Episode Transcript

Please note this transcript was generated by AI and contains errors including missing and misspelled words.

[00:00:08] Meryl intro: Hi there and welcome to the podcast. I'm your host Meryl Johnston. The Lifestyle accountant Show exists to help today's accounting firm owners build successful firms while also living a healthy, happy life without sacrificing sleep your weekends or time with loved ones. Today we have Nicole Maloney on the show to talk cybersecurity. Nicole is the COO at Connected Accounting. She's not generally client facing, but runs the other operations at the firm. A couple of examples of recent projects are running a firm rebrand and implementing social media strategies and also rolling out a new onboarding process for employees. And the project that we're talking about today is a cybersecurity project which took about twelve months to run end to end and involved canceling their contract with an IT managed service provider and bringing that in house. I think having some kind of data breach at a firm would have a pretty big impact and it's one of the major risks in our industry and something I think that we should all be thinking about as accounting or bookkeeping firm owners.

[00:01:13] Nicole soundbyte: Accounting firms are becoming a huge target of cybersecurity attacks. I think it really does have to be a priority. I think it's 300 times more likely to be targeted than other sectors. I mean, one in three accounting firms is going to be targeted with some type of attack.

[00:01:28] Meryl intro: Today we cover why they choose to prioritize the cybersecurity project above a long list of other potential projects at the firm. Problems with using password managers like LastPass a better way to handle two factor authentication with team members across different time zones, how to get the team on board with changes to IT policies, the pros and cons of client portals, and Nicole's favorite cybersecurity tools. All that and more, coming right up on the Lifestyle accountant show.

Ad roll - TeamUp

Meryl: Well, let's dive in. Hey Nicole, welcome to the podcast.

[00:02:58] Nicole: Thank you so much. I really appreciate you having me on.

[00:03:01] Meryl: So we're going to be talking about cybersecurity today, but I think we met at QuickBooks Connect, not the most recent one, but a year ago. And I think at the time, I thought you were an accountant, but you work at an accounting firm, but not necessarily an accountant. So could you hear a little of your backstory of how you came to work at an accounting firm and what your role is?

[00:03:21] Nicole: Yeah, absolutely. So the biggest part of my career was I started managing a multi million dollar jewelry store, and from that I shifted into managing multiple emergency rooms across Texas.

And then I've ended up here at connected accounting, where I'm the COO. So I've always done and enjoyed industry jumps. I think it's a challenge, but it really allows me to dive in and get familiar with everything.

The jewelry store I was managing, every aspect of it. The ERs, everything you can think of, I had to learn. So that's the compliance, managing the team, the doctors, everything like that. There was a lot to it. And here it's definitely different, but it's a great different, and I love it. The joke is that I am an honorary accountant because I have done billable work and I have learned a lot, but I try to draw a boundary so that I'm not doing fillable work all the time. So I am not an accountant, but I definitely had touches of accounting in my prior jobs.

I bring the strength of operations and Looking at things differently. So I was the first non accountant hire at Connected.

[00:04:37] Meryl: And so what does a COO do? What does your day to day look like?

[00:04:41] Nicole: Yeah, so it changes day to day, which is why I absolutely love it. Everything that makes the company function, I pretty much have a hand in it. So that could be navigating a client fire, that could be implementing an app, troubleshooting an app, setting a team member up, onboarding a client, assisting in the sales process. Pretty much anything that makes the company function, I have a piece in it. Building out the procedures, the policies, the team engagement, anything is part of kind of what I do. And that's why I love it, because every date is very different, and I.

[00:05:21] Meryl: Think that's a nice lead in to deciding to prioritize and work on this cybersecurity project that you've implemented. But how do you go about. Because there's a lot of different things being thrown at you. That sounds like a very broad range of areas that you're involved in. So how do you decide what to prioritize? Because some of these things sound like they're day to day or something that's cropping up, whereas some of them are bigger projects that would take many months. So how are you making those decisions about what to prioritize?

