorry about that. Let's talk

7:07

a little bit about some of the housekeeping things for

7:10

the QB Power Hour and then we'll dive into

7:12

some of these guidelines and what what accountants,

7:14

bookkeeping professionals can do

7:16

about it now that the deadline has has

7:18

passed. So the QB Power Hour

7:20

is, of course, every other Tuesday at CPE. But

7:26

check the website for upcoming events.

7:28

We also have other events available

7:31

there. There's a e com as you are

7:33

discussion over at Roundtable. So you can

7:35

register for those things as well. But

7:37

if you need PDFs of the slides, recordings

7:40

of podcasts, we have qppowerhour.

7:42

com slash resources for you. If

7:44

you have specific questions about

7:47

what Jon's talking about here today, please

7:49

put those in the Q&A. Makes

7:51

it far easier for us to follow up, especially

7:54

if there is a a follow

7:56

up necessary. But if you have general comments

7:58

concerns things to just talk about amongst

8:01

ourselves here please put those in the chat

8:04

comment. And then, of course, we have the slides

8:06

there for the webinar archive and

8:08

and resources as well. Essential

8:12

steps for for accountants and bookkeepers

8:15

with regards to these FTC safeguard

8:17

rules. So let's talk a little bit about first these.

8:20

Why these FTC safe what

8:22

are these safeguards and why was there

8:24

this ominous June deadline?

8:28

Yeah, also, I think it's important to, to talk

8:30

about the why as well, Daniel, as you

8:32

said, because it helps frame up why was

8:34

it being implemented. And the reason why is because

8:37

cybercrime is increasing. As I said at the start,

8:39

we're seeing records being broken. Every

8:42

year for cybercrime and it's becoming

8:44

too expensive not to act.

8:47

So there was a report which

8:50

was put out last year by the

8:52

FBI which was looking at the

8:54

Most commonly committed internet crimes.

8:57

So if you're a cybersecurity

8:59

nut like myself, you can look it up online.

9:01

So it's the FBI internet internet crime

9:03

report, and it shows

9:06

where, what the most damaging scams are. And it's

9:08

really interesting to see this because the

9:10

cost of this is getting so high. So the amount

9:12

lost to the U.S. economy from

9:15

email scams, so business email compromise

9:18

last year was 2.4 billion.

9:21

That was the most costly scam that

9:23

we were seeing there. Yeah.

9:28

That skews

9:29

the that skews the

9:31

88,000

9:32

a little bit, I think. Yeah, and it's such a costly scam and that's

9:34

the top one. You're seeing, on top of that, there's another

9:36

100 million lost to ransomware

9:39

and other scams. But the cost

9:41

of not acting is so high.

9:44

And what's interesting as well

9:46

is. When we hear about

9:48

cybercrime, we often think about it affecting

9:51

the bigger businesses because that's what hits

9:53

the headlines. Okay. Typically when you

9:55

see cybercrime in the news, it's,

9:57

some top 100 company has

9:59

been hit by ransomware. That's

10:02

not what makes up the bulk of it. Okay.

10:04

When you actually. dig beneath and you look

10:07

at the stats, it's for smaller firms

10:09

that are smaller businesses that are

10:12

the worst, that are the worst hit. And that's because naturally

10:14

they don't have the same kind of

10:16

cybersecurity measures as

10:19

the big companies. So

10:21

I was looking at a stat recently,

10:23

and this was in Australia, but

10:25

it was saying that PwC,

10:28

Deloitte, the big four, they're sponsoring.

10:30

800 overseas visa

10:32

applications for cybersecurity roles.

10:35

So they're really investing heavily in this area.

10:37

And there's similar trends, but we're seeing in the U.S.

10:40

as well, where the big four are investing.

10:42

They've got whole divisions dedicated

10:44

to cybersecurity. Okay.

10:46

So what we're seeing is because of that, hackers are

10:49

moving down the food chain and

10:51

they're then going for the smaller businesses who. Naturally,

10:54

you don't have a chief

10:56

information officer.

10:58

Yeah, you, you look at, you go to any city,

11:00

right? Like downtown central city,

11:03

they've got bars in the windows, they've got,

11:05

locks on the doors. But,

11:07

you go out into the suburbs or the, or,

11:09

the rural areas, people leave

11:11

their doors unlocked those types of things.

11:13

So I think that's an equating to what you're,

11:16

to what you're talking about. These cyber

11:18

criminals are now leaving

11:20

the city. And going into the

11:22

more rural areas where people are more apt

11:24

to leave their doors unlocked

11:26

or on those types of things. Is

11:28

that what you're seeing? Yeah.

11:30

Yeah, definitely. So they're moving to

11:32

smaller firms and they're going to the firms that

11:35

don't, haven't taken the

11:37

correct steps to secure themselves.

11:39

And that's why there is

11:41

becoming, there is more and more regulation.

11:44

Coming out around this. So obviously

11:46

we've got the FTC safeguards rule, which we'll focus

11:48

on today. There's also the IRS

11:51

4557 safeguarding taxpayer

11:54

information guidelines. And

11:56

on top of that, you've also got some state based guidelines.

11:58

And the point I'd like to make is as well, is that I

12:00

do see this as actually being a real positive,

12:03

because it's now giving people a Benchmark

12:06

and showing people what they should

12:08

be doing because for the longest

12:10

time, it's almost been, the Wild West where

12:13

just get a business. Get a laptop

12:15

and you're off. Okay. But

12:18

there are basic steps that you take.

12:20

And if you put in place, some simple

12:22

measures, you can reduce your risk massively

12:25

by 80, 90%. Okay.

12:27

Just by some simple low cost

12:29

steps. And the point

12:31

is with cybersecurity and when we're seeing

12:33

hackers targeting small businesses,

12:36

they're not necessarily targeting

12:39

your business. Okay. So

12:41

they're not waking up in the morning saying

12:43

I want to break into Melloy accounting,

12:46

a five user firm in Idaho. Okay,

12:49

they're not targeting me specifically. They're sending

12:51

out scams targeting hundreds of

12:53

business, thousands of businesses, and

12:55

what they'll do is they'll get into the ones that have the

12:57

worst levels of security. Okay,

13:00

so that's why these guidelines are here is

13:02

to give you basic steps

13:04

to really basic steps

13:06

to secure your business. It's not about

13:09

going crazy and going putting

13:11

in step in putting in place the same levels

13:13

of security as enterprises,

13:16

but it's about putting in place small steps.

