Episode Transcript
0:30
Welcome to another QB
0:32
Power Hour. Today, we're going to be talking about,
0:35
so you missed the FTC deadline.
0:38
Now what? So
0:40
we've got Jon Melloy from Practice
0:42
Protect joining us here today. He's
0:45
going to be talking us through, notice that
0:48
Michelle is not here.
0:50
She's actually in Ecuador and aggravated
0:52
her foot. So she was going to
0:54
try to join us from. From
0:58
Ecuador. So this really would have been a worldwide
1:01
QB power hour since Jon is actually
1:03
based in Brisbane, Australia.
1:05
And I'm here in the Pacific Northwest.
1:08
So let's kick this off a little bit and
1:10
go with some introductions and we'll go
1:12
from there. As Michelle is
1:15
our international speaker, co host not
1:17
joining us here today. But we're encroaching
1:20
on 15,000 members in the Facebook
1:22
group for the QB Power Users
1:24
group. We invite you to join us there if you haven't
1:27
already. My name is Dan DeLong
1:29
owner of Danwidth. Worked at Intuit for
1:31
nearly 18 years. Co hosting today
1:33
as well as the workshop Wednesdays over at schoolofbookkeeping.com.
1:36
Just wrapping up another
1:39
tech editing duties of the QBO for Dummies
1:41
series. We hope to have the author
1:43
joining us here, which was an interesting
1:46
topic about how do you write books
1:48
about technology that changes
1:50
constantly, which is one of the
1:52
interesting side notes of the writing
1:55
authoring books on tech. But
1:57
Jon, go ahead and introduce yourself for
1:59
the folks that may not know what and who
2:01
Jon Melloy is in Practice Protect.
2:04
Yeah, awesome. Great to be on. And yeah,
2:07
thanks for, yeah. Thanks for having me on here, Dan. So
2:09
yeah, for those of you who haven't met me before
2:11
I'm Jon Melloy and I'm the head of growth
2:13
at Practice Protect. I've been working
2:16
with Practice Protect for just over six
2:18
years now. So I've been with the company for a long
2:20
time and over that time I've
2:22
worked with hundreds, probably
2:24
getting into the thousands definitely thousands
2:26
of firms assessing their cyber
2:29
security and putting in best
2:31
place security to help them to
2:33
reduce risk, manage compliance
2:35
and meet all of their different obligations.
2:38
Yeah, so Practice Protect as you can see
2:40
there with the leading cyber security
2:42
platform for accountants worldwide. We're
2:45
working with just over 24,000
2:47
accountants
2:49
and bookkeepers globally.
2:52
And yeah, as Dan put there,
2:54
so yeah, working with CPAs, bookkeeping and CAS
2:56
firms. And really the reason
2:58
why we exist is because, and I'll talk
3:01
a bit more about this, but cybercrime
3:03
is increasing. As I said, I've been with Practice
3:05
Protect for six years now. And
3:07
every year since I've been with the company
3:09
has been a record year for cybercrime. Okay.
3:12
That is a, not a great stat,
3:15
but I guess that makes sense why why you even
3:17
exist, right?
3:18
Yeah. And it's just, it's becoming more sophisticated
3:21
and really it's because
3:23
that's where the money is. It used to be that people
3:26
would rob banks or if you go further back
3:28
in time, people would rob trains because
3:30
that's where all the good stuff was. But
3:32
now it's online and it's so
3:34
much more lucrative. Hackers can
3:37
hack into businesses without leaving the
3:39
comfort of their homes. And
3:41
that's really broken down a lot of barriers
3:43
when it comes to crime, because it used to be, say if
3:45
I was a criminal and I wanted to steal your wallet, I'd
3:48
have to be in the same room as you. Whereas
3:50
now, from the other side of the world,
3:52
I could log in online and I can steal your online
3:55
identity and
3:57
coupled with that, you've got more and more
3:59
of our information is going online
4:02
and we're definitely, we're, Practice
4:05
Protect are huge cloud advocates.
4:07
Definitely that is the way which firms
4:09
should be working. And it is, if
4:12
it's managed correctly, more secure, but
4:14
that's the caveat. It's that it does need
4:16
to be managed correctly. And
4:19
that's why we exist as data
4:21
security is more information is going online. How
4:23
do you structure that in a secure way? How do
4:25
you secure the new risks
4:28
which we're seeing for the modern firm?
4:30
Yeah, and that's something that I noticed when I was
4:32
working at Intuit in the accountant
4:35
space is that, an accountant
4:37
is a gatekeeper to a lot of sensitive
4:40
data. So they, they are literally
4:43
the, the new world train from
4:45
a hacker's perspective of oh, they've
4:47
got lots of good information. If I can get into
4:50
an accounting firm or accountant, I
4:52
have inside information
4:54
on, social security numbers and all
4:57
sorts of client data so
4:59
it definitely behooves accountants
5:02
to be good stewards of that, right?
5:04
Yeah. Oh, yeah, definitely. And that's it.
5:06
And it's accountants, it's almost like a honey
5:08
pot because hackers know
5:10
that if they target, accountant, bookkeeper,
5:12
CAS firm, they're not just getting
5:14
potentially one business. They could potentially get
5:16
the business to, sorry, potentially get
5:19
the access to hundreds of businesses
5:21
information. Okay. So that's
5:23
why we're seeing that accountants are disproportionately
5:27
targeted by scams.
5:30
And it's also interesting seeing
5:32
how much more complex
5:34
scams and cybercrime is becoming.
5:37
It used to be, it used to
5:39
be quite easy to spot a scam and I always
5:41
feel nostalgic thinking about it in
5:43
a way. So you used to get, you'd
5:46
be surfing online and you get some emails
5:48
pop up on your screen saying,
5:51
sorry, you used to get some pop ups saying that you'd won a free
5:53
Motorola Razr, or you'd get
5:55
an email from an overseas
5:58
prince somewhere asking for
6:00
a donation. But we all
6:02
got quite desensitized
6:04
to those. And now what's happened is it's become
6:06
so much more personalized. Okay.
6:09
And it's the same trend that we're seeing just across
6:11
everything online. So there's
6:13
so much different information and data points
6:15
on us. And hackers are using this to craft
6:17
the best personalized kind
6:20
of scams possible. They know about
6:22
our business. They know who we are. They know who we work
6:24
with. They know who our clients are. And
6:26
on top of that, there's all this different information that has
6:28
been leaked by leaks about us on different data
6:31
breaches online and hackers
6:33
are using that to send the
6:35
most targeted scams possible.
6:38
So yeah. I guess that's the
6:40
reason why we're existing because this
6:42
is becoming so much more complex
6:44
and the cost of not acting is so high with
6:47
the cost of a breach being 80,000,
6:49
88,000 that it's,
6:51
far cheaper, far more effective to
6:53
put in place the correct prevention to
6:55
stop that from happening. Oh,
7:01
Dan, I think you're on mute there. You
7:05
are correct. Sorry about that. Let's talk
7:07
a little bit about some of the housekeeping things for
7:10
the QB Power Hour and then we'll dive into
7:12
some of these guidelines and what what accountants,
7:14
bookkeeping professionals can do
7:16
about it now that the deadline has has
7:18
passed. So the QB Power Hour
7:20
is, of course, every other Tuesday at CPE. But
7:26
check the website for upcoming events.
