Is Your Data Secure? A Cybersecurity Checklist for Accounting Firms

By Zachary Rimlinger on June 20, 2018 

As data moves from client to firm and vice versa, it needs to be protected in transit and on the devices being used to access it, whether it’s your employee’s laptop or smartphone. In addition, your firm’s employees may need to receive and access that data digitally. While sharing documents via the cloud can make it easier and faster for everyone involved, it does add an additional layer of risk in exposing client data.  Also, a frequently forgotten channel of communication that needs to be protected is mail. As a conduit for important documents, it also requires a unique set of security practices.

Protecting client data is an ongoing challenge especially due to the varied ways your clients wish to provide documentation and access to their data. Considering all of this, here’s a checklist to get you started on ensuring client data is safe and secure, no matter how it’s being shared or accessed.

  1. Conduct an annual cybersecurity audit and assessment, preferably by an outside firm. Expect the firm to review things such as password policy, privacy policy, agreements with vendors and contractors, data backup, disaster recovery plans and network security.
  2. Review every phase of your business processes, whether it’s client onboarding or a standard service such as filing taxes on behalf of your clients.  Review which employees are involved in the various stages and ensure that you have security guidelines in place at every step. You’ll want to ask:
    • Has each employee been required to review and agree to your company’s policies for accessing and sharing company data?
    • Are employees aware of your BYOD (Bring Your Own Device) policy, and is that policy comprehensive?
    • Does your IT require that passwords are changed regularly? 
  3. Review the security policies of any cloud-based apps or premise-based solutions your firm is using to ensure that:
    • Vendors and providers are PCI compliant
    • Each cloud-based provider you are using ensures business continuity whether there is an outage or disaster
  4. Protect data on premise. A network firewall should be installed, kept updated and tested annually. Firewalls filter incoming and outgoing traffic against a set of rules, blocking unauthorized users from reaching your network and adding a layer of defense that makes a malicious attack on your network harder to carry out.
  5. Physical mail is exposed to theft from your mailbox and to being misplaced or damaged in your office. Once you’ve set up cloud security, consider moving your mail and important documents into the cloud as quickly as possible. When choosing document management providers, be sure to dig into their security policies.

A final tip: if you’re still unsure of where to start, or want additional information, search for a reputable cybersecurity auditing firm in your local area. Ask for a list of customer references you can call to find out what their experience was with that firm or look for customer reviews or ratings on their Facebook page. This allows you to get more familiar with the different approaches that you can take to protect your business and client data. Three things to ask for are quotes and approaches around: cybersecurity audit, updated plan, and annual support. 

GDPR and Earth Class Mail

By Vladimir Laypa

Here in the US, the subject of data protection and privacy remains a highly debated topic, most recently as a result of the Facebook and Cambridge Analytica scandal as well as enterprise-level data breaches, such as the Equifax breach, that have impacted many of us.

In Europe, data protection and privacy have been at the forefront of discussions amongst tech leaders and politicians for some time now. In April 2016, the EU passed regulation on how companies can collect data from EU residents known as General Data Protection Regulation (GDPR).

What is the GDPR?

The GDPR is a data protection and privacy regulation that covers all citizens living in the European Union. The regulation applies to any company marketing to EU citizens, no matter the company’s location or the laws in the US.

A prime example of how the GDPR affects us relates to our web browsing and the use of cookies, which are used to track your web activity across other websites in order to serve you relevant digital advertisements. In order for companies to be compliant with the GDPR, they have to abandon the practice of using cookies or give people the option to opt out.

Companies with an online presence also will need to be transparent about what they do with data such as, your IP address, contact information, banking or medical information or even personal or professional photos.

As a consequence of the number of data breaches that have occurred and have not been reported, if companies experience a breach after May 25th, they are required to report it within 72 hours to the affected parties or be penalized a portion of their global revenue.

Due to the impact of the GDPR and our desire to handle your private data with the utmost transparency and respect, we’d like to go over how we’re handling it here at Earth Class Mail. The deadline to comply with GDPR is May 25th, and we are on track to be 100% compliant by that deadline.

What does this mean for Earth Class Mail Customers? 

We’re committed to improving our customers’ experience by making it easier for you to understand where your personal data is used and how. On May 25th, you can view our updated Privacy Policy, which outlines our data collection practices in greater detail. There, you’ll be able to understand how Earth Class Mail’s data policies apply to our website visitors and customers.

In compliance with GDPR, we provide you with the right to request that we “forget” or delete your data within 30 days. You can make this request by contacting our customer support at [email protected].  

For new customers, we’ll be making the onboarding process smoother and easier by allowing you to effectively sign and agree to our Privacy Policy before you begin using our service. Should you change your mind once you sign up, we’ll make it simple and easy for you to reverse your decision and will release your data accordingly. We prioritize security and data transparency for our customers and strive to make it easy for you to always know how we are handling your data. For any questions, please reach out to our support team at [email protected].

5 Ways To Secure Your Small Business From Hackers & Identity Thieves

Guest post by Jennie Lyon, Founder @ jennielyon.com

Russian hackers, Anonymous, internet trolls with a grudge, independent criminals looking for a quick payday – the world is full of not-so-benign threats to your business.

When you get hacked, it hurts. Maybe not $5 Billion hurts, but it hurts nonetheless. It’s a distraction, it’s usually not free to fix, and it keeps you from focusing on your business.

There are a few free or cost-effective ways to mitigate your business’ exposure.

Preventing Fraud & Identity Theft

Not every scam is as obvious as receiving an email from a mysterious “Nigerian Prince”. More and more sophisticated phishing strategies and identity theft scams are being used every day.

Just ask the dozens of call center employees recently arrested for defrauding more than 1,500 people in an IRS scam. 

Be careful about following links from your email. Check that the URL matches the official website of the company in question; it’s a simple step that could save you.

Never give your credit card information to anyone who phones you, and always phone the official bank or company telephone number yourself.

NEVER give your password to anyone, ever!

Password Management

Using weak or default passwords is one of the biggest security holes in business today.

Trivia: In the 1995 cult-classic Hackers, what is claimed to be the most common administrator password? (answer at the end of the post)

Unfortunately, people choose passwords they can remember. These tend to be shorter, made up of dictionary words, and use only the letters of the alphabet.

They also re-use the same couple of passwords for every account they have, with services that have varying levels of security – and risk of being hacked.

Ideally, you should be using a password manager to generate a unique password for every website you use.

The longer the password, the harder it is to crack using brute force programs. Even harder when you include special characters and numbers in randomized order, avoiding patterns at all costs.

Services like LastPass and Dashlane will keep all your passwords in one place, secured by a master key that only you know.

Password managers add value by generating unique passwords for each service you store credentials for. Many also enable you to share your account access with team members, without revealing the password.

Encryption

Encryption dates back to ancient civilization. Put simply, encryption is the practice of obscuring information behind a method and/or key that will help the recipient make sense of it.

In modern terminology, you can basically think of encryption as a method of protecting electronic communications and data using complex algorithms.

Encryption is built into a lot of the processes and devices we use every day. Every time you send an iMessage from your iPhone, it’s encrypted and completely indecipherable to hackers, unless they have your PIN, password, or thumbprint.

Emails are encrypted when we send them, assuming you’re using a secure email service. You can encrypt and password protect documents such as PDFs or files in a ZIP archive too.

Encryption is a broad and immersive topic, and you should definitely read up on it some more.

The main lesson here is: do your best to use services that encrypt your information. Most of the time it’s simply a matter of choosing iMessage over another platform; sometimes you might have to pay for it.

A short list of encrypted communication services:

  • Signal (Free)
  • iMessage (Free, iPhone only)
  • WhatsApp (Free)
  • ProtonMail (Freemium)
  • SendInc (Freemium)

Document Destruction

If a document has personal or business contact information, contains signatures, proprietary information, or other sensitive material, you can’t just throw it in the recycling bin.

Unfortunately, unscrupulous employees, trash pickers, and identity thieves often go through improperly disposed-of documents for anything they can exploit.

This is another reason why digitizing documents is so useful: digital copies can be password protected and encrypted, while the originals can be destroyed.

This cuts down on the number of important documents which need to be stored in hardcopy, and limits exposure to unauthorized copying or outright theft.

It’s important to oversee destruction of documents yourself, or have it taken care of by a trustworthy company. HIPAA compliance is a strong signal that the service you’re using is up to the highest standards.

Multi-way shredding prevents simple piecing together of destroyed documents, and appropriate disposal or destruction measures should always be taken.

The Old-Fashioned Approach

For those documents which you need to keep hard copies of, there are always secure office storage and secure off-site storage. A good locking file cabinet would do the trick with contracts and other slightly less sensitive material that you might have in large quantities.

However, those are obviously not thief-proof. If there’s something really valuable inside it’s not hard to get past these limited security measures.

A modern, high security safe is a good step up in protecting your most important documents, like: personal identification, fundamental business records, intellectual property, and the like. Make sure whichever safe you invest in is fireproof and waterproof if possible, and installed correctly.

Whenever you’re looking at partnering with any kind of business services, it’s within your rights to investigate their security measures.

Many business-class services will have a page dedicated to their focus on security. Don’t be afraid to inquire for more information.

If you’re shopping for enterprise solutions, then a security questionnaire is par for the course. Your due diligence can end up saving you a lot of trouble in the end.

Trivia Answer: There were actually four – “God”, “Love”, “Sex”, and “Secret”.

Naughty and nice. Our adventure in fraud detection automation.

Here at Earth Class Mail we harbor strong feelings. We love things, and we revile things. Take a gander at a few things we love, and a few things we loathe:

We love:

We loathe:

  • Letting our awesome customers down in any way
  • Making preventable mistakes
  • Spending time on fraudsters and other unsavory characters

Unfortunately our business attracts the occasional bad actor. These undesirables suck our team’s time away from serving our great customers. These undesirables stink and we don’t want them as customers. We’d rather spend time with our great customers vs. dealing with the unsavories and their like.

What to do then? A bit ago we embarked on a journey to weed out these miscreants, so we could spend more time on the customers we love. We wanted to build a system & process that would automatically and reliably:

  • check for potential fraudsters
  • follow up with them to prompt for verification
  • alert our customer support staff, and automate our follow up

To assist in our task, we recruited a few key players to the team. We tapped SiftScience.com for fraud detection, Zapier for workflow automation, Slack for team visibility, and Zendesk automations for automated followup.

WARNING: you may want to caffeinate before proceeding, the weeds get deep on the details.

Ok, so here’s how we did it. First we tackled checking for potential fraudsters and making that visible to the team. To do that, we bolted on an API call to Sift every time someone completes an order. Sift offers a cool fraud prevention service that takes in a bunch of info and gives back a fraud probability score. The score ranges from 0-100, with 0 = no chance of fraud and 100 = certain fraudster. Once Sift returned a fraud score, we wired up a notification into our signups Slack channel. This let our team know when a likely fraudster sauntered through our doors. Here’s an example:

We let that run for a bit until we gained an inkling of what things meant. We followed up manually on every case that seemed suspicious. After a few weeks, we dove into the deep end of the automation pool to see how much time & effort we could save. Enter Zapier and Zendesk.

We wanted to send an automatic note to any potential bad guy. The note should let them know that we harbored suspicions of their sincerity. We also wanted to give them the chance to clear the air if our system screwed up and flagged them by mistake.

Zendesk rocks. We use it for all customer contact. We knew we wanted to craft any solution into it. That’s where Zapier came in.

Using Zapier, we built a Zap (cool name huh?) that created a Zendesk ticket anytime a potential villain signed up. Here’s exactly how we did it:

  • Our ordering app uses Postgres as a data store
  • Zapier lets us sniff whenever a new row appears in our orders table
  • If an order arrives with a high Sift score, we create a ticket in Zendesk with the likely fraudster’s name, email, and other info. Here’s what it looks like:
  • Zendesk emails the likely shady character, telling him/her that our system flagged them as potential fraud, and asks them to verify their identity. Here’s what the potential villain sees:
  • To make sure we follow up we use Zendesk’s Automations. We check back in 48 hours to see if the potential shadester rectified the situation and corrected our false assumptions. If not, we fire off an action to re-open the ticket and add an internal note so our customer service team can close the account and refund any money. Take a peek:
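The flow above (score the order, open a ticket for high scores, re-open after 48 hours if nobody verified), modelled end to end as an added Python example; this is not Earth Class Mail’s code, and the 80-point cut-off, field names and sample orders are assumptions, since the post gives no threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Assumption: the post only says "high sift score"; 80 on Sift's 0-100 scale is a placeholder cut-off.
FRAUD_THRESHOLD = 80
FOLLOWUP_WINDOW = timedelta(hours=48)  # the 48-hour Zendesk automation described in the post

@dataclass
class Order:
    order_id: int
    email: str
    sift_score: int      # 0 = no chance of fraud, 100 = certain fraudster
    created_at: datetime

def flag_order(order, threshold=FRAUD_THRESHOLD):
    """Gate on the Sift score: only orders at or above the threshold get a ticket."""
    return order.sift_score >= threshold

def open_ticket(order):
    """Stand-in for the Zap that creates the Zendesk ticket and sends the verification email."""
    return {"order_id": order.order_id, "email": order.email, "opened_at": order.created_at,
            "notes": [f"Flagged by Sift (score {order.sift_score}); identity verification requested"]}

def followup(ticket, now, verified):
    """The 48-hour automation: close if verified, wait inside the window, else re-open for review."""
    if verified:
        return "close"
    if now - ticket["opened_at"] < FOLLOWUP_WINDOW:
        return "wait"
    ticket["notes"].append("No verification after 48h: close account and refund")
    return "reopen"

def run_pipeline(orders, now, verified_ids):
    """Returns {order_id: action} for a batch of new orders, mirroring the whole flow."""
    actions = {}
    for order in orders:
        if flag_order(order):
            actions[order.order_id] = followup(open_ticket(order), now, order.order_id in verified_ids)
        else:
            actions[order.order_id] = "accept"   # clean order, no ticket at all
    return actions

# Constructed sample data, not real customers or scores.
T0 = datetime(2018, 6, 1, 9, 0)
SAMPLE_ORDERS = [
    Order(1, "pat@example.com", 12, T0),                        # clean
    Order(2, "sam@example.com", 91, T0),                        # flagged, never verified
    Order(3, "lee@example.com", 85, T0 + timedelta(hours=40)),  # flagged, still inside the window
    Order(4, "kim@example.com", 97, T0),                        # flagged, then verified
]
NOW = T0 + timedelta(hours=50)
VERIFIED_IDS = {4}
```

Running `run_pipeline(SAMPLE_ORDERS, NOW, VERIFIED_IDS)` yields accept, reopen, wait and close for orders 1 to 4 respectively.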

We hope this gives us more time to spend with the customers we care about. If we can weed out the troublemakers before they start using our service we’ll get to do more of what we love – making our awesome customers happy.  

Interested in removing the headache of dealing with your physical mail?  Give us a try.