A Cybersecurity and Data Protection Plan for Your Accounting Practice
It is an endless refrain in our digital universe, yet one that we can never repeat too often — protect and secure your digital information from misuse and penetration. Accountants have the added responsibility of their clients’ records, including financials, Social Security numbers and credit card numbers. But despite the bad news you often hear about security breaches, here’s what you can do today to mitigate problems down the road:
- Cover the basics. Invest in the bare minimum for security: a solid firewall and a respected anti-virus product on every computer. Make sure both are turned on and actually working, not just installed. Run a test. I regard this as the basic blocking and tackling for business protection. This is rudimentary, but whether you’re a one-person firm or you have 50 accountants, protect every computer with this fundamental approach.
- Move it. Take your digital records off-site so that you have a backup that is not connected to your network or personal PC. I’ve always wondered over the years why something so simple yet effective seems to evade some of my clients, including accountants. We urge them to take this step. The reason is more compelling than simply having a backup in case of a disaster at your location. If you become a victim of ransomware that encrypts your data, the files on your network become nothing more than meaningless zeros and ones. The backup doesn’t really “know” what it’s backing up: a backup job that stays connected faithfully copies the encrypted files over your good copies. This can become a major issue even if it happens for only a day or two. Without an off-site backup that is disconnected from your network, the ransomware-encrypted files can overwrite your backup data, and now you have a real problem. Off-site, out of sight, peace of mind.
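The failure mode described above, a backup job that copies ransomware-encrypted files over good ones, can be caught before rotation with a simple sanity check. The following is an added example written for this page, not code from the original article or any backup product: it scans a set of backup files and flags ones whose names carry an unexpected extension or whose contents have no recognisable file header and look near-random (high Shannon entropy). The extension list, the header table and the sample backup set are all constructed for the example; compressed formats such as xlsx and pdf are high-entropy too, which is why the header check runs first.

```python
"""Backup sanity check: refuse to rotate a backup set that looks encrypted."""
import math
import random
from collections import Counter

# File types an accounting practice expects in its backup set (assumed list).
EXPECTED_EXTENSIONS = {".qbb", ".qbw", ".csv", ".xlsx", ".pdf", ".docx", ".txt"}

# Header bytes of intact file formats (assumed subset; extend for your own data).
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip container (xlsx/docx)",
    b"\xd0\xcf\x11\xe0": "OLE compound file (legacy Office, QuickBooks company files)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means effectively random (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: no known file header AND near-random content.

    The header check comes first because legitimately compressed formats
    (xlsx, docx, pdf streams) are high-entropy as well.
    """
    if any(data.startswith(magic) for magic in KNOWN_MAGIC):
        return False
    return shannon_entropy(data[:4096]) >= threshold


def unexpected_extension(name: str) -> bool:
    """Ransomware commonly appends its own extension (e.g. '.qbb.locked')."""
    lowered = name.lower()
    if "." not in lowered:
        return True
    return "." + lowered.rsplit(".", 1)[1] not in EXPECTED_EXTENSIONS


def assess_backup(files: dict) -> dict:
    """Return {filename: [reasons]} for every file that should block rotation."""
    findings = {}
    for name, data in files.items():
        reasons = []
        if unexpected_extension(name):
            reasons.append("unexpected extension")
        if looks_encrypted(data):
            reasons.append("no known file header and near-random content")
        if reasons:
            findings[name] = reasons
    return findings


def backup_is_safe_to_rotate(files: dict) -> bool:
    """Only overwrite the previous good backup when nothing is flagged."""
    return not assess_backup(files)


# Constructed sample backup set: two healthy files and one that has been
# encrypted and renamed the way a ransomware run would leave it.
_rng = random.Random(7)
SAMPLE_BACKUP = {
    "ledger_2023.csv": b"date,account,amount\n2023-01-01,1000,12.50\n" * 100,
    "engagement_letter.pdf": b"%PDF-1.7\n" + _rng.randbytes(4096),
    "clientA.qbb.locked": _rng.randbytes(4096),
}

if __name__ == "__main__":
    for name, reasons in assess_backup(SAMPLE_BACKUP).items():
        print(f"SUSPECT {name}: {', '.join(reasons)}")
    print("safe to rotate:", backup_is_safe_to_rotate(SAMPLE_BACKUP))
```

Run this against the staging copy before the off-site set is overwritten; a single flagged file is reason enough to keep yesterday's copy and investigate, since the point of the off-site backup is that it is the one copy the ransomware could not reach.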
- Run a threat test. Conduct a penetration test. Admittedly, this can be expensive for a small firm. What a savvy accounting practice will do is have an outside firm try to penetrate their network. Allow me to share some shocking news: The most frequent targets for hackers are accounting firms, for the reasons I constantly raise. You have, in their eyes, information that is digital gold. Last year, cyberattacks cost small and medium-sized businesses an average of $2.2 million, according to the Wall Street Journal.
- Offer training. Training is important and often the last issue to which companies pay attention. Phishing is a good example. It is a fraud in which bad actors masquerade as a legitimate company and send you emails intended to induce the recipient to share personal information, such as passwords and credit card numbers. Every accounting practice is only as strong as its weakest link. If you have a person — accountant or support staff — who is sloppy with passwords or opens attachments from unknown sources, then you have a serious problem. Have your IT person or vendor provide a class that explains the rules of engagement, and when not to engage. Be sure new hires receive the same instruction, and keep the training documented for easy retrieval. You might want to consider a phishing service. They can run a phishing test and teach your staff about current threats. Conduct these phishing tests throughout the year; it is an ongoing process because the threats change constantly.
- Test flash drives. Some clients will drop off a flash drive with a backup or an accountant’s copy of their financial records, frequently QuickBooks. Be sure to run a security scan on the flash drive, before opening any file on it, to ensure that it is virus free. Your client probably had no intention of infecting your system and may be unaware that their flash drive carries some type of malicious software.
- Encrypt hard drives. All recent operating systems offer built-in full-disk encryption (BitLocker on Windows, FileVault on macOS). Unlike the products of the past, these should not slow down your computer. If your computer gets stolen — especially if it is “the office” — you’ll want to keep thieves from reading or tampering with your data. Keep the recovery key somewhere other than on the encrypted machine itself.
- Purchase cyber insurance. We need insurance for everything else. Cyber insurance protects you against business liability caused by a breach that might affect your clients. This type of coverage may not be included in your general liability policy, so check before you assume you are covered.