7:28
We also have other events available
7:31
there. There's a e com as you are
7:33
discussion over at Roundtable. So you can
7:35
register for those things as well. But
7:37
if you need PDFs of the slides, recordings
7:40
of podcasts, we have qbpowerhour.com/resources
7:42
for you. If
7:44
you have specific questions about
7:47
what Jon's talking about here today, please
7:49
put those in the Q&A. Makes
7:51
it far easier for us to follow up, especially
7:54
if there is a follow
7:56
up necessary. But if you have general comments
7:58
concerns things to just talk about amongst
8:01
ourselves here please put those in the chat
8:04
comment. And then, of course, we have the slides
8:06
there for the webinar archive and
8:08
resources as well. Essential
8:12
steps for accountants and bookkeepers
8:15
with regards to these FTC safeguard
8:17
rules. So let's talk a little bit about first these.
8:20
Why these FTC safe what
8:22
are these safeguards and why was there
8:24
this ominous June deadline?
8:28
Yeah, also, I think it's important to, to talk
8:30
about the why as well, Daniel, as you
8:32
said, because it helps frame up why was
8:34
it being implemented. And the reason why is because
8:37
cybercrime is increasing. As I said at the start,
8:39
we're seeing records being broken. Every
8:42
year for cybercrime and it's becoming
8:44
too expensive not to act.
8:47
So there was a report which
8:50
was put out last year by the
8:52
FBI which was looking at the
8:54
most commonly committed internet crimes.
8:57
So if you're a cybersecurity
8:59
nut like myself, you can look it up online.
9:01
So it's the FBI Internet Crime
9:03
Report, and it shows
9:06
where, what the most damaging scams are. And it's
9:08
really interesting to see this because the
9:10
cost of this is getting so high. So the amount
9:12
lost to the U.S. economy from
9:15
email scams, so business email compromise
9:18
last year was 2.4 billion.
9:21
That was the most costly scam that
9:23
we were seeing there. Yeah.
9:28
That skews
9:29
the, that skews the 88,000
9:31
a little bit, I think.
9:32
Yeah, and it's such a costly scam and that's
9:34
the top one. You're seeing, on top of that, there's another
9:36
100 million lost to ransomware
9:39
and other scams. But the cost
9:41
of not acting is so high.
9:44
And what's interesting as well
9:46
is, when we hear about
9:48
cybercrime, we often think about it affecting
9:51
the bigger businesses because that's what hits
9:53
the headlines. Okay. Typically when you
9:55
see cybercrime in the news, it's,
9:57
some top 100 company has
9:59
been hit by ransomware. That's
10:02
not what makes up the bulk of it. Okay.
10:04
When you actually dig beneath and you look
10:07
at the stats, it's for smaller firms
10:09
that are smaller businesses that are
10:12
the worst, that are the worst hit. And that's because naturally
10:14
they don't have the same kind of
10:16
cybersecurity measures as
10:19
the big companies. So
10:21
I was looking at a stat recently,
10:23
and this was in Australia, but
10:25
it was saying that PwC,
10:28
Deloitte, the big four, they're sponsoring
10:30
800 overseas visa
10:32
applications for cybersecurity roles.
10:35
So they're really investing heavily in this area.
10:37
And there's similar trends that we're seeing in the U.S.
10:40
as well, where the big four are investing.
10:42
They've got whole divisions dedicated
10:44
to cybersecurity. Okay.
10:46
So what we're seeing is because of that, hackers are
10:49
moving down the food chain and
10:51
they're then going for the smaller businesses who, naturally,
10:54
you don't have a chief
10:56
information officer.
10:58
Yeah, you, you look at, you go to any city,
11:00
right? Like downtown central city,
11:03
they've got bars in the windows, they've got,
11:05
locks on the doors. But,
11:07
you go out into the suburbs or the, or,
11:09
the rural areas, people leave
11:11
their doors unlocked those types of things.
11:13
So I think that's equating to what you're,
11:16
to what you're talking about. These cyber
11:18
criminals are now leaving
11:20
the city and going into the
11:22
more rural areas where people are more apt
11:24
to leave their doors unlocked
11:26
or on those types of things. Is
11:28
that what you're seeing? Yeah.
11:30
Yeah, definitely. So they're moving to
11:32
smaller firms and they're going to the firms that
11:35
don't, haven't taken the
11:37
correct steps to secure themselves.
11:39
And that's why there is
11:41
becoming, there is more and more regulation
11:44
coming out around this. So obviously
11:46
we've got the FTC safeguards rule, which we'll focus
11:48
on today. There's also the IRS
11:51
4557 safeguarding taxpayer
11:54
information guidelines. And
11:56
on top of that, you've also got some state based guidelines.
11:58
And the point I'd like to make is as well, is that I
12:00
do see this as actually being a real positive,
12:03
because it's now giving people a benchmark
12:06
and showing people what they should
12:08
be doing because for the longest
12:10
time, it's almost been, the Wild West where
12:13
just get a business, get a laptop
12:15
and you're off. Okay. But
12:18
there are basic steps that you take.
12:20
And if you put in place, some simple
12:22
measures, you can reduce your risk massively
12:25
by 80, 90%. Okay.
12:27
Just by some simple low cost
12:29
steps. And the point
12:31
is with cybersecurity and when we're seeing
12:33
hackers targeting small businesses,
12:36
they're not necessarily targeting
12:39
your business. Okay. So
12:41
they're not waking up in the morning saying
12:43
I want to break into Melloy accounting,
12:46
a five user firm in Idaho. Okay,
12:49
they're not targeting me specifically. They're sending
12:51
out scams targeting hundreds of
12:53
business, thousands of businesses, and
12:55
what they'll do is they'll get into the ones that have the
12:57
worst levels of security. Okay,
13:00
so that's why these guidelines are here is
13:02
to give you basic steps
13:04
to really basic steps
13:06
to secure your business. It's not about
13:09
going crazy and going putting
13:11
in step in putting in place the same levels
13:13
of security as enterprises,
13:16
but it's about putting in place small steps.
13:18
And that's what we'll look at today. Got
13:20
it
13:21
So let's talk a little bit about what it is. We are going to
13:23
cover a little bit more in detail So
13:25
we'll talk about what is the, it's FTC
13:28
safeguard rule. When was the deadline?
13:31
How does this affect me and what do I need to
13:33
do? Let's start off with with a
13:35
poll to get get us started.
13:38
And the poll is, which
13:41
will be shared now, how prepared are you
13:43
for the FTC safeguards rules, right? These
13:46
have you heard about it before? Are you fully prepared?
13:48
Are you getting there, just getting started? Or
13:51
what the heck are these rules to
13:54
begin with? Maybe if you, Jon, if you want
13:56
to tee us off there about, what are these
13:58
rules that we actually were talking about? So we mentioned
14:00
the FTC safeguard.
