Ariel Sandell from Securex provides insights on IRS security requirements for CPA firms and talks about motivating others with The Designated Motivator for Accounting Professionals, Dawn Brolin CPA, CFE.
Dawn Brolin 0:01
Hello everyone and welcome to the DM Disruption. I'm the host, Dawn Brolin. I'm a Certified Public Accountant, Certified Fraud Examiner, and the author of The Designated Motivator. We're here to help motivate you to take your practice to the next level.
Have you considered outsourcing your clients' payroll? Well, I did and I went with ADP. The resources they provide, along with their partner program, become the premier outsourcing payroll solution. We as practitioners already deal with a ton of compliance. Keeping up with payroll isn't a value-added solution that I should be focused on. If you've considered outsourcing before, reconsider it today. Choose ADP to be part of your starting lineup.
So hello, everybody, and welcome to the DM Disruption. We're here excited today to have Ariel from Secure X, who's going to help us understand the motivation behind having a secure system. Now we as practitioners, of course, are the forefront for our clients; we're their trusted advisors, and we, you know, have the keys to their castle. But guess what, people, we got to protect that castle for our clients. And in order to do that, we have to rely on people like Secure X, who can help us make sure that our cybersecurity insurance is valid and things like that, which Ariel is going to explain all those fun things for us. But first of all, Ariel, thank you so much for coming. Tell us a little bit about yourself, and what motivated you to move in this direction to solve these problems for many practitioners and many, many people out there.
Ariel Sandell 1:34
Great. First of all, thank you so much for having me. So first of all, was before most of originally, I'm from Canada, Ottawa, Canada. So we will sometimes ask about an accent. Okay, I have one, but you know, so and basically, I'm the chief cybersecurity and compliance consultant for Secure X. We're based out of Howell, New Jersey. And basically, we service almost exclusively accountants to help them meet their cybersecurity and compliance requirements. Now, when I say compliance requirements, a lot of time you get, "What compliance requirements?" So the answer is actually the several that has to start with the federal the IRS, they have requirements that you have the practitioner, you know, if you have a PTIN number, which you know, other practitioner does, they have to when you renew that you're actually affirming your obligation, there's one of the boxes that they now put in there, just from the last year that you when you check off that box to complete, and you actually are affirming the obligation to have a written security plan, and to protect your clients' information. So it's not just you know, about having, you know, we have security, but they want to see, they want that you have to plan for the security for the security of your firm, which ultimately means that your clients, so you have the IRS, they require written security plan, IRS goes on to say that not just any security plan, they want it based on their risk assessment. So there's no you take a thorough inventory of what you have, what you don't, and you know, what the risks involved are. So they have acquired from the IRS. They also have requirements, the same requirements from the Federal Trade Commission, which often works hand in hand with the IRS, every taxpayer has to have that written security plan and risk assessment.
And many states that you want example, New York State now requires that you have a written security plan, again, with a risk assessment for to protect your client is the sensitive information you had with your clients. Then when it comes to them, that's just from a compliance perspective, or from a legal standpoint. Of course, from a cybersecurity perspective, every accountant knows how much you know, practitioner knows how much sensitive information they have, you know, you're doing such a tremendous service as an accountant to the world. There's no time without showing you more, you know, during the pandemic, which is, thank god studying to tape it down in many places, but you know, it's still here, and, and especially in the thick of it, and even now, with all the new programs and updates every minute, literally sold people's livelihood, you know, in your hands, the amount of sensitive information that practitioners have. That's something that you know, on its own, you know, when I believe you want to protect it, and safeguard it, that's the lifeblood of the client. It's the lifeblood of the firm as well, you know, without any information with any computers and systems, you know, that's dead wood, then water. So, basically, we could help advise accounting firms specifically how to have a cybersecurity framework, and we help them develop their cybersecurity plan, the documentation of it and the various assessments and In addition, the plan that we give, and the assessment that we provide is to help them also comply with these regulations as well. That's why we say security, cybersecurity and compliance, because you want to ultimately have cybersecurity that's compliant and compliance. That's also secure.
Dawn Brolin 5:21
And so I think you know, this, what's really funny, as we do all these podcasts and all these episodes about motivating people to help their firm get better. And really, this one, kind of a no brainer, this isn't a you don't really, honestly, you don't have a choice when it comes to this, like, you do hold social security numbers, you name it. And that's why the IRS now is requiring people to have this plan written and in place, and it's not really just about to have the plan. Okay, great. I've checked the box, I have the plan, but actually to protect the data. Right? So sometimes, Oh, I'm great. I checked the box. Okay, I'm fine. And off I go, I'm like moving on. No, right. It's way bigger than that.
