While it’s understood that your catalog of priorities is already extensive, security is one that must take a top position on your list this year…and for good reason. The world is full of nefarious characters—those who make up international organized crime businesses and work around the clock to gain access to your clients’ data. The long-time “your-making-something-out-of-nothing” mindset within the profession has got to change. The time has come to extinguish common perceptions such as: “No one would be interested in my clients’ data” and “This won’t happen to my firm.” The fact is that data theft is happening on a daily basis to small accounting firms across the United States. Hackers are specifically targeting small accounting firms via social media channels such as Facebook, LinkedIn, and Twitter, and that means no one is exempt from a data breach.
Hackers continue to get smarter, using social media to get to know your clients very well. They are also privy to your staff’s information, reviewing profiles on LinkedIn. With this information in hand, the bad guys deploy social phishing schemes that prompt your employees to click fraudulent emails—granting them access to your internal data. In fact, according to phisme.com, more than 90% of data breaches begin with a simple email. Combine the threat of phishing schemes with other weaknesses such as insufficient passwords and password policies, the absence of two-factor authentication, and wide-open networks, and you can see how quickly your firm becomes a sitting data-breach duck.
A proper security strategy begins with your IT professional, and this means moving beyond simply having an “IT guy” as a form of defense against hackers. Traditionally, an IT professional sets up and maintains your network or fixes something when it breaks. So, when firm owners answer the what’s-your-security-strategy question with “I have an IT guy,” that’s the same mentality as a client who says, “I have a tax person for my return, so nothing negative can happen to me from a tax perspective.” As you are well aware, this mindset is not realistic. Firms are not engaged with tax-only clients year-round…just like a basic IT person is not thinking of you (and the security of your data) throughout the year.
While high-profile data breaches are all we read about, just know that there are countless breaches happening daily that don’t make the news—attacks on small businesses just like yours. This is why firms need to move beyond just an occasional IT person and employ an Information Security professional. This is someone who is dedicated to planning and maintaining your network year-round, ensuring data security and consistently educating you and your staff on safety measures. So, as we start 2018, security should be a main concern…even before tax reform, staffing and new technology implementation. There is nothing more important than protecting your clients’ data and ultimately your own livelihood.
Identifying an Information Security Professional
So, how do you know whether your IT professional is also adept at information security? To help, below are 10 key questions (with sub-questions within) to ask your current IT person. Based on their answers, you should have enough information to move forward.
1. In terms of security, what are our weakest areas and what can be done to remedy? (If the answer to this question is that you don’t have any weaknesses, it’s time to find a new IT professional.)
2. Are we conducting internal phishing exercises? And if so, what have we learned? If not, is this a service you provide?
3. How do devices that touch our network (tablets, smartphones, laptops, desktops, etc.) receive security patches? Who has that responsibility, and is it getting done?
4. Are we positioned to immediately apply critical patches to all devices owned by our firm as well as devices owned by staff that connect to our network? Have we identified systems that can’t be patched immediately, and do we have alternate safeguards in place for them?
5. What information security training do you have available for our staff?
6. On which internal firm systems are critical data stored or processed? Are the safeguards on these systems, including physical access, commensurate with the type of data they store or process?
7. Do we regularly review and act on network traffic log scanning for all of our servers and web applications?
8. Do we regularly review and update our local incident response plan? Do we train our staff on this plan?
9. Do we have complete business continuity and disaster recovery plans in place, and do we test them? How soon would we recover from a complete ransomware lockout of our data?
10. How might we take advantage of solutions in the marketplace to reduce our overall risk?
And there you have it; a framework to start your mandatory discussion with your current IT professional. With the multitude of data breaches occurring daily, this is a conversation you don’t want to put off until post-tax season. Rest assured that all those nefarious characters aren’t postponing their efforts to access your clients’ data and file fraudulent returns this tax season.
Please, don’t procrastinate. Get started today working with an Information Security professional to mitigate security risks in the New Year.
At Right Networks, we believe that the right cloud service provider can act as a critical ally in helping accounting professionals and small businesses secure their own, and their customers’ data. Your QuickBooks Desktop security is an important piece. Cloud-enabling your QuickBooks Desktop is a great potential alternative for those organizations that don’t have the capacity or resources to staff a security expert. Instead of seeking a managed service provider to secure your network, maintain your software infrastructure, manage hardware tools, and plan for data intrusion and corruption contingencies, cloud providers can provide a high level of protection that many organizations can’t achieve on their own. Read a bit more about how Right Networks does that, here.
Think your client, colleague or customer would find this valuable? Share it now…