Accounting firms shouldn’t embrace cybersecurity and data protection out of fear, according to Adam Lovingood, head of legal for Xero Americas, but because it’s an opportunity to add value for clients.
“Data security is an opportunity to make your practice stronger and do more for your clients,” he told an audience of CPAs during a session on cybersecurity at the 2018 Illinois CPA Society Summit, held in Chicago this week. “If you want a better outcome, start with a better reason. I don’t think your data security plan should be based just on compliance -- it’s a fine catalyst, but it should be in pursuit of something bigger, something you want to do because it’s the right thing to do.”
“Cybersecurity should be part of the value you’re providing clients,” he said.
That said, he acknowledged that there are certainly compliance issues, citing the European Union’s General Data Protection Regulation, which recently came into effect and creates strong safeguards and rules around companies’ use of individuals’ information. GDPR is specifically meant to apply to any company that collects data from EU citizens, regardless of where the company is based, so business clients with operations or connections in Europe can potentially be affected.
Among its top provisions are a right to data portability, a “right to be forgotten,” specific and extensive rules for documenting how data is used -- and potentially huge fines of up to 4 percent of global revenue for companies that don’t comply.
And even if companies escape the EU rules, Lovingood said, California recently passed a strong data protection act that is due to go into effect in January 2020.
“The days when the U.S. could safely ignore this area are over,” he said.
Prepare yourself, then your clients
Grappling with cybersecurity and data protection is critical -- but not a subject for terror, Lovingood assured attendees: “Don’t be scared about cybersecurity -- it’s about educating yourself and your clients.”
Accountants can start by identifying their own policies. “Write a data mission -- what’s your view of the data you hold? What do you view as your responsibility?” he suggested.
Then firms should look at their software. If they are using desktop software, they’ll need to take responsibility for making sure everything is secure. “You should probably outsource your planning for implementing security,” Lovingood recommended.
“If you’re in the cloud, identify reputable vendors who employ strong security that works for you,” he said -- and be sure to ask them about the following:
- Where data is stored;
- How breaches are handled;
- What their notification process/data recovery is;
- If they have other customers in accounting (or your clients’ industries) or in heavily regulated industries;
- How their terms and privacy notices read;
- How easily you can get your data back at the end of the contract; and,
- If they have a security team.
Once firms have looked to the security of their own systems and the data they control, they can begin to engage their clients.
“As you’re looking at your firm and figuring out what you need to do and what you need to have in place, share what you learn with clients -- bring them along on your journey,” Lovingood said.
“Your clients might think that most attacks are against large businesses, but 61 percent of cyberattacks are against small businesses,” he warned, “and 71 percent of data breaches occur in companies with less than 100 employees.”
“It’s not about scaring clients or getting frightened by all these statistics, but they need to know about the issue, and that there are things they can do to mitigate the risk,” he said, and then offered a short list of quick things accountants and their clients can do to improve security immediately:
- Good passwords;
- Password management;
- Sanity check on emails (not clicking on anything without thinking);
- Strong authentication/two-factor authentication; and,
- Regularly implementing software updates.
Of those, the top two items were probably the most important, Lovingood said: “Strong passwords are the green leafy vegetable of IT security -- we know they’re good for us, but we don’t really like them.” To help, he recommended using passphrases or longer, more complicated passwords, but storing them in a password manager.
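The passphrase recommendation above turns on a simple calculation: a passphrase built from a few randomly chosen dictionary words can match or exceed the entropy of a shorter, harder-to-remember string of mixed characters. The following Python example, added here and not taken from the talk or from Xero, makes that comparison explicit. The helper names (`passphrase_entropy_bits`, `password_entropy_bits`, `generate_passphrase`) and the tiny 16-word list are constructed for illustration; a real Diceware-style list has 7776 words, and the entropy figures for that size are computed from the list length rather than from the sample words.

```python
import math
import secrets

# Constructed sample wordlist (16 entries = 4 bits of entropy per word).
# Real passphrase wordlists are much larger; Diceware uses 7776 words.
SAMPLE_WORDLIST = [
    "anchor", "bramble", "candle", "dolphin", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid", "pebble",
]

# Size of a typical printable-ASCII alphabet for random character passwords.
PRINTABLE_ALPHABET_SIZE = 94


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random
    from a list of `list_size` words: num_words * log2(list_size)."""
    return num_words * math.log2(list_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn uniformly at random
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist: list[str], num_words: int, sep: str = "-") -> str:
    """Pick `num_words` words with a CSPRNG (secrets, not random) and join them.
    The strength comes from random selection, not from the words being obscure."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of `list_size` that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    # A 4-word Diceware passphrase versus an 8-character random password.
    print("4 words from 7776:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("8 random printable chars:", round(password_entropy_bits(8, 94), 1), "bits")
    # How many words does a Diceware-sized list need to pass 80 bits?
    print("words for 80 bits:", words_needed(80, 7776))
    # A passphrase from the small constructed list, for demonstration only.
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST, 4))
```

The point for a practitioner is that the entropy of a passphrase depends on how the words are chosen, not on how unusual they look; a phrase a person invents is not drawn uniformly and gets no such guarantee. Storing the result in a password manager, as the talk suggests, removes the need to memorize it at all.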