6 Tips for Protecting Your Firm’s Data and Reputation: Part I

IMGCAP(1)]CPA firms are both data collectors and data overseers, and they rely on numerous forms of technology to accumulate and distribute data. From tax preparations to audit documents, CPA firms are responsible for countless pieces of information for both their customers and their firms. This makes them doubly at risk for cybercrimes. And no business, even a CPA firm, is safe from cyberattacks.

Over 60 percent of all online attacks in 2014 targeted small and midsize businesses (a 50 percent increase from 2013, when the number of cybercrimes targeting smaller companies was 31 percent). Small businesses don’t always have the protective resources in place that larger companies do, and this makes them easier to infiltrate.

Should a firm’s data security be breeched, clients’ personal information could be compromised, negatively impacting the firm’s reputation. It’s important for all accounting firms, big and small, to understand the appropriate ways to keep themselves safe against cyber threats.

Here are three ways an accounting firm can bolster its security and safeguard its reputation.

1. Avoid open access and implement controls.
Sensitive data such as check registers, balance spreadsheets, valuation analyses, legal documents and private employee records should not be accessible to every member of the firm. A firm should have controls in place that determine who can access, share, and edit documents. A receptionist may not need the same level of access as an executive, and it’s imperative that the correct permissions are in place to prevent unauthorized access to sensitive files. In addition, controls should be updated regularly. Staff members may change roles within the organization or require only temporary admittance to files, so such changes should be tracked and adjusted accordingly.

2. Back up and encrypt data.
Every CPA firm should back up its important data to avoid a data loss incident. If possible, your firm should store copies of its data offsite, preferably out of state or in a region that would remain unaffected if a natural disaster were to occur. However, data back-up is not enough to protect your firm’s sensitive information. Encryption of data at rest and in transit is necessary to ensure hackers are deterred from unauthorized access to your organization’s valuable records. Firms should implement full-disk encryption on portable devices and desktop computers when the technology is not in use. When sending confidential client information, members of your firm should encrypt the data and check with the client to determine their preferred method of correspondence.

3. Build defenses.
Protecting data requires firms to have sufficient security measures in place to hinder a network compromise. These measures should cover the technical and physical aspects of your firm’s IT environment.

Physical safeguards with security measures to control access to files or the device storing the files are necessary. Firms should maintain facility access controls that limit who can enter the site and at what time. Common practices include a visitor sign-in and badge system in place and multi-factor authentication process required to access the firm’s electronic systems containing sensitive data.

Other, yet sometimes overlooked, measures include making sure visitors are accompanied in an area where confidential electronic files are stored, securing workstations with complex passwords, and restricting employee access to server rooms where valuable files are stored.

Technical safeguards should also be incorporated on hardware and software used throughout a firm. By implementing access controls specific to the role of the employee viewing and sharing the information, managers can easily monitor and restrict access to information. By performing internal audits by installing antivirus, antispam, malware and instruction detection software, managers can measure how the firm’s security defenses could be potentially compromised. They can also verify that all software is active and has not been turned off by the end-user.

For the next three tips, view the second installment of this post.

Bryan Gregory is the president of Aldridge, the IT-services professionals and outsourcing company headquartered in Houston. Bryan is responsible for the general management of Aldridge's Dallas office, including marketing and sales, new business development, human resources, and oversight of day-to-day operations. He joined the company in 2008 as its first sales representative.

 

For reprint and licensing requests for this article, click here.
Technology
MORE FROM ACCOUNTING TODAY