Best Data Security Practices for Your Firm

Blog the Accountant Strikes Back
By Kyla Bobola | 09/29/2022 | 3 min read

Data breaches and cyberattacks have unfortunately become an all too common and increasingly challenging problem for businesses – the recent joint warning from US and UK security officials around foreign security threats furthers this position. High-profile cyberattacks have impacted many well-established companies and governments in the last few years, allowing hackers to acquire sensitive data. 

Statistics show that data compromises in the second quarter of 2022 were 2% higher than in the first quarter, proving that cybercriminals continue to evolve and succeed in their attacks. While this is concerning for any business, it's particularly worrisome for financial services businesses like accounting firms who manage highly sensitive personal and corporate information on a daily basis.

The size of your firm does not matter; hackers will exploit low-hanging fruit such as out-of-date or unpatched software systems for easy monetary gain. While accounting firms are not immune to these attacks, they can strengthen their data security by taking proactive steps now. To start, consider these three best practices:

1. Understand the evolving threat vectors and their impact

It takes time for accounting firms to build a trusted relationship with clients. Business clients will only provide their accountant firms with complete visibility into corporate financials, plans, and structure after they establish trust. Any breach that compromises this sensitive data can be ruinous for clients and significantly damage a firm's reputation – and its client relationships.

Ransomware, where cybercriminals hold firm data hostage until the victim pays the posted ransom, is one particular form of cyberattack that poses a threat to accounting firms. And there are no data recovery guarantees even if you pay the ransom. Remember – cybercriminals execute attacks for their own personal gain. You can be stuck in a situation where you paid ransom totaling millions and still cannot recover data. To gain a better understanding of the threat landscape firms can use publicly available threat intelligence such as the Cybersecurity Intelligence Agency’s (CISA) Top Routinely Exploited Vulnerabilities.

2. Educate your staff

A recent study shows 95% of cyber breaches result from human error. Threat actors often send emails with malicious links or 'phish' for employee login credentials. This means one single employee can unknowingly leak sensitive firm data by unwittingly clicking on a malicious link. 

It is critical to prioritize employee cybersecurity training to safeguard your firm. Staff members are your first line of defense in preventing a data breach. Everyone in the firm – from partners to interns – must implement good cyber hygiene practices. Employee education can take many forms and it is essential to determine what works best for your company and its culture. Some firms prefer full-firm quarterly cybersecurity training; others prefer small team-specific seminars. Adequate employee training can help your firm create a culture of good cyber hygiene. 

3. Evaluate your vendors

With the rise in hybrid working, firms increasingly rely on various vendors for their daily business operations. Firms may turn to vendors for products and services offering heightened productivity or efficiency. But it is critical the importance of cybersecurity is not underestimated. Firms must establish best cyber practices and metrics to evaluate current and potential software providers. It is vital to understand your vendor's cyber risk posture. Ask questions about cybersecurity protocols and data protection measures to ensure the safety of your data and your client's information.

Some potential questions include:

  • Have you achieved any recognized data protection certifications including System and Organization Controls (SOC)?
  • What are your disaster recovery procedures and when are customers notified?
  • How often does your organization reevaluate proactive and reactive data security policies?

Strengthen your cybersecurity posture

Firms must acknowledge their cyber risk and take the necessary proactive steps to strengthen their defenses. Prioritizing employee training and evaluating your firm's vendor relationships is a good starting point to bolster cyber preparedness. With adequate protections in place, your firm can focus on what truly matters, building client relationships and expanding service offerings. It is too late if you wait until your firm suffers a breach. The time to act is now.