It’s a question that not many accountants are asking, but if neglected, it’s something that can have disastrous consequences.
It’s not enough anymore to sit there and say “hackers only target hard cash, like banks and credit cards”, because whilst that may still be true to some extent, let’s look at all the data accountants tend to have: the financial data of your clients’ businesses.
That’s your clients’ livelihood, and hackers have caught on to this. They’ve realised that they can monetise all kinds of data, especially sensitive data belonging to your clients, which means we have some catching up to do to make sure this is all protected!
We’ve already covered ways to stop using email to send sensitive information, and now it’s time to look at how you can continue to improve your firm’s internal security.
Look at who has access, and to what
When you’re sending sensitive documents to someone, be it through Dropbox, Google Drive or a client portal, you of course need to give your client access to then view that information.
That’s great, but how do you continually manage this? If access management is left unchecked, you could find that clients have access to areas they no longer need access to, or worse, they’re not entitled to have access to, but because it was left unchecked, they still do.
The problem here is that you need to check consistently that your clients only have access to the things they currently need, so that nobody keeps privileges they never needed or no longer need. Better yet, if someone needs a higher level of access, it’s always a great idea to communicate any special or higher risks associated with that, so that they are educated on the policies and procedures you have in place to protect their accounts and their data.
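The periodic access review described above, as an added example (not the author’s code, and not tied to any particular portal’s API): a short Python script that takes a list of sharing grants and flags those to revoke (engagement ended), reduce (more rights than the work needs) or re-confirm (unused for longer than an assumed 90-day threshold). The grant records and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Ordering of permission levels, lowest to highest (assumed names).
PERMISSION_RANK = {"view": 1, "comment": 2, "edit": 3, "owner": 4}


@dataclass
class Grant:
    principal: str               # client or staff account that holds the access
    resource: str                # shared folder or portal area
    permission: str              # level actually granted
    needed_permission: str       # level the engagement really requires
    last_accessed: Optional[date]
    engagement_active: bool      # still a client / still employed?


def review_grants(grants: List[Grant], today: date,
                  stale_after_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (principal, resource, action) findings for an access review."""
    findings = []
    stale_cutoff = today - timedelta(days=stale_after_days)
    for g in grants:
        if not g.engagement_active:
            # Former clients and former staff keep no access at all.
            findings.append((g.principal, g.resource, "revoke: engagement ended"))
            continue
        if PERMISSION_RANK[g.permission] > PERMISSION_RANK[g.needed_permission]:
            findings.append((g.principal, g.resource,
                             f"reduce: {g.permission} -> {g.needed_permission}"))
        if g.last_accessed is None or g.last_accessed < stale_cutoff:
            findings.append((g.principal, g.resource,
                             f"confirm: unused for over {stale_after_days} days"))
    return findings


# Constructed sample data: five grants, reviewed as of 30 June 2024.
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_GRANTS = [
    Grant("alice@client-a.example", "Client A/2023 accounts", "view", "view", date(2024, 6, 20), True),
    Grant("bob@client-b.example", "Client B/payroll", "edit", "view", date(2024, 6, 1), True),
    Grant("carol@client-c.example", "Client C/tax", "view", "view", date(2023, 12, 1), True),
    Grant("dave@old-client.example", "Client D/accounts", "edit", "edit", date(2024, 6, 25), False),
    Grant("former.staff@firm.example", "Firm/all clients", "owner", "owner", None, False),
]


def run_sample() -> List[Tuple[str, str, str]]:
    return review_grants(SAMPLE_GRANTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for principal, resource, action in run_sample():
        print(f"{principal:30} {resource:25} {action}")
```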
Check your passwords
When talking about security, one of the most popular questions I’ve seen is “how often do you change your password?” But a more pertinent question would be “how many accounts do you have that re-use the same password?” The answer always surprises me.
Password re-use is one of the biggest security issues people have. Do you remember the LinkedIn hack of 2012? Hundreds of millions of users had their account passwords breached, but it presented a bigger problem for those who were using that same password for other systems like Dropbox, Facebook and Outlook. Worse, in many of those cases the attacker got into the other accounts precisely because of that re-use.
Thanks to password managers like LastPass, you don’t necessarily need to remember all your passwords, which gives you the opportunity to make them more complex without the pressure of potentially forgetting which letter was capitalised, or which letter was substituted for a number. A trusted system to manage all of your passwords gives you far more security than before.
Also, with two-factor authentication, you can add an extra layer of security to your password. This has become much more prominent with companies like Google and even Xero. Because banks have been using it for a long time, we’ve become much more accustomed to using two-factor authentication on a daily basis.
Another thing to be particularly careful of is the usernames and passwords of past employees. It’s highly recommended that you disable these accounts and change any passwords they knew, so that past employees, disgruntled or otherwise, aren’t tempted to log in again remotely.
Bringing your own device to work
Ever since the iPhone first launched, the way we work has been transformed. Instead of bringing your own laptop to work, people are now bringing what is practically a computer in their pocket!
The problem with this is that if your personal device has malware on it (which you may not be aware of in the first instance), then as soon as you connect to the company wi-fi you’re at risk of spreading that malware to everyone else: the servers, the files, the emails, everything.
Now I’m not saying you need to implement a rule where people have to leave their phones at home, but it’s worth having the conversation with your employees so that they’re aware of the risks and the steps they can take to make sure their own devices are protected.
Give everyone training
Everything I’ve said so far ties back to training, so make sure you have firm-wide policies and training on security. That way you’re making sure your entire team is on the same page when it comes to how to handle data, how to keep data secure and what steps to take if things go wrong.
Why risk the vulnerability of data, when there are tools and support out there to keep your firm secure?