13:18

And that's what we'll look at today. Got

13:20

it

13:21

So let's talk a little bit about what it is. We are going to

13:23

cover a little bit more in detail So

13:25

we'll talk about what is the it's FTC

13:28

safeguard rule. When was the deadline?

13:31

How does this affect me and what do I need to

13:33

do? Let's start off with with a

13:35

poll to get get us started.

13:38

And the poll is, which

13:41

will be shared now, how prepared are you

13:43

for the FTC safeguards rules, right? These

13:46

have you heard about it before? Are you fully prepared?

13:48

Are you getting there, just getting started? Or

13:51

what the heck are these rules to

13:54

begin with? Maybe if you, Jon, if you want

13:56

to tee us off there about, what are these

13:58

rules that we actually were talking about? So we mentioned

14:00

the FTC safeguard.

14:05

Yeah, sure. So the FTC Safeguards

14:07

Rule, it's actually been around for a fairly

14:09

long time. So it was first introduced

14:12

in 2003. But

14:15

what we saw, and it

14:17

was in place then, but back then it was quite vague.

14:20

It doesn't have a specifics, but it does now. But

14:22

what it's about in short is.

14:25

Prepare to provide guidelines for

14:27

businesses on how to maintain

14:29

safeguards to protect the security

14:32

of customer information. Okay.

14:34

So yeah, it took effect in 2003,

14:36

but it was updated in 2021

14:40

and the 2021 update

14:42

provides more concrete guidance

14:45

for businesses. Okay. So what

14:47

it does then is it reflects provides

14:49

more guidance and more specifics around what firms

14:51

should and shouldn't be doing. To secure

14:54

their data there. Yeah,

14:56

let me go

14:57

ahead and share the results. And while

14:59

I'm doing that, I'm going to stop sharing so that

15:01

you can pick up because that way you can

15:03

go through your cadence of the slides here.

15:06

And an interesting point of someone

15:08

in the chat here they picked up

15:10

that you've got a little accent there.

15:13

You're based out in, you're based out of Australia.

15:16

How does how does practice, how did Practice

15:18

Protect get into, US based cybersecurity

15:21

and protection?

15:23

Yeah, it's good. And it's a funny point.

15:25

And I can definitely see the irony.

15:27

I find it quite interesting. Because

15:30

also, as well, I'm from what I live in Australia, but

15:32

I'm from the UK, originally. So I'm from the

15:34

UK, I work for an Australian company. And I

15:36

spent a lot of my time talking about FTC

15:38

and IRS guidelines. And

15:41

that's because to answer that question

15:43

is because we work heavily with

15:45

US firms. So we've,

15:48

as I said at the start, we're working with over

15:50

24,000 accountants and bookkeepers,

15:53

and that's across both Australia and

15:55

the U.S. So a large

15:57

portion of our client base are based in

15:59

the U.S. So naturally,

16:02

we're experts in two areas. It's Australia,

16:05

cybersecurity legislation, and

16:07

U.S. cybersecurity legislation,

16:09

because when it comes to security, and I'll

16:12

talk more about this later, it's not just

16:14

about the technology that you put in place.

16:16

There is different compliance and regulations

16:19

that you're doing. So say if we were just providing

16:21

a software platform, we'd only

16:23

be doing half of the job. So as

16:25

part of what we're doing with working so heavily

16:28

with US companies, We've had

16:30

to brush up on these these guidelines

16:32

and make ourselves experts in these areas.

16:36

Yeah. So these guidelines started in 2003.

16:39

They were updated in 2021,

16:41

and then they impose this nebulous

16:44

deadline because people are

16:47

creatures of habit. They only do things when

16:49

there's a deadline associated with them, right?

16:52

Yes. Yeah. Correct. And

16:54

so the deadline this is one of the main

16:56

questions we get is when was that and

16:58

the deadline to comply with some

17:01

of the updated requirements was on the 9th

17:03

of June, and it's really important to note that

17:06

it's some of the requirements.

17:08

It's not every single requirement.

17:11

The FTC have listed

17:13

on their websites, what specifically

17:16

needs to be done in these areas and that's

17:18

what I'll talk about today. So if you go online if

17:20

you look at the FTC Safeguards Rule, it is

17:22

a lengthy document and it will have a

17:24

lot more requirements from what we speak about

17:27

today, but there are some different breakout

17:29

articles from the FTC where they reference

17:31

what needs to be done for this specific

17:33

deadline. Okay.

17:36

And really then the next

17:38

question that we get is

17:41

does this apply to me?

17:44

Okay. And there has

17:46

been When I've been speaking to firms

17:48

about this, there has been a bit of a misconception

17:51

out there amongst some, and I think it's

17:53

almost a willful misconception,

17:56

as when I've been speaking to, speaking

17:58

about the set of events, so particularly

18:01

with some bookkeepers and CAS firms, they've

18:03

interpreted it as not applying to them

18:05

which isn't necessarily correct

18:08

and the reason for that is because there has

18:10

actually been a lot of education over the last

18:12

few years around Be around

18:14

data security if you're a tax practitioner. So

18:17

if you're a tax practitioner, there's obviously

18:19

been that IRS 4557

18:21

legislation, which sets out what

18:23

you should be doing to secure your taxpayer

18:26

data. And also when

18:28

you fill out Form W-12

18:31

for the PTIN application

18:33

you have to sign off saying that, yes, I

18:35

have a data security plan in

18:37

place. And I think that. Question

18:39

on the form has been in place for three years

18:42

now. So there's been a lot of

18:44

information and education around this,

18:46

but that what that's meant as

18:48

well is that when I've been speaking with companies

18:51

and they don't prepare taxes,

18:53

they've been flying under the radar a little

18:55

bit of thinking that this isn't as relevant to them

18:57

because they're not filling out that form

19:00

and ticking that box. But

19:03

if you look at the definition

19:05

of who the FTC safeguards rule applies

19:07

for from the FTC, that's

19:10

not necessarily the case. Okay,

19:12

so the safeguards rule applies

19:14

to financial institutions

19:17

subject to their jurisdiction. And

19:20

when you look at their definition, According

19:22

to this section, an entity

19:24

is a financial institution if

19:27

it's engaged in an activity that is

19:29

financial in nature. Okay

19:32

that is a very

19:33

Broad stroke. Isn't

19:36

everybody right?

