Every business and government agency today has to worry about data breaches and hackers, but accountants must worry most of all. As part of their profession, accountants store a great deal of information such as social security numbers, health records, addresses, and other private affairs which hackers and criminals would love to steal. Small accounting firms may think that they can be protected by the veil of obscurity, but hackers in fact often aim for small firms precisely because they can count on less security. Consider how it is easier to rob a convenience store than a small bank.
Complete security can never be guaranteed, but accountancies can enact basic measures which will encourage hackers to hit another firm which has not enacted said measures. Here are a few examples of those basic measures.
Hacking and data breaches are not just the field of cybersecurity and fancy technology. Look at NSA contractor Reality Winner, who according to USA Today leaked classified documents by doing little more than printing the documents out and stuffing them down her pantyhose. If an accountancy does not enact good document security practices, workers or other parties can could take confidential information and leak it to outsiders.
Accountancies must thus develop a document compliance management strategy which prevents anyone from accessing any kind of document. For example, workers should not send spreadsheets through email as Excel documents lack the same security protections compared to other files.
Furthermore, define security policies for different kinds of documents and set security and compliance standards to make clear who can access which documents. You do not have to be the NSA, but just because your documents have not been leaked now does not mean you can sit back and relax.
Personal Device Security
Accountancies like other businesses are growing more comfortable with telecommuting, which often means implementing Bring Your Own Device (BYOD) policies which let workers put sensitive data on their own devices.
But BYOD policies come with plenty of challenges. Security Magazine points out that a company has less control over the device’s security compared to a company owner device in addition to further issues such as potential data leakage or the theft of a device. A single employee failing to protect his tablet from malware can trigger a data breach when the tablet is connected to the company network.
Some companies may react to these potential threats by banning BYOD programs, because they're not as profitable as SCR888, but this solves nothing as employees will often just bring in their personal devices and use them anyways. Instead, an accountancy firm should instead try to limit what employees can do with the devices, often by installing mobile device management tools which help provide a basic level of security.
Employees may grouse over such regulations and accountancies should not be too strict in their BYOD rules. But if employees are going to use their personal devices to access company documents, they must understand that some limitations will be imposed.
The Phishing Threat
As attractive targets, accountants are prime targets for “spear phishing” emails. These emails purport to be from a close friend or colleague and ask you to click on a link, go to a website, or download an attachment. Whatever the request, the victim will accidentally end up downloading malware or giving personal information to criminals.
The AICPA states that phishing emails will often contain “misspellings, typos, suspicious email addresses for the sender, or design flaws.” But the absence of these things does not mean that the email is safe. Other possible tips that the email is a fraud is if placing your mouse over the link shows a compressed link instead of the actual website, or if the email’s tone is desperate or urgent.
Above all else, the most useful tool to detecting phishing emails is your gut. If it sounds too good to be true, it probably is. An accountancy firm should regularly talk with its employees about the threat of phishing and the value of vigilance.
Move to the Cloud
Some accountancies and businesses eschew cloud technology because they are concerned about the security risks. But in fact, cloud technology is significantly safer than storing data on company servers. Cloud companies are better equipped to focus on constantly keeping data safe compared to an accountancy and have the resources to ensure protection.
Moving to the cloud can also entail changing business habits which will create a safer firm. For example, if data is all on the cloud, then there is less need for workers to email attachments to one another. As noted above, attachments are a key tool in the phisher’s arsenal. By creating an atmosphere where opening attachments is unusual, it encourages workers to think about whether that attachment he received is safe or not.
Accountancies will still be held responsible if their data on the cloud is compromised and security measures like strong passwords and encryption are still needed. But overall, moving to the cloud will help improve your firm’s security.
Gary Eastwood is a CPA licensed senior accountant from Seattle, Washington. He received his CPA license from the Washington State Board of Accountancy in 2001 before relocating to Onawa, Iowa in 2008. Over more than 15 years of accounting experience, Gary has worked with multinational health service providers and independent CPA firms. He has a proven ability in dealing with business clients from a variety of backgrounds as well as leading companies to greater efficiency and profitability. He is familiar with both US GAAP and China GAAP.