Is Your Data Secure? A Cybersecurity Checklist for Accounting Firms

By Zachary Rimlinger on June 20, 2018 

As data moves from client to firm and vice versa, it needs to be protected in transit and on the devices being used to access it, whether it’s your employee’s laptop or smartphone. In addition, your firm’s employees may need to receive and access that data digitally. While sharing documents via the cloud can make it easier and faster for everyone involved, it does add an additional layer of risk in exposing client data.  Also, a frequently forgotten channel of communication that needs to be protected is mail. As a conduit for important documents, it also requires a unique set of security practices.

Protecting client data is an ongoing challenge especially due to the varied ways your clients wish to provide documentation and access to their data. Considering all of this, here’s a checklist to get you started on ensuring client data is safe and secure, no matter how it’s being shared or accessed.

  1. Conduct an annual cybersecurity audit and assessment.  Preferably, this should be done by an outside firm and done annually. Expect the firm to review things such as password policy, privacy policy, agreements with vendors and contractors, data backup, and disaster recovery plans and network security. 
  2. Review every phase of your business processes, whether it’s client onboarding or a standard service such as filing taxes on behalf of your clients.  Review which employees are involved in the various stages and ensure that you have security guidelines in place at every step. You’ll want to ask:
    • Has each employee been required to review and agree to your company’s policies for accessing and sharing company data?
    • If employees are aware of your BYOD (Bring Your Own Device) policy? (And if your BYOD policy is comprehensive.)
    • Does your IT require that passwords are changed regularly? 
  3. Review the security policies of any cloud-based apps or premise-based solutions your firm is using to ensure that:
    • Vendors and providers are PCI compliant
    • Each cloud-based provider you are using ensures business continuity whether there is an outage or disaster
  4. Protect data on premise. A network firewall should be installed, updated and tested annually. Firewalls prevent unauthorized users from accessing your network by filtering incoming and outgoing traffic and data based on a set of rules. They also provide an additional layer of security that can make it more challenging for hackers to make a malicious attack on your network.
  5. Mail can be at risk of a physical breach of your mailbox or run the risk of getting misplaced or damaged in your office. Once you’ve set up cloud security, consider moving your mail and important documents into the cloud as quickly as possible. When choosing document management providers, be sure to dig into their security policies. 

A final tip: if you’re still unsure of where to start, or want additional information, search for a reputable cybersecurity auditing firm in your local area. Ask for a list of customer references you can call to find out what their experience was with that firm or look for customer reviews or ratings on their Facebook page. This allows you to get more familiar with the different approaches that you can take to protect your business and client data. Three things to ask for are quotes and approaches around: cybersecurity audit, updated plan, and annual support. 

GDPR and Earth Class Mail

By Vladimir Laypa

Here in the US, the subject of data protection and privacy remains a highly debated topic, most recently as a result of the Facebook and Cambridge Analytica scandal as well as enterprise-level data breaches, such as the Equifax breach, that have impacted many of us.

In Europe, data protection and privacy have been at the forefront of discussions amongst tech leaders and politicians for some time now. In April 2016, the EU passed regulation on how companies can collect data from EU residents known as General Data Protection Regulation (GDPR).

What is the GDPR?

The GDPR is a standard covering data protection and privacy that covers all citizens living in the European Union. The regulation applies to any company marketing to EU citizens, no matter the company’s location or the laws in the US.

A prime example of how the GDPR affects us relates to our web browsing and the use of cookies, which are used to track your web activity across other websites in order to serve you relevant digital advertisements. In order for companies to be compliant with the GDPR, they have to abandon the practice of using cookies or give people the option to opt out.

Companies with an online presence also will need to be transparent about what they do with data such as, your IP address, contact information, banking or medical information or even personal or professional photos.

As a consequence of the number of data breaches that have occurred and have not been reported, if companies do experience a breach after May 25th, they are required to report it within 72 hours to the affected parties or be penalized a portion of its global revenue.

Due to the impact of the GDPR and our desire to handle your private data with the utmost transparency and respect, we’d like to go over how we’re handling it here at Earth Class Mail. The deadline to comply with GDPR is May 25th, and we are on track to be 100% compliant by that deadline.

What does this mean for Earth Class Mail Customers? 

We’re committed to improving our customers’ experience by making it easier for you to understand where your personal data is used and how. On May 25th, you can view our updated Privacy Policy outlines our data collection practices in greater detail. There, you’ll be able to understand how Earth Class Mail’s data policies apply to our website visitors and customers.

In compliance with GDPR, we provide you with the right to request that we “forget” or delete your data within 30 days. You can make this request by contacting our customer support at [email protected].  

For new customers, we’ll be making the onboarding process smoother and easier by allowing you to effectively sign and agree to our Privacy Policy before you begin using our service. Should you change your mind once you sign up, we’ll make it simple and easy for you to reverse your decision and will release your data accordingly. We prioritize security and data transparency for our customers and strive to make it easy for you always know how we are handling your data. For any questions, please reach out to our support team at [email protected].

