Security is a popular topic in the industry at the moment, and updating your security protocols, implementing new systems and reviewing processes can be a massive time sink for accountants. Everything you’re looking at ultimately ties back to the biggest question of all: How secure is your firm?

We’ve already talked about how you can improve security internally, by looking at everything from checking passwords, bringing phones to work, training and more. But what about external security?

This is an even bigger question to ask when you’re looking at the security of your firm, because it’s become common practice for accountants to outsource some of their work. That raises the question “How secure are they?” Depending on what you’re outsourcing, you might be sharing everything from passwords to your various marketing engines to databases of contact information, and if your outsourcers don’t look after this data properly, it could still be you and your firm at risk!

To conclude our mini blog series on security, let’s look at some of the top things accountants outsource and how that can impact your security.

1. Marketing

This is one of the top functions of an accountancy firm to outsource. Providers like The Profitable Firm have become a staple component in firms promoting themselves through blogs, website pages, social media and more. But with this relationship comes a caveat: sharing information.

It’s often overlooked when thinking about the “greater good” that is marketing, but when you are working with a marketing company, it becomes common practice to share access to everything, from your website, to marketing engines like MailChimp and even social media accounts.

By doing so, you’re effectively giving a third party access to a hefty amount of data. Your website could store submissions from your various enquiry forms. Your MailChimp account could contain lists of client email addresses. And it all starts with handing over the passwords to those accounts. In a case like this, it’s important to double-check what security protocols these third parties have in place so that your sensitive data is protected on their end too.

2. Website maintenance

It’s a well-known fact that your website is one of the biggest marketing components for any business, let alone accountants. It’s your marketing hub, which means it’s important to keep maintaining it on a regular basis.

One of the lesser-known facts, however, is the importance of an SSL certificate for your site. These have become more popular in the past couple of years and are now the norm for any website to have. An SSL (or Secure Sockets Layer) certificate is an extra layer of security that encrypts the connection between a visitor’s browser and your website, and therefore safeguards any sensitive data that is being sent through the website. This means any data submitted, whether it be through a contact or payment form, isn’t at risk of being stolen by hackers while it is in transit.

You can tell when a site has an SSL certificate installed by looking at its URL; if it starts with “https” as opposed to “http”, the “s” signifies it’s a secure site. This is becoming more and more important as it has recently been announced that any sites that do not have an SSL certificate will automatically be flagged as unsecure by Google and also de-ranked in Google searches!

Think about your user experience: Would you want to visit your site and be met with a screen that says “This site might be trying to steal your information”? That wouldn’t fill you with confidence in your accountant, let alone how they handle the security of any of your data. But the solution isn’t too difficult. All that you have to do is purchase an SSL certificate, which is readily available through domain and hosting companies, and have that installed on your site. Once that’s done, you can rest easy knowing your site is much more secure than those without an SSL certificate in place.

3. Accounts production

One of the final avenues that is popular to outsource is the production of accounts and tax returns. As you know, that’s what we do here at AdvanceTrack, and we like to think we take security pretty seriously with our online system and protocols in place.

If you don’t use AdvanceTrack, but have been considering outsourcing compliance work, security is an important question to ask any provider. After all, you’ll regularly be sending financial data belonging to your clients and their businesses, so you want to make sure that this is handled well and protected on their end so that the data isn’t at risk of being stolen.

Security is important, act now.

Security is something that shouldn’t be overlooked, whether it’s internal or external. You need to look at everything from your internal systems, to the processes your outsourcers use, to the training needed for your staff.

When all that is done, your firm will undoubtedly be in a much safer position, as you won’t be leaving the security of your clients’ data to chance!

It’s a question that not many accountants are asking, but if neglected, it’s something that can have disastrous consequences.

It’s not enough anymore to sit there and say “hackers only target hard cash, like banks and credit cards” because whilst that may still be true to some extent, let’s look at all the data accountants tend to have: The financial data of your clients’ businesses.

That’s your clients’ livelihood and hackers have caught on to this. They’ve realised that they can monetise all kinds of data, especially sensitive data belonging to your clients, which means we have some catching up to do to make sure this is all protected!

We’ve already covered ways to stop using email to send sensitive information, and now it’s time to look at how you can continue to improve your firm’s internal security.

Look at who has access, and to what

When you’re sending sensitive documents to someone, be it through Dropbox, Google Drive or a client portal, you of course need to give your client access to then view that information.

That’s great, but how do you continually manage this? If access management is left unchecked, you could find that clients have access to areas they no longer need access to, or worse, they’re not entitled to have access to, but because it was left unchecked, they still do.

The problem here is that you need to consistently make sure that your clients only have access to the things they need access to, so that they don’t have the wrong privileges when they don’t (or no longer) need them. Better yet, if someone needs a higher level of access, it’s always a great idea to communicate any special or higher risks associated with that, so that they are educated on the policies and procedures you have in place to protect their accounts and their data.

Check your passwords

When talking about security, one of the most popular questions I’ve seen is “how often do you change your password?” But a more pertinent question would be “how many accounts do you have that re-use the same password?” The answer always surprises me.

Often, password re-use is one of the biggest security issues people have. Do you remember the LinkedIn hack of 2012? Hundreds of millions of users had their account passwords breached, but it presented a bigger problem for those who were using that password for other systems like Dropbox, Facebook and Outlook. Worse, a lot of the time, the hacker succeeded because of this.

Because of the beauty of password managers like LastPass, you don’t necessarily need to remember all your passwords, which gives you the opportunity to make them more complex without the pressure of potentially forgetting which letter was capitalised, or which letter was substituted for a number. A trusted system to manage all of your passwords gives you far more security than before.

Also, with two-factor authentication, you can add an extra layer of security to your password. This has become much more prominent with companies like Google and even Xero. Because banks have been using it for a long time, we’ve become much more accustomed to using two-factor authentication on a daily basis.

Another thing to be particularly careful of is usernames and passwords of past employees. It’s highly recommended that you delete these and change passwords so that any past employees, disgruntled or otherwise, aren’t tempted to log in again remotely.

Bringing your own device to work

Ever since the iPhone first launched, the way we work has been transformed. Instead of bringing your own laptop to work, people are now bringing what is practically a computer in their pocket!

The problem with this is if your personal device has got malware on it (which you may not be aware of in the first instance), as soon as you connect to the company wi-fi, you’re at risk of transferring that malware to everyone else. That’s the servers, the files, the emails, everything.

Now I’m not saying you need to implement a rule where people have to leave their phones at home, but it’s worth having the conversation with your employees so that they’re aware of the risks and the steps they can take to make sure their own devices are protected.

Give everyone training

Everything I’ve said so far ties back to training, so make sure you have firm-wide policies and training on security. That way you’re making sure your entire team is on the same page when it comes to how to handle data, how to keep data secure and what steps to take if things go wrong.

Why risk the vulnerability of data, when there are tools and support out there to keep your firm secure?

Handling sensitive data is evolving. From GDPR to SSL, from cookies to privacy policies, the way in which we invite our clients to share data with us remains ever-changing.

Let’s back-track several years and look at the history of how data was handled: There were floppy disks, a great piece of kit, but ones that couldn’t hold much data. There were CDs, easily breakable and easy to corrupt. Then there were USB drives, which could hold anything from a few documents to gigabytes of confidential information but were still at risk of being corrupted. And let’s not forget the days where we were just hand delivered all the documents we ever needed.

So, what’s the common problem here? Security and privacy. With all the new laws coming in this year and in the past, how you handle sensitive data has never been more important.

It begs the question: “Are you still using email?” It’s now more crucial than ever to look at whether or not you are actually 100% secure when you handle this information. Chances are that isn’t the case if you are simply using email to send confidential and sensitive documents.

But there are alternatives to email, and we’re here to show you the tools you can consider and why they could go a long way in improving the security of your clients’ data and information.

Email isn’t always safe

Question to you: Are you aware of the multiple stops an email makes before it reaches its final destination? Truth be told, if you were, you’d probably think twice about sending private information via email.

It doesn’t just go from your inbox to the recipient’s. In actual fact, there are multiple servers along the superhighway before the email eventually arrives at its destination. The problem here is that while the email is on that journey, it’s at the mercy of server administrators, who have the power to delete or even alter a message.

What’s wrong with this picture? Simply put, the security of the email is beyond your control. You’re hoping it’s safe, but what if it’s not? All it takes is one breach in data or one lost email, and your firm’s reputation, and more importantly, the relationship with that client, is at stake.

You’re risking their privacy and your own privacy. Even having a level of encryption only guarantees a level of privacy between you and your email provider. Once the email leaves there, that level of security is no longer there.
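The stops described above are recorded in the message itself: every server that handles an email adds a `Received` header. The following is an added example, not part of the original post, that reads those headers with Python’s standard `email` library and lists each hop and whether it reported an encrypted (TLS) connection; the sample message and its `.example` hostnames are constructed for illustration.

```python
import re
from email import message_from_string
from typing import List, NamedTuple

# Constructed sample message (hypothetical hosts on the reserved .example domain).
SAMPLE = """\
Received: from mx.client.example (mx.client.example [203.0.113.9])
\tby mailstore.client.example with ESMTPS id c3;
\tMon, 04 Jun 2018 09:15:07 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.client.example with ESMTP id b2;
\tMon, 04 Jun 2018 09:15:05 +0000
Received: from laptop.firm.example (laptop.firm.example [192.0.2.10])
\tby relay.isp.example with ESMTPSA id a1;
\tMon, 04 Jun 2018 09:15:02 +0000
From: accountant@firm.example
To: owner@client.example
Subject: Year-end accounts

Draft accounts attached.
"""

# "with" keywords that mean the hop was made over TLS (RFC 3848 names).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(
    r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.S)


class Hop(NamedTuple):
    sender: str
    receiver: str
    protocol: str
    tls: bool


def trace_hops(raw_message: str) -> List[Hop]:
    """Return the servers a message passed through, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to get travel order.
    for header in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(header)
        if match:
            sender, receiver, proto = match.groups()
            proto = proto.upper()
            hops.append(Hop(sender, receiver, proto, proto in TLS_PROTOCOLS))
    return hops


def plaintext_hops(raw_message: str) -> List[Hop]:
    """Hops that did not report TLS, i.e. links where the mail was readable."""
    return [hop for hop in trace_hops(raw_message) if not hop.tls]


if __name__ == "__main__":
    for number, hop in enumerate(trace_hops(SAMPLE), 1):
        state = "TLS" if hop.tls else "NO TLS REPORTED"
        print(f"{number}. {hop.sender} -> {hop.receiver} [{hop.protocol}] {state}")
```

Even a hop marked as TLS only protects the link between two servers; each server in the chain still handles the full message, and headers written by earlier servers can be falsified, so treat the output as indicative.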

What about Dropbox or Google Drive?

More firms now are beginning to proactively address the need for security, and that often leads to trying systems like Dropbox and Google Drive. These systems are great for sharing individual files or entire folders with a specific person, and good news: they’re encrypted and secure!

But even so, these systems still have their flaws, particularly in how you manage the information that is shared. It’s easy enough to share individual documents or folders, but currently neither system gives you a way to track what has or hasn’t been shared. There’s no bird’s eye overview to display that information, and without this, it can easily become impossible to track what information is readily available and what access might need revoking.

Also, for some of you, you might have a client base that is not as technically-savvy as you, and they might not be familiar with a system like this. Sharing is a two-way street, but what if they’re the person on the street blocking the road and holding everyone up? They might not understand how to share information back to you, or how to even download and open anything you’ve shared.

The solution? Client portals

Client portals are becoming more and more popular, largely down to ease of use for clients. More importantly, they combine the best of both worlds, incorporating the use of emails. For example, some portals allow you to send an email to your client, but that email will send them a secure link to a document in the client portal which requires a password, rather than attaching the document in the email.

There’s also a whole host of built-in security features: Unique user IDs, passwords, two-factor authentication, user tracking, data back-ups. There’s a lesson to be learnt in using a client portal, and that’s communicating in a safer way by not sending sensitive information via email.

Staying ahead 

There are a lot of trends and legislation that accountants need to keep up with, and data security and privacy are often at the forefront. The technology is there to help combat any security issues you might be facing, but the responsibility is on you to evaluate and begin implementing them.

If you’re still using email, and email only, ask yourself: “Is it worth the risk?” The security of that client’s information isn’t always in your hands, and that’s a risk that can cause you a lot of problems.

Why take the risk of breaching their privacy when there are solutions out there with all the layers of security and privacy built in? The choice is yours.

We understand that it is difficult to make a decision to outsource. There are many reasons that firms may choose to outsource, but there are usually more reasons not to.

The key reasons accountancy firms outsource are:

  1. Lack of good local staff to carry out work.
  2. Reducing overall cost of delivering services.
  3. Expanding the range of services available to clients e.g. providing a bookkeeping service that may not be cost-effective using local personnel.
  4. Obtaining access to best practice.
  5. Moving the firm to a systems-based delivery method.

Key considerations when reviewing your outsourcing provider

Professional

Consider the professional background of the key personnel in the outsourcing organisation.

Are they professionally qualified accountants?

Is the outsourcing provider subject to external regulation by a professional organisation?

AdvanceTrack® is an ICAEW Member firm run and owned by UK Chartered Accountants.

Quality

Before outsourcing to an external provider, quality is always a major concern, particularly if a firm has either never tried outsourcing before or had a bad experience before.

As a business run by UK Chartered Accountants, Quality has always been at the core of the offering from AdvanceTrack®. The Quality systems employed within AdvanceTrack® manage a more consistent level of quality. These are then subject to external audit by BSI. AdvanceTrack® upgraded to the latest version of the ISO9001:2015 Quality standard in January 2016, within a few months of its release.

Security

Whilst Quality is clearly a concern, the one area that causes greatest anxiety to any professional firm is how the data is safeguarded in the new era of organised cybercrime.

There are a lot of risks in handling confidential data. Responsibility under the Data Protection Act always remains with the client firm. It is therefore extremely important that any outsourcing provider deploys strong protocols in managing confidential information.

We discuss systems later on, but these are critical for external independent review. Having an internationally recognised International Security Standard provides firms with greater confidence that there are strong protocols in place that reduce the possibility of data loss. The certification provides impartial evidence that AdvanceTrack® is following and exceeding industry best practices as part of a corporate governance program and has implemented a robust management framework regarding information security and quality.

AdvanceTrack® are certified to the latest Information Security Standard ISO27001:2013. They are the only major UK Accountancy Outsourcer holding the two latest International Quality and Security Standards.

Systems

We help analyse the process to migrate work, simplifying the process to keep your senior management input to a minimum. Supported by our UK office with ICAEW Chartered Accountants as part of your client management team, we reduce the costs of delivering a scalable outsourcing solution.

Our processes put qualified accountants at the centre of process migration, allied with robust, secure technology, providing a fully scalable solution to firms of all sizes.

Systems have always been centre stage at AdvanceTrack®, with such systems delivering job tracking as far back as 2006. AdvanceTrack® have constantly enhanced systems throughout. In 2017, AdvanceTrack® introduced enhanced systems fit for 2017 and beyond by rebuilding their platform.

These enhanced systems deliver seamless management of cloud bookkeeping and the full range of accounting and tax compliance services managed from any internet enabled device.

If you want to work with a forward thinking professional outsourcer who leads change, choose AdvanceTrack®.