14:05
Yeah, sure. So the FTC Safeguards Rule,
14:07
it's actually been around for a fairly
14:09
long time. So it was first introduced
14:12
in 2003. But
14:15
what we saw, and it
14:17
was in place then, but back then it was quite vague.
14:20
It didn't have specifics, but it does now. But
14:22
what it's about in short is
14:25
to provide guidelines for
14:27
businesses on how to maintain
14:29
safeguards to protect the security
14:32
of customer information. Okay.
14:34
So yeah, it took effect in 2003,
14:36
but it was updated in 2021
14:40
and the 2021 update
14:42
provides more concrete guidance
14:45
for businesses. Okay. So what
14:47
it does then is it reflects provides
14:49
more guidance and more specifics around what firms
14:51
should and shouldn't be doing to secure
14:54
their data there. Yeah,
14:56
let me go
14:57
ahead and share the results. And while
14:59
I'm doing that, I'm going to stop sharing so that
15:01
you can pick up because that way you can
15:03
go through your cadence of the slides here.
15:06
And an interesting point of someone
15:08
in the chat here they picked up
15:10
that you've got a little accent there.
15:13
You're based out in, you're based out of Australia.
15:16
How does how does practice, how did Practice
15:18
Protect get into, US based cybersecurity
15:21
and protection?
15:23
Yeah, it's good. And it's a funny point.
15:25
And I can definitely see the irony.
15:27
I find it quite interesting. Because
15:30
also, as well, I'm from, I live in Australia, but
15:32
I'm from the UK, originally. So I'm from the
15:34
UK, I work for an Australian company. And I
15:36
spent a lot of my time talking about FTC
15:38
and IRS guidelines. And
15:41
that's because to answer that question
15:43
is because we work heavily with
15:45
US firms. So we've,
15:48
as I said at the start, we're working with over 24,000
15:50
accountants and bookkeepers,
15:53
and that's across both Australia and
15:55
the U.S. So a large
15:57
portion of our client base are based in
15:59
the U.S. So naturally,
16:02
we're experts in two areas. It's Australia,
16:05
cybersecurity legislation, and U.S.
16:07
cybersecurity legislation,
16:09
because when it comes to security, and I'll
16:12
talk more about this later, it's not just
16:14
about the technology that you put in place.
16:16
There is different compliance and regulations
16:19
that you're doing. So say if we were just providing
16:21
a software platform, we'd only
16:23
be doing half of the job. So as
16:25
part of what we're doing with working so heavily
16:28
with US companies, we've had
16:30
to brush up on these guidelines
16:32
and make ourselves experts in these areas.
16:36
Yeah. So these guidelines started in 2003.
16:39
They were updated in 2021,
16:41
and then they impose this nebulous
16:44
deadline because people are
16:47
creatures of habit. They only do things when
16:49
there's a deadline associated with them, right?
16:52
Yes. Yeah. Correct. And
16:54
so the deadline this is one of the main
16:56
questions we get is when was that and
16:58
the deadline to comply with some
17:01
of the updated requirements was on the 9th
17:03
of June, and it's really important to note that
17:06
it's some of the requirements.
17:08
It's not every single requirement.
17:11
The FTC have listed
17:13
on their websites, what specifically
17:16
needs to be done in these areas and that's
17:18
what I'll talk about today. So if you go online if
17:20
you look at the FTC Safeguards Rule, it is
17:22
a lengthy document and it will have a
17:24
lot more requirements from what we speak about
17:27
today, but there are some different breakout
17:29
articles from the FTC where they reference
17:31
what needs to be done for this specific
17:33
deadline. Okay.
17:36
And really then the next
17:38
question that we get is
17:41
does this apply to me?
17:44
Okay. And there has
17:46
been, when I've been speaking to firms
17:48
about this, there has been a bit of a misconception
17:51
out there amongst some, and I think it's
17:53
almost a willful misconception,
17:56
as when I've been speaking to, speaking
17:58
about the set of events, so particularly
18:01
with some bookkeepers and CAS firms, they've
18:03
interpreted it as not applying to them
18:05
which isn't necessarily correct
18:08
and the reason for that is because there has
18:10
actually been a lot of education over the last
18:12
few years around
18:14
data security if you're a tax practitioner. So
18:17
if you're a tax practitioner, there's obviously
18:19
been that IRS 4557
18:21
legislation, which sets out what
18:23
you should be doing to secure your taxpayer
18:26
data. And also when
18:28
you fill out Form W-12
18:31
for the PTIN application
18:33
you have to sign off saying that, yes, I
18:35
have a data security plan in
18:37
place. And I think that question
18:39
on the form has been in place for three years
18:42
now. So there's been a lot of
18:44
information and education around this,
18:46
but that what that's meant as
18:48
well is that when I've been speaking with companies
18:51
and they don't prepare taxes,
18:53
they've been flying under the radar a little
18:55
bit of thinking that this isn't as relevant to them
18:57
because they're not filling out that form
19:00
and ticking that box. But
19:03
if you look at the definition
19:05
of who the FTC safeguards rule applies
19:07
for from the FTC, that's
19:10
not necessarily the case. Okay,
19:12
so the safeguards rule applies
19:14
to financial institutions
19:17
subject to their jurisdiction. And
19:20
when you look at their definition, according
19:22
to this section, an entity
19:24
is a financial institution if
19:27
it's engaged in an activity that is
19:29
financial in nature. Okay
19:32
that is a very
19:33
broad stroke. Isn't
19:36
everybody right?
19:39
Yeah, we're all, any business is
19:41
financial in nature because we're
19:43
in the business of making money,
19:46
which is financial in its core. So
19:48
you could go that broad with your definition,
19:51
but I think narrowing it down is if
19:53
you're looking at what is your core business
19:56
function? Okay. And when it comes
19:58
to, bookkeepers obviously CPAs,
20:01
CAS firms, their core business function
20:03
is finances, advising
20:05
on finances, keeping accounts. And
20:08
that is by definition financial in nature.
20:10
So even if we narrowed down that definition, it
20:12
would then apply to CPAs,
20:15
accountants, and CPAs, bookkeepers, and CAS
20:17
firms.
20:19
The natural question and Nancy
20:21
asked it in the chat. What are the consequences
20:24
of missing this deadline? Is someone
20:26
going to show up at their door and be like, where
20:29
is, where are all these compliances?
20:31
And would there be a fine or something like
20:34
that if it were actually to
20:36
be discovered that they're out of compliance
20:39
with it? Yeah. Yeah. Great question.
20:41
And yeah, it's definitely, it's
20:43
not that they're knocking and
20:46
knocking on doors, checking in businesses.