Ariel Sandell 5:57
Exactly. Right. So you're spot on, though, it's not just a matter of having a plan, you know, you have to know what they call them. The government calls, you know, people compliance. But they also want to know that you actually implement the plan that you have, and then put into place. That's why we, the laws themselves, as accountants know that laws can sometimes be vague, vague and open to interpretation, you know, but when it comes to security, you know, you need to, you know, have a reasonable assurance and more that you're secure. So, to help clients meet and exceed what they need, what we do is we look at the IRS themselves, they give a lot of recommendations of what they think, you know, we'll meet, you know, the security compliance requirements, even though the legal standpoint, from the strict laws say they may not be written in stone, we certainly, you know, minimums, you know, generating more general not minimum, in general, kind of open to interpretation points, protection, and monitoring and detection, stuff like that, you know, those have to be put in place, or what's called, you know, detection and, you know, protection, etc, of your systems and your staff, etc. So the IRS gives a lot of detailed guidance to that they, they also encourage practitioners look at various technical manuals that do the heavy, that are heavy, you know, cybersecurity content, to formulate the plan. So the offload that heavy lifting, you know, we, you know, we went through that ourselves, and we base the plan based on IRS recommendations. So that way, you know, the goal is that you should be able to meet and exceed, you know, the requirements and have robust security.
Dawn Brolin 7:37
Now, have you have you found at all through your, you know, I would say, you know, collaboration or working with accounting professionals, that a lot of them are just, I don't know, this, this may not be true, but are they aware, like, of any of this? Or is this become a surprise to most practitioners? And you're like, Hey, listen, you're you're talking to an account, like, these are the requirements with the IRS, which is fairly new, right, within the last year, year and a half or so. But are you finding people just like, shocked that this is a thing now?
Ariel Sandell 8:04
Yes, um, no, but largely, yes. It only came into the is when we gave an actual notice about this. December 2019. Literally, the last few days of December, and then they were very vocal about it at the beginning of 2020. And rolling out guidance on it, and, you know, April, and then the march, February, March area. And then, of course, you know, with a different world, you know, that time mobile changed and, right. I mean, obviously, a lot of that was, you know, put on the backburner for a lot of people. So, no, a lot of people are not aware of it. And especially, you know, a lot of practitioners, you know, for example, New York State, they're not aware that in March 2020, it came into effect that the requirement to from state standpoint, to have a written security plan. So people are still the mistake, because, you know, obviously, New York State and it was busy grappling with the pandemic, right? Oh, no, we're not aware of it. And also, a lot of people just don't really know, the dynamics of security enough. Once explained to them, it's like a no brainer to them, why they need this, you know, for example, I get a lot of times, I get people saying, I have a tax program, that's, you know, as useless so that, you know, all tax whatever, you know, I use, isn't that secure? Yes, but, uh, no, because, of course, they have a lot of safeguards on the front and on the back end. But, you know, at the end of the day, you're signed into the program, anyone who can access your computer, right, you know, that's a you know, it's, it's a it's an end game. And there's so much as I'm sure every practitioner knows, for dining time that you can also you also agree that there's so much sensitive customer information in every email and on Word documents and excel That's the lifeblood of a lot of accountants. Where's the Excel going to? 
It's going to a cloud with protection to that cloud, what do you have enabled, so the basically, the vital information spills out of the tax program, or doesn't even get in the first place. And that's also governed by these laws have to be protected. So question of why my tax program takes care of this needs a code to my phone, something like that. Good. And they see the compliance, so the compliant for whatever they need to be compliant for, but that doesn't make you compliant, whatever you need to be compliant for.
Dawn Brolin 10:31
Exactly, you know, in a fine to that. You know, it for an example, we I was again, met with fishbowl last week, and we were talking with them a little bit about from a hosting perspective, people think that, Oh, I'm in a hosting solution. I'm all set. Well, guess what? You have to get to that hosting solution from your local machine. It's not magic. And you're right, like the server. Yeah, you log into the server to go into your tax software, but they're not monitoring your technology in any capacity whatsoever. And so people I think, take kind of take for granted Oh, well, I'm always in the cloud, I use cubio, or I use, you know, all these other cloud based solutions. As a matter of fact, when you are someone who is primarily cloud based, and you're not maybe not even using Ozean solution, you are the biggest threat out of I mean, like you go over the top when it comes to that. So for people to understand that this is not just a thing, this is required. And I think we as the practitioners have been, I mean, a little bit, I'll say lax because I think they didn't know, there were companies like Secure X out there that could do the evaluation, which I'm in the middle of right now, the evaluation of what does your tech look like? You know, how does it answer this? How does this work? And you can actually tell us, hey, you need to do things a certain way. Right? So that's one of the part of the service that Secure X will do the evaluation to have that written plan that we talked about. But you'll give action steps to say, hey, you might want to think about doing something this way. Right? Is that that's part of what you guys are doing. Yep.
