Data security is important to everyone on a personal level, but it’s doubly critical for those of us who come in contact with people’s private information during the course of everyday business. Our livelihoods and reputations are on the line, after all.
If you’re aware of this problem but unsure of its scale, just consider the fact that 781 data breaches exposed nearly 170 million private records in 2015, according to the Identity Theft Resource Center, doing billions of dollars in damage in the process. And as of May 31, there have been another 430 breaches so far in 2016, exposing about 12.6 million additional records.
Your goal is to avoid becoming a statistic. In addition to shoring up your insurance coverage, make a concerted effort to improve your data-protection policies. But because accounting’s your forte, not IT security, it’s understandable if you’re unsure about where to even start. You can begin with these four must-follow steps:
1. Stress the human element of security. Insiders pose perhaps the greatest threat to private information security, as they have access to sensitive documents and databases, they know their way around your systems, and termination provides an obvious motive for malicious activity. The best way to mitigate such a threat is to start at the beginning. Thoroughly screen all job applicants by doing both background and credit checks, as well as speaking with former employers. Furthermore, it’s a good idea to use employment agreements that have significant financial penalties for disclosing sensitive or proprietary information. Trust but verify, in other words.
Beyond the hiring process, make sure to establish clear policies about who can access sensitive information, how to keep them from copying that data, and how to keep unauthorized individuals from accessing it at all. Then follow up with regular – at least quarterly – policy reviews and password updates.
Finally, to bring things full circle, you also need a plan for handling employee termination, both amicable and acrimonious. Having a checklist of tasks – restricting permissions, changing passwords, etc. – will make an already hectic time more manageable. And with a solid plan in place, the fact that 63 percent of data breaches involve weak or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report, probably won’t worry you as much, either.
2. Limit data retention. It’s not the size of your business that makes you an attractive target for hackers, but rather the type and amount of juicy data that you have for the taking. So, minimize the personal information that you request from clients and further limit what you retain.
Don’t ever store credit card numbers, for example. And if you only need a client’s Social Security number once per year, request it by phone each time instead of keeping it on file. After all, Social Security numbers are uniquely valuable given their widespread use throughout our lives, and roughly 64 percent of executives say payment information is the hardest personal info to secure. These steps may pose some minor inconveniences, but people ultimately like to know their information is being kept safe.
3. Encrypt everything. You can pretty much consider all unencrypted data to be public. So, don’t save or post anything online – including to the cloud – before it has been properly encrypted. Fortunately, you might have at least part of the solution already at hand. Microsoft users can encrypt their hard drives by enabling BitLocker, for example, and anyone can encrypt Internet communication by setting up a VPN. Plus, there are plenty of other reputable software options available.
So, there’s really no excuse to slack in this area. And the risk imposed by inaction is significant, considering that credit card theft is the most common result of hacking, while exporting data is the most likely byproduct of malware, according to Verizon’s report.
4. Test your vulnerabilities. What you don’t know about your business’ security flaws can and will hurt you, and that makes an outside perspective paramount. You need someone familiar with how intruders work to evaluate the measures that you’ve put into place. Don’t worry, you don’t need to interact with any criminal elements to accomplish this. There are many reputable services that will perform security audits on your business and help you patch any vulnerabilities that may come to light.
Just don’t forget about the real-world threats that parallel cybersecurity concerns, because physical theft and social engineering can be just as damaging as an online data breach. So, find a consultant who can evaluate your operations holistically, including minutiae such as whether employees lock their computers when they get up from their desks, whether passwords are ever written down, and how visitors are monitored. And perform this step at least twice a year.
At the end of the day, it’s important to remember that while you didn’t enter the accounting industry just to deal with IT all day, your ultimate goal is to serve the needs of your clients. And that, in this day and age, means recognizing that improperly implemented or managed data security practices are a ticking time bomb, especially given the rise of reviews in the financial services space.
So, devote a bit of time and energy to this issue now, and your wallet will certainly thank you in the long run.