Cybercriminals are more sophisticated than ever, continually finding new ways to get your employees to click malicious email links and hand over sensitive data. The rise in cyberattacks and data breaches is mind-boggling. And the accounting profession is a prime target, housing a treasure trove of personal client data.
Understanding that firms are a main target, it’s critical that you have a sound security strategy in place. Whether that means creating in-house security protocols or outsourcing security completely, it must be a priority. All it takes is one employee clicking one malicious link to bring your firm to a screeching halt. Also, consider that the average “small breach” costs a firm about $130k, while larger breaches can reach well over a million dollars.
Our expert, Liz Scott, QuickBooks Accountant trainer and writer at Accounting Lifeline, understands the importance of adopting a sound security approach, not only to safeguard against cybercriminals but also to stay in compliance with the Written Information Security Program (WISP) enforced by the IRS and Federal Trade Commission. Today, Scott shares 10 best practices to help you stay compliant with WISP and avoid falling victim to hackers.
Best practice 1: Ensure secure data collection and retention
Data collection and retention are at the center of a sound security approach. This includes how you’re storing data and how access is granted. As part of your approach, you should consider adopting highly secure cloud apps to protect stored and shared data. Leading apps allow you to set permissions to restrict data access to specific team members as well as set rules for data retention.
“How you’re securing information and ensuring others can gain access to it in a secure way is what we're talking about here,” explained Scott. “And this refers not only to data in our firms but also client data.”
To ensure secure data collection and retention, Scott offers the following suggestions:
Use highly secure cloud-based apps.
Clearly define which staff members can see what client data.
Define a protocol for accessing and retaining data (e.g., how long you maintain data after a client leaves).
Map your drive to your online secure portal.
“As part of your plan, you should define who has access to that personal information, where it’s stored, how you’re going to be accessing it, and the protocol for when a client leaves,” said Scott.
Best practice 2: Make password management a priority
A strong password policy supports the security of data across devices. Your password policy can include rules on the number of login attempts allowed before an account is locked out, the use of unique passwords, and the frequency of required password updates.
“In my firm, in order to access apps and data, staff have to either enter their password or their pin. We also have a time-out rule applied,” Scott stated.
The best approach is to document your firm’s password policy. This can include:
General password guidelines: For example, prohibiting sharing passwords via email, writing passwords on sticky notes, or using autofill.
Required password updates: According to Scott, updating passwords every three months should be standard.
Use of a secure cloud-based password management system: Scott provided a few recommendations, such as Keeper, Practice Protect, LastPass, OneLogin, and Okta.
Best practice 3: Adopt single sign-on (SSO)
Network protection should be core to your WISP. The goal is to ensure the security of your full network across applications and devices. Adopting an SSO approach is the best way to protect your network.
“This means you are going to one place to deploy everything,” explained Scott. “And the best solutions have multi-factor authentication built into them.”
This becomes even more important when you consider offboarding employees. With SSO, you can restrict access across apps far more quickly.
Best practice 4: Implement multi-factor authentication (MFA)
As mentioned above, MFA is a proven and tested way to secure your network. MFA requires staff to prove who they are with more than just a password before being granted access, for example by providing a thumbprint (e.g., via an authenticator app) or entering a code that’s delivered to another device like their phone.
“With so many firms working virtually these days, MFA is critical.”
Here are a few apps Scott recommends: Microsoft Authenticator, Authy, Duo Mobile, LastPass Authenticator, and Google Authenticator.
Best practice 5: Take home laptop security seriously
As part of your WISP, you have to consider all connected devices. With so many employees working from home, it’s important to maintain proper device security by putting clear, written protocols in place.
The goal here is to ensure you are aware of all devices within your network and the software on each. Consider each tip:
Keep an inventory of all devices used by staff, complete with serial numbers.
Manage the apps on each device: Have a policy in place for what apps/subscriptions can and cannot be activated on work laptops.
Appoint a champion to ensure devices and apps are managed properly.