[00:05:52] Nicole: Yeah, absolutely. So Marie Green, who is the CEO of Connected, always wanted to prioritize security and just didn't have the time as many people. That happens. And so I just kind of took that under my wing. I knew it was a priority to her. I understood it needed to be a priority for us. If you look in just superficially, the data, when you're talking about security and cyberattacks and malware attacks and those type of things, the risk is detrimental. And even in my prior jobs, I've always had a saying where it takes years to build a reputation in a second to lose it. And I think that's what, especially being cloud based, technology based, if you have some type of cyber attack and you're not prepared or you weren't proactive about it, then I think you could shut down your business. And so with her wanting it to be a priority, I just made it one of my priorities. I made it digestible and manageable because I do have other projects simultaneously. But I think breaking it down into quarter targets was very beneficial for me because there would just be no way to manage everything. But there definitely is. You're reaching the end of a quarter and you're like, oh, no, I need this last sprint to get this done. And there's no motivation like a deadline. So that did happen a few times, but it just had to be. It was just something where we couldn't continue putting Band Aids on it. It needed to be strategic. It needed to be what would really benefit the business and our clients and our team, because this is their livelihood. And so it took just a minute of being like, we have to get serious about this, and we have to roll something out for this.

[00:07:36] Meryl: And I like what you talked about in breaking it down into bite sized chunks, because I think every accounting and bookkeeping firm owner knows, oh, cybersecurity, we probably should have something in place. There's some risks here. It's a threat to our reputation if something goes wrong. But then it's so broad, so big, that sometimes no progress is made because it's too overwhelming. So when you broke that down, what were some of the first things that you tackled? So what would be some examples in those first couple of quarters of the things that you wanted to achieve?

[00:08:08] Nicole: Yeah, absolutely. So one thing, we were a kind of step ahead of the game where we did utilize a password manager, and I think that's something basic that makes a huge difference, but I also think there's appropriate ways to use that. So the first big priority was making sure that our passwords were secure and with that we had the password manager, but it wasn't necessarily utilized in the best way, meaning access levels. And just because a team is working on a client doesn't mean that they need all the confidential information on a client. So storing that someplace else. So really taking a look at how are we using our passwords, I think we're all kind of guilty of having a common reused one. So moving away from that, putting in some best practices for our passwords was priority because those are the keys to the kingdom, the email and the passwords. And so making sure that that was being utilized the best it could be that we had controls in place and then two FA, so protecting with the two factor authentication, it was one of those things where it's like, oh my gosh, this poor team. I'm going to turn two Fa on and everything and they're going to hate it. I haven't heard a word about it. So I know that change initially is kind of terrible for teams, but that was something minor that I kind of had a moment of, oh gosh, and it was fine. So that was kind of the first piece and then I spun my wheels for a while because you start looking at everything and it's so much information and you need to be doing this and you need to be doing that. So kind of the next piece is protecting your hardware.

What malware protections are you using across the team?

Do you have the budget for cybersecurity insurance? Which we do, thankfully. So that is something that we do utilize. But then taking the next step of, and this is kind of my recommendation, it does take time, but it's worth it. And that's building a data map. And what that is is listing out the apps that you use and think about the ones that have a little bit more of a higher priority or higher risk. And what I mean by that is you take your list of apps, what does this app hold, what does this app hold? And kind of put a risk level on it because obviously you're going to prioritize the higher level risk. Apps like your password manager or your accounting software slack, for example. Might we use that internally? It might present as a higher risk than it should be. So that kind of allows you to evaluate are you using things appropriately but then breaking down, what are the login controls. What are the backups that are available for this app? And what I mean by that is an app can say that it backs up where if it has a failure or a glitch, the platform itself can back up. But that doesn't always mean that user controls that you can get in and pull that data, or that you deleted something and go in and pull it. So looking at what the backup is, when does it back up?