Ariel Sandell 11:58
Exactly. And in terms of has no so you know, but, you know, helps motivate me to help others. This is something which practitioners because also adapt to their own perspective, in terms of security in terms of their own business, the lives in life actually, is like this, I feel that very strongly that anyone has like a core value, and a core motive operation, the two different things to give example, you know, myself how it's manifesting Secure X, I feel very much identify my day, much as a person who wants to help others wants to protect others, not just, you know, give them a plus, but also that to protect them from, you know, stress and pain, especially if the stress and pain is caused by, you know, bad actors, and, you know, you know, evil forces literally, that want to, you know, infiltrate the computer and use, you know, the internet and compare the Anon, anonymity is afforded by technology, to get away with whatever they want, sort of protect people against those threats. So it's my desire to help them protect people, that motivates me, but also, my mode of operation is the detective and like the cop, you know, to solve puzzles, riddles, you know, because it is the thing that you can't get past you can't, you know, so. So I want to do my me find a way around, you know, and so, I see a client, you know, I don't only want to help protect them, but I also see, you know, opportunity to I could use detective work to find out so where is the information hiding? Do you use this? Do you them? So many times clients have told me that so appreciative of the service we provide, because they weren't aware that, you know, they're storing tons of data would say, a window in the OneDrive as well. Yeah, because you excel, for example, is the it's linked to your OneDrive. And it's just there, and anyone could get it, just so you can access it from anywhere. So So do you know, a bad actor is it Oh, but I never do it, that doesn't mean that someone else will try to. 
So and then appreciate that, you know, they were that they want to we have so many different kind of keys to the castle that are literally kind of lying in the open. So that so you get that core value of helping others protecting others, you know, and also, that mode of operation of detective work and thinking so a lot of practitioners can think like this, it was a different personality trait, some people viewing industrials, some practitioners that the mindset is, is I like to take something and grow and expand it toy with an idea and make it you know, alive whether for their own business for their clients. You know, it's a different personality. So but frequent like this, I don't really have to say I don't care about security. I don't know what the cipher text into web stuff is. But you do want to be industrious and grow your business grow your clients, help them thrive. So think of it from that mindset. And that string is a person who wants to help their business and their clients thrive and grow and make you know, have more sense more financial systems. Would it help if all the computers were locked up, and all the tax returns, information was stolen and they can find the file? You just did, but you can't find it, would that help anyone's industry? I don't think so. So, from that perspective that will leverage them, they can leverage that mindset, that core value, they enter being industrious and the mode of operation to go a bit out of the comfort zone. So, you know, it's a, you know, another example, you know, people, you know, sometimes people in the cybersecurity industry, you know, not everyone's different, but sometimes they can be more, you know, less less of the outgoing type, you know, more focused on the security of the task right in front of us. 
And, sometimes we know, but it's, we actually use that, you know, that I use that core value, right now, and I'm gonna push the personal note, I use that core value of wanting to help people, and you do it and through detective work, etc, to get the word out, and, you know, promote, you know, what needs to be promoted to that get actually help others. So to get out of my comfort zone, so to speak. So that's, you know, that's something I've always drawn. And I try to incorporate into Secure X.
Dawn Brolin 16:04
And, you know, I think that that's one of the pieces that we sometimes as practitioners are missing, like, Yeah, we don't really understand how does somebody really hack are? Well, we have passwords, and passwords are a big problem, right? For many practitioners, they've got them on a notebook, or they have it like you were saying in an Excel spreadsheet, linked to a one drive or a doesn't matter, Microsoft, whatever, one drive, or a Dropbox or something like that, like, oh, I have I already have that in place. I'm already all set. Well, wait a second. You that is the least safe, if anything is probably an excel in the cloud is the worst out of all, I mean, I hate the notebook where they have a notebook, they got all the passwords written down. That's terrible in and of itself. But when you expose those passwords in that kind of a way, those are like, low hanging fruit for those bad actors, like you're saying, right? I mean, you must see a lot of those when we talk about security from a security plan perspective, because of either insurance or IRS mandates, or whatever that may be. But it's, it's so much bigger than that. What about passwords? What do you what are you seeing out there in the industry with regards to passwords? And you're checking this right when you're doing your plan?
