Yes, It COULD Happen to You: Keeping Data Secure | AccountingWEB

By Anita Campbell

I woke up Christmas morning to find that one of my websites had been hacked! What a present.

In my case the site was purely a content site. The site databases had no customer data, no credit card information, no sensitive company information.

I couldn't help but think how much worse it would have been, had the site contained sensitive information. What if the hackers had managed to reach my most treasured company data? Or my customers' data? What a nightmare THAT would have been.

I was always security conscious. But now I've kicked my security up another notch. (Well, actually, I've gone from "yellow alert" to "paranoid," but that's another story...)

With that hacking experience fresh under my belt, I thought this would be a good time to share the following 10 tips about data security, online or off. These came into my inbox from a company called Kroll Fraud Solutions. They're a good reminder, as we start the new year, to take a look at our processes and procedures. Trust me, if a security breach could happen to me, it could happen to your company.

Top 10 Tips for Businesses: A Guide to Data Breach Prevention and Response

1. Look beyond IT security when assessing your company's data breach risks. To eliminate additional threats, a company must evaluate employee exit strategies (HR), remote project protocol, on- and off-site data storage practices and more, then establish and enforce new policies and procedures and physical safeguards appropriate to the findings.

2. Establish a comprehensive pre-breach response plan that will enable decisive action and prevent operational paralysis when a data breach occurs. Your efforts will demonstrate to consumers and regulators that your organization has taken anticipatory steps to address data security threats. Disseminate this plan throughout the management structure to ensure everyone knows what to do in the event of a breach. In preparation, consider the following:

   a. Who will have a role in reviewing the policies and procedures on a predictable timetable?

   b. What are the physical security elements? When and how will they be tested?

3. Educate employees about appropriate handling and protection of sensitive data. The continuing saga of lost and stolen laptops containing critical information illustrates that corporate policy designed to safeguard portable data only works when employees follow the rules.

4. Thieves can't steal what you don't have. Data minimization is a powerful element of preparedness. The rules are disarmingly simple:

   a. Don't collect information that you don't need.

   b. Reduce the number of places where you retain the data.

   c. Grant employees access to sensitive data only on an "as needed" basis, and keep current records of who has access to the data while it is in your company's possession.

   d. Purge the data responsibly once the need for it has expired.

5. In the event of a merger, all newly acquired systems should go through a thorough data assessment. As the controlling company, it is in your best interest to take inventory of the new data now in your possession. After all, how can you account for information you didn't know you had? This is an area where both internal audit and specialized external resources may be very useful.

6. Beware the Wi-Fi. Use of wireless networks means your data is being transmitted over open airwaves, similar to a radio transmission. If not properly secured, data can easily be picked up by an uninvited party. Many offices, including Kroll's Fraud Solutions headquarters, have disabled Wi-Fi because it cannot be locked down to satisfaction.

7. Retain a third-party corporate breach and data security expert to analyze the level of risk and exposure. An evaluation performed by an objective, neutral party leads to a clear and credible picture of what's at stake, without pressuring staff who might otherwise worry that their budgets or careers are in jeopardy if a flaw is revealed.

8. While it is best to encrypt sensitive data, don't rely on encryption as your only method of defense. When used alone, it gives businesses a false sense of security. Although the majority of state statutes require notification only if a breach compromises unencrypted personal information, professionals can and do break encryption codes.

9. Keep current with security software updates (or "patches"). An unpatched system is, by definition, operating with a weak spot just waiting to be exploited by hackers. Admittedly, applying patches takes time and resources, so senior management must provide guidance on allocations and expectations.

10. Hold vendors and partners to the same standards.
