Protecting Your Financial Future: Top Tech and Security Strategies Every CPA & Client Needs to Know - Webinar
Will Nobles: I want to welcome you guys to the webinar today. Protect Your Financial Future: The Top Technology and Security Strategies Every CPA and Client Needs to Know. My name is Will Nobles. I am the founder and CEO of Vector Choice. A little background on me. I always love to tell the story. I came from the home of Pepsi in New Bern, North Carolina, and moved to the home of Coca-Cola in Atlanta, Georgia. Started Vector Choice in 2008. Before that, I was working with Fortune 100, Fortune 500 companies doing consulting for them. So, Vector Choice, let me tell you a little bit about Vector Choice before we get started here. So, our executive team is an awesome team here. I've got Sarah Sawyer, our COO, Jon DePerro, that's on the call with us today. He is our chief
Will Nobles: Jon's background is a military background, working with the first cybersecurity task force for NATO and also working for the NSA. Beau Dickie is our chief security officer. He has handled everything from cybersecurity all the way to security and law enforcement. Guys, thank you so much for being on today.
Jon DePerro: Thanks for having us.
Beau Dickie: Look forward to it.
Will Nobles: Mike Bazar is our CTO. He's not here today, but Mike Bazar is our CTO. And then from a management standpoint, we have Gabby, Jon, Daniel, Troy and Jake in all different aspects of our business here. What you need to know, one of the things that you need to know is that we do everything from all the way down to help desk, all the way up to compliance services for medium and small businesses, and we do co-managed IT for large businesses as well. Now, I've had the wonderful privilege to work with an awesome team and we've made the Inc. 5000 the past four years. We've made the MSP 501 for the past four years as well. The MSP 501 is the top 501 fastest growing managed service providers in the world, and then several other awards as well.
Will Nobles: Now, where are we located? We are located in several states. Our corporate office is in Lubbock, Texas, but we have offices up and down the east coast. We serve clients all across the country and the world as well. Matter of fact, I had my first call last night with a Japanese company. So, we've done Costa Rica, the Netherlands, the DR, and the UK as well. So, I want to give a special offer here. I have a new book, The Compliance Formula, and it's a good read to understand why you should be focused as a company on compliance. Scan that QR code and you'll be able to get that book. It's a great read, not just because I helped write it, but it is definitely a good read to help you understand compliance and why compliance is so important when it comes to technology now.
Will Nobles: So, I'm going to stop sharing here, and let's get to the guts of everything. So, Jon and Beau, thanks for being on today. And I know we want to talk to CPAs on what is changing for them. And the new word that some people might not know is FTC safeguards. So, Jon, I want to start with you. What are FTC safeguards?
Jon DePerro: FTC safeguards are kind of a byproduct of the Gramm-Leach-Bliley Act, which regulates financial institutions. It's from the 50s, it's been around forever. And essentially the federal government feels that financial institutions have been making risk decisions that negatively impact consumers. So, the FTC's job is to protect consumers. So, the FTC has now said, hey, industry, you're not managing consumer privacy and security correctly. So, we're going to come up with a whole list of things that every single financial institution in the US that falls under the FTC now must do, these mandatory
Will Nobles: And so, who does it apply to? And I know we're really focused on CPAs. I want to get to that. But let's take a bigger picture. Who does it apply to?
Jon DePerro: So, GLBA defines what a financial institution is, and it's a list of categories, but everything from automotive dealerships to people who arrange or provide financing. If you wire transfer money to and from consumers, print checks. There's a huge list that's going to encompass hundreds of thousands of US companies. But what it specifically mentions are CPAs and people who prepare taxes. They are specifically called out as organizations that must comply with the new FTC safeguards for CPAs.
Will Nobles: Since we're focusing on CPAs today on here, what's going to be different, or what is different, for them when it comes to their technology or working with their technology provider than they're used to in the past?
Jon DePerro: The first thing they want to see, literally the very first item, they have to appoint a qualified individual who will be in charge of their information security program. They don't go into a lot of detail about what would qualify you. Right. But I would say it's the same as doing taxes. There are industry certifications that give you acronyms and industry best practices, but there's nothing really stopping any old person from saying, I can do your taxes for you. It just might not be the right risk decision to hire them.
Jon DePerro: So, you have to have a qualified individual who will create a written information security plan. Then there's a whole slew of 12 or 14 other requirements. But the two big things at CPA firms, whether you're a one-man shop or a 30, 40 person shop, you probably don't have a qualified individual who has written an information security plan and that is responsible for enforcing it.