5 Ways To Secure Your Small Business From Hackers & Identity Thieves

Guest post by Jennie Lyon, Founder @ jennielyon.com

Russian hackers, Anonymous, internet trolls with a grudge, independent criminals looking for a quick payday – the world is full of not-so-benign threats to your business.

When you get hacked, it hurts. Maybe not $5 Billion hurts, but it hurts nonetheless. It’s a distraction, it’s usually not free to fix, and it keeps you from focusing on your business.

There are a few free or cost-effective ways to mitigate your business’ exposure.

Preventing Fraud & Identity Theft

Not every scam is as obvious as receiving an email from a mysterious “Nigerian Prince”. More and more sophisticated phishing strategies and identity theft scams are being used every day.

Just ask the dozens of call center employees recently arrested for defrauding more than 1,500 people in an IRS scam. 

Be careful about following links from your email. Just check the URL to see if it matches the official website for any given company, it’s a simple step that could save you.

Never give your credit card information to anyone who phones you, and always phone the official bank or company telephone number yourself.

NEVER give your password to anyone, ever!

Password Management

Using weak or default passwords is one of the single biggest security holes in business today.

Trivia: In the 1995 cult-classic Hackers, what is claimed to be the most common administrator password? (answer at the end of the post)

Unfortunately, people choose passwords they can remember. These tend to be shorter, made up of dictionary words, and use only the letters of the alphabet.

They also re-use the same couple of passwords for every account they have, with services that have varying levels of security – and risk of being hacked.

Ideally, you should be using a password manager to generate a unique password for every website you use.

The longer the password, the harder it is to crack using brute force programs. Even harder when you include special characters and numbers in randomized order, avoiding patterns at all costs.

Services like LastPass and Dashlane will keep all your passwords in one place, secured by a master key that only you know.

Password managers add value by generating unique passwords for each service you store credentials for. Many also enable you to share your account access with team members, without revealing the password.

Encryption

Encryption dates back to ancient civilization. Put simply, encryption is the practice of obscuring information behind a method and/or key that will help the recipient make sense of it.

In modern terminology, you can basically think of encryption as a method of protecting electronic communications and data using complex algorithms.

Encryption is built into a lot of the processes and devices we use every day. Everytime you send an iMessage from your iPhone, it’s encrypted and completely indecipherable to hackers, unless they have your pin, password, or thumbprint.

Emails are encrypted when we send them, assuming you’re using a secure email service. You can encrypt and password protect documents such as PDFs or files in a ZIP archive too.

Encryption is a broad and immersive topic, and you should definitely read up on it some more.

The main lesson here is, do your best to use services that encrypt your information. Most of the time it’s just a simple decision to use iMessage instead of an alternate platform, sometimes you might have to pay for it.

A short list of encrypted communication services:

  • Signal (Free)
  • iMessage (Free, iPhone only)
  • WhatsApp (Free)
  • ProtonMail (Freemium)
  • SendInc (Freemium)

Document Destruction

If a document has personal or business contact information, contains signatures, proprietary information, or other sensitive material, you can’t just throw it in the recycling bin.

Unfortunately unscrupulous employees, trash pickers, and identity thieves often go through improperly disposed of documents for anything they can exploit.

This is another reason why digitizing documents is so useful, digital copies can be password protected and encrypted, while the originals can be destroyed.

This cuts down on the number of important documents which need to be stored in hardcopy, and limits exposure to unauthorized copying or outright theft.

It’s important to oversee destruction of documents yourself, or have it taken care of by a trustworthy company. HIPAA compliance is a strong signal that the service you’re using is up to the highest standards.

Multi-way shredding prevents simple piecing together of destroyed documents, and appropriate disposal or destruction measures should always be taken.

The Old-Fashioned Approach

For those documents which you need to keep hard copies of, there are always secure office storage and secure off-site storage. A good locking file cabinet would do the trick with contracts and other slightly less sensitive material that you might have in large quantities.

However, those are obviously not thief-proof. If there’s something really valuable inside it’s not hard to get past these limited security measures.

A modern, high security safe is a good step up in protecting your most important documents, like: personal identification, fundamental business records, intellectual property, and the like. Make sure whichever safe you invest in is fireproof and waterproof if possible, and installed correctly.

Whenever you’re looking at partnering with any kind of business services, it’s within your rights to investigate their security measures.

Many business-class services will have a page dedicated to their focus on security. Don’t be afraid to inquire for more information.

If you’re shopping for enterprise solutions, then a security questionnaire is par for the course. Your due diligence can end up saving you a lot of trouble in the end.

Trivia Answer: There were actually four – “God”, “Love”, “Sex”, and “Secret”.