19:39

Yeah we're all, any businesses is

19:41

financial in nature because we're

19:43

in the business of making money,

19:46

which is financial in its core. So

19:48

you could go that broad with your definition,

19:51

but I think narrowing it down is if

19:53

you're looking at What is your core business

19:56

function? Okay. And when it comes

19:58

to, bookkeepers obviously CPAs,

20:01

CAS firms, their core business function

20:03

is finances, advising

20:05

on finances, keeping accounts. And

20:08

that is by definition financial nature.

20:10

So even if we narrowed down that definition, it

20:12

would then apply to CPAs,

20:15

accountants, and CPAs, bookkeepers, and CAS

20:17

firms.

20:19

The natural question and Nancy

20:21

asked it in the chat. What are the consequences

20:24

of missing this deadline? Is someone

20:26

going to show up at their door and be like, where

20:29

is, where are all these compliances?

20:31

And would there be a fine or something like

20:34

that if it were actually to

20:36

be discovered that they're out of compliance

20:39

with it? Yeah. Yeah. Great question.

20:41

And yeah, it's definitely, it's

20:43

not that they're knocking and

20:46

knocking on doors, checking in businesses.

20:48

We haven't seen so far that there have been any

20:50

proactive checks and

20:53

really the trend that we're seeing in cybersecurity

20:56

is that this is policed. After the

20:58

fact. Okay. So what

21:00

we're seeing is they're not doing prior to the audits,

21:03

but say if your firm is hit,

21:05

if you do have a data breach,

21:07

if you do have a hack, then after that,

21:10

there's usually, an investigation

21:12

and that's when penalties could

21:14

then be applied. Also this

21:16

could turn into a double, like a triple

21:18

whammy, because if

21:21

you don't have the correct measures in place, but firstly,

21:24

obviously you're more likely to be hit. With

21:27

these at their core, it is about securing

21:29

your business, putting in the correct measures. So if you don't have that in

21:31

place, you are more likely to be hit. Secondly,

21:34

if you haven't followed the

21:36

guidelines, and if you haven't put the correct measures

21:38

in place, you're likely not going to be compliant

21:40

with your cyber insurance. Because

21:43

cyber insurance companies do require

21:45

you to take certain steps for them

21:47

to actually be valid. So that's

21:49

a whole separate webinar and conversation

21:52

to have. But it is something to be aware

21:54

of when we talk about security is making sure

21:56

that you're actually doing what you said

21:59

you're doing. It's the same thing. If you

22:01

just think about it, it's the same thing as your car insurance.

22:03

Okay. If you left your car unlocked

22:06

and the keys in the lock, they're probably not going to pay

22:08

out. Okay. There's that.

22:10

And the third point is, so

22:13

you would also be hit by not getting the cyber insurance

22:15

money back because you haven't taken steps. And

22:18

third, there are also penalties for non compliance.

22:21

So I guess that was a little bit long winded.

22:23

So to answer the question, yes. Could

22:25

there could be fines for this,

22:28

but we're only seeing them being enforced

22:31

after a breach. That's when it's being investigated.

22:35

Got it. So very similar to the

22:37

insurance adjuster going, okay this

22:40

is this is what happened.

22:42

Oh, this is why it happened. Okay.

22:44

This is now would

22:46

there be, would they levy a fine? Is that

22:49

what it would ultimately be after the fact

22:52

when there's an investigation like that?

22:55

Yes. There, there could be a fine. And really

22:57

the cost of a fi the amount of a fine really

22:59

depends on the business. So it depends

23:01

on the amount of data that was exposed. It depends

23:04

on the damage that was done. So we've

23:06

seen wide ranging ones from, smaller

23:08

ones in the tens to thousands to, far larger

23:11

fines for bigger businesses.

23:15

All right, so let's talk about what the compliance

23:18

has to deal with. So there's what eight?

23:21

Yes. Yeah, correct. As I said earlier, the

23:23

FTC Safeguards Rule. It is a long

23:25

it's a long piece, but there are some specific

23:28

guidelines which they outlined in one of

23:30

their articles. And

23:32

this is what you'd be needing to comply

23:35

with. So I'll just run

23:37

you through quickly what these are. So the first

23:39

one is to designate a qualified

23:41

individual to oversee your information

23:44

security plan. Next

23:46

up, it is to develop a written

23:48

risk assessment. The

23:50

third point is to limit and monitor

23:53

who can access sensitive customer

23:55

information. Next

23:57

is to encrypt all sensitive

24:00

information. There's also a training

24:02

aspect, so you have to train security

24:04

personnel. Also you need to develop

24:07

an incident response plan. Next

24:10

up is to periodically assess the

24:12

security practices of your service providers,

24:15

which When I speak with firms, it always sounds

24:17

a bit daunting, but that's actually one of the easiest ones

24:19

to do. And lastly,

24:22

it's to implement multi factor authentication

24:25

or another method across everything

24:27

that you use to access customer information. Got

24:30

it.

24:31

Now, Don in the chat has raised up

24:33

an interesting point. And this is something that I

24:35

think you want to drive this point home

24:37

is that Don is a one person firm.

24:40

And these things seem so nebulously

24:43

like a large firm type of thing

24:45

needs to do. You want to talk a little bit

24:47

and we'll unpack these these regulations

24:50

or guidelines a little bit more

24:52

in detail as we go through the slides here.

24:54

But let's talk a little bit about first about scale,

24:56

right? What is, designating a person?

24:59

If I'm a one person firm, I guess that's me, right?

25:02

Yeah. Yeah, definitely. I'll jump back to,

25:04

we'll have a poll, but I'll come back to that in a second.