And then kind of looking at what are your recommendations? So targeting your high priority, looking at it, is there a better way to use this? Are we sharing client data in Slack that we should probably just drop someplace else and take that risk level down? So I think the data map was very eye opening for me. It took time, but prioritized.

[00:11:41] Meryl: That sounds like a big job. How long did that take?

[00:11:45] Nicole: Well, it's helpful that we've been kind of niching down on our apps and things like that. So it probably saved me a lot of time than it would have maybe last year. But it definitely took me pretty much a quarter to get through that data map. But it has been the basis for all the decisions, future decisions of recommended security steps that we take or how we change that. We use certain apps, also how we bring in apps, what are they doing for security? What is their backup? Do we have to have another app to back up what they're doing? So it kind of has evolved how we work in general. But then also is what I built our breach protocol on. Because if I don't know what is where, I don't know what to prioritize to get. So that data map has really allowed me to make informed plans if something were to happen, because you definitely have to approach it as proactive and reactive. You're going to do everything in your power to not let this happen, obviously, but with any emergency that pops up, you need a plan. I think all of us have grown up with weather, you have bad weather. What is the plan? And it's the same thing if you are in a situation that there's an emergency, if you don't have a plan, which welcomed to me in the ER, there were times where we didn't have plans. It is not a good situation. So I think it's taking a twofold approach on this. But the data map was what allowed me to look into that and make decisions. So it is an undertaking. But if you are serious about it, which accounting firms are becoming a huge target of cybersecurity attacks, I think it really does have to be a priority. I think it's 300 times more likely to be targeted than other sectors. I mean, one in three accounting firms is going to be targeted with some type of attack. So it's just a reality that we have to be a little more serious about it. And that data map just opened a big door for me on the next steps.

[00:13:55] Ad roll Tax Valet

I wanted to go back for a moment around the you talked about the passwords and also the two factor authentication. So with the passwords, I know it can be a pain if you've got multiple people that are working on the same client and then they need access to something to complete their work, and then the other person's not available, so then that slows them down. So how do you balance or who controls access, say for a particular client? And how do you get that balance of need to know basis of not giving access if it's not needed, but also not interrupting people's workflows or slowing things down.

[00:15:27] Nicole: Yeah, absolutely. I think for us, if there is a world where you can log in with your own login, that's priority. For example, you have a payroll software. If you have a login to it, you need to use it because that has been set up for the access that you need. You will never need anything else. If you do, then that means I will jump in and help you because it's a one off situation and someone's not available. But that's rare for the passwords that are shared.

It is by client in the vault. And so that is something where we ask for as limited access as possible in those logins because we do want controls. If it is something where we do have to have a higher access to a bank account, for example, for integrations, things like that we send their bank statements to them as well in their month end financials, things like that. Just as a hey, we know we have access to this, but we want to make sure that we're making this as easy as possible for you to review just in their everyday.

Because it's not only just external factors, it's also internal. And you have to think of all these little things, but it is limiting.

And like for example, if you have client specific information, you have a client owner that you have their social or something on that is in a separate vault that only management can get a hold of. And that's something where I have no problem. If someone's like, I need this, then why? What do you need? Is it something that I can handle? Because obviously we want to protect that very sensitive data as much as we can, but using their own logins is definitely a priority because you can audit all of those access.

[00:17:12] Meryl: And what about two factor authentication? Does that go to people's personal phone or how do you manage that? Because I know, again, there can be difficulties in managing that across a larger team or if people are in different time zones or countries as well.

[00:17:27] Nicole: Yeah, and we actually prefer to set that up through the password manager for a few reasons. I travel internationally. If I'm out someplace and my phone's not working, that's a big deal. But also we really promote work life balance, so we don't want stuff going to people's phones. And I know that it's a little bit of a situation where they're working, it's fine, but we want them to be able to shut off when they shut off, to not worry about access to their phones. There's a couple of whitelisted apps that they're allowed to have, but anything outside of that, I just want to make sure there's separation if they want it, and having it set up through one password because there is multifactor to get in because it locks out after a few minutes. It just seemed like the best solution.