Ariel Sandell 17:10
Yeah, exactly. So. So in passwords, I mean, I've seen, you know, sadly, you know, we've seen it all. I've seen people who, you know, we're not even talking about now that people are still using the Windows XP. We've had clients like that. But think of the upgrade to Windows 10. Pro, but but we have clients who have no patches on their computers, no passwords on their phones, even. And I asked him, so do you or your employees access email, client emails on your phone? Today? Everything's on a phone? You know, too much practitioners that you know, you don't have them working on their phone, you know, you can't there's no cell phone app. You never know one day, but if now there's not so much as email on the phone. So these Oh, yeah, sure you have a password is the password 1234 By any chance, you know, in the academy, you know, I don't have a password.
Dawn Brolin 18:08
Ariel Sandell 18:11
Right so that's, that's a problem. And so it gets your phone your phone somewhere by mistake. And that's it. Now, you a whole bunch of your client emails, oh, from the last five years old compromised. You know, that doesn't occur to people. But even with good password, what's a big novelties even with good passwords, and what's a good password, we addressed that as well, based on you know, IRS recommendations, and other government recommendations. If you have a good password, many times the bad guys know if they say get hold of a computer, and laptop, a single laptop, which is sadly not a hard thing to do. You know, if person could enter in some cities, a person leaves the laptop in the car overnight, leave a GPS in the car overnight, it's not there, the next day, laptop, same thing. A bit of laptop is stolen, then even with a good password on it, there are so many ways the bad guys could actually get into the computer still to override the password or to swap the drive. And then they get through the computer a different way to hook it up to a machine and that's it. And by the way, they don't care that doesn't matter your password. But so there's actually measures that are taken, you know, what's called disk encryption to stop that from happening and even if someone steals your computer and they have full control, which insiders goodies like the worst thing, physical access to the target the victim is like most people like they got it. It's all in their hands. But even when that situation, you know they can it's almost impossible for them to get in and reasonable by the government standards not considered an issue if you encrypt the drive. Now the IRS recommends encryption. They don't recommend it. They see they say it as person should encrypt the drive. That's part of the guidance they do in the law doesn't say encryption, but IRS thinks this is secure. So you don't want to play with them and argue with them. So What standard of encryption? 
So we, again, we use guidance to, you know, get into that as well. And to work also with the clients it to help implement that, because that's a very important part. We don't expect them practitioners, you know, to always be up to date and like what we call the Star Trek speak to, you know, you tell them you need to, you know, do a full disk encryption of the 128. Yes. And they'll be like, I don't know what this. So he told me it that and I say, oh, yeah, I get it. Okay. We'll turn the sign now. Right. That's what the password. So yeah, we've seen that passwords, we've seen very high risk situations where they had passwords in place, right. But it wasn't properly taken care of, you know, in terms of other protections.
Dawn Brolin 20:45
Right. And yeah, and so I think that's, you know, for the for the people who are listening, or even watching this today, we we are the trusted advisors, like when you say trusted adviser trust is a really big word. That is a huge word when it comes to what your how your clients think about you, like, I don't worry about Dawn, you know, losing my tax documents, or I'm not worried about this or that happen. That's like, almost like an inherent, there's an inherent trust, when it comes to when you say, Okay, I'm your CPA, or I'm your accounting professional, I'm your trusted advisor, they literally are trusting us. So if we're not taking those steps, which cybersecurity and this process is critical to protect our business, because I can tell you, one hack can put you out of business, you're done. If the word gets out that you obviously you have to notify all your clients, if there's a breach in any capacity, you've got to notify your clients and say, Hey, listen, remember how you trusted me? Why didn't take any steps to protect your data. And I just ignored it because it was, you know, that's just an administrative thing I didn't want to deal with, that's not a really great message that you're going to basically be inherently saying to them in the event that your stuff gets stolen, or gets hacked into. And you know, like you were saying, imagine a laptop right in the back of a car. Well, what about your house, a lot of us are working from home, now we have maybe an office on our property. Somebody comes in and steal stuff in your home and they grabbed the computer and the computer is gone. Yeah, they're gonna have access to everything. So it goes so much further than just making sure your internet's secure and those things which are critical. But we're physically, right. If anyone remembers audit, that was one of the where's the physical computer itself? Is it protected? Is it password? 
