Gosh. Seems a month doesn’t go by without a new story about hackers breaching some computer system.
These stories, paradoxically, can numb people, including small CPA firms, to cybersecurity risks. That’s unfortunate for a couple of reasons. First, the risks continue to grow. Second, and more actionable, you can take concrete steps to dial down your firm’s cybersecurity risks.
Consider, for example, the following actions:
Use a Secure Portal
Use a standard, secure portal for moving digital data into and out of your firm’s network. This one step alone should massively dial down the danger.
A standard secure portal (our firm uses Citrix ShareFile) largely eliminates the need for insecure data transfer methods, such as emailing unencrypted attachments, that would otherwise carry client data.
Just so there’s no misunderstanding: with a secure portal, clients use an Internet connection and a standard “drag, drop and click” interface to upload and download digital items like PDFs of tax documents, backup copies of QuickBooks data files, and accounting work papers (Microsoft Excel workbooks, for example).
A side note: Our firm works with clients all over the world. And we’re pretty confident we’ve had at least one hacked international client. He regularly works out of Africa and appears to have suffered a sophisticated attack and scheme which targeted his foreign bank accounts and, get this, employed Americans impersonating Secret Service agents. The relevant part of all this is that it now seems likely the attempt was at least in part enabled by the client’s decision to not use our portal and then his penchant for sending us “encrypted” pdf attachments.
Standardize Safety Practices
Another key cybersecurity component: make sure employees get trained in how to use the technologies you’re employing, and make sure the firm’s day-to-day operating practices are actually safe ones.
Simple tactics, such as a good training program for the technology you’ll use, make a big difference and minimize learning-curve mistakes.
Further, formal written procedures should dial down human error and risky behavior. You might, for example, adopt policies such as, “Our firm doesn’t email attachments …” and “We don’t use other data transfer methods …”
By the way, clients predictably want us to use whatever approach they’re already accustomed to and comfortable with: file-sharing utilities like Dropbox, Internet tools like FTP (which sends both credentials and file contents in cleartext), or ad hoc approaches like virtual private networks. But as both a practical matter and a security issue, we find we don’t really have the ability to learn, professionally assess, and then safely use every data transfer method a client, somewhere, wants to use.
And that nicely connects to another topic.
Train Your Clients Well
We’ve found training clients is perhaps the biggest challenge, but also a powerful way to dial down the danger.
Clients need to “learn” how to use the tools (like a secure portal) and then also buy in to the procedures required to keep their data safe.
Accordingly, you do want to incent, coax, cajole and just generally push clients to think about data safety. (In our office, we’re very active and spirited in our pushing of this point of view. I mean, we’re polite. But we’re firm.)
Further, you want to make sure the technologies you use are really easy, so that a steep learning curve doesn’t turn people off.
We’ve tried a handful of portal solutions, for example, including one I won’t name but which was a vertical-market solution supplied with a platinum brand of professional tax software.
While probably all of the products we tried were very good technically, we found our first attempts didn’t work very well for clients. Here’s why: The products were often too complicated. And that’s ironic—really. Most of our clients are digital economy firms with very tech-savvy owners and managers.
Most of our clients, by the way, use our current portal’s simplest option, preferring to work with clickable links supplied via email messages to upload and download files.
Cybersecurity Enhances Onsite Data Security
One other data security issue merits mention. We think good cybersecurity enhances onsite data security too.
The connection here is pretty simple: Using a portal pushes a firm down the path of going paperless. (Once you’re getting lots of stuff in a digital form, for example, you’ll find it’s easy to keep it in a digital format as you move through the workflow.)
This business of going paperless has its own economic benefits. But in addition to those economic benefits, you may also enjoy security benefits. Compare the following two scenarios…
One small professional services firm accepts, passes around, and then stores paper personal and business financial documents, including tax returns. In this scenario, the data can’t be electronically hacked, of course. But all those paper documents are vulnerable to physical theft, and also to natural and manmade disasters: fires, floods, and so on.