[00:18:15] Meryl: I didn't know that was an option. We use LastPass rather than one password. So how does someone get the code? Does that come through to when they're inside of one password?

[00:18:27] Nicole: Yeah. So the way that it's set up is actually when you go to log in, it will auto fill that code because we don't want people copying data because if you copy it, you can paste it someplace else. Everything should be set up to auto fill through your password manager. And so once you go through and you put your username and your password, and then it goes to verification code. It automatically prompts it and so it puts it in. So it actually saves you a little bit of time, which is kind of nice.

[00:18:54] Meryl: We're still messing around with phones and then a company, a central phone, when we only have one user.

[00:19:03] Nicole: We do have that as well. If it's something where it can't be set up through the one password. We do have like a Google phone number for codes, but we've set it up pretty nicely. It's efficient.

[00:19:15] Meryl: And so what are some of the other things that you've implemented possibly around hardware or email security or some of the things you mentioned around malware?

[00:19:26] Nicole: Yeah. So there has been a lot. I'll be very transparent. I feel like you can talk about this for a full day because there's so many pieces that go into it, but kind of at a higher level. The laptop access, for example, only the team member should have access. Nothing is saved on the local drive. It needs to be saved to the cloud and that it gets shut down at night, that you have to log in to get into it. Basic things like that. As for phones, whitelisting certain apps that are low risk for us but might be convenient for the team but not requiring it. Implementing VPNs. If you do have those apps on your phone, you need to use a VPN, because as soon as you step out of your house, those apps are still running. But now you're on unsecured networks, VPN on your laptops when you're traveling, same type of thing. You cannot use unsecured WiFi. That's just a big no. And then we've done different phishing testing through what we use for our malware software and all of our team pass.

[00:20:41] Meryl: So how long did it take you from starting the project? So agreeing with Marie? OK, this is a priority. I'm going to get started. I mean, it's probably never finished because there's probably some ongoing component, but feeling like you've got the foundation in place and most of that project is done and you're in maintenance mode, how long did that take you?

[00:21:01] Nicole: Yeah, I feel like it's been a good year, and I still feel like there's more that we can do. But as for the basics for us, I think we've really got it in place over a year, but it's going to be a forever thing for us, for sure.

[00:21:16] Meryl: Yeah. The AI one's interesting. I was at an accounting event last week called Accounting Business Expo, and I was on an AI panel, and one of the topics that came up was there's a trend in the industry that AI, particularly chat GBT, is being built into some of these tools. So you can go in and have a conversation or ask for a financial report to be summarized. And that app hasn't built their own model. They're using an API with something like Chat GPT or the OpenAI product.

So then it's important to ask, well, what's the privacy around that? So is the information that we're sharing within this app, is that being shared back? Is that going into building to teach the AI product more? And so I think that's an important question to ask as more and more of the practice tools that we use are having AI embedded into them. And I imagine, or you've talked a little bit about the training that you've done with your team, and I imagine if you were changing policies or implementing some things that, particularly if it makes something more secure, but it might slow them down, or they've got to change their behavior in some way. How did you manage that? Because I think you can have a policy, but reality can be quite different to the policy, and it can be hard to change behavior. So let's talk about this from the perspective of the team first. But then I've got some follow up questions about the perspective of clients.

[00:22:46] Nicole: Yeah, absolutely. So I think my priority in all of this was trying to be as less of impact as possible. It wasn't going to be, let's implement this.

