Data Security: Three Pillars of Protecting Your Accounting Firm
IMGCAP(1)]Accounting firms are among the most vulnerable to Internet threats such as viruses, hacking and malware.
Since theft is often the goal of these attacks, accounting firms are particularly susceptible to legal action resulting from fraudulent bank activity directly related to malicious external exploits.
Given the extreme sensitivity of the data being stored and processed each day, it is critically important for firms in the accounting sector to protect internal information systems, including electronic communication between and among staff and customers. The security of your confidential data is equally important whether your firm comprises 10 or 10,000 employees.
A sound data-security strategy should include the following three components:
Data security starts at your front door. An alarm system, including surveillance cameras, will protect your facility in general. Your server room will require systems to monitor humidity, temperature and water on the ground.
Physical access to all data-storage areas (such as filing cabinets, desk drawers, workstations and servers) should be strictly controlled at all times.
Deploying an effective security strategy will be influenced by a host of factors: budget, IT staff experience and unique firm requirements. You may choose to locate the mission-critical elements of your infrastructure on-site, in a secure off-site data center or “in the cloud.” Management might be tasked to your in-house IT staff or outsourced to a managed service provider.
As with physical security, protecting your network starts at the edge: A network firewall is your first line of defense in blocking unauthorized access to your systems and data.
Many firewalls today provide URL and application filtering, intrusion prevention, anti-virus scanning and remote access via virtual private networks and SSL encryption. Many firewall systems also enable secure wireless connectivity within your office.
Moving inward from your firewall are several additional layers of security you should address. File and folder permissions should be diligently audited on all server resources. Your staff should have access only to documents and applications necessary to perform their jobs. Also, since email has become the standard method of document delivery in the accounting industry, all e-mails (inbound or outbound) containing confidential or otherwise sensitive information should be encrypted.
Additional security measures include data loss prevention, voice system security, two-factor authentication, endpoint security, full-disk encryption, port protection and client anti-virus and anti-malware.
All of these security measures are for naught if you suffer a server failure or other catastrophic loss of data. A well-executed backup plan is essential; and while there are several different approaches to disaster-recovery planning, most adhere to some permutation of the old 3-2-1 rule. In short: Keep three copies of any important file (primary and two backups); the file should be on two different media (for example, DVD and external hard drive); and one backup copy should be stored offsite.
Last, your security systems should be tested rigorously for any weaknesses or missing elements. This is usually done by a third party, and typically involves four tests: PCI scanning, internal/external vulnerability assessment, risk assessment and Web application penetration testing.
Policy and Staff Communication
Technology alone is insufficient. The most comprehensive security plan will fail if it isn’t clearly documented, and if employees are not adequately trained on it.
Start with a basic documented security policy. A first step might be a policy document governing appropriate usage of company assets, including computer and e-mail usage, personal storage, laptop and phone usage, etc. This policy document can grow as your security policy expands.
Give your staff adequate training. Again, a security policy is useless if your employees don’t fully understand and agree to abide by it. Schedule training sessions where your staff is given an overview of the nature and breadth of today’s threat landscape and how to identify the more prevalent threats: physical, social engineering, social media, spyware, phishing, fraud, etc.
At a time when so much of your business is conducted online and so much of your critical data is stored electronically, your continued success is more dependent than ever on the success of your internet security plan.
Hillel Sackstein is president and CEO of Virtual Graffiti, an IT solutions provider specializing in business, government and education.