Securing Client Data: A Fundamental Priority

Practice Management

Information security is a daunting part of today's information technology (IT) infrastructure. Globally, cybercrime financial losses and resultant costs of time lost are estimated to run in the hundreds of billions of dollars annually. With costly data breaches making front-page news, data security is now fundamental even for the smallest firms. This item describes accounting firms' data asset vulnerabilities and how to secure those assets.

Step 1: Identify the Assets to Be Protected

In this step, an accounting firm identifies the assets to protect and the statutes and regulations protecting those assets, and reviews the way the firm handles them. An accounting firm should protect anything that contains personally identifiable information. Tax returns, signed legal documents, nonpublic corporate documents, etc., are considered personally identifiable information. A firm should also identify how those assets are being transmitted and where that information is being stored or accessed—whether it is on a server, a desktop, a laptop, or even a smartphone. Then, firm personnel should seek legal advice on any state or federal laws mandating procedures to protect those assets.

Step 2: Develop a Protection Plan

The first part of the protection plan is to physically secure the sensitive assets. Servers should never be accessible by the general staff and should be protected by a tamper-resistant door and lock.

Access control is the second issue. Only the people who need to have access to sensitive information should have access.

Example: S, a client, has his yearly tax return completed by a CPA firm. T, a CPA, handles all the preparation, and W, a partner at the firm, reviews the work before it is returned to the client and submitted to the IRS.

In this example, only T and W should have access to S's tax return. Authorized users should have strong passwords that expire automatically and have an attempt lockout threshold. Computers should also be locked when idle to protect data in unattended environments. Access control is one of the best ways to mitigate internal data theft.

The next issue is transmission of data to and from the CPA firm. Secure file portals have replaced email attachments as a way to move data. A secure portal is more secure than a firm's email inbox. People accidentally forward emails, lose phones, or leave computers unlocked with email open. These lapses present an opportunity for sensitive assets to be stolen. For those reasons, firms are switching to an IT-managed, secure file portal for client interactions.

Next, storage must be secure. Storage requirements vary by jurisdiction; practitioners should consult counsel for legal requirements. As an example, assume a firm has a traditional Windows server environment with in-house desktops, remote laptops, and corporate-owned smartphones. Access control addresses how information is accessed on the servers. Only authenticated users should be able to look at a specific client asset. To protect assets from physical theft, data-at-rest (DAR) local hard drive encryption is recommended. This solution should encrypt both the physical hard disk and any USB drive attached to a protected system. Thieves are increasingly targeting company hard drives and USB drives. DAR encryption renders the data on a stolen drive unreadable.

If sensitive data are stored on smartphones, mobile data management allows a user to remotely lock and wipe a phone if it is lost.

Finally, there should be a plan for disaster recovery. Catastrophic losses do occur that render data irretrievably lost. The result is lost time and money for the firm and loss of client confidence and possibly of information that sometimes can't be obtained a second time. Using an image-based backup will allow data assurance and recovery in the case of hardware failure, accidental or intentional deletion, or even catastrophic events such as an office fire. Additionally, encrypted backups should be stored off-site at a secure location to further protect the firm's assets.

Step 3: Execute

With a plan in hand, firm ­managers can confer with their IT provider to set goals, timelines, and checkpoints for completion. It takes time to purchase, configure, and deploy solutions such as DAR, while putting a new door on the server closet can take a day. All elements of the plan are important, so it does not make sense to wait for one action to be completed while another could be executed.

Step 4: Manage Security

The plan should be viewed as a flexible, continual improvement process rather than a one-time project. Too many times, companies deploy a state-of-the-art security posture and then never touch it again. A firm's IT provider should continually check systems, update plans, check for new trends in cybercrime, and keep up to date on privacy-protection statutes and regulations. Security stops only the day after the firm closes for good.