It's all about your ROI. Is there going to be something looking in the future of if we do this, is this really going to help us? Is this going to make us more secure? And the team is full of accountants, so they're data driven, and you can pull some of those scary cyber attack data numbers, and it's like, look, this is on you. 82% of cyberattacks are human error, whether that's email or sharing passwords. And I think that the one in three accounting firms being attacked, the reality is it's going to take all of us. And we trust our team, we love our team, they're amazing. And when we have conversations of, look, this is why we have to do this and talk about, we are cloud and tech based, and we do have to protect our reputation and our firm and your jobs and our clients, and this is just something that comes with it. They didn't say anything begrudgingly to me, but there's also a little bit of grace that needs to be given, because these are changes. So if someone shares something in slack where I'm like, hey, friendly reminder, let's drop this someplace else. It's not an immediate, oh, my gosh, you're going to be fired because you broke this security protocol thing. There's got to be a little bit of grace in some of this, but it's a constant learning because you get in habits and you have to form these new habits with security. That's really what it is. But I can't speak highly enough about our team and I think that that's something where if you explain why you're doing what you're doing, what it impacts the impact of not doing it. I think especially with data driven people, the data is there.

[00:24:35] Meryl: And what about with clients? Was there anything that required a behavior change from them? Whether it was having to set up new logins for you or maybe not using email for some kind of correspondence? Was there anything on the client side?

[00:24:49] Nicole: There was, and I think there will continue to be more. We're very sensitive to it.

But again, it's kind of the same with our team. We're protecting their data. We are trying to make where they are more secure. They're trusting us with some of their most prized information, truly. So I think that that's the piece where they know we're being sensitive to it. We don't do a lot of things that impact our clients in crazy ways. So I think that when we do make a change and explain them to explain why we're doing it, that they're pretty open to it and most of the ways have been beneficial for them as well. I mean, for example, trying to eliminate getting data through emails and using content Snare, for example, where they could have a code if they need to plug it in for secure reasons and upload all their data, having that all there versus in an email with bullet points was also beneficial. So I think there's been changes that we've made to enhance our security that have also been beneficial and more user friendly for our clients.

[00:25:57] Meryl: So on the client side, you use content snare to gather information from clients. So you're sending requests and they're filling out the form or attaching things based on what you've customized for that client. And so that's in a secure location. What about if you're sending them, say, a financial report or something like that? What do you use there?

[00:26:20] Nicole: Yeah, so currently we use a desk system and I think there is room for improvement in that regard. That's probably going to be the biggest shift. And I think where you see a lot of projects fail for clients because they don't want to use logins, they don't want to use certain things. So password protecting what you can, but also kind of putting in their ear like we might do something else, but for now the system that we're using is okay, but I think there's room for improvement on transferring that data. But if we have to send something to a tax team, for example, it has to go to a portal. Or if we have to send something that has something sensitive, it needs to be redacted or password protected, something to that regard. So there's always another little step, but that's probably the piece that we could improve the most on moving forward.

[00:27:12] Meryl: I find the client portal thing interesting, so as a user of other agencies, I find it so annoying if they've got a different system and then I can never remember the password. And if it doesn't allow you to use that single sign on where you can use your Google account or a different account, then it's just so annoying to manage. And so I think the user experience is poor for online portals, but it's so much more secure than email. So particularly for clients that aren't risk averse around security, I think it's a hard sell to get them to change their behavior to use products like that.

[00:27:49] Nicole: Yeah, and that's a big adjustment for the team too. And I think that's why there are some options, but there's pros and cons with every app that's out there and every portal. And it's like if there's not something that's 100% for our team and our clients, it's going to be hard for us to shift because it is a big headache and we know it. And it's kind of like, I don't really want to do that yet, but there's other little things you can do until you decide to put it into your strategy again, it's kind of prioritizing what you're targeting to.

[00:28:27] Ad Roll Live Flow

Meryl: Now let's do some rapid fire questions of the tools that you're using, because I think that's really interesting. So you've mentioned one password, you mentioned content Snare. So could you just list out the list of other tools that you find useful from a cybersecurity perspective? So just the name of what it is and then what problem it's solving for you.

