Accounting firms routinely collect sensitive information from both clients and employees. This data often includes personally identifiable information (PII) such as social security numbers, national ID numbers, and addresses, but also financial data such as bank account information and credit card numbers. These categories of sensitive data can attract unwanted attention from hackers and malicious insiders, which is why they are protected under data protection regulations the world over.
For cardholder information, the Payment Card Industry Data Security Standard (PCI DSS) governs its protection worldwide, and companies found to be non-compliant with it face fines of up to $100,000/month and increased transaction fees. When it comes to PII, legislation such as the EU’s General Data Protection Regulation (GDPR) can fine companies up to $23 million or 4% of their annual worldwide turnover, whichever is higher, for failures to comply with its core principles of data protection.
As such, the costs of a data breach can be very steep. According to IBM and the Ponemon Institute's 2021 Cost of a Data Breach report, professional services firms such as accounting firms face an average cost of $4.65 million per data breach, with lost business accounting for 38% of the total cost. Accounting firms in particular, because of the sensitive nature of the data they collect and process, can take a massive reputational hit in the wake of a breach, which can result in a loss of client trust and deter new clients. It is therefore very important for accounting firms to have security measures in place to protect client data.
5 data security tips for accounting firms
Check our top tips about how accounting firms can ensure data security.
1. Physical Security
Start with the basics: access restriction to the physical space where client information is located. Using employee key cards, visitor logs, badges, and security cameras can ensure that no unauthorized individuals can stroll into an accounting office and steal devices or the information stored on them.
With the COVID-19 pandemic having opened up remote working across all industries, accounting firms must also ensure that the devices employees take home with them are physically secured. This means instituting remote work policies that limit third-party access to work devices.
Accounting firms should also mandate full-disk (hardware) encryption for all work devices and enable remote wipe features, so that if a device is lost or stolen, the data on it cannot be retrieved without the encryption key.
2. Basic cybersecurity measures
To prevent cyberattacks, accounting firms should protect their network with a firewall and make sure it is updated with the latest patches. The use of antivirus and antimalware software can help prevent malware attacks and the opening of potentially dangerous files or malicious websites.
Implementing a Zero Trust architecture can also help accounting firms limit the blast radius of a cyberattack so that a single compromised account or device does not expose the entire network. Zero Trust verifies every user, device, and network flow before granting access to a trusted resource, and least-privilege rules limit what each verified identity can reach.
3. Control sensitive data transfers
Companies can use Data Loss Prevention (DLP) solutions to monitor and control the transfer of accounting information. DLP technology uses definitions of sensitive data such as PII and financial information to search for it in hundreds of file types using contextual scanning and content inspection. In this way, accounting firms can identify and monitor the movements of all files containing data defined as sensitive.
They can also apply policies that control the transfer of such files. DLP solutions can block the transfer of sensitive data over the internet, whether by email, popular messaging apps, or file-sharing services. They can prevent sensitive data from being uploaded to cloud storage services or from being copy-pasted into the body of emails. In this way, companies can guard against employee negligence which is one of the biggest root causes of data breaches.
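As an added illustration of the content-inspection and transfer-policy steps described in the two paragraphs above (example code written for this article, not Endpoint Protector's or any vendor's implementation), the following Python script defines two sensitive-data categories, scans a document for them, and applies a simple channel-based policy that blocks an outbound transfer when a match is found. The pattern definitions, channel names, and the sample client document are all constructed assumptions; a real DLP product ships far more definitions and file-type parsers, and the Luhn check is included to show how content inspection reduces false positives on number-like strings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sensitive-data definitions (illustrative, not a vendor's rule set).
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed transfer channels that the firm's policy treats as "leaving the network".
BLOCKED_CHANNELS = {"webmail", "cloud_upload", "messaging", "clipboard_email"}


@dataclass
class Finding:
    category: str       # "ssn" or "card"
    value_masked: str   # only the last four digits are retained for the audit log
    offset: int         # character offset in the inspected text


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out invoice/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the log itself does not become a leak."""
    digits_only = re.sub(r"\D", "", value)
    return "*" * (len(digits_only) - 4) + digits_only[-4:]


def inspect_content(text: str) -> List[Finding]:
    """Content inspection: locate every SSN and Luhn-valid card number in the text."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group()), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", mask(digits), m.start()))
    return findings


def evaluate_transfer(text: str, channel: str) -> Dict[str, object]:
    """Policy decision: block sensitive content on any channel that leaves the network."""
    findings = inspect_content(text)
    decision = "block" if findings and channel in BLOCKED_CHANNELS else "allow"
    return {"decision": decision, "channel": channel, "findings": findings}


# Constructed sample document: one real-looking SSN, one Luhn-valid test card number,
# and an invoice reference that looks like a card number but fails the Luhn check.
SAMPLE_DOCUMENT = """
Client: J. Doe (constructed sample)
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Invoice ref: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for channel in ("cloud_upload", "internal_share"):
        result = evaluate_transfer(SAMPLE_DOCUMENT, channel)
        print(channel, "->", result["decision"])
        for f in result["findings"]:
            print("  ", f.category, f.value_masked, "at offset", f.offset)
```

Run as a script it reports a block decision for the cloud-upload channel and an allow decision for the internal share, listing the masked SSN and card number in both cases; the invoice reference never appears because it fails the Luhn check.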
4. Securing removable devices
Another way in which accounting information can be leaked or lost is through removable devices. Employees can copy accounting data onto USB flash drives or removable hard drives and then take them outside the security of the company network. USB drives, in particular, are easy to lose or steal and have been behind a series of large data breaches in the last decade.
DLP tools can also help with this particular problem. Most offer device control features that allow companies to block the use of peripheral and USB ports as well as Bluetooth connections or limit their use to trusted company-issued devices.
Some solutions, such as Endpoint Protector, go one step further and offer enforced data encryption, which ensures that any files copied onto USB drives are automatically encrypted with government-approved 256-bit AES in CBC mode. Passwords can be reset if they have been compromised, and USB drives can be wiped remotely by resetting the device. Accounting firms can thus ensure that a stolen or lost USB drive cannot be read by third parties.
5. Training employees
Lastly, one of the biggest security threats is phishing attacks that target employees directly. By tricking them into visiting a malicious link or downloading an infected attachment, hackers can steal credentials or deploy malware inside a company network. Ransomware attacks are often executed through phishing.
Zero Trust architecture, Trusted Platform Module (TPM) capabilities, and antimalware solutions can help prevent attacks executed through phishing from doing too much damage, but training employees can have an equally beneficial effect. By educating employees on what to look out for and how they should react in case they are targeted, companies can raise awareness of phishing attacks and teach employees the best security practices to handle them.