Will Nobles: So, Jon, we talked about a security, a dedicated security person. Can that be an employee? I know a lot of times a lot of our clients use Beau as the chief security officer for them, but can that be any employee? I know you talked about certifications just like being a doctor. Right? You're not going to do brain surgery if you're a dentist. Right? So, what's the best practices for that?
Jon DePerro: Yeah, CFR Title 16 specifically authorizes you to use a vendor for that function. A third-party provider.
Jon DePerro: Like Beau. So, it's very clearly laid out in the law that you're allowed to use an external resource. Kind of just like taxes. Right. You can outsource having your taxes done, you can outsource having your qualified individual, so you don't have to hire a full-time person at 150, 200 thousand dollars a year.
Will Nobles: All right, so Beau, when you get involved in this role for customers, what does that look like for the customer when you're involved?
Beau Dickie: Yeah, basically when I get involved, I come in on a fractional basis. So, it's not that they have to have me on staff full time, but by having me fractional, I count as a member of their staff, so I can sign off on all of those forms for them so that I'm assuming a level of that liability. But then I come in, I do an assessment of what their environment currently looks like, I map that to those controls with Jon, and then we identify what gaps they may have that they need to put in place.
Beau Dickie: And then we work with them through their board of directors or their executive team, to meet and develop a business strategy, program a budget and make sure that those things get implemented, and identify what that time frame looks like so that we can work with them to ensure business continuity is meeting the cybersecurity and the compliance aspect.
Will Nobles: And I believe we make this cost effective for customers. So, when you say fractional, what is fractional? Is that 10, 20, 30, 40 hours a week? Right. I think what we do is we just do 1 hour a month, there is a bill rate for that. And then if you do additional work beyond that hour, we just bill on what is needed. But at least you can have that hour a month. We have a fractional CISO on staff. Okay, so Jon, going back, you know. A lot of people know HIPAA, right? From a healthcare standpoint, even if you're not in healthcare, everybody knows the word HIPAA. But a lot of people, even though FTC safeguards have been around for years, a lot of compliance stuff.
Will Nobles: It seems like it's so new to a lot of people outside of HIPAA, and you got PCI when it comes to credit cards and stuff. But what is so different about FTC safeguard rules or policies that have to be followed compared to a HIPAA? Or is it close?
Jon DePerro: That's a good question. When you look at things like HIPAA or the DoD contracting CMMC stuff, they're pretty much prescribing end states. Don't let people see private health records. They don't really get into a ton of detail how. They'll say you have to do an assessment once a year, but they leave a lot of it up to you to figure out. And historically, like HIPAA, from a privacy and security point of view, small and medium businesses have generally just ignored that rule because there's never been a HIPAA police following up and beating you over the head with fines to do it. What's different about the FTC safeguards is the SEC and the FTC are way better at fining people than Health and Human Services. Right. Just Google financial fines and you'll find them left and right.
Jon DePerro: But even more importantly, it's establishing a minimum acceptable practice in that industry where the federal government is telling, in this case, CPAs, tax preparers, you must do these things well. Once you're not doing them, you're opening yourself up for lawsuits left and right. There was a lawsuit this year where a client was able to demonstrate, I'm sorry, a customer was able to demonstrate that they had loss in damage because their medical records provider was not storing their data in a secure, compliant way with HIPAA, and they were given a cash reward and there was never even a breach. The lawsuit was based on the fact that you just had a rule, you didn't follow it.
Jon DePerro: Now I have risk, and I think the lawyers are going to drive, the personal injury lawyers are going to drive more change, and not to be doom and gloom. Nobody wants to get hacked. There's not a CPA in the world that wants their client's personal information out there on the dark web, right. This is about managing risk as a business owner, as a CPA, as a tax preparer, how do you manage risk? And that, let Jon and Beau bring you those risk decisions and be comfortable and spend what makes sense for a business of your size.
Will Nobles: I guess that takes me to the question, who does it apply to? And focusing on CPAs here, who does it apply to? And I hear you all the time talk about business risk. What risk are you willing to take? I guess it looks like the same thing as having general liability for insurance or errors and omissions or cyber insurance. Right? What is that risk that you're willing to take in your business if something does happen, and I don't think it's the big bad government going to come down on you. It's more the reputation, the local things, the fines, the lawsuits that you can get tied into if you're actually not doing some of these things. Is that a good assumption, Jon?