20:48
We haven't seen so far that there have been any
20:50
proactive checks and
20:53
really the trend that we're seeing in cybersecurity
20:56
is that this is policed after the
20:58
fact. Okay. So what
21:00
we're seeing is they're not doing prior to the audits,
21:03
but say if your firm is hit,
21:05
if you do have a data breach,
21:07
if you do have a hack, then after that,
21:10
there's usually, an investigation
21:12
and that's when penalties could
21:14
then be applied. Also this
21:16
could turn into a double, like a triple
21:18
whammy, because if
21:21
you don't have the correct measures in place, but firstly,
21:24
obviously you're more likely to be hit, with
21:27
these at their core, it is about securing
21:29
your business, putting in the correct measures. So if you don't have that in
21:31
place, you are more likely to be hit. Secondly,
21:34
if you haven't followed the
21:36
guidelines, and if you haven't put the correct measures
21:38
in place, you're likely not going to be compliant
21:40
with your cyber insurance. Because
21:43
cyber insurance companies do require
21:45
you to take certain steps for them
21:47
to actually be valid. So that's
21:49
a whole separate webinar and conversation
21:52
to have. But it is something to be aware
21:54
of when we talk about security is making sure
21:56
that you're actually doing what you said
21:59
you're doing. It's the same thing. If you
22:01
just think about it, it's the same thing as your car insurance.
22:03
Okay. If you left your car unlocked
22:06
and the keys in the lock, they're probably not going to pay
22:08
out. Okay. There's that.
22:10
And the third point is, so
22:13
you would also be hit by not getting the cyber insurance
22:15
money back because you haven't taken steps. And
22:18
third, there are also penalties for non compliance.
22:21
So I guess that was a little bit long winded.
22:23
So to answer the question, yes. There
22:25
could be fines for this,
22:28
but we're only seeing them being enforced
22:31
after a breach. That's when it's being investigated.
22:35
Got it. So very similar to the
22:37
insurance adjuster going, okay this
22:40
is this is what happened.
22:42
Oh, this is why it happened. Okay.
22:44
This is now would
22:46
there be, would they levy a fine? Is that
22:49
what it would ultimately be after the fact
22:52
when there's an investigation like that?
22:55
Yes. There, there could be a fine. And really
22:57
the cost of a fi the amount of a fine really
22:59
depends on the business. So it depends
23:01
on the amount of data that was exposed. It depends
23:04
on the damage that was done. So we've
23:06
seen wide ranging ones from, smaller
23:08
ones in the tens to thousands to, far larger
23:11
fines for bigger businesses.
23:15
All right, so let's talk about what the compliance
23:18
has to deal with. So there's what eight?
23:21
Yes. Yeah, correct. As I said earlier, the
21:21
FTC safeguards rule. It is a long
23:25
it's a long piece, but there are some specific
23:28
guidelines which they outlined in one of
23:30
their articles. And
23:32
this is what you'd be needing to comply
23:35
with. So I'll just run
23:37
you through quickly what these are. So the first
23:39
one is to designate a qualified
23:41
individual to oversee your information
23:44
security plan. Next
23:46
up, it is to develop a written
23:48
risk assessment. The
23:50
third point is to limit and monitor
23:53
who can access sensitive customer
23:55
information. Next
23:57
is to encrypt all sensitive
24:00
information. There's also a training
24:02
aspect, so you have to train security
24:04
personnel. Also you need to develop
24:07
an incident response plan. Next
24:10
up is to periodically assess the
24:12
security practices of your service providers,
24:15
which, when I speak with firms, it always sounds
24:17
a bit daunting, but that's actually one of the easiest ones
24:19
to do. And lastly,
24:22
it's to implement multi factor authentication
24:25
or another method across everything
24:27
that you use to access customer information. Got
24:30
it.
24:31
Now, Don in the chat has raised up
24:33
an interesting point. And this is something that I
24:35
think you want to drive this point home
24:37
is that Don is a one person firm.
24:40
And these things seem so nebulously
24:43
like a large firm type of thing
24:45
needs to do. You want to talk a little bit
24:47
and we'll unpack these these regulations
24:50
or guidelines a little bit more
24:52
in detail as we go through the slides here.
24:54
But let's talk a little bit about first about scale,
24:56
right? What is, designating a person?
24:59
If I'm a one person firm, I guess that's me, right?
25:02
Yeah. Yeah, definitely. I'll jump back to,
25:04
we'll have a poll, but I'll come back to that in a second.
25:06
We can jump back because I think this is the question
25:10
is how am I meant to do
25:12
all of that? And that's a good question
25:14
from Don. And the point
25:16
is, and I always do emphasize
25:19
this is for when you're putting this
25:21
in place you need to focus
25:24
on your business. Okay. So before
25:26
you panic and get overwhelmed around
25:28
those eight requirements, it's really important
25:30
to keep perspective and follow
25:33
the guidance of the FTC and look at what they're saying
25:35
because they are actually being very
25:37
common sense about this. So
25:40
I thought I'd jump to this slide just because this is
25:42
straight from the horse's mouth. So
25:44
this is from the FTC's website, but
25:46
what they're saying is that your information
25:49
security program must be
25:51
written and it must be
25:53
appropriate to the size and complexity
25:56
of your business, the nature and scope
25:58
of your activities and
26:00
the sensitivity of the information at issue.
26:03
Okay. And I really want to emphasize
26:06
that point because I think often, when
26:08
we talk about cyber security and
26:10
technology, things can get over complicated.
26:13
But if you're what you'd be doing is
26:15
applying something that's appropriate to your business.
26:18
Okay, so if you're a large multinational
26:20
company, you've got 500 team members
26:22
across the country, different offices. You're
26:24
going to need a very robust information
26:27
security program. Okay, if
26:29
you're a smaller firm, if you're a sole practitioner
26:32
then you need to put something appropriate to
26:34
the size of your business. Okay, so
26:36
do you need a 60 page
26:39
document outlining whatever
26:42
it is over 60 pages? Probably
26:44
not. Okay but the thing is, you
26:47
do need to do something, okay?
26:49
As the FTC says, it must be written,
26:52
okay? And it must be appropriate to your business.
26:55
Okay what you can't do is to
26:57
bury your head in the sand and to do nothing.
27:00
But it's about putting in place something simple,
27:02
something effective to demonstrate due
27:05
diligence, which is appropriate to
27:07
your business. And I will
27:09
talk a bit more about the hows
27:11
of these eight requirements shortly. Okay
27:14
let's
27:14
launch that second poll, which is which
27:16
compliant, which requirements you want to bring
27:18
that slide back up where we have the
27:21
eight on there, but I think I did put them
27:23
all in the options
27:25
for the poll, which of those requirements is your firm
27:27
already compliant with. Now, don't
27:30
be afraid to answer this poll. I'm not going to send
27:32
this to anyone who's passed the
27:34
deadline and whatnot. So don't
27:36
worry about that. We just want to get an understanding
27:38
as to, which which of these
27:41
are, are you already, okay, already
27:44
in compliance with and might give us some
27:46
guidance as how far we need to unpack some
27:48
of these things based on those poll results. But
27:52
a lot of things, a lot of things I'm seeing in the chat
27:54
about, little questions
27:56
about what Practice Protect is and
27:58
what they do. And I think as we go through these
28:01
requirements you do offer a
28:03
free resource, a way that, you know, an
28:05
accountant or bookkeeper practitioner can do
28:08
these things themselves, but also
28:10
how Practice Protect helps with these
28:12
compliance guidelines as well,
28:14
right? Yeah,
28:16
definitely. And I'll cover that off the areas that we help.