25:06

We can jump back because I think this is the question

25:10

is how am I meant to do

25:12

all of that? And that's a good question

25:14

from Don. And the point

25:16

is, and I always do emphasize

25:19

this is for when you're putting this

25:21

in place you need to focus

25:24

on your business. Okay. So before

25:26

you panic and get overwhelmed around

25:28

those eight requirements, it's really important

25:30

to keep perspective. and follow

25:33

the guidance of the FTC and look at what they're saying

25:35

because they are actually being very

25:37

common sense about this. So

25:40

I thought I'd jump to this slide just because this is

25:42

straight from the horse's mouth. So

25:44

this is from the FTC's website, but

25:46

what they're saying is that your information

25:49

security program Must be

25:51

written and it must be

25:53

appropriate to the size and complexity

25:56

of your business, the nature and scope

25:58

of your activities and

26:00

the sensitivity of the information at issue.

26:03

Okay. And I really want to emphasize

26:06

that point because I think often. When

26:08

we talk about cyber security and

26:10

technology, things can get over complicated.

26:13

But if you're what you'd be doing is

26:15

applying something that's appropriate to your business.

26:18

OK, so if you're a large multinational

26:20

company, you've got 500 team members

26:22

across the country, different offices. You're

26:24

going to need a very robust information

26:27

security program. Okay, if

26:29

you're a smaller firm, if you're a sole practitioner

26:32

then you need to put something appropriate to

26:34

the size of your business. Okay, so

26:36

do you need a 60 page

26:39

document outlining whatever

26:42

it is over 60 pages? Probably

26:44

not. Okay but the thing is, you

26:47

do need to do something, okay?

26:49

As the FTC says, it must be written,

26:52

okay? And it must be appropriate to your business.

26:55

Okay what you can't do is to

26:57

bury your head in the sand and to do nothing.

27:00

But it's about putting in place something simple,

27:02

something effective to demonstrate due

27:05

diligence, which is appropriate to

27:07

your business. And I will

27:09

talk a bit more about the hows

27:11

of these eight requirements shortly. Okay

27:14

let's

27:14

launch that that second poll, which is which

27:16

compliant, which requirements you want to bring

27:18

that slide back up where we have. The

27:21

eight on there, but I think I did put them

27:23

all in the in the options

27:25

for the poll, which of those requirements your firm

27:27

already compliant with. Now, don't

27:30

be afraid to answer this poll. I'm not going to send

27:32

this to anyone who's passed the

27:34

deadline and whatnot. So don't

27:36

worry about that. We just want to get an understanding

27:38

as to, which which of these

27:41

are, are you already, Okay. Already

27:44

in compliance with and might give us some

27:46

guidance as how far we need to unpack some

27:48

of these things based on those poll results. But

27:52

a lot of things, a lot of things I'm seeing in the chat

27:54

about, little questions

27:56

about what Practice Protect is and

27:58

what they do. And I think as we go through these

28:01

requirements you do offer a

28:03

free resource, a way that you know, a

28:05

accountant or bookkeeper practitioner can do

28:08

these things themselves, but also

28:10

how Practice Protect helps with these

28:12

compliance guidelines as well,

28:14

right? Yeah,

28:16

definitely. And I'll cover that off the areas that we help.

28:18

And I can see I can see that there are some questions

28:20

around pricing as well. Definitely more

28:22

than happy to answer those at the end. And I can walk you

28:24

through what that looks like as well.

28:27

Okay. Yeah. Perfect. Awesome. Cool.

28:30

But I guess it's interesting seeing

28:32

these poll results coming in and seeing

28:34

the split and which ones are most

28:37

which ones firms are most compliant with

28:39

and which ones need a bit more help. So

28:43

if I'm going to, And I'm

28:45

going to share the results so everybody can see what we're

28:47

talking about here. Yeah, it's a smattering

28:50

of compliance across

28:52

the board there.

28:55

Yeah, definitely. And I think you can see

28:57

which ones are the big winners where people have

28:59

most security already in place. And

29:02

it's good to see these two, which is often what

29:04

I've seen. People are

29:06

limiting and monitoring who can access central information.

29:09

That's at 73% and

29:11

72% have implemented MFA.

29:13

And that's fairly consistent with what I'm seeing.

29:15

There's obviously been a large focus

29:17

on multi factor. And I

29:20

think implementing MFA is probably helped

29:22

by the fact that for a lot of apps,

29:24

it's not optional. I

29:29

think that does definitely help there and that's

29:31

great because when it comes to MFA is really,

29:34

the first line of defense when it comes

29:36

to working online. So that's great. Also

29:38

great to see. There has been a lot

29:40

of education around the information security plan.

29:42

So 58% people have

29:45

an individual there, which has been awesome. Awesome.

29:49

Great. Without further ado as I said

29:51

we're not just here to tell you what it is

29:53

and not give any solutions. So we can

29:55

go through and take a look at

29:57

how you can simply and

29:59

easily meet these requirements.

30:02

We are talking about. FTC

30:05

requirements. So I guess an advanced warning.

30:07

The next eight slides as we're looking at these, they're

30:09

all going to follow the same kind of structure.

30:12

We've gone too crazy with the design of the slides.

30:14

So we're all going to follow this format. So

30:16

what we'll look at is first what the requirement

30:19

says. Straight from the FTC, what

30:21

the wording is. And then after that,

30:24

the FTC on the website, they do also have some

30:26

further information. So I'll take you through

30:29

additional info that the FTC says. And

30:32

then after that, talk a bit about what

30:34

should you do? Okay, breaking that down,

30:36

interpreting the requirement and what the FTC says,

30:39

what practically should you do?

30:42

And then look, I wouldn't be doing my job

30:44

if I didn't say how we can assist

30:46

firms in these areas. So I'll

30:48

talk a little bit about how we

30:50

can help our clients in these areas.

30:53

So make sure we'll let you know how you could do

30:55

it yourselves and also where

30:57

we could help and assist too. Okay,

31:01

but this first requirement is

31:03

to designate a qualified

31:05

individual to oversee the information

31:08

security program, and this one's

31:10

great. It's nice and straightforward.

31:13

But there are a couple of caveats with who

31:15

that person should be. So the

31:17

FTC says that this person must

31:20

have the requisite skill and experience

31:22

to fulfill the role. It could be someone

31:25

internal. So it may be a partner or

31:27

employee of the firm, or it could be

31:29

an outside service provider. Okay.

