According to the IRS, 52% of small- to mid-sized businesses (SMBs) experienced a ransomware attack in 2017, up 2% from the previous year. As accountants and tax professionals, you handle a tremendous amount of sensitive personal data, so cybersecurity is more critical to your practice than to almost any other industry.
How to Protect Your Data
Protecting your data requires many components. This article and the subsequent articles are intended to provide you with direction as you develop effective cybersecurity protocols and procedures to protect your clients and your business.
High-risk data, the information an attacker is most likely to target, includes names and contact details, personally identifiable information (SSNs, ID numbers, mother's maiden name, credit history), demographic information (age, gender, marital status, nationality), financial and employment data, and passwords.
The IRS defines three steps in developing your security plan to protect this important information: Minimize the risks of attack, Monitor continuously for dangers, and Manage the damage if an attack occurs.
Minimize the Risks
The IRS and the Security Summit partners have outlined six crucial cyber-safety steps for tax preparers, called the Security Six. These steps are:
- Antivirus software that scans automatically and keeps its own signatures and engine up to date without manual intervention.
- Firewalls, both hardware and software versions. Many vendors integrate firewalls into routers, which protect multiple computers at the same time. Software firewalls are often built into operating systems and can also be purchased separately.
- Two-factor authentication: in addition to the existing password, the user must supply a second, newly generated factor, such as a code from an authenticator app, a hardware security key, or a code texted to your phone. This dramatically reduces the chance that a thief who has stolen or guessed a password can get into your company accounts. Prefer an app or hardware key where the service offers one; a text-message code is better than nothing but is the weakest option, because phone numbers can be taken over (SIM swapping).
- Backup software or services that keep copies of important client data, on paper or digitally. Back up frequently and automate the process if possible. Keep at least one copy offline or otherwise disconnected from your network, and periodically restore from it: ransomware that can reach a connected backup drive encrypts the backup along with the originals, and a backup you have never restored from is unproven.
- Drive encryption: drive (or disk) encryption renders stored data unreadable to anyone without the key, which protects client files if a laptop or external drive is lost or stolen. It does not protect data on a machine that is powered on and already compromised, so it complements the other steps rather than replacing them.
- Data security plan: the FTC Safeguards Rule requires all tax preparers to have a written data security plan.
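As an added example (this is not code from the IRS or Security Summit material, and the client folder it uses is constructed on the fly), the following Python script shows what the backup step above should do beyond copying files: record a SHA-256 manifest of the known-good data, restore-test the archive into a scratch directory, and compare the restored files against that manifest. The second half of the demo simulates ransomware damaging the source before a later scheduled backup run, to show why the manifest must be kept from a known-good state rather than regenerated each time.

```python
"""Added example (not from the IRS/Security Summit material): an automated
backup that records a SHA-256 manifest of the known-good data and then
restore-tests the archive against that manifest."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzipped tar of source and return the manifest taken at that moment."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and report every file that
    is missing or whose contents no longer match the known-good manifest."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to older 3.x releases)
            # refuses absolute paths and '..' members, so a crafted archive
            # cannot write outside the scratch directory; skip it if absent.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = build_manifest(Path(scratch))
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample: back up a small client folder, verify it, then
    simulate ransomware damaging the source before a later backup run."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "clients"  # constructed sample data, not real client files
        (src / "2017").mkdir(parents=True)
        (src / "2017" / "smith-1040.pdf").write_bytes(b"constructed sample return\n")
        (src / "notes.txt").write_text("constructed sample notes\n")
        archive = work / "clients-backup.tar.gz"

        known_good = create_backup(src, archive)
        clean = verify_backup(archive, known_good)

        # Ransomware encrypts one file and deletes another; the next scheduled
        # backup faithfully captures the damage and overwrites the good archive.
        (src / "2017" / "smith-1040.pdf").write_bytes(b"ENCRYPTED\n")
        (src / "notes.txt").unlink()
        create_backup(src, archive)
        damaged = verify_backup(archive, known_good)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh backup problems:", clean)
    print("after ransomware:", damaged)
```

Run it as a script: the first check reports no problems, the second reports one corrupted and one missing file. In practice, store the manifest of a verified backup alongside the offline copy, not only next to the live archive, and schedule the restore test as part of the backup job rather than leaving it for the day you need it.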
Besides these six steps, you also need protocols that rule out the behaviors and habits that give outsiders access to private information. Train employees in safe practices such as:
- Requiring strong passwords (or passcodes) on every device used for sensitive data, including phones
- Not storing sensitive data on USB drives; if you must, encrypt the drives, keep them locked up, and limit who can access them
- Not clicking on pop-ups or on links inside pop-ups
- Not opening email from suspicious sources or clicking links in email from unconfirmed senders
- Not opening attachments unless you are confident of the sender. Remember that email accounts get hijacked, so ask whether the person really sent the message, and confirm by phone when in doubt
- Not sending personal data via ordinary email. Standard email is not end-to-end encrypted; a message sent through a consumer service such as Gmail sits in readable form on the provider's servers and can be forwarded, archived or exposed outside your control. Use an encrypted client portal or encrypt the attachment instead
These are just a few of the important steps you should take to protect your clients’ data. In our next article, we will discuss steps to monitor your cybersecurity on an ongoing basis.