Information Security is a hot button topic on which business owners and top decision makers are looking for answers on how to better protect their sensitive data with the always evolving cyber threats. Accounting firms are often targeted because of the type and quantity of sensitive data they handle. Here are some basic IT security strategies for accounting firms to help protect clients’ information, your data, reputation and your business.
1. Company-wide Policies for Protecting Physical and Electronic Data
Regardless of the size of the company (1 employee or hundreds), communicating policies for data protection is critical. Security is everyone’s responsibility within an organization, and only with universal adaptation of standards and policies can policies be maintained. It is industry best practice to provide new hires with information protection policies and consistently enforce them. For organizations that are just implementing these policies for the first time, it is best to have company-wide seminars reviewing and explaining the policies with a signature collection at the end confirming acknowledgment.
Polices should include but are not limited to:
- How and where to securely store physical media including paper files and portable digital media.
- Rules and encryption requirements for company owned laptops, mobile devices.
- Rules and accountability for access to sensitive company and client data.
- Rules for physical and digital file retention schedule based on industry and regulatory requirements.
- Rules for internet use on company owned devices.
- Enforcing and limiting the use of software to only company vetted and approved programs.
- Enforcing and limiting the use of files and share drives (local or in the cloud) to only company vetted and approved programs.
- Enforcing and limiting the use of remote access to only company vetted and approved methods.
- Enforcing and limiting use of WiFi access points to only company vetted and approved networks.
- Firm wide data backup and retention procedures.
2. Tools to Manage Possession of Client Files
It is best practice to use an industry specific CRM system to manage and control access to all documents and communication related to your clients. Another good option would be to use a secure document management system. While the document management system won’t have all of the CMR features like business process automation or client communication tracking, it will keep all of your client documents secure and organized. These systems will have a client login portal where your clients can securely transmit any sensitive documents. These systems will allow you to control employee access to client records on a granular level.
The following are some CRM solutions used by accounting firms:
- Zoho CRM
- Sage CRM
- Microsoft Dynamics
The following are some industry leading document management systems:
- Prosystem Fx
- Intuit Document Center
3. Educate Your Staff
Educating your staff on Generally Accepted Account Practices (GAAP) and Generally Accepted Privacy Principles (GAPP) will help ensure your clients information is kept safe. Additionally, the American Institute of Certified Public Accountants has established principals for data protection. Some of these are:
- Sharing client information with third parites only after client consent and as required to conduct business.
- Limiting WiFi use within the office to only when absolutely necessary to conduct business and having an encrypted password protected connection.
- Securing physical client files offsite or in a locked area of the office with an access control in place.
- Ensuring credit card information is handled in accordance with PCI compliance security and privacy standards.
- Implementing standards on passwords, Anti-Virus, Anti-Malware and firewalls on any device with network access to client data.
4. Recurring Security Audits
To ensure consistency with your company’s security policies and practices and to mitigate any potential risk, a recurring security audit should be performed. The frequency of the audit depends on the transactional nature of the business. Typical small to medium sized accounting firms will do them quarterly or bi-annual. A quality security audit will have a designated security review board that will meet, complete and review tasks like penetration testing, network / systems assessment, vulnerability scans, and add to the historical audit log. Additionally a project plan should be created to track these tasks in addition to tasks specific to your company. The security audit should look at all aspects of business systems, processes and staff to ensure all are preforming in a secure manner.
In today’s climate with the high uptick in ransomware, hacker intrusions and identity theft, we all need to be serious about protecting the data that our clients have entrusted us with. These 4 steps will go a long way to make a reasonable effort to protect your client’s data.
Special note for CPAs: CPAs have an ethical and legal responsibility to safeguard all information obtained or used in a tax returns preparation. Sec. 7216 imposes criminal and monetary penalties on tax preparers who knowingly or recklessly disclose return-related information. The Gramm-Leach-Bliley Act and Federal Trade Commission (FTC) financial privacy and safeguards rules impose additional requirements. The state of California has security breach notification laws (S.B. 1386) that impose security and privacy standards across a wide variety of industries including accounting firms. Data protection encompasses all aspects of tax preparation: physical security, storage and transmission of data, and staff behavior and responsibilities.
Remember, “Security is everyone’s responsibility.”