[00:29:39] Nicole: So spanning, I think it's under a new name currently, but that backs up your Google Drive data. So we use Google Drive heavily. So that's going to be something where it encrypts it. I can go and pull that data from that at any point. So that's going to be one. Webroot is where our laptop protections live. I manage that and then it goes to all the endpoints. So that's kind of another piece.

And then there's obviously different backups for different things where you have rewind for QuickBooks. I know that you're heavily in a zero market, so there's going to be some differences on apps and integrations, but those are probably the biggest security specific apps that we have.

[00:30:27] Meryl: And then with something like a VPN, do you manage that centrally? So do you have one product that you use that then team members would implement?

[00:30:34] Nicole: Yes, sorry. So that's another one, Nordlayer, I forgot about that one. But that is something where I manage. So it goes to their work email and then they download it and then it's ready to use. So it's pretty user friendly.

[00:30:48] Meryl: And would you have any advice for an accounting or bookkeeping firm? They've probably got some of these foundations in place, but they're a bit worried they've got some gaps.

What would you recommend for them if they're trying to tackle this project in how to move forward but not get overwhelmed?

[00:31:07] Nicole: Yeah, I think it goes back to looking at what has the most risk for you. Where does most of your risk lie? And starting there, I think that's what you need to prioritize because it is so incredibly overwhelming. There's so much information.

Reach out to your peers. If you do already have cyber insurance, reach out to them. Sometimes they do run audits on your system, things like that, which can be beneficial. They might have recommendations, maybe it's even something that lowers your fees.

[00:31:40] Meryl: And did you consider using an MSP or an external provider to handle this for you. And what did that evaluation process look like?

[00:31:51] Nicole: Yeah, we did. We actually had worked with someone for a very short time, and I felt like it was actually more work for me than it was less work. And so it was one of those things where I just decided I would do it. I think, again, you have to look at what really works for your team, because sometimes you see things, you're like, that's great, that's great, that's great. And you get excited, but you don't really think about the implications or like, yes, they're going to take these pieces, but how do they get those pieces, or how do they get that information? And for us, it added more work versus saved. Now, I'm sure there are great firms out there, companies that handle these pieces, and we just didn't explore as many maybe as we should. But I could also build capacity a little bit to manage this project. So I think that's a big difference. I think if you don't have time, but you really want to make it a priority and you just really can't, then it's something you have to build into your budget, because again, what are you going to prioritize?

[00:33:03] Meryl: So what made it more time Consuming for you?

[00:33:05] Nicole: Time consuming to have the external team? Yeah, it was getting the data to them. If changes had to be made access wise, then it was following that funnel. It wasn't just a simple, this just needs to be changed. It was create a ticket in order to do this. And then we kind of had to follow up on these tickets, but it was still coming to me. But then instead of just fixing it there, I then had to go to someone else, and then I had to wait, and then I had to follow up, and then I was then the middleman of information versus just doing. And I think for me, let's just get, I'm here to help the team and keep them making sure they have the tools they need to do the job that they need to do well. And I think it just felt like it was becoming more of a block, a roadblock instead of help.

[00:33:57] Meryl: So that is a common complaint I've heard of in working with the managed service provider, where it's just particularly with login access if it takes 4 hours, but someone needs to do that job now, that's just too slow. And then the other complaint I've heard is that you don't know where the gaps are because you think, oh, I've outsourced cybersecurity they're taking charge of everything. But actually, if you look at the scope of work, they're probably not taking responsibility for that much. And unless you do a detailed review, there's potentially gaps. And you think, oh, I've outsourced it, but actually you kind of have to look at it in a bit more detail either way, even if you're going to work with a provider or manage it in house. Anyone listening that has a great provider or is one, there's lots here with the business I'm involved in team up, which recruits Filipino accountants directly. That's a common issue of, okay, well, I want to hire accountants overseas, but I need to make sure I've got the cybersecurity piece nailed down. So that's something that I'm thinking about and hearing about a lot more often these days.