31:32

So if you are using a service

31:34

provider, then you still remain

31:36

responsible and you should identify someone

31:39

to oversee them. Okay. So

31:41

what should you do? Pretty

31:43

simple with this one appoint someone

31:45

in the firm or an outside provider to oversee

31:48

your program. Okay. But it is really

31:50

important to consider who you

31:52

are appointing. So you can appoint

31:54

someone in the firm, but they have to have the skills

31:57

to oversee the program. So that is the caveat

31:59

there. So that could be yourself. It

32:01

could be an office manager, could

32:03

be internal IT, or

32:05

it could be an external provider. Okay.

32:08

And the one thing we saw earlier with

32:11

these steps is that it must be written. So

32:13

make sure that this is documented. Okay,

32:15

so document who this is clearly and

32:17

keep that on record. And

32:19

what we then recommend is to review

32:21

who this individual is or who this company

32:24

is annually. Okay, so just

32:26

set up a recurring task to review annually.

32:29

And how can we help? So

32:32

for our clients that we're supporting

32:34

across all of our services, we could actually be listed

32:37

as their qualified service provider

32:39

for information security. Awesome.

32:44

Awesome. So the second I'm

32:46

sorry, Dan. No,

32:48

That seems pretty straightforward. Designating someone

32:51

to be the manager of this of this

32:53

whole process. So

32:56

let's move on to number two.

32:58

Yeah, and I think it's similar to a lot of

33:00

these guidelines when we talk about them, and I'll use this comparison

33:03

a lot. It's similar to when you think about fire

33:05

safety. In an office you'll have

33:07

a fire warden Okay?

33:09

So you have someone, he's got some responsibilities

33:12

around that. So very similar

33:14

kind of approach. The second requirement,

33:17

is about developing a written

33:19

risk assessment. And

33:22

I always think that this is a great place to start.

33:24

When I talk to firms about cybersecurity,

33:27

it's one of the questions I ask them. I say,

33:29

do you have a risk assessment? And

33:31

often when they say no, I'm like that's the first thing

33:33

to do, because it helps you identify

33:36

what you should then do to

33:38

secure your business. But what

33:40

the FTC says is that you should conduct a

33:42

risk assessment to identify and

33:44

inventory customer information where

33:47

it's stored and foreseeable risks

33:49

and threats to these. It should be in writing

33:52

and updated periodically as operations

33:54

change. So what

33:56

should you do? So some areas to consider

33:59

is where is this data physically

34:01

stored? Okay. Do you have files? Do you have folders?

34:04

Also, what hardware is

34:07

data being stored on? So are there

34:09

laptops, mobile phones going

34:11

up a level? What applications

34:13

are being used? Where is

34:15

the data being stored online? And

34:17

then lastly, who has access to what data?

34:20

Okay. So that's really the first thing is to list down

34:22

the different locations and then

34:25

think about the risks. So what are the risks

34:27

or threats to these locations? Okay.

34:30

So the physical data fire

34:32

still, I don't know why I've just got fire on my mind now,

34:35

but that could be stolen as

34:37

well. What risks are there around

34:39

the team members, PCs, do we have personal

34:42

PCs and then what

34:44

security is in place. And then again,

34:46

with this, it's about documenting it and reviewing

34:48

it annually. Okay.

34:51

So those are the steps for you to do. How can

34:53

we help? How can we make this easy for our clients?

34:55

We actually supply a WISP, so

34:57

a written information security plan, which

34:59

has a risk assessment to all of our clients.

35:02

That was one of the questions that that we saw

35:05

here from Stephen. How is... These

35:07

guys, how are these guidelines different from

35:09

a WISP? And if you could say that

35:11

again what a WISP is you know what

35:13

that stands for?

35:15

Yeah, great. So the WISP is a written

35:17

information security plan. So

35:20

that, and you're right, if you have that in place,

35:22

just go and check it because it should tick

35:24

off a lot of these boxes. So a

35:27

risk assessment is usually contained

35:29

within the WISP. So most firms

35:31

have that in place. Some people call it a data

35:33

security plan as well. So

35:35

that's the wording that was used on

35:37

that question on the PTIN form.

35:42

But yeah, definitely check your WISP to make sure it's covering

35:44

these areas. Awesome.

35:47

I see it.

35:47

I see a lot of people actually doing

35:49

this risk assessment in the chat, because

35:53

I don't even charge credit cards or, things

35:55

like that. Those are things that come up with,

35:58

this type of risk assessment, right?

36:02

Yeah, definitely. Definitely. Yeah.

36:05

Awesome. Now this third requirement really

36:07

flows on from the second one. So once you've done your risk

36:09

assessment, you've seen what

36:11

the different areas are. Now you need to

36:13

limit and monitor who can access

36:16

sensitive customer information. And

36:18

the FTC says that you need to determine who

36:20

has access to customer information and

36:23

consider on a regular basis, whether

36:25

they have a need for it. So what should you

36:27

do? Go back, look at your risk assessment

36:29

and look at where your data is stored

36:32

and consider what measures you have in place

36:34

to control access across the

36:36

team. Think about whether you have an easy

36:38

way to grant and revoke team member

36:40

access, because if somebody

36:43

leaves, if they suddenly stop

36:45

working at the firm. How are you going to make sure that

36:47

they don't have sensitive information

36:49

passwords stored in their head? So

36:51

make sure that as you're sharing information, you're

36:53

doing it in a controlled way. And

36:56

how can we help? That's a core part

36:58

of our business. So with our clients,

37:01

we perform an assessment to determine what

37:03

your sensitive applications are and

37:05

our access hub puts in a system to

37:07

easily control team members, access

37:10

lockdown and secure passwords

37:12

from your team members. Awesome.

37:17

The fourth requirement is

37:19

around encryption. So making

37:21

sure that you encrypt all sensitive

37:24

information. And the

37:26

FTC says that you need to protect by

37:28

encryption all customer information

37:30

held or transmitted by you both

37:32

in transit or over external networks

37:35

and at rest. So what should

37:37

you do here? So really,

37:39

again, it's about considering where your data is

37:41

sat. Do you have data encryption

37:43

in place on all of your company devices?

