Protect Your Practice Against Cyber Threats.
Social security numbers, bank accounts, and other sensitive data can be easy pickings for a hacker if your security is lax. Protect yourself and your clients.
Accounting and bookkeeping firms face security challenges other small businesses don’t because of the sensitive data they retain for client tax preparation and payroll. Social security numbers, bank account information, and other types of highly sensitive financial data can be easy pickings for a hacker if your security is lax.
“You can’t hide by being small, because the [cyber] attacks are so automated,” David Cieslak, principal at accounting technology firm Arxis Technology Inc., said in a recent Accounting Today article. “Some of the least protected systems are in small businesses. You can’t let your size trick you into thinking you are safe.”
The first step in your cyber security plan is to understand the coverage provided by your professional liability insurance. Check your policy to see if you have adequate coverage.
Then, to limit your exposure to breaches, follow these best practices, recommended by accounting security professionals for firms that aren’t large enough to have an internal IT department.
1. Do the obvious. If you are still running Windows XP, which no longer receives security patches, upgrade to a supported version (at the time of writing, Windows 8.1). Set all computers to install security patches from Microsoft automatically. Keep the server firewall in place and the anti-virus program up to date, and set it to sweep the entire network on a regular schedule. If data must be retained on the premises, back it up at least daily and periodically confirm that a backup can actually be restored; an untested backup is not a backup. Require passwords on all computers, change them on a regular basis, and never reuse the network password for external Web sites.
2. Physically secure the network. Keep the office server in a locked cage with appropriate backup power and ventilation. Set access controls so that only those with a need for it have access. Use software locks for all mobile devices, and additional physical locks on all laptops. Control access to the office through key system management, use an alarm system, and install security cameras in critical areas.
3. Set a security policy and enforce it rigidly. Users of the network are its weakest link: a single careless moment can bring the business to its knees through data theft or ransomware. The policy should state its purpose and cover internal access control to computers and servers; a ban on personal software on office computers; a ban on removable storage such as thumb drives; a ban on opening e-mail attachments; restricted access to Web sites; termination and retirement procedures for staff, including revoking their accounts and recovering their equipment; and procurement policies for computer equipment and mobile devices.
4. Use a secure portal for all client communications. Portals provide secure communication between the accounting firm and the client and secure storage for documents in transit. Every major accounting and tax software vendor now offers a client portal service designed for the needs of the industry. Sending client data by ordinary e-mail instead risks violating the data-protection obligations that apply to client financial data, with fines and penalties.
5. Move to the cloud, but not to consumer cloud services, which are not appropriate for accounting files. Perform due diligence on cloud providers, even those that are known vendors to the industry. For example, look for storage providers that have been assessed against PCI DSS (the Payment Card Industry Data Security Standard) and/or HIPAA requirements, and for providers that can produce a Service Organization Control (SOC) 2 or SOC 3 attestation report. Read the report’s scope: an attestation covers only the services and controls it names, and only for the period it was issued.
6. Adopt end-point security. A defense built around a firewall and an anti-virus program on the server alone is no longer adequate. End-point security protects the data by controlling which devices may reach the network: each computing device on the network (an “end-point”) must meet certain standards, such as a supported operating system, current patches and up-to-date anti-virus, before network access is granted. Endpoints include PCs, laptops, smart phones, tablets and specialized equipment such as bar code readers or point-of-sale terminals. The precise services sold as “end-point security” differ from one vendor to another, but they generally combine the traditional firewall and anti-virus with anti-spyware and intrusion detection.
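As an added illustration of the admission check described in item 6 (this is example code written for this page, not the article’s own or any vendor’s product), the script below evaluates a constructed device inventory against a small compliance policy and reports, for each device, whether it may join the network and every reason it may not. The supported-OS list, the freshness thresholds and the device records are assumptions for the demonstration.

```python
"""Added example (not from the article or any vendor): an admission check of
the kind end-point security performs, applied to a constructed device inventory.
The policy thresholds and the device records are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: OS builds the firm supports and how stale patches/signatures may be.
SUPPORTED_OS = {"Windows 8.1", "Windows Server 2012 R2"}
MAX_PATCH_AGE = timedelta(days=14)
MAX_SIGNATURE_AGE = timedelta(days=3)

# Fixed "today" so the demonstration is reproducible (assumed date).
TODAY = date(2014, 9, 1)


@dataclass(frozen=True)
class Endpoint:
    name: str
    os: str
    last_patched: date       # date the last security update was applied
    av_signatures: date      # date of the anti-virus signature set in use
    firewall_on: bool
    disk_encrypted: bool


@dataclass
class Decision:
    allowed: bool
    reasons: list


def evaluate(ep: Endpoint, today: date) -> Decision:
    """Apply every rule and collect all failures, so the user (or help desk)
    sees the full list rather than only the first problem."""
    reasons = []
    if ep.os not in SUPPORTED_OS:
        reasons.append(f"unsupported operating system: {ep.os}")
    # A patch date in the future means a wrong or tampered clock; do not trust it.
    if ep.last_patched > today:
        reasons.append("patch date is in the future (clock wrong or tampered)")
    elif today - ep.last_patched > MAX_PATCH_AGE:
        reasons.append(f"security patches are {(today - ep.last_patched).days} days old")
    if ep.av_signatures > today:
        reasons.append("anti-virus signature date is in the future")
    elif today - ep.av_signatures > MAX_SIGNATURE_AGE:
        reasons.append(f"anti-virus signatures are {(today - ep.av_signatures).days} days old")
    if not ep.firewall_on:
        reasons.append("host firewall is off")
    if not ep.disk_encrypted:
        reasons.append("disk is not encrypted")
    return Decision(allowed=not reasons, reasons=reasons)


def admit(endpoints, today: date) -> dict:
    """Map each device name to its admission decision."""
    return {ep.name: evaluate(ep, today) for ep in endpoints}


# Constructed inventory for the demonstration.
SAMPLE = [
    Endpoint("front-desk-pc", "Windows 8.1", date(2014, 8, 25), date(2014, 8, 31), True, True),
    Endpoint("old-laptop", "Windows XP", date(2014, 1, 10), date(2014, 8, 31), True, False),
    Endpoint("partner-tablet", "Windows 8.1", date(2014, 9, 3), date(2014, 8, 20), True, True),
]

if __name__ == "__main__":
    for name, decision in admit(SAMPLE, TODAY).items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name}: {verdict}", *decision.reasons, sep="\n    ")
```

The check deliberately reports every failure rather than stopping at the first, and it treats a patch or signature date later than today as a failure in its own right: a device whose clock is wrong, or whose agent reports a fabricated date, should not be trusted just because its numbers look fresh. A real product reads these attributes from an agent on the device; here they are supplied as constructed records.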
7. Lock down the e-mail system. E-mail is one of the weakest links in the network and one of the two major ways malware gets in. All e-mail should be encrypted, although encryption protects the confidentiality of a message, not the recipient from what it carries. In addition, the firm should enforce a policy of never opening e-mail attachments; if a document needs to be transmitted, the client portal or cloud storage system should be used instead. This may be one of the more difficult policies to enforce, but it is also the most important, and it holds up far better when enforced at the mail gateway than when left to each user’s judgment.
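One way to enforce the no-attachments rule from item 7 at the gateway rather than at the user’s desk, as an added example written for this page (not the article’s own or any mail product’s code): the filter below parses a message’s MIME structure with Python’s standard `email` library and quarantines anything that carries a file, including parts marked “inline” and parts with no file name at all, which a filter that only looks at file names would pass. The three messages are constructed samples.

```python
"""Added example (not from the article): a mail-gateway rule that enforces the
no-attachments policy by inspecting MIME structure instead of trusting file
names. The messages below are constructed samples."""
from email import policy
from email.parser import BytesParser

# Parts of these types with no file name are ordinary message text.
TEXT_TYPES = {"text/plain", "text/html"}


def attachments_in(raw: bytes) -> list:
    """Return (filename, content_type) for every part a user could open as a file.

    A part counts as an attachment when any of these holds:
      * its Content-Disposition is 'attachment';
      * its type is not message text (an 'inline' PDF or image is still a file);
      * it is text but carries a file name (text/plain; name="invoice.doc").
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.walk():
        if part.is_multipart():          # containers have no content of their own
            continue
        ctype = part.get_content_type()
        disposition = part.get_content_disposition() or "inline"
        filename = part.get_filename()
        if disposition == "attachment" or ctype not in TEXT_TYPES or filename:
            found.append((filename, ctype))
    return found


def gateway_verdict(raw: bytes) -> tuple:
    """'deliver' a text-only message; 'quarantine' anything carrying a file so the
    sender can be told to use the client portal instead."""
    found = attachments_in(raw)
    return ("quarantine", found) if found else ("deliver", [])


# Constructed sample messages.
CLEAN = b"""From: client@example.com
To: firm@example.com
Subject: Meeting
Content-Type: text/plain; charset="us-ascii"

Can we meet Tuesday?
"""

# Disposition says 'inline', but it is still a PDF the user would open.
INLINE_PDF = b"""From: client@example.com
To: firm@example.com
Subject: W-2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attached.
--b1
Content-Type: application/pdf; name="w2.pdf"
Content-Disposition: inline; filename="w2.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# No disposition header and no file name at all: a name-based filter would miss this.
UNNAMED_BINARY = b"""From: client@example.com
To: firm@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Please process.
--b2
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("inline pdf", INLINE_PDF), ("unnamed binary", UNNAMED_BINARY)):
        print(label, gateway_verdict(raw))
```

Quarantining rather than silently stripping lets the firm bounce a notice to the sender pointing them at the portal, which is what the policy actually wants. Note the interaction with the encryption advice above: transport encryption (TLS between mail servers) leaves the gateway able to inspect messages like this, whereas end-to-end encryption of the message body (S/MIME or PGP) would hide the attachments from it, so the inspection would then have to happen on the endpoint.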
8. Clean up local data storage. Retain only the data that is actually needed and move it to the cloud for secure storage. Archive the rest in longer-term storage, off the day-to-day network, where it remains accessible but protected.
Pat Friesen is a contributing writer to the NSA blog with 30 years of direct response copywriting experience selling insurance and other financial services to consumers and owners of small to mid-size businesses. She’s also a columnist for several direct marketing trade publications.
If you have the NSA Accountants Professional Liability Plan, it includes network and information security offense protection covering: (1) claims for the transmission of computer viruses; (2) claims for failure to control access to the insured’s computer or network; and (3) failure to prevent unauthorized access to, or use of, data containing confidential information of others. For details on the NSA-endorsed NSA Accountants Professional Liability Plan visit www.ftj.com/nsa or contact plan administrator Forrest T. Jones & Company at 800-821-7303. Flexible limits, premium installment options, and deductibles let you customize coverage to fit your practice.