Accounting firms deal with sensitive data pertaining to the financial and other personal information of the clients. It is necessary that they employ sound data and cybersecurity controls. Furthermore, the EU General Data Protection Regulation (GDPR) has sharpened the awareness of companies and businesses on the issues related to data breaches.
1. Use of Cloud Servers.
Moving to cloud technology is a productivity boosting move that enables a business to enjoy the various benefits of the cloud, one of them being data safety as your clients’ data is not stored on your computer, where it could be stolen, lost or accidentally deleted. Instead, it is stored remotely on secure servers and all application functions are performed off-site. It not only reduces your business’s IT cost but also ensures that your business will always have access to the most secure version of the software. Accounting firms can use cloud accounting across various functions viz. ERP, Accounting, Expense reporting etc. The cloud provider completes the backup, ensures data security, updates occur automatically, and nothing needs to be downloaded or installed on a firm’s computer. Some useful cloud-based applications that are more commonly used are Google Docs, Dropbox and Paypal.
2. Paperless office using various data software tools.
Storing documents digitally is simpler, easier to store and easier to access compared to paper and is also more secure compared to storing physical files. Though paper cannot be completely dispensed with, making the office paperless to the extent possible reduces clutter, improves collaboration, speeds up access to information and provides better data security. Use of software tools is fast becoming a norm for accounting outsourcing and payroll outsourcing. Also, with Making Tax Digital (MTD) requirements in the UK, it has become crucial for choosing accounting software that is compliant with it. Accountants can use a range of software tools across the organization for ERP (Sage Intacct, NetSuite etc.), Payroll (Xero, Sage Business Cloud Payroll etc.), Accounting software (QB online, Xero etc.), expense reporting (Receipt Bank, auto entry etc.) and bill paying (Xero, Intuit QuickBooks online, GoCardless etc.) among others.
3. Data Encryption and Password Policy.
Data Encryption. Sensitive data should be always protected whether in transit or at rest. Strong encryption ensures that the data is protected from outside eyes. For data in transit, nothing should be accepted over non-HTTPS connections. For data in storage, it is ideal to reduce the exposure in case of sensitive data by not storing what is not required anymore. Where sensitive data is required to be stored, the data should be encrypted, and the passwords should be hashed.
Password policy. Passwords are the first line of defense against illegal access to data. A strong password policy enables this line of defence. There needs to be strict requirements for employee passwords in terms of length, complexity, and lack of predictability. Also, there should be a mandate that requires changing passwords at regular intervals.
4. No storage of data on local computer or personal computer.
Storing critical data on a local network comes with its fair share of risks including data loss through theft or accident, unauthorized physical access, and unauthorized virtual access. Some of the procedures to protect data from these risks include backing up your data to the cloud such as Dropbox or Google drive which are cost-effective solutions to automate data backup. Also, the data may be backed up to an alternative physical location regularly. The crucial aspect in both cases should be to test the ability to restore the data regularly. While you may protect the data stored on your local or personal computer using passwords, unfortunately, you may not be able to protect it against someone with physical access to the hard drive of the computer. Imagine the damage it can do to your reputation as an accountant if you are not able to safeguard a client’s sensitive financial data. A case in point is when Brighton hospital was fined GBP 325000 over data theft that happened when highly sensitive personal data belonging to tens of thousands of people was discovered in the hard drives sold on eBay. One way to safeguard against this is to keep only as much information as required on the physical device because what is not available cannot be stolen. Also, implementing a Whole Disk Encryption (WDE) (viz. Bitlocker for Windows and Filevault for MacOS or Symantec for enterprise-wide solution) offers the requisite data protection, should the device fall into wrong hands. Good antivirus and anti-malware are important to safeguard against malware and virus attacks.
5. Certification- Cyber Essentials or ISO 27001.
Cyber essentials. Cyber Essentials certification helps the business to achieve a baseline of cyber-security by identifying 5 fundamental technical security controls that organizations should implement. This should be implemented by all businesses or organizations as it helps defend against most internet-borne threats. It covers data, programs, computer servers and other elements in the IT infrastructure. The Cyber Essentials scheme focuses on 5 controls: secure configuration, boundary firewalls and Internet gateways, access control, patch management and malware protection.
ISO 27001. This is an international standard that provides specifications for the Information Security Management System (ISMS) which provides 114 security controls that encompass people, processes, and technology. These standards help keep the information assets secure, particularly assets such as financial information, intellectual property, employee details and information entrusted to the organisation by third parties. A certification assures the clients that the standards recommendations have been followed.
Both Cyber essentials and ISO 27001 are complementary to the effect that Cyber Essentials identifies that the basic controls are in place whereas ISO 27001 helps stress the fact that there is finesse and maturity to the controls across the business.
6. Shredding of Data on a Regular basis.
Data disposal is an area that should not be overlooked because when it comes to data the adage “Out of sight, out of mind” does not apply. Data discarded in a bin is effectively open to anyone. Hence, it’s imperative that certain protocols should be followed while disposing of data. Primarily, data disposal should be done on a regular basis, data not required anymore need not be stored anymore. Data on paper formats should be shredded using a paper shredder. Data stored in electronic format should be destroyed or erased.
7. No Pen Drive etc.
Storing data on a pen drive brings with it the convenience of carrying your work and being able to dive into it at a moment’s notice. For the most part, we assume that as long as the pen drive/ USB stick is with us, it’s a great plug and play option. However, one can completely overlook the cross contamination of malicious code that can spread when you plug the pen drive into an outside device that is infected with malware and then use the same pen drive on your device. The pen drive may get stolen or misplaced. Right off the bat, storing sensitive client data on pen drives must be avoided to the extent possible and if at all one has to use a flash drive, the data should be encrypted. Even then, storing sensitive data on movable storage devices comes with a very high risk.
8. Use of Citrix, RDP for employee’s login.
The use of Citrix and RDP provides secure access to applications deployed on-premises, in the cloud, or delivered as SaaS. COVID-19 has also forced businesses to view virtualisation and working from home as a deep-seated reality. Citrix gives the users the same look and feel as that of a traditional desktop where users can remotely access the applications they need from wherever they are. It allows for the consolidation of traditional security products like VPN, single sign-on and browser isolation technologies with one solution. Similarly, Remote Desktop Protocol (RDP) allows users to communicate directly with the application remotely.