Best Practices: Accounting and Cyber Security

​This summer, the IRS began urging tax professionals to increase their security measures amid a storm of increased cyber-attacks. Through the first half of 2021, cyber-attacks against tax professionals had already outpaced the annual numbers for 2020 and 2019. And tax pros are not alone.
​
Cyber security has become a hot topic among all financial professionals over the last year as security attacks against businesses and individuals soared during the pandemic. Michael Cohn explains the recent rise in security threats when he says, 

---

Identity thieves and fraudsters were particularly busy last year and this year taking advantage of the COVID-19 pandemic as many tax pros worked remotely from home and their firms were forced to lower their cyber defenses. The economic downturn also served as fuel for a variety of scams and schemes to steal money and identities.

So, how do you keep your financial data secure? 

Follow these best practices to keep your accounting-related information safe:

Following Security Basics
Security best practices are important in all areas of the business, but are especially vital in areas where accounting automation is considered. The scary truth is that while cyber attacks have risen uncharacteristically over the last year, they are unlikely to fall back to the pre-pandemic “normal” moving forward because criminals have now found new ways to exploit the vulnerabilities of remote work and will continue to do so as long as companies leave the door open for them.

Every company, regardless of size or industry, should be following basic security best practices like:

• Requiring strong passwords
• Changing passwords often
• Requiring multi-factor identification
• Setting access levels for employees
• Maintaining access logs
• Encrypting sensitive information that is being stored
• Installing anti-virus software on all devices
• Working behind a firewall
• Implementing a VPN
• Running regular data backups

These precautions help keep unauthorized people out of the business to keep value in and should be implemented regardless of the current risk level.

Separation of Duties
In accounting, a separation of duties is typically recommended to reduce fraud risk. However, a separation of duties can also improve cyber security because it distributes the company’s financial information across multiple employees, reducing the damage that can occur if someone’s login credentials or device gets compromised.

When one person controls everything from invoices to bank account information to payroll, this poses a huge risk if that person falls victim to a cyber-attack. However, if these roles are spread out, a cyber attacker cannot gain access to as many areas of the business, creating a safeguard against the kinds of widespread attacks that bring down an entire organization.

Ongoing Education
As technology has evolved, cyber-attacks have followed suit, which means that today’s biggest threats were unheard of a decade ago (and in some cases, even a year or two ago). Staying abreast of the latest cyber threats is the best way to protect your company against financial data breaches.

When it comes to cyber security, you are only as strong as your weakest link, which means that if employees are ignorant to the types of threats that could be coming, they are more likely to fall victim to them and the organization will suffer as a result. Ensure someone within the organization is paying attention to the types of risks that your business is facing and communicate these risks with your employees at large.

Depending on the nature of the threat, you may want to try testing your security protocols to discover where weaknesses exist. For instance, many IT departments make it a practice to periodically test a fake phishing scheme to see if they can get employees to click on links in faux malicious emails or provide information that they should not be sharing. These types of tests indicate where there is a greater need for education and preventative measures to keep the company safe.

Implementing Company Policies
It is now widely accepted that remote bookkeeping and accounting (as well as many other positions) are here to stay. Subsequently, the security challenges that remote work poses will need to be managed long-term.

Creating company policies and communicating them with staff and vendors is a key security management strategy to ensure everyone is on the same page. Clearly identify what is and is not allowed when it comes to company data, especially across gray areas like working outside of the office in public or accessing information from personal devices. Ensure employees know where to go with questions and how to report issues they encounter to help prevent security threats from coming to fruition.  

Vendor Management
The measures outlined above are important steps to take in protecting your company and your customers, but they are not the be all end all of security precautions. Remember, you can do everything right internally and still become a victim of a cyber attack because of a vendor’s vulnerability.

Understand who has access to what information, both internally and externally. Pay particular attention to your bookkeeping company or outsourced accountant, software providers, web hosting platform, and other partners that may have access to your most sensitive data. Manage access to information across employees, third party contractors, consultants, vendors, and partners and only provide access to what is absolutely necessary. Additionally, make sure you know what is being done with information that is shared externally – who else has access to it, how it is being stored, and how it is being transmitted.

Looking for more ways to develop your accounting department? Check out one of our most popular articles: How to Improve Your Accounting Department in The Next 3 Months