Have a sound policy in place for remote employees, including using a secure Wi-Fi network or VPN.
Best practice 6: Purchase cyber insurance
This is a great way to ensure you’re covered in the case of a data breach. The cost of a breach can be crippling to a firm and can come in various forms, from a general breach to denial of service or cyber extortion.
As such, do your homework on coverage. Ask such questions as: Are legal costs covered? Are we covered in the event of a full business shutdown (think data recovery time, system updates, client notification)? Is ransomware covered?
There are many places to purchase insurance. Among the long list are AIG, Liberty Mutual, and Hiscox.
Best practice 7: Upgrade your client engagement letters
Ensure your client engagement letters include the language required to protect your firm. Scott recommends running engagement letters by an attorney to ensure they comply with applicable laws and present clients with necessary information about security protocols. For example, include language on your firm’s protocol in the event of a data breach.
“Make sure you’re putting some type of verbiage inside your engagement letter that explains how your firm is compliant with state [and federal] laws,” said Scott. “This will serve you well.”
Having your security protocol in black and white gives you something to point back to in the case of a data hack.
Best practice 8: Have a breach checklist in place
In the event of a breach, you have to act fast. This can be tough when you’re overwhelmed with the aftermath of a cybersecurity attack.
Having a sound cybersecurity checklist in place can help you move forward. This list should include such information as:
What authorities need to be notified.
How you update and direct staff.
How you notify clients and other stakeholders.
The process for changing passwords.
Any other measures you need to take to secure internal operations.
Best practice 9: Keep your antivirus current
This sounds like a no-brainer, but you’d be surprised how many professionals allow their antivirus software to lapse or go too long without updating.
Antivirus software is critical in detecting and removing potential threats, protecting sensitive data, ensuring breaches are identified in a timely manner, and scanning potentially malicious email attachments.
Scott provides a short list of to-dos for installing and maintaining antivirus software on all your devices:
Research and choose reputable antivirus software.
Download the software of your choice.
Follow the instructions provided during the installation process.
Run an initial scan to ensure that your devices are free of pre-existing viruses.
Set up automatic scans and updates.
Best practice 10: Implement regular employee security training
Employees are your first (and best) line of defense against hackers. A well-trained team can help immensely in limiting your security risk. This is why regular security training is critical.
Employees should know how to spot a malicious link or scam email. They should also know what malware is and stay current on threats.
“I want my employees to be familiar with all the different types of attacks out there,” said Scott. “So we adhere to ongoing security training.”
Scott shared a few good training providers to consider, including CISA (cisa.gov), KnowBe4, Cofense, Proofpoint, and Ninjio.
Get secure. Stay secure.
There are so many reasons to make security a priority, including compliance with WISP and ensuring that a breach does not close your doors.
While some firm owners may feel tech-savvy, a comprehensive security plan is required to safeguard your firm, your clients, and your reputation. Following the tips provided here is a great start to upping your security game and ensuring that your firm doesn’t fall victim to a cybercriminal.
Ready to redefine your value? Follow our Redefining Value series to hear from today’s industry thought leaders who share their expertise on timely, relevant, and helpful topics, all geared to help you achieve the life you want.
About Liz Scott
QuickBooks Accountant, Trainer, and Writer at Accounting Lifeline
LizScottQBO | @LizScottQBO
Liz is an Advanced Certified ProAdvisor and a member of the exclusive Intuit Trainer/Writer Network. Along with running two accounting firms, she is the owner of Liz Scott Consulting LLC, where she takes up-and-coming apps to new heights. Liz is the co-host of the QB ‘Appy Hour with Liz and Heather, a webinar series devoted to building awareness in the accounting community about the latest technology trends and best practices in a fun, relaxed environment. Liz was also named an Insightful Accountant Top Educator/Trainer/Writer ProAdvisor.
This webinar is part of our Redefining Value webinar series. View the other virtual events and learn more about this series.