37:46

If not, set that up. Are

37:48

client passwords encrypted when

37:50

shared with your team members? Consider

37:53

where your data is stored and

37:55

then check with your apps that store

37:57

critical data around what their

37:59

encryption levels are. Most companies,

38:02

if you go to their websites, if you go to

38:04

if you Google them and put security afterwards,

38:07

you can usually find their security accreditation

38:10

or encryption levels. And

38:13

lastly review the encryption levels

38:15

around your local file storage. Is

38:17

it locked as well? And

38:20

how can we help? Not with the last point, we

38:22

don't sell padlocks. So that's

38:25

the answer to you guys to source. But when

38:27

it comes to your online information, we can definitely

38:29

help with that. Our access hub encrypts

38:31

sensitive client and company passwords.

38:33

We also have our device hub, which can

38:36

encrypt and remotely wipe lost

38:39

and stolen devices. And

38:41

lastly, our email hub provides

38:43

additional security around

38:45

email and file storage as

38:48

well. Awesome.

38:53

Okay, great. And the fifth

38:55

requirement is a nice and straightforward

38:57

one, and it's all about training. Okay.

38:59

So you need to train your security personnel.

39:03

And when the what the FTC

39:05

says is that you should provide your people with

39:07

security awareness, training, and schedule

39:10

regular refreshes. So

39:13

what should you do here? So

39:15

firstly it's about. members.

39:18

Okay. So put a cyber security

39:21

training plan in place for your new employees.

39:24

Okay. So that's something which we really focus on,

39:26

it's so key. The first 90 days of someone

39:28

in the business is key across

39:30

all areas and cyber security is no

39:32

exception. So it's important, but

39:35

you've taken your due diligence, even if you're hiring

39:37

someone who has a cyber security

39:39

qualification, okay, it's about

39:42

covering yourselves, so make sure

39:44

that they have done your version

39:46

of cyber security training. So

39:50

make sure you've got something for new employees. But

39:53

then after that, make sure that you put a

39:55

training plan in place for existing

39:57

employees. Okay, because it's all well

39:59

and good someone doing something in

40:02

the first 90 days, but if they stay with you

40:04

for five years and haven't done any training

40:06

after that, you haven't taken

40:09

the correct steps and due diligence. So

40:11

make sure that you're putting something in place for,

40:14

which has at least an annual cadence.

40:16

That's what we'd recommend. And

40:19

also you can help enforce this with policy

40:21

to cover yourselves as well. So

40:23

one of the things that we do and we recommend

40:26

our clients do is have team members sign an

40:28

IT and internet usage policy confirming

40:31

that they have access to

40:33

cyber security training and

40:36

how can we help? So we've got

40:38

over 18 hours of cyber security

40:40

training in our Practice Protect university

40:43

which is available for all of our clients on demand. And

40:46

we also supply an IT and internet

40:48

usage policy. Yeah,

40:52

that's a big, that's a big burden,

40:54

I think, for for smaller firms

40:56

to, to create that. Is

40:58

there other resources that are out

41:01

there that That they would need to resource

41:03

it themselves.

41:05

Yeah, definitely. But the good thing is it's like with anything,

41:07

there's heaps of different cyber security

41:10

resources online. There

41:12

is a government,

41:16

I'm not sure of it. If you, I'll see if I can

41:18

grab it at the end, but there's some cyber security

41:20

training from a

41:22

federal level. There's some really good courses.

41:25

And if I get a chance to at the end,

41:27

I'll grab the link to that. Okay, there's

41:30

definitely lots of free training out there, which is

41:32

great. Awesome. Yeah, I've

41:34

seen we've had a few questions and chats

41:37

come in, Dan. Is there anything we should highlight

41:39

at the moment?

41:41

I'm trying to keep it, topical

41:43

and I may just want to silo

41:46

those to the very end.

41:48

So let's just burn through these requirements

41:50

and then we'll field preform the

41:52

questions, I think, at the end.

41:55

Okay, perfect. That sounds great. Awesome.

41:57

So the basic requirement is to

41:59

develop an incident response plan. And

42:02

again, I was talking about assigning

42:04

the fire warden earlier. Think

42:06

of your incident response plan in the same way as a fire

42:09

response plan which most businesses

42:11

have. So in the case of a fire,

42:14

what do you do? Who do you call? Where

42:16

do you gather? What are the next steps

42:18

immediately in the aftermath to secure

42:21

everyone and contain the fire?

42:24

And it's the same for a

42:26

cyber incident response plan. Okay.

42:29

Also, if I continue that analogy, it's important

42:32

that you act fast to contain the breach.

42:34

Okay, just as a fire can get out of control

42:37

rapidly, so too can

42:39

a cyber security incident. So

42:41

really, when it comes to it, the first hour

42:44

is absolutely critical. Okay,

42:47

so the FTC does outline

42:49

what the plan should cover. And

42:51

I won't read this through bullet by bullet. I know

42:53

that these are available as a handout, but

42:56

go through and they say what it

42:58

should outline. And again, I

43:00

do want to stress here that when you're putting the incident

43:02

response plan in place, it's about

43:04

doing something which is appropriate to the size and

43:06

scale of your business. Okay. So if

43:08

you are a sole proprietor obviously this

43:10

would be a shorter plan than, someone who

43:13

has an office with 50 people Okay.

43:17

And so these points covered from out

43:19

here, and also you can go online.

43:21

You can look for us, my templates online.

43:24

How can we help now we have our

43:26

clients by having this plan available.

43:28

So we've got an incident response plan

43:31

inside of our university which is available

43:33

to all of our clients. Awesome.

43:37

Now the seventh requirement

43:39

as I said, this one can seem a bit daunting, but it's actually

43:41

one of the easiest to knock over in

43:43

about 15 minutes or so. And

43:45

it's to periodically assess the

43:48

security practices of your service providers.

43:51

Okay. So what the FTC says

43:53

is that you should select service providers

43:56

with the skills and experience to maintain

43:58

appropriate safeguards. So

44:01

what should you do here? So firstly,

44:03

just do a bit of research and then you

44:05

can document that. So say if you Google

44:07

app name security, most providers

44:10

have a section of their website where it outlines

44:12

their security measures. Okay.

44:15

Also reach out to your key providers.

