If you run an accounting firm that serves small businesses, odds are that one of your clients or even your own firm has experienced a virus, malicious software (malware), ransomware, a system crash, or has even been hacked. While the hacking of large consumer retail giants makes the news frequently, accounting firms are also ripe targets for the bad guys, since firms routinely manage sensitive financial data.
If your firm does get hacked or otherwise compromised, the consequences can be dire. System downtime from a virus or crash can cause serious delays and disruptions in client service, which can be especially painful during tax season or near year-end. And if your clients’ data is actually compromised, your firm can suffer even more catastrophic results. You will have betrayed your clients’ trust, and you could be liable for damages.
According to a recent Wall Street Journal study and an FBI report, the biggest cybersecurity risk to a small business comes from its own employees, either because of careless actions or intentional wrongdoing. With more (almost all) employees working remotely these days, it is more important than ever to drill down into cyber risks and reinforce best practices.
10 Data Security Tips for Your Firm
Data security, in even the smallest practices and businesses, is critical. Fortunately, strengthening your security doesn’t take much financial investment. However, it does require taking a few extra steps and investing a little time to ensure you are following best practices that can help keep your clients, and your firm, secure. You may have heard these tips before, but redundancy is often necessary when learning new routines or eliminating bad habits.
1. Be suspicious of all emails that include links or attachments.
You don’t need a link to get to a website, particularly if it’s one you’ve used before. Whether it’s a note from your bank or an ad that seems too good to be true, simply open your browser and visit the website manually, even if it takes a few extra seconds. Clicking a link directly may take you to a website that looks genuine, but is a shell that prompts you to enter your login information in order to steal it.
As for attachments, you shouldn’t be sharing anything confidential with clients via email. Doing so can expose you to additional threats and is even prohibited in several states. Portals are safer and provide heightened security features, including tracking and management tools that can help your firm be more efficient.
Phishing scams pop up even more during tax season, and new scams involving Covid-19 or the Paycheck Protection Program are increasingly targeting tax professionals. So be cautious and reinforce safe email rules for your staff and clients.
2. Beware of Whaling.
You’ve heard of phishing, but scammers are increasingly going after the “big fish.” Whaling is similar, but instead of casting a wide net, these bad guys are targeting senior staff and managers at firms and businesses. With just a little additional research and effort on the part of the scammers, they are sometimes able to con even experienced professionals into wiring funds or otherwise compromising firm data.
3. Use secure passwords, and don’t reuse them.
You’ve heard this a million times, but if it takes a million and one, it will be worth it. According to many sources, the most common passwords are 123456, 123456789, qwerty, and password. Simple variations with numbers and letters are also common. It can take less than a second for automated systems to hack these, so why even have a password? The latest password tip from security experts is that longer phrases are better than short codes.
Of course, having a password that you can’t remember isn’t effective either, especially if you have 10-20 different passwords for different programs and websites. Many professionals rely on a reputable password management system, which offers the ability to remember all of your passwords and automatically apply them, while you only have to remember one. Most systems can also generate unique, secure passwords for you. While it may seem counterintuitive, these systems are widely respected and are considered much safer than trying to use the same password across all systems and websites.
4. Multi-factor authentication is even better than simple passwords.
If you have the option to use this feature on your systems, then do so. In short, multi-factor logins require more than one method to log in: usually a password, along with a PIN, security question, a hardware key, or a swipe card.
The most common of these, and which you have almost certainly encountered, is the security question. Most secure websites now require users to set up a series of potential questions, which act much like a sentry asking for the “code of the day.” They frequently include the name of a childhood best friend, the make of your first car, the city where you were married, or your best man’s name.
However, they can also be used in an alternative manner. For instance, the name of your first pet (or best man) can often be anything you want it to be, including your mom’s phone number, your neighbor’s address, or your favorite business client. Your answer is up to you, and the more nonsensical it is, the less likely a hacker will succeed in figuring it out.
5. Use the security settings on your programs.
All software developers (online and installed), including those that make professional systems for tax prep, accounting, and firm management, offer various degrees of system security. At the minimum, these systems should include a user name and password, but they should also offer user groups, client groups, user roles, or other ways to segregate users. This allows a low-level worker, for instance, to access the files and data they have a legitimate right and need to access, without having access to other clients or areas of the business, such as payroll and management reporting data.
Also, the more granular the security settings, the more detail that management can get if something goes wrong. Similar to an audit trail, some systems offer detailed tracking of user actions within the accounting or tax program.
6. Keep your software up-to-date.
Most programs that are installed on your desktop or servers periodically connect to the vendor for system updates. Many programs are good about keeping these updates transparent, such as performing them in the middle of the night so that business operations aren’t affected. In addition to fixing minor interface issues or adding new features, some of the updates are intended to fix critical security flaws that arise as new viruses find vulnerabilities. Skipping these patches leaves your systems, and data, open to potential loss.
An exception to this rule: if there are programs that you no longer use, you don’t need them updating or even on your system. Delete them whenever possible.
7. Completely erase data from old computers, tablets, and other devices.
If you don’t use a tool specifically designed for erasing data, much of it can be left on hard drives when you get rid of an old computer. Many old systems are donated to charities or schools, but some end up salvaged overseas for valuable internal parts, and what’s more valuable than your clients’ personal financial data?
When performing the data deletion yourself, look for software that uses the “DOD Wipe” standard, which is the level of security used by the Department of Defense and other agencies. Or you can have the geeks at Best Buy or other major computer retailers do it for you. Microsoft offers additional data deletion tips.
8. Secure your business wi-fi.
You don’t need to have a degree in computer science to understand the basics of wi-fi security. Yes, understanding security options like WEP, WPA, and WPA2 can help you heighten security even more, but the simplest steps to safeguarding your network and data are similar to password security:
Select a unique SSID Name (username) and Key (password).
Turn off the remote login option, which stops users who aren’t “hardwired in” to your network from making system changes.
Separate your business wi-fi from the wi-fi you offer your clients. Keeping them separate protects your critical data while providing the convenience of connectivity to your visitors.
9. Use antivirus software and keep it updated.
Many users go years thinking, “I’ve never had a virus before, so why should I worry?” You should worry for the same reason you have insurance: you pay, even though you hope you never need it. And in the case of antivirus software, the premiums are so much cheaper. The systems automatically update when new viruses appear around the globe, and can even prevent or alert you and your staff to unsafe actions—such as opening an email attachment. Check out PC Magazine’s top-rated security suites.
10. Restrict physical access to business computers.
When it comes to computer security, it’s easy to think of the “bad guys” as some shadowy group in a basement. However, there are many people who come near your computers every day with the potential to gain access or view confidential information. Whether leaving your desk for a short break or at the end of the day, make sure you close or log off from your programs.
And don’t keep passwords written down next to your computer! While you’re gone, this gives anyone passing by access, including maintenance, cleaning crews, or even disgruntled coworkers.