Like, I want to have it where I go, Okay, if they don't know the password, they haven't guessed it for three times the computer blows up like that would be my proper like it literally melt in and of itself. Right? Yeah. And I think that's the is Mission Impossible. Boom. Like, I just think for me, I've always tried to tell my clients, I'm never trying to scare you, I'm trying to prepare you. And in this case, practitioners, I am trying to scare you, because you know what, you can prepare yourself. But if I don't scare you, and motivate you in a way that listen, it only takes one bad actor to steal your information, you're out of your practice, knowing that now you can't sell it, you've now lost every investment of time, money, blood, sweat, and tears that you've just worked for. And so, um, so tell us, Ariel, how do people get in touch with you guys? I mean, obviously, we'll have all the stuff at the bottom of the podcast, they can click on and get to you guys, but just give us like, kind of a sense of what's the website, that kind of thing. Make sure you spell it out, because I know it's not a standard spelling.
Ariel Sandell 23:27
Yeah. So basically. So first and foremost, you can reach us through our website, which is Securexcyber.com. So that's secure, then the letter X is an x ray, then the word cyber.com. So it's one word, securexcyber.com. And once you know on the website, there's various resources for you know, accountants, and contact links, that we encourage people to schedule with your VA, we offer Calendly links, where they could schedule on their own convenience, kind of best to speak to us, they could also fill in a landing page where, you know, they would make a call request contact form, they can send one into the website. So you know, when they're on LinkedIn as well. And you keep your eyes out in many, you know, accounting periodicals know, within their accounting web, you know, tax practice. And so you'll see us there as well, with links to the to the website.
Dawn Brolin 24:34
Awesome when and I just encourage everybody to check it out. I mean, you've you this isn't something to go, oh, let me just go look at their website. Oh, that's great. Okay, X, Y, and Z. It's like, Listen, go make your appointment, because number one, not I would say 90% of us are in violation already. We need to get this up to date. We need to protect our clients. That's our job is to protect the public. That's part of our mission as a CPA or as an enrolled agent, or even a bookkeeper, Kevin professional doesn't matter. You have people's financial lives at stake. And if you're not protecting yourself, meaning your firm to protect your clients and you're doing a total disservice to the client. So what I would say is from a motivation perspective, go get signed up. If you have questions you want to ask me how I process when, you know you can contact me or email me at dawn at powerful accounting dot com, go to DawnBrolin.com, submit a form, contact me, whatever, I'm on LinkedIn, and Twitter all that too. But I really think this, this solution is absolutely critical for all of us. So Ariel, thank you so much for coming on. I mean, I think that this is a topic as even with the pandemic, I think it's even more of an issue. Obviously, we're not meeting face to face with clients, like we used to be, they're sending us their documents, are their documents secure when they get to us, we don't want that responsibility. So any last words, Ariel that you'd like to share with people?
Ariel Sandell 25:55
So basically, yeah, I've gotten so many times phone calls from, you know, accountants from people who are partners with accountants saying, Hey, listen, you know, this accounting firm, had a, we had, or this cat, this accountant or department accountant, had a breach, all the returns were stolen, they were cashed and everything, they asked me a number for a lawyer. So I said, well, first of all, um, you know, if there's a break in, you know, you don't do the house, you don't first you know, pick up the phone, call a lawyer, first call 911, you know, make sure that everyone's safe, because I set up something okay to deal with that. So I said, I mean, that's talking about only post breach cleanup. That's, you know, not a one, you know, on the spine sets a whole different can of worms entirely, you know, already gotten into our computers already encrypted with ransomware. Things are said, you know, what we focus on is the not post breach, but the preventative, rather, the cybersecurity and compliance to prevent this from happening the first place, but it's sad to hear it pains me to hear so many people who, you know, that already, they didn't take hit the ounce of prevention. And now they're already in the megaton of cure that they have now. Come on to.
Dawn Brolin 27:11
Absolutely, yeah. So we're, we're encouraging you to take the steps now and be proactive, as opposed to be reactive when it happens. And that's the case. So Secure X, go check them out, securexcyber.com. Go get yourself protected. I'm telling you right now, because it's only going to get worse as these bad actors get smarter and smarter every day, get ahead of them, and make sure you're protecting your data. But again, Ariel, thank you so much for coming on the DM Disruption, we are out here to motivate the accounting professional make changes and make our lives safer, more secure, and just better in the long run. So again, Ariel, thank you so much. This was wonderful, and I look forward to keeping my process going and learning more and more as we go. I hope you enjoy this podcast. Feel free to visit DawnBrolin.com in order to motivate you to improve your practice. Wishing you all the best. Have a great day.