Jon DePerro: Or even just a loss of confidence? If you saw in the news this week, and there's a new one every week, but Dish Network just had to notify 3000 employees and their family members that all of their personal information, their benefits, their medical enrollments, all the personal information was compromised and is out on the dark web now and they know it was compromised. Do you want to have to send that notification to every one of your customers saying, you trusted me with your most sensitive financial data, and I didn't protect it and now it's out there. That's just an email. I would never want to have to look.
Beau Dickie: One of the things Jon mentioned was that it wasn't the customers that Dish had to send that to, it was their own employees. So, now you've got your employees that are wondering, what are we doing? And that's going to impact the way that they deal with the customers that they're having to interface with too, because now they've lost confidence in the company that pays their bills protecting their information. And now that's out there for them, too. So, that's another impact.
Will Nobles: Yeah, that happened to our two boys. They go to a local doctor and they had to send the email, and I got a letter from them stating that they were compromised and all that good stuff, and they were taking these measures and everything. I would hate, even for Vector Choice, to have to send that out. I know for a CPA, a small CPA firm, because I'm looking at now, like, do I need to go back to this doctor? Because if they were neglecting my kids' information, do I want to move on to another doctor? Hopefully that is taken seriously. And I think when it comes to doctors, lawyers, CPAs and IT professionals, I think the four of us have probably more information and access to personal information, personal data, than anybody else in the world does. Those four industries are there.
Will Nobles: So, Jon, what specific things does the FTC call out that maybe a company is not doing today? Because I know a lot of companies, even when Vector Choice is acquiring companies from other smaller IT firms, the basic firewall, backup, antivirus is sort of what people are doing and thinking that they're secure. And, you know, I know we teach at Vector Choice about layers of security when it comes to that. And I think really, that's what the FCC is really pushing, is having that layer of security. But what are some of the things that are common that they might not be doing today?
Jon DePerro: Well, first, let me make one slight observation. There's a difference between being compliant and being secure. You can be completely compliant and be wide open to ransomware, and I can have you completely locked down, or Beau can have you completely locked down, secure, but you'd fail an external compliance audit. So, where it gets to risk management and what small businesses are not doing, the FTC made these safeguards because of things that people are not doing. MFA, not for all critical data. They might have MFA on their computer, but do they have MFA on QuickBooks? So, MFA across all critical logins and encrypting the data.
Jon DePerro: If someone stops in your office and grabs a laptop and steals it, can you honestly represent to a court, to an attorney, to your clients that everything on that computer is encrypted and they have no worries that data has been lost?
Jon DePerro: And that's just a laptop, that's emails, that's recorded phone calls. I mean, think of how much data, when you're talking to a client about their taxes, how much data is being just shared over the phone, or if you're using a VoIP solution, which is the phone that goes through the computer. If you record your calls, which a lot of businesses do, you're literally recording everything that the client is telling you, credit card numbers, Social Security numbers. Is that thing locked down? So, the number one thing you can do is understand that companies don't understand where their critical data is, and do they have a written plan for how to secure it in the event of a. Yep.
Will Nobles: Beau, any comments? You know, sort of the other things that the FTC is sort of calling out from a security standpoint.
Beau Dickie: So, one of the biggest things that the FCC is calling out is that you not only have to have those security measures in place, you have to have a system that monitors those measures, logs all of the data for those, and that you have someone, a qualified individual, that's reviewing all of those logs to make assessments and adjustments to the infrastructure live as they're happening. So that's one of the biggest things. We call it a SIEM. That's one thing that a lot of companies may have the antivirus, they may have the endpoint detection and response. They may even have a third-party security operations center that's monitoring them live.
Beau Dickie: But if they don't have one of their own SIEMs, that all of that stuff's being logged in and tracked and copied with an export every 30 days, that's the piece that's going to fail them. And this is one of those compliance standards where it's not, you can be 80% and be good to go, because it's a law. You have to be 100%.
Will Nobles: And for everybody that's listening, I think one of the biggest things is it's not only FTC. You've got to look at things like PCI compliance. They just passed PCI DSS 4 in March 2023. Some new policies are coming there, local state policies or local government policies as well. So, you've got to really pay attention to that because a lot of states are pushing down their own rules or regulations or safeguards around the state side of things. So, you've got to remember which state you're in, which local government, all the way up to the federal level as well. So, a lot of times people think, hey, you IT guys, you're securing us, right? Well, yes, today, based on what's available and the technology that is available, but that doesn't necessarily mean that you're being compliant or actually truly being secure. So, I want you guys to really think about that.
