Tools of the Trade: 6 Ways CPAs Can Protect Client Data

Accounting firms manage and maintain large amounts of confidential financial data for multiple clients, often in a single location. Hackers and cyberthieves are very much aware of this, which makes accounting firms prime targets for cyberattackers. Accordingly, accountants and CPA firms need to enhance their cybersecurity infrastructure to better protect their clients’ data. They can accomplish this in at least six ways.

1. Encrypt data on all fixed and mobile devices. Encryption policies should cover all email communications into and out of the CPA firm as well as all mobile devices that a CPA’s personnel use to communicate with the firm’s network servers. Limit use of personal mobile devices and laptop computers that do not have the same level of protection as the firm’s own hardware and devices. Use full disk encryption (FDE) on laptops to eliminate the risks of data that is not properly encrypted.

2. Prohibit public Wi-Fi Even with all other protections in place, public Wi-Fi hotspots can be an open door for hackers to surreptitiously enter an accounting firm’s information systems network. If an accountant needs to connect to a firm’s network while in the field, the better option is to use a 4G connection with a wireless service provider. If there is no option but to use a public Wi-Fi hotspot, connecting through a virtual private network (VPN) will at least confirm that communications are encrypted.

3. Implement strong information technology controls. Installing a commercially-available firewall is not sufficient. A firewall only establishes perimeter security around a CPA firm’s network. The firm should also implement endpoint security for all devices on the network, network monitoring systems to analyze traffic and to flag unusual network traffic patterns, dual-factor authentication and administrative controls to limit access to a network only to those personnel who have proper authority, password policies that require strong passwords that are changed regularly, and incident response plans and procedures to manage responses to cyberattacks in as orderly a manner as is possible. Software systems should be updated regularly with patches and bug-fixes that close down vulnerabilities as vendors become aware of them. To the extent possible, a CPA firm’s information technology controls should also be an integral part of its business plan and structure and not just an afterthought to that structure.

4. Conduct regular penetration tests for vulnerabilities. CPA firms can contract with white hat hackers who specialize in trying to break into an organization’s network using the same tools that cyberattackers would use. Regular testing can alert the firm to newly-discovered holes in operating systems and other bugs that provide a path for malicious hackers to breach the CPA firm’s systems.

5. Adopt a robust data backup and recovery No amount of cybersecurity will help a CPA firm if its client data is deleted or access to that data has been frozen by ransomware. At a minimum, CPA firms should have a data backup and recovery that stores data on standalone devices that are not connected to the network, or in an encrypted cloud-based environment. The system should be set to record backups automatically and regularly.

6. Procure a cyberinsurance policy from a trusted CPA insurance company. Clients are more likely to direct their accounting business to CPA firms that carry cyberinsurance, as that insurance provides assurances to the client that losses and liabilities will be covered in the event of a successful cyberattack on the CPA firm’s systems. Also in the case of a successful cyberattack, the CPA insurance company can also devote more resources to stopping the attack and recovering any lost data if it knows that a ready source of funds is available to compensate for those losses and liabilities.