No practitioner wants to discover that their client’s data has been compromised. Besides caring about the well-being of your client, you may also be found at fault and liable for the breach, which would put you and your reputation in a pretty bad position. Unfortunately, ensuring cybersecurity is a difficult task, and it only gets more difficult if you have staff members who also handle client data. The risk of a data breach is everywhere, so you always have to be on your A game. Here’s a list of actions you can start taking now to improve cybersecurity within your practice.
1. Be diligent about how you use email
Email can pose one of the highest security risks you face as a practitioner if you’re not being diligent about how you use it. In fact,
To avoid becoming a victim of a cyberattack, be sure to encrypt sensitive emails between you and your clients, especially if your clients are sending documents over email. Encryption makes it so that only the intended recipient is able to view your email. There are a lot of articles out there that will walk you through email encryption. Setting it up shouldn’t require a hired expert, but it will require a bit of tech savviness.
Second, be wary of unsolicited emails from potential clients. While it may seem good for business to receive an email from a potential client, you need to have your guard up—especially if the email includes files to download. Hackers may pretend to be potential clients who were “referred” to your practice. In the email they’ll attach files they claim are tax documents, but the files actually contain malware. To combat this kind of phishing, approach these emails with caution. If someone claims to be a referral, check with your client who supposedly referred them before clicking on anything within the email. If something seems off about the email sender, delete the email.
2. Invest in the cloud
While some practitioners have reservations about the security of the cloud, the cloud is actually more secure (if you’re using a reliable cloud provider) than storing files directly on your computer. This is because reliable cloud providers require strict regulatory standards for their data centers, and IT experts who work for cloud providers know more about how to protect information than the average practitioner.
Additionally, the best cloud providers use encryption and digest access authentication.
• Encryption is the process of using an algorithm to transform plain text information into a non-readable form called ciphertext. An algorithm and an encryption key are required to decrypt the information and return it to its original plain text format.
• Digest access authentication is a method of exchanging credentials, such as username and password, that is more difficult for cyber criminals to reverse and crack.
It’s important to keep in mind that cyber criminals are not the only threat to client data. Data can also be vulnerable to physical threats. If you keep your clients’ records on your computer or in a filing cabinet, they can easily be destroyed by a power surge, fire, natural disaster, flood, theft or leak in your roof. With the cloud, that’s not an issue. Reliable cloud providers go to great lengths to ensure their data centers are physically secure and spread out geographically.
3. Physically secure your office
On the topic of physical security, even if you use the cloud you should physically secure your office in other ways. For example, you may consider implementing a clean desk policy with your staff. Having a “clean desk” means that no sensitive information is left out for easy access. This includes passwords, clients’ tax documents, etc.
Other physical security measures you can take include putting locks on all cabinets and rooms where you keep sensitive documents and locking your computer while you’re away from your desk.
Keep in mind with all of these actions, you’ll need to make sure everyone on your staff follows them. Just one staff member being lax about security can bring your practice and clients a lot of problems. You may consider holding a quarterly security training to keep your team up to date.