Will Nobles: When you're making a decision of picking an IT company or hiring someone, make sure that they're giving you the right advice there. So, let's talk a little bit as well. What are some questions that people listening today can go back and ask their current IT provider or their current in-house IT staff about FTC and about security, and, you know, I'll let you guys go. And I'm throwing this out to you guys and didn't really prep for this, but hopefully you guys can answer. But what are some of the good questions that could be asked of an in-house or outsourced IT company?
Jon DePerro: Yeah, I got two right off the bat, to solve all your problems. Question one, pretend I'm filing an insurance claim, or the FTC has come to audit me. Show me right now that I was doing everything correct eight months ago, not today. Because when you have an incident and they audit and they investigate, it's 6, 8, 12 months after the actual incident.
Jon DePerro: Show me today that you have all the documents that I was doing everything correct eight months ago. If you can't, you don't have a compliance program. Two, if someone says, I can handle your compliance for you, I will ask for very specific examples of compliance programs and audits they've been through in the past. You can be a great IT professional and be really good at security and networking and Microsoft provisioning but have no idea how to actually prepare a company as a business function to go through an audit.
Jon DePerro: So, if they've never been through an external audit, you're going to wind up paying them to figure out how, and it will come at your expense.
Will Nobles: Beau, anything to add to that?
Beau Dickie: Yeah, from the technical perspective, the IT side of it, the first thing I would ask is what does our backup strategy look like? How long are you retaining data for our backups, and can you verify that? Can you prove to me that you test that regularly to make sure it works? Most providers will put a backup solution in place. They set it and forget it, and then they just assume that it's working. So, a good IT provider is going to be testing that. And then another one is, one of the things I had mentioned was about the SIEM earlier and making sure that exists.
Jon DePerro: Ask to see it.
Beau Dickie: Have them show you that it exists and that it's there. Let them show you that they're doing what they say they're doing with it.
Jon DePerro: To piggyback on that, FTC safeguards require you not just to have encryption, not just to have MFA, not just have a written plan, but you have to actually test it. Something we call a penetration test. Right. FTC requires you to not just have security in place, but to test it. Ask to see the results of the test. How frequently are they testing it? Monthly, quarterly, annually? And where are the results of those tests?
Will Nobles: Yeah, I think the world has changed so much over the past year, three, five, especially ten years when it comes to technology, because I remember when I started the company that, hey, my focus was IT support, making sure I have my remote monitoring management tool where I could do patch management and antivirus and backup. Right. That was the thing back 10, 14 years ago. Unfortunately, things have changed with compliance, with regulations, with cyberattacks, and that has carried over to you guys and why we want to educate you guys on the changes that are happening, because it is not just IT anymore, it is IT, cybersecurity and compliance, all rolled into one big bundle.
Will Nobles: These days, one of the things that we do, Jon's team does, is we do compliance as a service for customers, where Jon talked about these reports, and we actually produce these reports on a monthly basis to you. So, you can actually prove again, going back in and proving that if you get compromised, that you can go back and prove 3, 5, 6, 7 months that those things were actually being done at that snapshot of time. So, think of security as a snapshot. Think of compliance really as a snapshot. What's compliant and secure today? One change can happen tomorrow and take you out of compliance. Right. So, it's really proving that snapshot. Jon and Beau, is that a good analogy from.
Jon DePerro: And, you know, you talk about how it's changed. We all get that data is a critical business function. Nobody can operate without email, without all their storage files. It's a critical business function. Security compliance has to be viewed as a business function. No longer an IT task.
Jon DePerro: Like 10, 14 years ago, getting email to work was just an IT task. What we're looking at now is that intersection between, you signed a contract with an insurance company for insurance. You said you would do IT stuff. You signed a contract with a credit card vendor that says you'll do IT stuff. You actually signed a lot of contracts where you committed to do IT stuff, whether you read it or not, to be honest, you signed it. Right? Because if you take ACH, if you take credit cards, CPAs get paid somehow, right? If it's straight up check, cool. But a lot of CPAs take other methods of payment. You made some commitments that maybe you don't even realize.
Jon DePerro: That's what we do in my department.
Jon DePerro: I'm going to look at your insurance, I'm going to look at your credit card agreements, I'm going to look at the FTC safeguards, I'm going to look at your state. Every state has different reporting requirements, and we're going to tie everything together into one product that you don't have to worry about. Just every month you get a summary saying, yes, I have a high degree of confidence that we are good. And then if we have to make a risk decision as a business leader, I bring you three options. There's cost, time, price. You make an informed risk decision, say, cool, I'm going to fix this one today. I'll get to this one next quarter. But at least you're bringing that decision to the risk owner instead of you just living with a risk you didn't even know you had.
