The IRS is warning about new cyber security risks and fraud scams on a weekly basis. There is no doubt that accountants are at high risk for data theft given the amount of personal data available in our databases.
Data security for an accounting firm must go way beyond just having good antivirus software in place. The level of personal information carried in tax software alone, from social security numbers to bank account information, puts tax preparers in the category of carrying HIPAA-protected information and thus subject to HIPAA-level security.
Below are three key things your firm should do right now to protect yourself and your clients:
1. 24/7 Monitoring
This may sound expensive, but plans can start as low as a couple hundred dollars a month. You should be working with an IT provider that provides 24/7 monitoring of the system you have so that concerns are noticed and addressed quickly. This goes beyond just your firewall and antivirus software.
The concern could be as simple as equipment that's not updating. Many of us do not specialize in tech, so we may not realize that even a computer not regularly installing Windows updates could be at a higher risk for security breaches.
You want to be working with someone who can tell you there is a sign of trouble and help you fix it before you even know what is wrong. Minimizing the risk is critical.
2. Develop a cyber-security plan
Your team should be signing off on cyber-security protocols as part of their onboarding process. Everyone should know that devices such as work laptops and cell phones that receive email communications or have work-related apps on them are required to have a password.
Set expectations of how often passwords should be changed, how secure they should be, etc. Also, make sure your team knows what to do if there's an issue. If they accidentally click on something in an email they weren't supposed to, quick triage is critical. Make sure they know how to self-report security breaches to the IT team as quickly as possible.
Training your team to understand what the internal controls are will help to minimize risk, and a written policy might even help to reduce your insurance costs.
3. Get a cybersecurity insurance policy
Small businesses generally cannot afford large lawsuits and still survive. Your general liability or professional liability policies may not cover cybersecurity breaches. It is critical to know what you’re insured against and where the gaps may be.
Also, check with your insurance broker to understand what you are required to have for internal policies and protocols in order to be compliant with the policy.
More damaging than anything else in a cybersecurity incident is the harm to your firm's reputation. Clients place an extremely high level of trust in accountants with their personal information, and that trust is critical for them to feel secure working with you. Cybersecurity should always be front and center for you and your team.