28:18
And I can see that there are some questions
28:20
around pricing as well. Definitely more
28:22
than happy to answer those at the end. And I can walk you
28:24
through what that looks like as well.
28:27
Okay. Yeah. Perfect. Awesome. Cool.
28:30
But I guess it's interesting seeing
28:32
these poll results coming in and seeing
28:34
the split and which ones are most
28:37
which ones firms are most compliant with
28:39
and which ones need a bit more help. So
28:43
if I'm going to, and I'm
28:45
going to share the results so everybody can see what we're
28:47
talking about here. Yeah, it's a smattering
28:50
of compliance across
28:52
the board there.
28:55
Yeah, definitely. And I think you can see
28:57
which ones are the big winners where people have
28:59
most security already in place. And
29:02
it's good to see these two, which is often what
29:04
I've seen. People are
29:06
limiting and monitoring who can access sensitive information.
29:09
That's at 73% and
29:11
72% have implemented MFA.
29:13
And that's fairly consistent with what I'm seeing.
29:15
There's obviously been a large focus
29:17
on multi factor. And I
29:20
think implementing MFA is probably helped
29:22
by the fact that for a lot of apps,
29:24
it's not optional. I
29:29
think that does definitely help there and that's
29:31
great because when it comes to MFA is really,
29:34
the first line of defense when it comes
29:36
to working online. So that's great. Also
29:38
great to see there has been a lot
29:40
of education around the information security plan.
29:42
So 58% of people have
29:45
an individual there, which has been awesome. Awesome.
29:49
Great. Without further ado as I said
29:51
we're not just here to tell you what it is
29:53
and not give any solutions. So we can
29:55
go through and take a look at
29:57
how you can simply and
29:59
easily meet these requirements.
30:02
We are talking about. FTC
30:05
requirements. So I guess an advance warning.
30:07
The next eight slides as we're looking at these, they're
30:09
all going to follow the same kind of structure.
30:12
We've gone too crazy with the design of the slides.
30:14
So we're all going to follow this format. So
30:16
what we'll look at is first what the requirement
30:19
says. Straight from the FTC, what
30:21
the wording is. And then after that,
30:24
the FTC on the website, they do also have some
30:26
further information. So I'll take you through
30:29
additional info that the FTC says. And
30:32
then after that, talk a bit about what
30:34
should you do? Okay, breaking that down,
30:36
interpreting the requirement and what the FTC says,
30:39
what practically should you do?
30:42
And then look, I wouldn't be doing my job
30:44
if I didn't say how we can assist
30:46
firms in these areas. So I'll
30:48
talk a little bit about how we
30:50
can help our clients in these areas.
30:53
So make sure we'll let you know how you could do
30:55
it yourselves and also where
30:57
we could help and assist too. Okay,
31:01
but this first requirement is
31:03
to designate a qualified
31:05
individual to oversee the information
31:08
security program, and this one's
31:10
great. It's nice and straightforward.
31:13
But there are a couple of caveats with who
31:15
that person should be. So the
31:17
FTC says that this person must
31:20
have the requisite skill and experience
31:22
to fulfill the role. It could be someone
31:25
internal. So it may be a partner or
31:27
employee of the firm, or it could be
31:29
an outside service provider. Okay.
31:32
So if you are using a service
31:34
provider, then you still remain
31:36
responsible and you should identify someone
31:39
to oversee them. Okay. So
31:41
what should you do? Pretty
31:43
simple with this one appoint someone
31:45
in the firm or an outside provider to oversee
31:48
your program. Okay. But it is really
31:50
important to consider who you
31:52
are appointing. So you can appoint
31:54
someone in the firm, but they have to have the skills
31:57
to oversee the program. So that is the caveat
31:59
there. So that could be yourself. It
32:01
could be an office manager, could
32:03
be internal IT, or
32:05
it could be an external provider. Okay.
32:08
And the one thing we saw earlier with
32:11
these steps is that it must be written. So
32:13
make sure that this is documented. Okay,
32:15
so document who this is clearly and
32:17
keep that on record. And
32:19
what we then recommend is to review
32:21
who this individual is or who this company
32:24
is annually. Okay, so just
32:26
set up a recurring task to review annually.
32:29
And how can we help? So
32:32
for our clients that we're supporting
32:34
across all of our services, we could actually be listed
32:37
as their qualified service provider
32:39
for information security. Awesome.
32:44
Awesome. So the second I'm
32:46
sorry, Dan. No,
32:48
That seems pretty straightforward. Designating someone
32:51
to be the manager of this of this
32:53
whole process. So
32:56
let's move on to number two.
32:58
Yeah, and I think it's similar to a lot of
33:00
these guidelines when we talk about them, and I'll use this comparison
33:03
a lot. It's similar to when you think about fire
33:05
safety. In an office you'll have
33:07
a fire warden Okay?
33:09
So you have someone, he's got some responsibilities
33:12
around that. So very similar
33:14
kind of approach. The second requirement,
33:17
Is about developing a written
33:19
risk assessment. And
33:22
I always think that this is a great place to start.
33:24
When I talk to firms about cybersecurity,
33:27
it's one of the questions I ask them. I say,
33:29
do you have a risk assessment? And
33:31
often when they say no, I'm like that's the first thing
33:33
to do, because it helps you identify
33:36
what you should then do. to
33:38
secure your business. But what
33:40
the FTC says is that you should conduct a
33:42
risk assessment to identify an
33:44
inventory customer information where
33:47
it's stored and foreseeable risks
33:49
and threats to these. It should be in writing
33:52
and updated periodically as operations
33:54
change. So What
33:56
should you do? So some areas to consider
33:59
is where is this data physically
34:01
stored? Okay. Do you have files? Do you have folders?
34:04
Also, what hardware is
34:07
data being stored on? So are there
34:09
laptops, mobile phones going
34:11
up a level? What applications
34:13
are being used? Where is
34:15
the data being stored online? And
34:17
then lastly, who has access to what data?
34:20
Okay. So that's really the first thing is to list down
34:22
the different locations and then
34:25
think about the risks. So what are the risks
34:27
or threats to these locations? Okay.
34:30
So the physical data fire
34:32
still, I don't know why I've just got fire on my mind now,
34:35
but that could be stolen as
34:37
well. What risks are there around
34:39
the team members, PCs, do we have personal
34:42
PCs and then what
34:44
security is in place. And then again,
34:46
with this, it's about documenting it and reviewing
34:48
it annually. Okay.
34:51
So those are the steps for you to do. How can
34:53
we help? How can we make this easy for our clients?
34:55
We actually supply a WISP, so
34:57
a written information security plan, which
34:59
has a risk assessment to all of our clients.
35:02
That was one of the questions that that we saw
35:05
here from Stephen. How is... These
35:07
guys, how are these guidelines different from
35:09
a WISP? And if you could say that
35:11
again what a WISP is you know what
35:13
that stands for?