44:17

Now, the point of this is that you don't need to be

44:19

cyber security professionals to

44:21

assess this, there are actually different

44:24

security certifications, which

44:26

a lot of companies are compliant with. So

44:28

if you check to see if they have these, then

44:31

that's you doing your due diligence as well. You

44:33

don't need to pore through every finer

44:35

detail of their security plan. Okay.

44:38

So ask them what security certification

44:40

may have. Again, most companies actually have

44:42

this listed on their websites. If you just Google

44:44

app name and security, you can find this

44:46

out. But when it comes to

44:48

security certifications SOC

44:51

2 001 are

44:54

the international standards. Okay.

44:56

And then once you've done your research again,

44:58

the one thing with this plan is that it should be written.

45:01

So just document the links

45:03

and who has what. And

45:06

just for everyone knows with us with

45:08

Practice Protect, we're actually SOC 2

45:10

compliant there. And

45:13

the requirement is to implement

45:15

multi factor authentication or

45:18

another method with equivalent protection.

45:20

Now, as we saw earlier, this is one

45:22

where everyone is pretty pretty well covered

45:24

with this. I think the vast majority, 73%

45:27

of people have put multi factor

45:29

in place. And I think we're all pretty

45:31

familiar with multi factor is

45:35

it can be annoying at times. When

45:37

it's popping up every time you're logging into something, but

45:39

as I've said, it really is the first step,

45:42

the first line of defense when working online.

45:44

So make sure that you've got it implemented across

45:47

all of your apps. And how

45:49

can we help we try to make it a

45:51

little bit less annoying if possible.

45:54

That's where we can help with multi factor. So

45:56

we've got our access hub, which

45:58

can help provide an easy way to enforce

46:00

multi factor across multiple

46:02

applications. Awesome.

46:06

Awesome. Great. All right. Onto the third poll then.

46:09

Third

46:09

poll here. Let me go back here

46:11

so I can launch this one. So

46:13

on a scale from one to five, how

46:16

confident are you in your firm's

46:18

cybersecurity measures? So it's a good

46:21

pausing point, right? To maybe talk

46:23

about some of the questions that, that

46:25

popped up. So Danielle

46:28

asked this question. What is the practical language

46:30

to use with your clients to let them know that you

46:32

are compliant. And

46:34

then how do you prove that what you've done

46:37

is FTC compliant? Knowing

46:39

that most of your clients may be

46:42

familiar with the, with these

46:44

rules. How do you, is

46:46

there like a badge certification? How

46:48

does that work for for a business to

46:50

let them, to let their clients know?

46:53

Yeah, really good question. And it's a really good point because

46:55

it is something which you should be talking

46:57

to your clients about. So definitely

47:00

an area. And one of the things that we

47:03

recommend to our clients is to have something in your

47:05

client engagement letter around this.

47:07

So you can talk about your data security

47:09

measures in that, but

47:12

also if you put new measures in

47:14

place send it, one of the things I'd recommend

47:16

is send an email send an email blast

47:18

to your clients, let them know, Hey, my

47:21

lawyer counting, we have done X, Y, Z, we

47:23

are compliant with these FTC requirements,

47:26

and I think it's really important to do that, to demonstrate

47:29

that you're doing the right thing, because

47:32

obviously you're asking them for access to

47:34

their sensitive information. So it's important

47:36

that at the same time, you let them know that you've taken

47:38

the correct steps with due diligence to secure

47:40

that. Yeah, I'd say definitely

47:42

the engagement letter, privacy policy

47:45

and the emails as well. Oh,

47:52

sorry, Dan, you're on mute again there. Oh,

47:54

yeah, sorry.

47:56

Somebody knocked on the door and I had to mute there

47:59

but I'm sharing the poll

48:01

results and I appreciate people being candid

48:03

about, their self assessment

48:05

that they do need to, put some more

48:07

measures in place and

48:09

that's partly why you're here is just to make

48:11

sure that, people are educated

48:14

on, on, on these guidelines and guidances and

48:18

put that in Thank you. Putting

48:21

it out there, right?

48:23

Yeah, definitely. And as well, I'm conscious, and

48:26

one of the things we'll say with cybersecurity is there is

48:28

no silver bullet. There are no guarantees

48:31

when it comes to cybersecurity. The only guarantee

48:33

is that you can never be 100%

48:35

secure. It's about putting in the

48:38

correct steps, taken the correct due

48:40

diligence to ensure that you've lowered

48:42

your reduced. So sorry to make sure

48:44

you've reduced your risk profile to an acceptable

48:46

level. And that's all that any business

48:48

can do.

48:51

So let's let's move on then and talk

48:53

about Practice Protect, how Practice

48:56

Protect can actually help with all

48:57

of it. Yeah. Yeah. Awesome. Conscious.

49:00

I'm conscious of time as well. So we've covered

49:03

off a lot of this, but just to recap

49:05

where we come in and how we help is that we're

49:08

America's largest cyber security platform

49:10

for CPA, bookkeeping and CAS

49:12

firms. And again, why we're existing

49:14

why we're doing what we're doing is because cyber crime is increasing.

49:17

Data security is becoming more and more complex.

49:20

There's more requirements. There's more guidelines.

49:22

So what we're here to do is

49:24

to provide a holistic cyber security

49:27

platform that helps across

49:29

these areas. So

49:32

In short, we've got three

49:34

hubs which enable us to help

49:36

firms to secure their businesses. So

49:39

device email and access, because

49:41

as I said just a second ago, it comes to cybersecurity.

49:44

There is no single approach. You need to

49:46

be taking different steps across different

49:48

areas and that's where we can help. So

49:51

firstly, the device hub is

49:53

all about securing your PCs,

49:56

your workstations. Okay. So

49:58

we protect your workstations

50:01

against threats, such as malware, viruses,

50:04

ransomware if you use AI to

50:06

scan for known and unknown

50:08

viruses. So that's

50:10

really locking down your PC because if your PC

50:12

gets infected, then potentially everything

50:15

that you connect to everything that you work to from.

50:17

Work on from there could then be

50:19

compromised. Our next system

50:21

is the email hub, which is all about

50:23

safeguarding your inbox from different

50:26

threats, such as phishing, malware

50:28

and spam. And this is so

50:30

important because as I mentioned at the start, the

50:33

cost of email cybercrime

50:35

business email compromise to the U.S. economy last

50:38

year was 2.4 billion. Email is the most

50:40

targeted application, so we

50:42

put a big emphasis on making sure that

50:44

your email system is secure. And

50:47

lastly is our access hub.