[00:35:04] Nicole: It's definitely being brought to the table more and I think rightfully so, because I know it's not the most glamorous topic. It can be overwhelming. But getting familiar with some of the terms that are used is helpful in our security handbook. At the end, there is a little vocabulary section because I think it is important to say these words and what does that mean? What does that mean? And I think it's helpful to have a little basis of knowledge. Same for with our clients who don't understand accounting terms. We all speak different languages depending on what we're doing. And I think to bridge that gap a little bit, it just has to be when you want to fit that in, but it's definitely important.

[00:35:48] Meryl: So just to wrap up, what did the deliverables look like? You mentioned you had, I think it was called a data map of reviewing everything. There was a handbook for the team. Were there any other things like that that you produced as part of this project for people to refer back to?

[00:36:06] Nicole: Yeah. So actually, the quarterly security trainings were really beneficial to drop in the changes I was making. So there was about a year of the, okay, these are changes. Then on the next training, it'd be like just to recap, these were some of the changes. And here it is moving forward. Repetitive. Let me just keep stating this. So that was helpful. And then it's also, this training is recapping everything in the security handbook, which is everything that we've gone through before. I don't want it to be a ton of new information every time, because that is challenging to retain. It's challenging to have buy in into it if you're making so many changes every time. But I definitely had non team and client facing deliverables every quarter. The password and app usage was definitely a little more team facing. The data map really wasn't team facing at all. And then creating breach protocol is also something that was kind of behind the scenes because I want to be proactive and reactive at the same time for this topic.

But yeah, there were definitely in my trainings, I would say this won't impact you, but just so you know, it's happening, just to be like, things are going on but don't scare you.

So, yeah, there were different quarterly deliverables that I had set for myself just to kind of keep myself on track.

[00:37:37] Meryl: Well, Nicole, thank you so much for coming on. Do you have any final thoughts about security for accountants and bookkeepers? Any parting words?

[00:37:46] Nicole: I think the big thing is don't be afraid to reach out for help. I know, know Marie reached out to her network, her peers, and even if it's not something that you can use, because truly, I didn't use a lot of that data, it helps to spur thinking or how people are thinking about security. So use your network. If you need to reach out to me, you're more than welcome to, but I think you have to have the mindset of this is for the better good of your company, for your clients, for your team.

It's your livelihood. You're putting everything into it as a business owner and you don't want that to fall apart because of one incident, because someone went to an unsecured website, something silly like that. But truly, that's what happens.

So I think, don't be afraid of it. Make it bite size. And I think that's where it becomes manageable.

[00:38:43] Meryl Outro: Amazing. Well, thanks so much for coming on. I feel like I learned so much.

It was great chatting with Nicole today about cybersecurity. Some kind of cyber breach is a major risk to accounting firms. And I think that many small firms think they've covered this risk by working with an IT provider, when in reality there may be many gaps around what the IT company is covering, but also what isn't covered. A few parts of the conversation that stood out to me were that Nicole spent almost twelve months running this project, but she still considers their cybersecurity protocols never quite complete. So she's done the heavy lifting and made an impact with this project. But there will still be changes or things that they can improve over time, and the team will need ongoing training. She mentioned repetition a few times, so when making changes like this, not expecting the team to remember every change immediately. But she repeated the message over time, repeated the message in multiple training sessions, and also tried to reduce the amount of change happening at any one time so that she wasn't overwhelming the team. I was also interested in what the deliverables were in running a cybersecurity project. So it sounds like the main deliverables were initially creating the data map and identifying all of the software they were using and the risks, creating a security handbook with their policies and procedures, and also a breach protocol plan in case the worst happened. So they were the deliverables. Outside of the changes that were made with tightening up things like the use of passwords.