Accountants and CPA firms hold large amounts of their clients’ financial data. That data makes them and their information systems very tempting targets for hackers who would use that data to perpetrate financial fraud and other criminal conduct. Protecting and storing that data properly is a function of a few basic mechanisms.
- Full disk encryption extends data encryption to all systems and devices that support it. With this technology, all data written to a device's storage is encrypted automatically, so that even if the device is stolen, a cyberthief will not be able to read or interpret its contents.
- Firewalls and network security procedures will block known threats and reduce the visibility of a CPA firm's wireless network to outsiders. A more robust firewall will also monitor all data that flows into and out of the network and alert an IT specialist when traffic deviates from its regular patterns.
- Strong password requirements will eliminate one of the weaker links in a CPA firm's data protection strategy. For convenience and simplicity, a firm's employees might default to simple passwords that are easier to remember. If they use more complex passwords, they might fail to change them frequently. A hacker might be able to slip a keystroke logger onto an employee's workstation and capture even strong passwords as they are typed. If using and changing strong passwords is too much of a burden, a password manager can simplify the task.
- Educate and train all employees on how to exercise good cybersecurity practices. Those practices include refraining from using free public Wi-Fi, not clicking on attachments in emails from unknown sources, using VPNs and secure networks when working remotely, and not sharing logins or passwords with third parties.
- Create an event containment plan that is automatically initiated when a data breach does occur. The strongest cyberdefenses and best employee training strategies will not prevent every data breach. When a CPA firm does experience a cyberattack, that containment plan should designate the personnel who are responsible for limiting the losses and assessing any damage that might have occurred. A critical part of damage containment is confirming the availability of resources to pay for losses and liabilities associated with the breach. A CPA insurance company can offer coverage for those losses and liabilities with a cyberinsurance policy that reflects the value of the CPA firm's data and its relationship with its clients. The biggest casualty of a data breach is often the CPA firm's reputation as a professional entity that can be trusted with confidential client information. The protection offered by a cyberinsurance policy can help a CPA firm get back on its feet and resume operations quickly after a data breach, while providing resources to protect the interests of the firm's clients and to assure those clients that the breach is being taken seriously.
- Do not ignore the physical security of computers and workplace environments. Data theft can occur when a CPA's computer or smartphone is lost or stolen. This problem is intensified when small portable storage devices, such as thumb drives, are used to move data between computers. Remote data wipes can offer some protection when a user realizes that a device has been lost or stolen.
- Place limits on "bring your own device" policies. A CPA firm that allows employees to use their own smartphones and tablets to access the firm's information systems risks losing control over stored data. An employee's device can include apps that have access to every part of the device, and those apps can provide a pathway for hackers to steal data. At a minimum, employees should be cautioned to turn off the access and permissions that apps on their personal devices might have to other parts of those devices.
And finally, remember to stay up to date with the latest cybersecurity news. While these tips are evergreen and widely applicable for CPAs everywhere, new cyberattacks are constantly being developed. By keeping on top of the media landscape, you can better defend your organization against data breaches.