As accounting firms know, they have the responsibility to protect client data, both ethically and legally under various laws, regulations and professional standards, such as the Gramm-Leach-Bliley Act, which was enacted to protect consumers’ private financial information by restricting the collection and disclosure of nonpublic personal information and imposing certain security requirements on covered organizations. Now, more than ever, accounting firms are vulnerable to increasingly sophisticated cybersecurity threats that can have severe consequences if appropriate protections are not put in place.
Although there are many preventative security measures accounting firms can implement, let’s look at three of the high-priority actions that can be used as a baseline from which to build a broader cybersecurity plan:
1. Heavily guard your credentials.
The credentials you use to access systems that contain sensitive client data must be safeguarded. Never reuse a password across systems: a password stolen from one service will be tried against every other service the attacker can find. And never share credentials: a shared account cannot tell you who did what, and it cannot be revoked for one person without locking out everyone else who uses it.
In this same vein, be alert to phishing and spear-phishing attempts. As the IRS puts it, “Don’t take the bait.” Once you do and someone else holds your credentials, no software or hardware vendor can undo it after the fact: the “bad actors” may now have the same access to your systems and data that you have.
2. Properly secure Remote Desktop Protocol.
Remote Desktop Protocol gives employees who work remotely access to office computers. RDP dates back to Windows NT 4.0 Terminal Server Edition (1998); Windows XP (2001) was the first client version of Windows to ship with Remote Desktop built in, and it has been part of Windows ever since (on client editions the host side is limited to Pro and Enterprise).
While RDP is clearly a very useful tool, it must be properly secured. Over the years, Microsoft has issued many security patches as vulnerabilities in RDP have come to light, including several released this year alone.
If your firm uses RDP, make sure that, at a minimum, a) every system, whether desktop, laptop or server, applies Microsoft patches immediately upon release, and b) RDP is reachable only over a VPN. The RDP port (TCP 3389 by default) should never be exposed directly to the internet: internet-facing RDP listeners are scanned and brute-forced around the clock, whereas a VPN in front of RDP means an attacker must first defeat the VPN before they can even attempt an RDP login. Without a VPN, RDP may significantly increase your security risk.
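The two requirements above can be checked rather than assumed. The following is an added example, not code from the original article: a PowerShell audit that reports whether a Windows host has RDP enabled, whether the Remote Desktop firewall rules are open to any remote address instead of just the VPN, whether Network Level Authentication and TLS are required, and how long ago the last update was installed. Run it as an administrator in Windows PowerShell 5.1 or PowerShell 7 on Windows; every cmdlet used is built in. The 30-day patch threshold and the assumption that the VPN assigns addresses in 10.8.0.0/24 are illustrative choices for this example, not facts from the article.

```powershell
# Added example, not from the original article: audit a Windows host against the
# RDP baseline (patched promptly, reachable only through the VPN, NLA and TLS on).
# The VPN range 10.8.0.0/24 and the 30-day threshold are assumptions; adjust to your site.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the registry value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpExposureReport {
    param(
        [string[]]$AllowedRemote = @('10.8.0.0/24'),   # assumed VPN client range
        [int]$MaxPatchAgeDays = 30                      # assumed tolerance for "immediately"
    )

    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

    $rdpEnabled = (Get-RegValue $ts 'fDenyTSConnections') -eq 0
    $nla        = (Get-RegValue $rdpTcp 'UserAuthentication') -eq 1   # Network Level Authentication
    $secLayer   = Get-RegValue $rdpTcp 'SecurityLayer'                 # 2 = TLS required, 0 = legacy RDP security
    $port       = Get-RegValue $rdpTcp 'PortNumber'
    if (-not $port) { $port = 3389 }

    # Remote-address scope of every enabled inbound rule in the built-in Remote Desktop group.
    # 'Any' means the listener is open to whatever can route to this host, including the internet
    # if the host or its NAT is exposed.
    $scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
              Get-NetFirewallAddressFilter |
              ForEach-Object { $_.RemoteAddress }

    # Most recently installed update, as a proxy for whether patches are applied promptly.
    $lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
                 Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAge  = if ($lastPatch) { ((Get-Date) - $lastPatch.InstalledOn).Days } else { $null }

    $findings = @()
    if ($rdpEnabled -and ($scopes -contains 'Any')) {
        $findings += "Firewall allows RDP (TCP $port) from any address; scope it to $($AllowedRemote -join ', ')"
    }
    if ($rdpEnabled -and -not $nla)         { $findings += 'Network Level Authentication is off' }
    if ($rdpEnabled -and $secLayer -ne 2)   { $findings += "SecurityLayer is '$secLayer'; set it to 2 so TLS is required" }
    if ($null -eq $patchAge)                { $findings += 'No installed updates found' }
    elseif ($patchAge -gt $MaxPatchAgeDays) { $findings += "Last update was installed $patchAge days ago" }

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        Port             = $port
        NlaRequired      = $nla
        SecurityLayer    = $secLayer
        FirewallScopes   = $scopes
        LastPatchAgeDays = $patchAge
        Findings         = $findings
    }
}

Get-RdpExposureReport | Format-List
```

An empty Findings list means the host meets the baseline as this script measures it. The most common finding on a small-office machine is the first one; the fix is to restrict the rule group to the VPN range with `Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress 10.8.0.0/24` (substituting your own VPN range), so that even if the office router is ever misconfigured to forward port 3389, the host itself refuses connections that did not come through the VPN.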
3. Implement multi-factor authentication.
Multi-factor authentication is the process by which a provider of access to critical personal and financial information, for example, verifies that a user is who they claim to be by requiring a second proof of identity of a different kind from the password: something the user has (a hardware token or an authenticator app on their phone) or something the user is (a fingerprint or face), in addition to something the user knows. A password stolen through phishing is then not, by itself, enough to log in.
It is advisable for accounting firms to use MFA across the board in any office that has access to sensitive client data. It is yet another security control that helps demonstrate you are doing your best to protect your clients’ data.
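To make the "second proof of identity" concrete, here is an added example that is not part of the original article: how the server side of the most common second factor, a time-based one-time password (TOTP, RFC 6238) as generated by authenticator apps, computes the expected code and checks the one the user typed. It uses only the .NET classes that ship with PowerShell. The secret is the RFC 6238 Appendix B test-vector key, not a real credential (the RFC publishes 94287082 as the 8-digit code for T = 59), and the one-step drift window is an illustrative choice.

```powershell
# Added example, not from the original article: server-side TOTP (RFC 6238) generation
# and verification. The key below is the RFC 6238 test-vector key, not a real secret.

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$Digits = 6,
        [int]$StepSeconds = 30
    )
    # Counter: number of whole time steps since the Unix epoch, as an 8-byte big-endian integer.
    $counter = [long][math]::Floor($UnixTime / $StepSeconds)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    # HOTP core (RFC 4226): HMAC-SHA1 of the counter under the shared secret.
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    try { $hash = $hmac.ComputeHash($msg) } finally { $hmac.Dispose() }

    # Dynamic truncation: the low nibble of the last byte selects 4 bytes; clear the sign bit.
    $o = $hash[19] -band 0x0f
    $binary = (($hash[$o] -band 0x7f) -shl 24) -bor ($hash[$o + 1] -shl 16) -bor ($hash[$o + 2] -shl 8) -bor $hash[$o + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-FixedTimeEquals {
    param([string]$A, [string]$B)
    # Compare every character so response time does not reveal how many leading digits matched.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ([int]$A[$i] -bxor [int]$B[$i]) }
    return ($diff -eq 0)
}

function Test-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][string]$Submitted,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$Window = 1,          # assumed drift tolerance: one step either side
        [int]$StepSeconds = 30
    )
    # Accept the current step plus $Window steps either side so a phone whose clock is
    # slightly off still works; a larger window gives an attacker more valid codes per attempt.
    foreach ($delta in (-$Window)..$Window) {
        $expected = Get-TotpCode -Secret $Secret -UnixTime ($UnixTime + $delta * $StepSeconds) -StepSeconds $StepSeconds
        if (Test-FixedTimeEquals $expected $Submitted) { return $true }
    }
    return $false
}

# RFC 6238 Appendix B key (ASCII "12345678901234567890"); T = 59 is the RFC's first test time.
$secret = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
Get-TotpCode -Secret $secret -UnixTime 59 -Digits 8
Test-TotpCode -Secret $secret -Submitted '287082' -UnixTime 59              # 6-digit form, same step
Test-TotpCode -Secret $secret -Submitted '287082' -UnixTime 89              # one step late, inside the window
Test-TotpCode -Secret $secret -Submitted '287082' -UnixTime 89 -Window 0    # same code with no drift tolerance
```

With those inputs the first call reproduces the RFC's published 94287082, the next two return True and the last returns False, which is the trade-off the window controls. Two points carry over to any MFA deployment, whichever product the firm buys: the shared secret must be stored as carefully as a password hash, because anyone holding it can mint valid codes, and the server must rate-limit attempts, since a six-digit code with a three-step window is guessable by brute force if unlimited tries are allowed.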
Remember: these three items should act as a starting point for your firm’s overall cybersecurity plan. To build out further details, regularly partner with an IT professional who is well-versed in current security tools and procedures and seek the latest guidance from your legal advisors on the best data security practices for your firm.
The good news is that many technology companies are working on a variety of solutions to ease the pain of passwords as we know them today. We should start seeing the results of their work in the near future.