Accounting firm leaders need to realize that a data breach, hack or other form of tech attack is going to happen. It’s not a matter of if, but of when.
Many used to think that firms were too small for hackers to focus on, and that the real targets would be large financial institutions, corporations and government entities. The fact is that even if small firms are “low hanging fruit” to hackers, they are still potential gold mines for bad guys who want to get their hands on the important personal and business data within your firm’s databases.
Also adding to hackers’ interest in accounting firms is that they often have weaker technology safeguards, or less rigidly enforced security practices, than larger organizations, making them even more vulnerable to data loss or ransomware. Now that most firms rely mainly on cloud-based technologies, it is more important than ever that they employ the right technologies and practices to keep their data safe.
The modern firm has potentially dozens of software systems running in the cloud or on its computers, and each one likely requires a password. In a worst-case scenario, they are all set to Password123. If this is the case at your firm, you’ve probably already been hacked and your clients are suffering. You know better than this, of course. However, while virtually all firms do know better, they don’t necessarily perform much better, and often have multiple (or all) of their systems using the same password, albeit a more secure one than above. This is understandable; as humans, we can’t remember dozens of different passwords. But it is still a risk.
Ideally, each system your firm uses (and each user on those systems) should have a unique password. To keep up with them all, employ a password management app, such as Keeper, LastPass or Dashlane. These systems are secure, and they make it easier to keep all of your other systems secure. You will only need to log in once (to the password manager), and it will remember the passwords for all of the other systems you use. It can also create new passwords that are totally random and therefore more hack-resistant. All systems should now be using multi-factor authentication, such as sending you a text when you log in from a new device, or just periodically ensuring that you are really you.
First off, don’t use email to send sensitive client information. Although there are some encryption tools that can plug into email, it is best to use a dedicated and secure client portal, or the portal sharing tools within a professional firm management system. This helps both you and your clients maintain the security of data. In addition to the threat from hackers, using email to send some client documents can result in state fines for violating privacy laws. If clients send you something that shouldn’t be in your email, delete it, then delete it from your trash folder, then contact them and have them submit it through your portal and advise them to delete their emails, as well.
Second, make it a practice not to open any attachments or click any embedded links without knowing who sent them to you, and even then use caution by verifying the URL before clicking. If it just seems odd, send a quick text to the sender asking, “Did you really send me this?” Opening fake attachments and clicking on links are still the top ways that hackers gain access to personal and work computers, either for data theft or to create a ransomware scenario, where the bad guys lock you out of your systems until you pay them. Even if you paid, your firm would still be at their mercy going forward. There are many other rules of thumb, such as being suspicious of bad spelling and grammar, and never submitting your financial institution information via email, but you should already be alert to these.
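“Verifying the URL before clicking” is easier when you know what to look at: the part of the address that actually decides where the browser goes is the hostname, not the text shown in the email. The following is an added example (not code from the original article) that pulls the hostname out of a link and lists the reasons it deserves a second look: a host that is not one of the firm’s known domains, a lookalike that merely starts with a trusted name, a plain-http link, credentials hidden before an “@”, a punycode (internationalised) hostname, or link text that shows one site while the link points to another. The trusted domains are constructed placeholders; replace them with the portal and bank domains your firm really uses.

```python
from urllib.parse import urlsplit

# Domains this firm treats as legitimate. Constructed placeholders for the
# example; a real deployment would list the firm's portal and bank domains.
TRUSTED_DOMAINS = {"portal.example-firm.test", "example-bank.test"}


def parse_host(url, assume_https=False):
    """Return (scheme, hostname, userinfo) for a URL. Bare text such as
    'example-bank.test/login' (typical of link text) gets https:// prepended
    only when assume_https is set, so a scheme-less href still gets flagged."""
    url = url.strip()
    if assume_https and "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme.lower(), host, parts.username


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host equals a trusted domain or is a subdomain of one.
    'example-bank.test.login-verify.test' and 'evilexample-bank.test' both fail,
    because only an exact match or a '.' boundary counts."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_link(href, display_text=None, trusted=TRUSTED_DOMAINS):
    """Return a list of reasons the link deserves a second look.
    An empty list means nothing obvious was found (it is not proof of safety)."""
    reasons = []
    scheme, host, userinfo = parse_host(href)

    if scheme != "https":
        reasons.append(f"scheme is {scheme or 'missing'!r}, not https")
    if userinfo is not None:
        # Everything before '@' is ignored by the browser; the real host follows it.
        reasons.append(f"credentials before '@' hide the real host {host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) hostname, check for lookalike letters")
    if not is_trusted_host(host, trusted):
        reasons.append(f"host {host!r} is not one of the firm's known domains")

    if display_text:
        _, shown_host, _ = parse_host(display_text, assume_https=True)
        if shown_host and shown_host != host:
            reasons.append(f"link text shows {shown_host!r} but the link points to {host!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links of the kind that turn up in phishing emails.
    samples = [
        ("https://portal.example-firm.test/upload", None),
        ("https://example-bank.test.login-verify.test/", None),
        ("https://example-bank.test@evil.test/", None),
        ("https://evil.test/secure", "https://example-bank.test/secure"),
    ]
    for href, text in samples:
        verdict = check_link(href, text)
        print(href, "->", "looks fine" if not verdict else "; ".join(verdict))
```

In practice the firm’s portal link is the one address staff should recognise on sight; anything else, even with a familiar name buried in it, is a reason to text the sender before clicking.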
A Culture of Skepticism
All of the staff in your firm need to be constantly aware of the threats, and of how serious the repercussions could be for the firm. Counsel them to be skeptical of any actions that could result in a breach. Losing client data can mean losing clients or opening the firm up to legal action. Larger practices should have an official data security strategy and regularly organized meetings on the topic. Smaller firms should include data security in their other general meetings and updates. Diligence is key to maintaining data security, since human errors are often the starting point. With more professionals working from home, they need to be safe there, as well.
Verify ACH and Payment Changes
Just as there are controls for accounting functions, firms need to ensure they have a review practice in place when significant financial changes are requested, such as urgent payments or wiring a payment to a new account. Any such change should require a supervisor/manager notification and a non-email verification with the client to ensure it is legitimate, and this activity and approval should be logged. Even when the firm staff member thinks the request is legitimate, it should be verified, given the ACH scams that have emerged recently.
The Right Technology
Most firms are continuing to implement cloud technologies, which is not only ideal for productivity, especially with more remote staff, but also better for security. Cloud technologies are routinely updated by professionals at the vendor who are generally experts in technology and data security, monitoring the latest trends and threats. Any systems the firm uses that are not cloud-based should be routinely updated to ensure the latest version, and firm computers (whether in the office or at home) should be up to date and include virus protection.
User Access Rights
Modern accounting and firm management systems such as BQE Core offer advanced security features that tightly restrict users to only the functions they need to access. In your firm, someone working on one accounting team generally shouldn’t have access to the clients on another team, and on the client side, someone in sales shouldn’t have access to AP or payroll. By restricting access to their appropriate roles, firms and businesses can dramatically reduce the threat of improper use of their systems, which can also reduce the threat of a data breach.
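The access-rights principle above comes down to two checks on every request: does the user’s role grant this action at all, and does the record belong to the user’s own team? The following is an added example (not BQE Core’s code or API, and not from the original article) of a small role- and team-scoped access check with an audit trail. The roles, permissions, users and records are constructed for illustration; it shows a staff accountant denied another team’s client, a sales user denied payroll data, and an unknown role denied everything, because anything not explicitly granted is refused.

```python
from dataclasses import dataclass
from typing import Optional

# Permissions granted per role. Anything absent is denied (deny by default).
# Constructed example roles, not a real product's role model.
ROLE_PERMISSIONS = {
    "staff_accountant": {"client:read", "client:write"},
    "team_manager":     {"client:read", "client:write", "client:approve"},
    "sales":            {"client:read"},
    "payroll":          {"payroll:read", "payroll:write"},
    "ap":               {"ap:read", "ap:write"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    team: str            # the accounting team (or department) the user belongs to


@dataclass(frozen=True)
class Record:
    kind: str            # "client", "payroll" or "ap"
    ident: str
    team: Optional[str]  # owning team; None for firm-wide records that are role-only


def is_allowed(user, action, record, audit=None):
    """Allow only if the role grants '<kind>:<action>' AND the record is either
    firm-wide or owned by the user's own team. Every decision is appended to
    the audit list (when given) so reviewers can see denials as well as grants."""
    perm = f"{record.kind}:{action}"
    role_ok = perm in ROLE_PERMISSIONS.get(user.role, set())
    team_ok = record.team is None or record.team == user.team
    decision = role_ok and team_ok

    if audit is not None:
        reason = "ok" if decision else ("role lacks permission" if not role_ok else "other team's record")
        audit.append((user.name, perm, record.ident, "ALLOW" if decision else "DENY", reason))
    return decision


def demo():
    """Run the constructed scenario and return (decisions, audit_log)."""
    audit = []
    alice = User("alice", "staff_accountant", "tax-team-a")
    bob = User("bob", "sales", "sales")
    carol = User("carol", "payroll", "finance")
    dave = User("dave", "contractor", "tax-team-a")   # role not in the table

    own_client = Record("client", "client-0001", "tax-team-a")
    other_client = Record("client", "client-0002", "tax-team-b")
    payroll_run = Record("payroll", "payroll-2024-06", None)

    decisions = {
        "alice reads own team's client":   is_allowed(alice, "read", own_client, audit),
        "alice reads other team's client": is_allowed(alice, "read", other_client, audit),
        "alice approves own client":       is_allowed(alice, "approve", own_client, audit),
        "bob (sales) reads payroll":       is_allowed(bob, "read", payroll_run, audit),
        "carol (payroll) reads payroll":   is_allowed(carol, "read", payroll_run, audit),
        "dave (unknown role) reads client": is_allowed(dave, "read", own_client, audit),
    }
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = demo()
    for label, ok in decisions.items():
        print(f"{label:34s} {'ALLOW' if ok else 'DENY'}")
    print("\naudit trail:")
    for entry in audit:
        print(" ", entry)
```

The audit list is the piece firms most often leave out: a denied request from a sales login against payroll data is exactly the kind of event a manager should be able to see after the fact.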
Have a Response Plan
Accounting firms should have a response plan in case they experience a breach or hack, and should periodically revisit that plan and improve on it. Plans should include assessing the nature and scope of the breach, the data affected, the clients affected, notification of clients, and additional procedures. Data breach insurance is also available to accounting firms.
Once again: It’s not a matter of if, but of when, a breach will happen. Yes, some firms will get lucky or will do everything right, and not experience a breach, but for the vast majority of firms, it is a persistent threat. This does not mean it’s time to give up, but the opposite: It’s time to be more vigilant than ever in developing practices to prevent hackers from getting in, and having a plan of action in case they do.