35:15
Yeah, great. So the WISP is a written
35:17
information security plan. So
35:20
that, and you're right, if you have that in place,
35:22
just Go and check it because it should tick
35:24
off a lot of these boxes. So a
35:27
risk assessment is usually contained
35:29
within the WISP. So most firms
35:31
have that in place. Some people call it a data
35:33
security plan as well. So
35:35
that's the wording that was used on
35:37
that question on the PTIN form.
35:42
But yeah, definitely check your WISP to make sure it's covering
35:44
these areas. Awesome.
35:47
I see it.
35:47
I see a lot of people actually doing
35:49
this risk assessment in the chat, because
35:53
I don't even charge credit cards or, things
35:55
like that. Those are things that come up with,
35:58
this type of risk assessment, right?
36:02
Yeah, definitely. Definitely. Yeah.
36:05
Awesome. Now this third requirement really
36:07
flows on from the second one. So once you've done your risk
36:09
assessment, you've seen what
36:11
the different areas are. Now you need to
36:13
limit and monitor who can access
36:16
sensitive customer information. And
36:18
the FTC says that you need to determine who
36:20
has access to customer information and
36:23
consider on a regular basis, whether
36:25
they have a need for it. So what should you
36:27
do? Go back, look at your risk assessment
36:29
and look at where your data is stored
36:32
and consider what measures you have in place
36:34
to control access across the
36:36
team. Think about whether you have an easy
36:38
way to grant and revoke team member
36:40
access, because if somebody
36:43
leaves, if they. Suddenly stop
36:45
working at the firm. How are you going to make sure that
36:47
they don't have sensitive information
36:49
passwords stored in their head? So
36:51
make sure that as you're sharing information, you're
36:53
doing it in a controlled way. And
36:56
how can we help? That's a core part
36:58
of our business. So with our clients,
37:01
we perform an assessment to determine what
37:03
your sensitive applications are and
37:05
our access hub puts in a system to
37:07
easily control team members, access
37:10
lockdown and secure passwords
37:12
from your team members. Awesome.
37:17
The fourth requirement is
37:19
around encryption. So making
37:21
sure that you encrypt all sensitive
37:24
information. And the
37:26
FTC says that you need to protect by
37:28
encryption all customer information
37:30
held or transmitted by you both
37:32
in transit or over external networks
37:35
and at rest. So what should
37:37
you do here? So really,
37:39
again, it's about considering where your data is
37:41
sat. Do you have data encryption
37:43
in place on all of your company devices?
37:46
If not, set that up. Are
37:48
client passwords encrypted when
37:50
shared with your team members consider
37:53
where your data is stored and
37:55
then check with your apps that store
37:57
critical data around what their
37:59
encryption levels are. Most companies,
38:02
if you go to their websites, if you go to
38:04
if you Google them and put security afterwards,
38:07
you can usually find their security accreditation
38:10
or encryption levels. And
38:13
lastly review the encryption levels
38:15
around your local file storage. Is
38:17
it locked as well? And
38:20
how can we help? Not with the last point, we
38:22
don't sell padlocks. So that's
38:25
the answer to you guys to source. But when
38:27
it comes to your online information, we can definitely
38:29
help with that. Our access hub encrypts
38:31
sensitive client and company passwords.
38:33
We also have our device hub, which can.
38:36
Encrypt and remotely wipe lost
38:39
and stolen devices. And
38:41
lastly, our email hub provides
38:43
additional security around
38:45
email and file storage as
38:48
well. Awesome.
38:53
Okay, great. And the fifth
38:55
requirement is a nice and straightforward
38:57
one, and it's all about training. Okay.
38:59
So you need to train your security personnel.
39:03
And when the what the FTC
39:05
says is that you should provide your people with
39:07
security awareness, training, and schedule
39:10
regular refreshes. So
39:13
what should you do here? So
39:15
firstly it's about. members.
39:18
Okay. So put a cyber security
39:21
training plan in place for your new employees.
39:24
Okay. So that's something which we really focus on,
39:26
it's so key. The first 90 days of someone
39:28
in the business is key across
39:30
all areas and cyber security is no
39:32
exception. So it's important, but
39:35
you've taken your due diligence, even if you're hiring
39:37
someone who has a cyber security
39:39
qualification, okay, it's about
39:42
covering yourselves, so make sure
39:44
that they have done your version
39:46
of cyber security training. So
39:50
make sure you've got something for new employees. But
39:53
then after that, make sure that you put a
39:55
training plan in place for existing
39:57
employees. Okay, because it's all well
39:59
and good someone doing something in
40:02
the first 90 days, but if they stay with you
40:04
for five years and haven't done any training
40:06
after that, you haven't taken
40:09
the correct steps and due diligence. So
40:11
make sure that you're putting something in place for,
40:14
which has at least an annual cadence.
40:16
That's what we'd recommend. And
40:19
also you can help enforce this with policy
40:21
to cover yourselves as well. So
40:23
one of the things that we do and we recommend
40:26
our clients do is have team members sign an
40:28
IT and internet usage policy confirming
40:31
that they have access to
40:33
cyber security training and
40:36
how can we help? So we've got
40:38
over 18 hours of cyber security
40:40
training in our Practice Protect university
40:43
which is available for all of our clients on demand. And
40:46
we also supply an IT and internet
40:48
usage policy. Yeah,
40:52
that's a big, that's a big burden,
40:54
I think, for for smaller firms
40:56
to, to create that. Is
40:58
there other resources that are out
41:01
there that That they would need to resource
41:03
it themselves.
41:05
Yeah, definitely. But the good thing is it's like with anything,
41:07
there's heaps of different cyber security
41:10
resources online. There
41:12
is a government,
41:16
I'm not sure of it. If you, I'll see if I can
41:18
grab it at the end, but there's some cyber security
41:20
training from a
41:22
federal level. There's some really good courses.
41:25
And if I get a chance to at the end,
41:27
I'll grab the link to that. Okay, there's
41:30
definitely lots of free training out there, which is
41:32
great. Awesome. Yeah, I've
41:34
seen we've had a few questions and chats
41:37
come in down. Is there anything we should highlight
41:39
at the moment?
41:41
I'm trying to keep it, topical
41:43
and I may just want to silo
41:46
those to the very end.
41:48
So Let's just burn through these requirements
41:50
and then we'll field preform the
41:52
questions, I think, at the end.
41:55
Okay, perfect. That sounds great. Awesome.
41:57
So the basic requirement is to
41:59
develop an incident response plan. And
42:02
again, I was talking about assigning
42:04
the fire warden earlier. Think
42:06
of your incident response plan in the same way as a fire
42:09
response plan which most businesses
42:11
have. So in the case of a fire.
42:14
What do you do? Who do you call? Where
42:16
do you gather? What are the next steps
42:18
immediately in the aftermath to secure
42:21
everyone and contain the fire?
42:24
And it's the same for a
42:26
cyber incident response plan. Okay.
42:29
Also, if I continue that analogy, it's important
42:32
that you act fast to contain the breach.
