Today, we have a different story about technical support for accountants and losing data and then we address three questions CPA firms should consider to avoid compromising client identities.
A quick story…imagine walking into your office on a Saturday morning during tax season to find a staff member waiting for you with sweaty palms and a look of terror on her face. She takes a while to get the words out, but you soon discover that she backed up some client files to an unencrypted flash drive and dropped it in her purse before going to “happy hour” the night before.
Upon returning to her table from the restroom, she notices her purse is gone. She had been preparing payroll tax returns for several clients with multistate locations, and the flash drive that she dropped inside contained payroll data such as names, Social Security numbers, addresses, salaries, and salary history.
At this point, you’re probably starting to sweat from the stress and you undoubtedly have tons of questions.
- What other data was on this flash drive?
- Which records were exposed?
- What information should be shared with your staff?
- How should they respond to related inquiries?
- How and when should the firm break the news to affected clients?
- Is the clock ticking on state law requirements to notify affected businesses and individuals?
- Does state law require you to offer credit monitoring services to affected individuals?
Accounting and CPA firms, like other regulated industries, have made great strides in embracing technology. Electronic document management systems, client portals, and cloud computing have made doing business easier. At the same time, there has been a great deal of recent discussion about the importance of data and information security.
For CPA firms in particular, the reason is that tax professionals are prime targets for identity thieves who want to steal client data, and it is happening at an alarming rate.
Cybercriminals don’t give up. They are crafty in using advanced techniques to gain access to your systems, steal sensitive data, even file fraudulent tax returns, and create financial havoc for you and your clients. Securing this data is a necessity for every business, including regulated ones.
The Federal Trade Commission requires accounting and CPA firms to have a data security plan (tax preparers fall under the FTC Safeguards Rule). The plan should be designed to protect the sensitive data entrusted to you. A security plan does not guarantee that your business will not be targeted, but it will help you identify which parts of your business are vulnerable and how to improve security in those areas.
So here are three questions CPA firms should consider to avoid compromising client identities:
How are you blocking phishing attempts? Phishing is an attempt by hackers to obtain confidential information from internet users, typically through a web page or an email that masquerades as a trusted source. Believing the request to be legitimate, people can be tricked into freely divulging their details. Training your staff to be alert to phishing attempts can significantly reduce the risks from your staff clicking on the wrong emails.
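As an added example (not code from the original post), here is a small heuristic check a firm's mail gateway or help desk could run on an inbound message to catch the "masquerades as a trusted source" pattern described above. The trusted-domain list, the sample messages, and every function name are constructed assumptions for illustration; it flags a display name that claims a trusted organization while the address lives elsewhere, a lookalike sender domain, a Reply-To that points somewhere other than the From domain, and an upstream SPF/DMARC failure.

```python
"""Flag likely phishing senders from e-mail headers.

Added example, not part of the original post. The trusted-domain list,
the sample messages, and all function names are assumptions made for
illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed: domains the firm legitimately receives mail from.
TRUSTED_DOMAINS = {"example-cpa.com", "irs.gov", "bank-example.com"}

# Character swaps commonly used in lookalike domains (digit for letter).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def sender_domain(addr: str) -> str:
    """Return the lowercase domain part of an address, or '' if malformed."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalized = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        if normalized == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable reasons the message looks suspicious (empty if none)."""
    msg = message_from_string(raw_message)
    reasons = []
    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = sender_domain(from_hdr)

    # 1. Display name names a trusted organization but the address is elsewhere.
    for trusted in TRUSTED_DOMAINS:
        org = trusted.split(".")[0].replace("-", " ")
        if org in display_name.lower() and from_dom != trusted:
            reasons.append(f"display name mentions {org!r} but address domain is {from_dom!r}")

    # 2. Address domain is a lookalike of a trusted one.
    imitated = lookalike_of(from_dom)
    if imitated:
        reasons.append(f"sender domain {from_dom!r} resembles {imitated!r}")

    # 3. Reply-To points somewhere other than the From domain.
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # 4. A gateway's Authentication-Results header recorded an SPF or DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        reasons.append("upstream authentication (SPF/DMARC) failed")
    return reasons


# Constructed sample messages (not real mail).
SUSPICIOUS_MSG = """From: "IRS e-Services" <notice@1rs.gov>
Reply-To: refunds@mailbox-example.net
Subject: Action required: client payroll refund
Authentication-Results: mx.example-cpa.com; spf=fail; dmarc=fail

Please open the attached return and confirm the SSNs listed.
"""

LEGITIMATE_MSG = """From: "Payroll Desk" <payroll@example-cpa.com>
Subject: Q3 multistate filings

Reminder: the Q3 payroll returns are due Friday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_MSG), ("legitimate", LEGITIMATE_MSG)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

These checks are heuristics, not a replacement for a mail gateway that enforces SPF, DKIM and DMARC; their value is in giving staff a concrete, explainable reason ("the address domain is not irs.gov") rather than a vague instruction to be careful.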
Do you have adequate protection against malware? Malware (malicious software such as viruses, worms, and spyware) is typically delivered through an email attachment or link, installs itself on the machine, and then extracts sensitive data. Having a quality anti-malware solution that is properly installed and actively monitored across your environment is critical to defending against these attacks.
How would you recover from a ransomware attack? Ransomware is malware that encrypts files or locks a computer so its owner can no longer access their data, then leaves instructions for regaining access, usually in exchange for a payment. Defending against ransomware requires a security program, and recovering from it requires a backup and disaster recovery plan, including backups that are tested and kept isolated so the ransomware cannot encrypt them too. Both are important considerations for accounting and CPA firms.
Creating and maintaining a technology and security plan should top the list of things to do to fight technology and cyber-crime issues.