50:50

So what this does is

50:52

it enables you to easily

50:54

manage identity and passwords

50:57

across team members because

50:59

working with CPAs, bookkeepers,

51:01

CAS firms, we know that it's not just your passwords,

51:04

it's also your clients passwords. You've

51:06

got access to not

51:08

20 applications. It's 500,

51:12

600, so many different applications because of all of the client

51:14

apps. So what we're about to do there

51:16

is providing you with a secure solution

51:19

to manage this so that team members

51:21

can access client work without knowing

51:24

all of your clients passwords, their mother's

51:26

maiden names, whatever it may be. Okay,

51:28

making sure that all of this information is

51:30

locked out and secure. Awesome.

51:36

So that's it in one breath what we

51:40

Got it. Just want to throw out the

51:42

last poll question here is

51:45

if I'm

51:47

going to launch it here. Would

51:50

you like an accounting

51:52

security consultation with Practice Protect seeing

51:55

if if this will actually, assist

51:57

so while people are answering that Meryl

52:00

asked a good question. If one, if someone

52:03

has Practice Protect, do

52:05

they need cyber insurance? Or is it

52:07

how does that work with with

52:09

regards to cyber security insurance?

52:13

Yeah, definitely. Great question. And yeah, so we

52:15

were on the prevention side. Okay. So we're

52:17

all about making sure that you

52:20

guys don't have an incident, but

52:22

at the same, but we're, so we're not an insurance company,

52:24

so we do recommend to all of our clients

52:26

that they do have cyber insurance as well.

52:29

So we can help make sure that you're compliant with that,

52:32

but definitely we recommend you still have

52:34

cyber insurance.

52:36

Does having something like like

52:38

this help with the, like

52:40

the approval process or maybe a discount

52:43

or something like that having, it's like a safe

52:45

driver course or something like

52:47

that for your teenagers is there, does

52:49

that work

52:50

for that? Yeah. Yeah, definitely.

52:52

So yeah, we see that because when

52:54

you're getting cyber insurance, you do have to fill out forms

52:56

saying we do X, Y, and Z. And

52:59

we help you achieve that. So they're asking

53:01

questions similar to this. So do you have a

53:03

information security plan in place? Do

53:05

you have MFA? Can you restrict access?

53:08

And that's what we do and how we help. So yeah, we

53:10

help firms get the approval because they are compliant

53:13

with it. And also, yeah, correct. Dan,

53:15

I'm getting discounts because you have the correct security

53:18

in place. We see that very often as well.

53:22

Another question that came up again from Merrill

53:24

and this is more of a scenario type

53:26

of situation. So what is,

53:29

what does somebody do when

53:31

a client will consistently not

53:33

use the encrypted method of

53:35

sending sensitive information to you? They

53:38

Here's my bank statement or

53:41

let me just send that via carrier

53:43

pigeon or something like that, right?

53:45

How does one address those cyber

53:48

security concerns when they're

53:51

not doing that?

53:53

Yeah it's a good question. And I

53:55

think there's always one isn't there across

53:58

every business. There's always that one client.

54:00

It won't move. So definitely, we've

54:02

recommended, you need to make sure that you've got a secure

54:05

message, secure way of sending information.

54:08

And one of the things I'd say is

54:10

going back to that earlier point about letting your clients

54:12

know about the security you've put in place, trying

54:14

to educate your clients around the

54:16

why. Why it's important.

54:19

Okay. And the potential damage that they could

54:21

do to themselves by sharing information

54:23

over email. So I'd

54:26

say that would be the first step trying to educate

54:28

them on the risks. Yeah,

54:31

it's like you said, there's always one that

54:33

will do that. And despite your

54:35

efforts, they continue to

54:40

do that. Is there a point where,

54:42

you would recommend, like, disengagement

54:45

of those types of things just or is it more

54:47

of, how does one, delicately,

54:51

talk to talk to somebody about

54:53

that.

54:54

Yeah. Yes. It's a good question. I

54:57

think it's about, like I said, trying to educate

54:59

and engage with them and it's

55:03

it's ultimately it's the firm's decision whether

55:06

what the risk is around that

55:08

information and whether you would disengage

55:10

with that client. And I think it's always

55:12

for the thing that I'm trying to do is

55:14

all the things for. But one of the things

55:16

I'd recommend is communicate with them how you want

55:18

to be communicated with so if they are

55:21

sending stuff, don't then

55:24

default back to sending unsecure

55:26

emails, keep using the system

55:28

that you set up, whether that's Alicio or

55:30

whatever for sharing documents, but

55:32

always revert back to that and try

55:35

to get them to engage with that.

55:38

So whether it's resubmitting, resending

55:40

that link saying, Hey, I need you to put this here,

55:42

not there because of X, Y, and Z reason.

55:44

All right. Makes sense.

55:47

We appreciate you, Jon for joining us today. We're

55:49

here at the top of the hour. Our power hour is

55:51

concluded. So hopefully

55:53

this has been educational for folks as

55:55

we close out of the Power Hour, when you,

55:57

when we end it you'll be prompted

56:00

with a survey. We appreciate any feedback.

56:02

We actually do read that and try to take

56:04

it take it into account. Appreciate

56:06

you joining us today, Jon, any

56:09

closing remarks on your side?

56:11

No, it was great. And it was awesome seeing all

56:13

of the questions and comments coming in. I've yeah,

56:16

I tried to keep up with the chat as much

56:18

as I can. So yeah, it was great seeing that. Also

56:21

I just saw I'll just drop a link in the chat

56:23

cause I saw, obviously there's a few people asking

56:25

for a review of their setup, so there's

56:27

a link there. So if you want to jump in and book a time

56:29

for a call you can do so there. That's the easiest

56:31

way to do it. Fantastic.

56:34

Thank you again for joining us, Jon, and

56:36

all of you that that, that joined us on the Power

56:38

Hour. Great discussion that we saw

56:40

scrolling through the chat and whatnot. So

56:42

we appreciate you joining us and we'll see you

56:45

next time on the QB Power Hour. Have

56:47

a great day, everyone. Cheer.