42:34
Okay, just as a fire can get out of control
42:37
rapidly, so too can
42:39
a cyber security incident. So
42:41
really, when it comes to it, the first hour
42:44
is absolutely critical. Okay,
42:47
so the FTC does outline
42:49
what the plan should cover. And
42:51
I won't read this through bullet by bullet. I know
42:53
that these are available as a handout, but
42:56
go through and they say what it
42:58
should outline. And again, I
43:00
do want to stress here that when you're putting the incident
43:02
response plan in place, it's about
43:04
doing something which is appropriate to the size and
43:06
scale of your business. Okay. So if
43:08
you are a sole proprietor obviously this
43:10
would be a shorter plan than, someone who
43:13
has an office with 50 people Okay.
43:17
And so these points covered from out
43:19
here, and also you can go online.
43:21
You can look for us, my templates online.
43:24
How can we help now we have our
43:26
clients by having this plan available.
43:28
So we've got an incident response plan
43:31
inside of our university which is available
43:33
to all of our clients. Awesome.
43:37
Now the seventh requirement
43:39
as I said, this one can seem a bit daunting, but it's actually
43:41
one of the easiest to knock over in
43:43
about 15 minutes or so. And
43:45
it's to periodically assess the
43:48
security practices of your service providers.
43:51
Okay. So what the FTC says
43:53
is that you should select service providers.
43:56
With the skills and experience to maintain
43:58
appropriate safeguards. So
44:01
what should you do here? So firstly,
44:03
just do a bit of research and then you
44:05
can document that. So say if you Google
44:07
app name security, most providers
44:10
have a section of their website. where it outlines
44:12
their security measures. Okay.
44:15
Also reach out to your key providers.
44:17
Now, the point of this is that you don't need to be
44:19
cyber security professionals to
44:21
assess this, there are actually different
44:24
security certifications, which
44:26
a lot of companies are compliant with. So
44:28
if you check to see if they have these, then
44:31
That's you doing your due diligence as well. You
44:33
don't need to pore through every finer
44:35
detail of their security plan. Okay.
44:38
So ask them what security certification
44:40
may have. Again, most companies actually have
44:42
this listed on their websites. If you just Google
44:44
app name and security, you can find this
44:46
out. But when it comes to
44:48
security certifications, SOC
44:51
2 and ISO 27001 are
44:54
the international standards. Okay.
44:56
And then once you've done your research again,
44:58
the one thing with this plan is that it should be written.
45:01
So just document the links
45:03
and who has what. And
45:06
just for everyone knows with us with
45:08
Practice Protect, we're actually SOC 2
45:10
compliant there. And
45:13
the requirement is to implement
45:15
multi factor authentication or
45:18
another method with equivalent protection.
45:20
Now, as we saw earlier, this is one
45:22
where everyone is pretty pretty well covered
45:24
with this. I think the vast majority, 73%
45:27
of people have put multi factor
45:29
in place. And I think we're all pretty
45:31
familiar with multi factor is
45:35
it can be annoying at times. When
45:37
it's popping up every time you're logging into something, but
45:39
as I've said, it really is the first step,
45:42
the first line of defense when working online.
45:44
So make sure that you've got it implemented across
45:47
all of your apps. And how
45:49
can we help we try to make it a
45:51
little bit less annoying if possible.
45:54
That's where we can help with multi factor. So
45:56
we've got our access hub, which
45:58
can help provide an easy way to enforce
46:00
multi factor across multiple
46:02
applications. Awesome.
46:06
Awesome. Great. All right. Onto the third poll then.
46:09
Third
46:09
poll here. Let me go back here
46:11
so I can launch this one. So
46:13
on a scale from one to five, how
46:16
confident are you in your firm's
46:18
cybersecurity measures? So it's a good
46:21
pausing point, right? To maybe talk
46:23
about some of the questions that, that
46:25
popped up. So Danielle
46:28
asked this question. What is the practical language
46:30
to use with your clients to let them know that you
46:32
are Compliant. And
46:34
then how do you prove that what you've done
46:37
is FTC compliant? Knowing
46:39
that most of your clients may be
46:42
familiar with the, with these
46:44
rules. How do you, is
46:46
there like a badge certification? How
46:48
does that work for for a business to
46:50
let them, to let their clients know?
46:53
Yeah, really good question. And it's a really good point because
46:55
it is something which you should be talking
46:57
to your clients about. So definitely
47:00
an area. And one of the things that we
47:03
recommend to our clients is to have something in your
47:05
client engagement letter. Around this.
47:07
So you can talk about your data security
47:09
measures in that, but
47:12
also if you put new measures in
47:14
place send it, one of the things I'd recommend
47:16
is send an email send an email blast
47:18
to your clients, let them know, Hey, my
47:21
lawyer counting, we have done X, Y, Z, we
47:23
are compliant with these FTC requirements,
47:26
and I think it's really important to do that, to demonstrate
47:29
that your. Doing the right thing, because
47:32
obviously you're asking them for access to
47:34
their sensitive information. So it's important
47:36
that at the same time, you let them know that you've taken
47:38
the correct steps with due diligence to secure
47:40
that. Yeah, I'd say definitely
47:42
the engagement letter, privacy policy
47:45
and the emails as well. Oh,
47:52
sorry, Dan, you're on mute again there. Oh,
47:54
yeah, sorry.
47:56
Somebody knocked on the door and I had to mute there
47:59
but I'm sharing the poll
48:01
results and I appreciate people being candid
48:03
about, their self assessment
48:05
that they do need to, put some more
48:07
measures in place and
48:09
that's partly why you're here is just to make
48:11
sure that, people are educated
48:14
on, on, on these guidelines and guidances and
48:18
put that in Thank you. Putting
48:21
it out there, right?
48:23
Yeah, definitely. And as well, I'm conscious, and
48:26
one of the things we'll say with cybersecurity is there is
48:28
no silver bullet. There are no guarantees
48:31
when it comes to cybersecurity. The only guarantee
48:33
is that you can never be 100%
48:35
secure. It's about putting in the
48:38
correct steps, taken the correct due
48:40
diligence to ensure that you've lowered
48:42
your reduced. So sorry to make sure
48:44
you've reduced your risk profile to an acceptable
48:46
level. And that's all that any business
48:48
can do.
48:51
So let's let's move on then and talk
48:53
about Practice Protect, how Practice
48:56
Protect can actually help with all
48:57
of it. Yeah. Yeah. Awesome. Conscious.
49:00
I'm conscious of time as well. So we've covered
49:03
off a lot of this, but just to recap
49:05
where we come in and how we help is that we're
49:08
America's largest cyber security platform
49:10
for CPA, bookkeeping and CAS
49:12
firms. And again, why we're existing
49:14
why we're doing what we're doing is because cyber crime is increasing.
49:17
Data security is becoming more and more complex.
49:20
There's more requirements. There's more guidelines.
49:22
So what we're here to do is
49:24
to provide a holistic cyber security
49:27
platform that helps across
49:29
these areas. So
49:32
In short, we've got three
49:34
hubs which enable us to help
49:36
firms to secure their businesses. So
49:39
device email and access, because
49:41
as I said just a second ago, it comes to cybersecurity.
