What Cybersecurity Protections Do CPAs and Accountants Need?

Massachusetts has one of the strictest data protection laws in the country. Is your business compliant? A CPA is one of the few professionals who have access to the most desired information a cybercriminal is looking for: financial records. This makes your firm a prime candidate for cyberattacks, so our next question is: is your data secure? Here are five security steps your CPA firm should take to protect your client's data.

1. Install a Centralized Antivirus and Anti-malware Protection

As a CPA, the first step your firm can do to protect their client’s information is to install antivirus software. While there are a variety of antivirus solutions available, at a minimum it should:

• Be centralized, managed from the server, and dished out to all workstations. 
• Be kept updated, ensuring it can protect against the newest security threats.
• Be able to scan a variety of media and sources (websites, email, and downloads) for infection.
• Be able to remove pre-existing infections from your system.

Free or consumer-grade antivirus typically isn’t a fit for most businesses, as it doesn’t give you the protection that you need.

2. Utilize Password Best Practices

While popular media often displays cybercriminals brute-forcing their way into a network, the reality is, more often than not, they gain access due to compromised credentials. Compromised passwords are usually due to a successful phishing attack or a third-party data breach. Once a password is compromised a malicious actor could use it to access your client’s sensitive information, and even hold your data hostage until you pay them with ransomware.

Some best practices of managing your passwords are:

• Educate and enforce users to use strong passwords 
• Never use the same password twice.
• Enact multi-factor authentication, because two factors are better than one.
• Install password management software, as opposed to having your team remember passwords.

3. Configure Firewalls

A firewall is a mandatory step to ensure your firm’s data security. A firewall can be either a physical piece of hardware such as a UTM (Unified Threat Management) or software-based, but again, consumer-grade solutions aren’t going to cut it. A firewall operates as a ‘gate’ between your computers and the Internet to block hackers from gaining access to your network from the outside. A firewall can also prevent your team from surfing to time-wasting sites like Facebook, Netflix, or other inappropriate websites.

4. Data Backup and Business Continuity Planning

If you’re also a tax preparer, the IRS mandates your CPA firm to retain a client’s tax documents for a minimum of three years. This legal requirement makes it critical you are able to always have access to your data. If something happened to your technology, say you suffer a hardware failure or you’re a victim of a ransomware attack, would you be able to retrieve your data? Forget about your clients for a moment, what would you tell the IRS if you can’t provide the documents they are requesting because they are either lost or stolen? Only a solid backup solution and business continuity plan can provide you with peace of mind.

The reality is, as a CPA, your firm will be under additional scrutiny in regard to data retention. This makes developing a backup and recovery plan essential to your firm’s long-term survival. Data backup and recovery is a service designed to allow your business to retain its data in case of an unexpected event. 

Unexpected events can include natural disasters such as floods, or thunderstorms, equipment failure or human error, and finally deliberate damage from malware. If your firm is affected due to a loss of data and you are unable to retrieve it, it is unlikely you will be able to remain in business.

Develop a backup strategy

• Develop a disaster recovery plan. This should include the who, what, where, and why in regard to how your data is managed.
• Ensure a copy of your data is stored both onsite and securely offsite.
• Consider migrating from physical storage (CDs, DVDs, tapes) to cloud computing.
• Regularly test that your backups are working and that you can recover your data.

5. Staff Training

The final and arguably most important step to data security is training your staff. Security awareness is critical to ensuring your clients’ sensitive information remains secure. The truth is, all your efforts securing your network can be undone due to simple human error. For example, a team member using an unsecured public Wi-Fi to connect to your network. Training and educating your staff is an essential component to securing your data and should include:

• Updates on company-wide policies and security best practices.
• Training to recognize potential cyberattacks, especially social engineering.
• Encourage IT and non-tech staff to communicate with each other.

CPAs and accountants are held to a higher standard when it comes to security than most businesses. The Sarbanes-Oxley Act and the IRS have requirements regarding recordkeeping which directly affects CPAs. As we noted in the beginning, Massachusetts has one of the strictest data protection laws in the country in regard to data protection and how business reports a data breach.

If you’re not certain if your accounting business is compliant with the data protection laws, Datalyst can perform an assessment and verify your position in regard to the regulations. Our team of experts will be able to tell you what steps you need to become compliant. For more information about our comprehensive IT services; or, how we can help your business leverage IT, call (774) 213-9701 today.