Will Nobles: So, guys, what is the first step of getting FTC safeguard compliant or even knowing where to start? We've talked about, okay, you got to be compliant. Got to be compliant. But where does a CPA actually start? Or anybody, matter of fact, and I encourage anybody listening today that is not a CPA, I would encourage you to go to your CPA and say, hey, do you know if you guys are FTC safeguard compliant? That's probably a good question to be asking your CPAs these days. But guys, going back to my question is, where do they need to start?
Jon DePerro: I'll start with you.
Beau Dickie: We need to start with an assessment of the network, the infrastructure. Just identify what they have, what needs to be protected, and then build a plan of how to protect the data that's traveling through that infrastructure. So, that's the first step, is to do the network and security assessment. Then we move into a gap analysis to identify where there are holes that need to be plugged. And then we move into the mapping of controls, identifying how the organization needs to shift some of maybe what their existing practices are to move them to a more secure way of doing them.
Beau Dickie: One of the biggest things that I end up doing for an organization when I come in as their vCISO is most of my work isn't just securing the environment, it's business continuity, making sure that what I'm providing them from a security and an IT standpoint is enabling their business to run effectively regardless of what's going on around them in the.
Will Nobles: Jon, any final advice there?
Jon DePerro: Yeah, I would agree with Beau's comment on the first thing. We can do some pretty quick assessments to show you what your gaps are.
Jon DePerro: And that's really the first step. Find somebody, whether it's Vector Choice or not, find somebody who's done this before and ask them for a gap analysis. A gap analysis being, here's where I am, here's where I need to be, what's in between those two? Right. And those are pretty painless. Those are pretty easy. Beau made a comment earlier that when it comes to federal compliance, there's no 80% passing, there's 100%, there's every other score. But when you're talking risk management, what we try to help business owners do is say, look, just because you're not 100 doesn't mean you shouldn't be 80.
Jon DePerro: How can we quickly get you the most done for the shortest amount of effort, lowest cost, so that if you had to stand in front of a judge and jury, you look like you're really making an honest effort to meet the intent of law and protect client data. Right. Even if you're not at 100, let's get you looking really good at 80% while we work on the last 20 and that gets back into that informed risk decision. But I 100% agree with Beau. Just let someone who's done this before do an assessment for you.
Will Nobles: No, I agree. And so, guys, thank you so much for being on today. If you have any questions about what we've talked about, you can email us at firstname.lastname@example.org or give us a call at the 877.468.1230 number. But also, for being on today, if you're a CPA firm, or you would like to send us to your CPA firm to do this, or if you want us to do it for you, we can actually do a free pen and vulnerability assessment for you. You can scan the QR code, fill out the form, and we will reach out to you and get that scheduled. And then we'll have Jon and Beau review that for you as well and get that information back. No hard sell, guys.
Will Nobles: We just want to make sure that you are taking the right direction within your, my, I'm putting my marketing hat on here. I think also from a marketing standpoint, you can go to your clients and say, hey, we're a CPA firm. We want to do your taxes; we want to do your books. And by the way, we meet all the FTC safeguard compliance requirements that are required. Right. I think that's a good marketing tactic for you as well, doing that. So, we want to definitely help you guys out. So, take advantage of the free pen test, vulnerability test. Even if you're a current customer on this call and you want us to do this, because you might have signed up years ago and you don't have some of these things with Vector Choice, feel free to scan it. We'll be glad to do it.
Will Nobles: Any final thoughts, guys, that you guys have or any comments that you guys have for the audience?
Beau Dickie: Yeah, we've got the offer valid through June 8th because June 9th is the deadline for when you are supposed to be at this compliance standard as a CPA or one of the organizations that's now clearly defined under the GLBA. So, just want to make sure that's on everybody's mind there.
Will Nobles: I was wondering why June 8th, the marketing team, put that up there for me. I was wondering, where did June 8th come from? This is why I have an awesome team here to keep me informed of what's going on as well. So, take advantage of that. If you want to email us, reach out to us. We can have more conversations with you about it as well. Share it with other CPAs. We'll be glad to do that. I know tax season is over. This is sort of your slow season right now, and when a lot of you guys go on vacation. But I'll say you definitely want to take this seriously. So, to help to protect yourself, your employees, as well as your clients.
Will Nobles: Beau, Jon, thank you guys so much for being on today and hope this was informative for everyone. Have a wonderful day.