49:44
There is no single approach. You need to
49:46
be taking different steps across different
49:48
areas and that's where we can help. So
49:51
firstly, the device hub. Is
49:53
all about securing your PCs,
49:56
your workstations. Okay. So
49:58
we protect your workstations
50:01
against threats, such as malware, viruses,
50:04
ransomware if you use AI to
50:06
scan for known and unknown
50:08
viruses. So that's
50:10
really locking down your PC because if your PC
50:12
gets infected, then potentially everything
50:15
that you connect to everything that you work to from.
50:17
Work on from there could then be
50:19
compromised. Our next system
50:21
is the email hub, which is all about
50:23
safeguarding your inbox from different
50:26
threats, such as phishing, malware
50:28
and spam. And this is so
50:30
important because as I mentioned at the start, the
50:33
cost of email cybercrime
50:35
business email compromise to the U.S. economy last
50:38
year was 2.4 billion. Email is the most
50:40
targeted application, so we
50:42
put a big emphasis on making sure that
50:44
your email system is secure. And
50:47
lastly is our access hub.
50:50
So what this does is
50:52
it enables you to easily
50:54
manage identity and passwords
50:57
across team members because
50:59
working with CPAs, bookkeepers,
51:01
CAS firms, we know that it's not just your passwords,
51:04
it's also your clients passwords. You've
51:06
got access to not
51:08
20 applications. It's. 500,
51:12
600, so many different applications because of all of the client
51:14
apps. So what we're about to do there
51:16
is providing you with a secure solution
51:19
to manage this so that team members
51:21
can access client work without knowing
51:24
all of your clients passwords, their mother's
51:26
maiden names, whatever it may be. Okay,
51:28
making sure that all of this information is
51:30
locked out and secure. Awesome.
51:36
So that's it in one breath what we
51:40
Got it Just want to throw out the
51:42
last poll question here is
51:45
if i'm
51:47
going to launch it here. Would
51:50
you like an accounting
51:52
security consultation with Practice Protect seeing
51:55
if if this will actually, assist
51:57
so while people are answering that Meryl
52:00
asked a good question. If one, if someone
52:03
has Practice Protect, do
52:05
they need cyber insurance? Or is it
52:07
how does that work with with
52:09
regards to cyber security insurance?
52:13
Yeah, definitely. Great question. And yeah, so we
52:15
were on the prevention side. Okay. So we're
52:17
all about making sure that you
52:20
guys don't have an incident, but
52:22
at the same, but we're, so we're not an insurance company,
52:24
so we do recommend to all of our clients
52:26
that they do have cyber insurance as well.
52:29
So we can help make sure that you're compliant with that,
52:32
but definitely we recommend you still have
52:34
cyber insurance.
52:36
Does having something like like
52:38
this help with the, like
52:40
the approval process or maybe a discount
52:43
or something like that having, it's like a safe
52:45
driver course or something like
52:47
that for your teenagers is there, does
52:49
that work
52:50
for that? Yeah. Yeah, definitely.
52:52
So yeah, we see that because when
52:54
you're getting cyber insurance, you do have to fill out forms
52:56
saying we do X, Y, and Z. And
52:59
we help you achieve that. So they're asking
53:01
questions similar to this. So do you have a
53:03
information security plan in place? Do
53:05
you have MFA? Can you restrict access?
53:08
And that's what we do and how we help. So yeah, we
53:10
help firms get the approval because they are compliant
53:13
with it. And also, yeah, correct. Dan,
53:15
I'm getting discounts because you have the correct security
53:18
in place. We see that very often as well.
53:22
Another question that came up again from Merrill
53:24
and this is more of a scenario type
53:26
of situation. So what is,
53:29
what does somebody do when
53:31
a client will consistently not
53:33
use the encrypted method of
53:35
sending sensitive information to you? They
53:38
Here's my bank statement or
53:41
let me just send that via carrier
53:43
pigeon or something like that, right?
53:45
How does one address those cyber
53:48
security concerns when they're
53:51
not doing that?
53:53
Yeah it's a good question. And I
53:55
think there's always one isn't there across
53:58
every business. There's always that one client.
54:00
It won't move. So definitely, we've
54:02
recommended, you need to make sure that you've got a secure
54:05
message, secure way of sending information.
54:08
And one of the things I'd say is
54:10
going back to that earlier point about letting your clients
54:12
know about the security you've put in place, trying
54:14
to educate your clients around the
54:16
why. Why it's important.
54:19
Okay. And the potential damage that they could
54:21
do to themselves by sharing information
54:23
over email. So I'd
54:26
say that would be the first step trying to educate
54:28
them on the risks. Yeah,
54:31
it's like you said, there's always one that
54:33
will do that. And despite your
54:35
efforts, they continue to
54:40
do that. Is there a point where,
54:42
you would recommend like. Disengagement
54:45
of those types of things just or is it more
54:47
of, how does one, delicately,
54:51
talk to talk to somebody about
54:53
that.
54:54
Yeah. Yes. It's a good question. I
54:57
think it's about. Like I said, trying to educate
54:59
and engage with them and it's
55:03
it's ultimately it's the firm's decision whether
55:06
what the risk is around that
55:08
information and whether you would disengage
55:10
with that client. And I think it's always
55:12
for the thing that I'm trying to do is
55:14
all the things for. But one of the things
55:16
I'd recommend is communicate with them how you want
55:18
to be communicated with so if they are
55:21
sending stuff, don't Then
55:24
default back to sending unsecure
55:26
emails, keep using the system
55:28
that you set up, whether that's Alicio or
55:30
whatever for sharing documents, but
55:32
always revert back to that and try
55:35
to get them to engage with that.
55:38
So whether it's resubmitting, resending
55:40
that link saying, Hey, I need you to put this here,
55:42
not there because of X, Y, and Z reason.
55:44
All right. Makes sense.
55:47
We appreciate you, Jon for joining us today. We're
55:49
here at the top of the hour. Our power hour is
55:51
concluded. So hopefully
55:53
this has been educational for folks as
55:55
we close out of the Power Hour, when you,
55:57
when we end it you'll be prompted
56:00
with a survey. We appreciate any feedback.
56:02
We actually do read that and try to take
56:04
take it into account. Appreciate
56:06
you joining us today, Jon, any
56:09
closing remarks on your side?
56:11
No, it was great. And it was awesome seeing all
56:13
of the questions and comments coming in. I've yeah,
56:16
I tried to keep up with the chat as much
56:18
as I can. So yeah, it was great seeing that. Also
56:21
I just saw I'll just drop a link in the chat
56:23
cause I saw, obviously there's a few people asking
56:25
for a review of their setup, so there's
56:27
a link there. So if you want to jump in and book a time
56:29
for a call you can do so there. That's the easiest
56:31
way to do it. Fantastic.
56:34
Thank you again for joining us, Jon, and
56:36
all of you that that, that joined us on the Power
56:38
Hour. Great discussion that we saw
56:40
scrolling through the chat and whatnot. So
56:42
we appreciate you joining us and we'll see you
56:45
next time on the QB Power Hour. Have
56:47
a great day, everyone. Cheers.