The costs of cybercrime and data breaches are well documented: large corporations, the U.S. government, and other major organizations have lost millions of dollars and critical information to hackers and activists. While countries are signing agreements to fight cybercrime and stepping up enforcement, businesses must understand that protection begins with themselves.
This is especially true for accountants. Accounting firms are at particular risk because they hold valuable, sensitive financial information about their clients, exactly the kind of data criminals want, and because they are trusted to move money and handle tax and payroll details on clients' behalf. Consequently, they must understand the main security concerns, how attackers typically strike, and the basic measures that deter most attacks.
1. Weak and Shared Passwords
Security practitioners have been saying for years that a password on its own is no longer sufficient protection. A major reason is that far too many people practice poor password hygiene: they choose weak passwords like “password” and reuse the same password across multiple accounts, so a single breach at an unrelated website hands an attacker a working login for the firm's email or accounting software.
Train employees on what a strong password looks like (long, unique to each account, not built from personal details) and require a reset whenever a password may have been exposed. Note that forcing routine resets every few months is no longer recommended practice; current NIST guidance (SP 800-63B) advises against periodic rotation because it pushes people toward predictable variations of the same password. To stop reuse, have staff use a password manager that generates and stores a unique password for every account, rather than keeping a list in a Word document or on a piece of paper in a desk drawer. Above all, turn on multi-factor authentication wherever it is offered, especially for email, banking, and client portals, so that a stolen or guessed password alone is not enough to get in.
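The checks described above can be enforced in software rather than left to reminders. The following is an added example, not code from the original article: it rejects short or commonly breached passwords, stores only a salted scrypt hash instead of the password itself, and detects reuse by testing a new password against a user's earlier records. The breached-password list is a small constructed stand-in for a real corpus such as a have-i-been-pwned export, and the policy thresholds are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed stand-in for a breached-password corpus (assumption: a real
# deployment would load millions of entries or query a k-anonymity API).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed policy minimum

# scrypt cost parameters: 128 * r * n bytes of memory, about 16 MiB here,
# which stays under Python's default 32 MiB maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def check_password_policy(candidate: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the breached-password list")
    if len(set(candidate)) < 4:
        problems.append("too few distinct characters")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a random per-user salt plus the scrypt digest, never the password."""
    salt = salt or os.urandom(16)
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_reused(password: str, previous_records: List[str]) -> bool:
    """True if the new password matches any earlier stored record for this user."""
    return any(verify_password(password, rec) for rec in previous_records)


if __name__ == "__main__":
    history = [hash_password("correct horse battery staple")]
    for candidate in ["password", "correct horse battery staple", "glacier-tax-ledger-2024"]:
        problems = check_password_policy(candidate)
        reused = is_reused(candidate, history)
        print(f"{candidate!r}: problems={problems}, reused={reused}")
```

The reuse check works against the stored hashes rather than plaintext, so a history of old passwords never needs to be kept in readable form; the same `verify_password` routine is what a login path would call.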
2. Be Wary of Biometrics
As more people turn away from passwords, biometrics look like a more secure alternative. You cannot forget your fingerprint or your face the way you forget a password, and an estimated 500 million biometric scanners will be in place by 2019.
But think of every spy or heist movie in which the thief breaks into the DNA-protected vault, and you have an inkling of the problem. People leave their fingerprints everywhere for criminals to collect, and faces are photographed constantly. More importantly, a biometric is not a secret: if a password is compromised you can change it, but if a fingerprint template is stolen from a database you cannot issue yourself a new finger.
Biometrics may or may not suit your firm. Where they are used, treat them as a convenient way to unlock a device that is already in the user's hands, paired with another factor, rather than as the sole key to client data.
3. Personal Devices
As telecommuting becomes more popular, your staff will conduct more and more business on their personal laptops, tablets, and phones. If you have an office signal booster, that many more personal devices will be connected inside your building. That is convenient for workers, but an attacker only needs one employee who has not secured his device to start a breach. And that does not even touch the thorny legal and privacy questions raised when personal devices are used for work.
A firm should establish a formal “Bring your own device” policy that tells employees how to protect their devices (screen lock, disk encryption, prompt operating-system and application updates, no jailbroken or rooted devices) and makes clear what rights the firm has over a personal machine, including remote wipe of firm data. Also limit what data can be reached from a personal device compared with a firm-managed one; client files and accounting systems can be restricted to managed devices or accessed only through a controlled portal.
4. Malware and Phishing
Some cyberattacks have become more sophisticated, but basic malware and phishing remain among the most effective ways to trick employees into handing information to criminals. An estimated 30 percent of phishing emails get opened, likely because they carry compelling content and the recipient never imagines being the target of an attack.
Basic IT security (patched software, endpoint protection, multi-factor authentication on email) combined with regular reminders about these attacks is the most effective countermeasure. Remind employees that the firm holds other companies' financial data and that a breach is no joking matter. For an accounting firm in particular, any email asking to change bank details, wire funds, or send tax documents should be confirmed by phone using a number already on file, never by replying to the message. A healthy, company-wide skepticism, and a simple way for staff to report suspicious messages without blame, can keep your firm safe.
5. Cloud Security
If your business has not moved to the cloud already, you have almost certainly heard of cloud technology. Storing data in the cloud is cheaper and lets staff retrieve it from any computer, and firms that handle a lot of data, as accounting firms do, should seriously consider moving.
But moving to the cloud means understanding where the security responsibility lies. Under the shared-responsibility model that the major providers publish, the provider secures the underlying infrastructure, while your firm remains responsible for who can log in, how access is configured, and how your data is classified and protected. Most cloud breaches come from weak credentials, missing multi-factor authentication, or storage left open to the public, not from the provider being hacked. Use the provider's own security controls (multi-factor authentication, least-privilege access, access logging, encryption of stored data), review who has access regularly, and apply the same strong-password and professional-skepticism habits your firm uses everywhere else.
6. Being Prepared
Implementing the measures above makes your firm a harder target, but no set of defenses can guarantee that an attacker will never get through. What a contingency plan can do is limit the damage once a breach happens.
The U.S. Department of Justice has published a useful guide, “Best Practices for Victim Response and Reporting of Cyber Incidents,” which correctly identifies steps such as deciding in advance who is in charge of what during a breach, preserving logs and affected systems as evidence rather than wiping them, and quickly notifying law enforcement. An effective response should let your firm quickly determine what data was taken, after which you should promptly tell clients the extent of the breach and what countermeasures are being taken; state breach-notification laws may set deadlines for this. If you fail to inform your clients, they will assume the worst, and your firm's reputation will be hit even harder.