Ten (Strike That) Eleven Tips for Accountants to Secure Data and Why

We’ve given you 11 tips for the price of 10!

Accountants work for firms that serve clients, have solo practices that serve individuals, work for corporations that serve management, etc. To simplify the discussion, I will use the term “client” to refer to those you serve.

#1. Know your data

You already know handling and being responsible for sensitive and confidential financial data requires additional security and diligence, but what about the things you don’t know. Many accountants provide services to clients in the healthcare industry; this could be a single practice doctor’s office, hospital, or even a company that provides medical billing services. In most cases, you will likely have some ePHI (electronic personally identifiable information) as defined by HIPAA and as such you, as the accountant, must also be HIPAA compliant. Even if it is just one of the 18 identifiers (see details after all the tips) such as a name or account number, you must be compliant with HIPAA and you must have a Business Associate agreement with the client. A similar case could be made for a client processing credit cards and the requirement to be PCI compliant.

Knowing your data is more than just knowing the financials, it’s knowing what type of data you have for each and every client and taking the necessary steps to protect it. Ignorance is bliss and also very dangerous. Conduct an assessment and risk analysis on your data to close the gap and know what data you have, then take the necessary steps required to protect it.

#2. When in Doubt, Encrypt

Many people inherently know that sensitive financial data should never be shared without protecting it from the bad guys. This often means ensuring the data is encrypted any time it is moved. This is not just encrypting the data to and from your office, it includes ensuring it is encrypted throughout the journey the data travels. Many accountants have clients that use QuickBooks in the cloud where the client accesses the data from their office and the accountant accesses from their office. The data is often also transferred between the client and the accountant directly. Their also may be software integration with a third-party solution for payroll processing, etc. The data must be encrypted between all parties when it is transferred to and from each location – cloud, client, third-party, and accountant. Furthermore, if the accountant uses help from a temporary employee or contractor who works from home, there is now another path that must be encrypted.

I am surprised I still have to say this in 2017 – email is not encrypted and many accountants still use email to send financial data, spreadsheets, PDF’s, etc. This is not safe or secure. Rather than sending the data in email, use other encrypted file sharing solutions such as Microsoft OneDrive, Dropbox for Business, or Digital Pigeon (visit the website here). If you must email, ensure you encrypt the email, which is often as easy as putting “[encrypt]” in the subject line of the email. That is only if your email solution has encryption, which is often an add-on feature with a cost. If you don’t know, ask your email provider.

Lastly, encrypting data when it is being transferred from one place to another is just covering it when it travels. What about when the data is sitting at rest on your systems. Accountants often used cloud based accounting systems and store financial data in the cloud and on the end users computer, even if just temporarily. Encrypting the data ‘at rest’ on any system holding the data adds an additional layer of protection and can be required, as is the case with HIPAA.

#3. Backup, Backup, Backup

Everyone has accidentally deleted a file and needed to pull a copy from backups. Again, having data backups of critical data is very intuitive requirement, but often the person responsible for the data does not know how the data is being backed up and for how long (the retention period) or if the data itself is actually valid. If you have every tried to restore a file only to find it corrupted, you have felt the pain. Regular periodic restore of random files to verify they are usable is a good practice.

With the increase in malicious viruses and ransomware, it is more important than ever to ensure you not only have good backups in multiple places, but backup retention long enough to meet business requirements. Accountants should always have two backup locations – onsite and offsite. Onsite backups offer the most expedient option to restore data, but they may not always be usable. In this case offsite backups come into play as the last resort to retrieving the information. In the case of ransomware, the hacker has locked the data files and demanding money, which increases each hour or day, to obtain the keys to unlock the files. Having good backups can literally save your business. This is where a good retention policy comes into play. Financial data becomes very stale even after one day, so data backups may only be kept for a week or two. Viruses and ransomware can infect a system and remain in place and idle for a week or even months. When the ransomware hits, you must restore backups from before the files were locked and infected. Having a well thought out retention period that allows you the option to go back farther if needed is a great practice. Restoring financial data a month old seems ludicrous in the accounting world, but if it is your ONLY good data it may be better than having no data. Backups cost money, so the retention period should be well thought out based on your data and your business needs. One example of a retention period specifically defined to meet a business need - one day of hourly backups, 13 days of daily backups, one month of weekly backups, and 4 months of monthly backups. If data must be restored, the process is to work from the most recent back – newest to oldest, until you can retrieve what you need. In most cases, one of the hourly backups in the first 24 hours will suffice, but if you have to go further back you know you have two weeks of daily backups and so on.

Tech Tip: Make sure backups are disconnected once they are finished. Backups that are connected to your network continuously can be infected by the same ransomware that infect the initial machine and network.

#4. Manage Your Data

Managing data is a very tedious and laborious task, which means it often is not done. Data is like a weed, growing relentlessly if left unchecked. It also lowers productivity for you and your staff having to sift through all the irrelevant data files. Reviewing all your data on a regular basis and ‘cleaning’ it by deleted unneeded files and those irritating duplicate files will help keep your data in check while also giving you the peace of mind that you are not overspending for storage and keeping only important data. This can be tricky for accountants because financial data may have requirements to be saved for 5, 7, 10 years, or even in perpetuity. However, that does not mean you need to keep all the non-restricted data, duplicates, old versions, or personal photos.

Conducting an annual data cleansing will do wonders for your sanity. It’s not fun, but it is rewarding. Again, you must know your data (#1) to know what to clean.

#5. When Using an External Data Device, use Caution

Using external data sources, even temporarily is very common. Whether an external hard drive or a USB “thumb” drive, connecting external data to your computer can be a very dangerous proposition. External drives are often used maliciously to spread viruses and ransomware. Just plugging it in without ‘opening’ a file can get you infected. Prevention goes a long way to avoid any problems. Know who you are getting the external drive from and ensure your anti-virus software will scan the device before loading it. Even if you know and trust the person providing it, there can be a virus they are unaware of. When in doubt, don’t plug it in.

#6. Automatic Logoff

It’s just good business practice, but especially when handling financial data, to have a system policy to automatically logoff users from systems after a period of inactivity. It may be frustrating from a productivity standpoint, but it is not worth the risk for a few added keystrokes. The amount of inactivity time should be defined based on the data being accessed (#1). If it is financial data with HIPAA information, you are required to have an automatic logoff process and 2-3 minutes of inactivity may be warranted. For other systems 5-10 minutes may be sufficient. To be clear, this is any system you access that has sensitive data. For example, you arrive in the morning and log into your computer and immediately open QuickBooks, Dropbox, and Outlook, each one containing sensitive information. All three systems should be set to automatically logoff after some period of inactivity.

#7. Lock Your Computer

This one is easy, but often overlooked and undervalued. How many times have you left your desk to fill up the coffee cup and left your computer on with all the windows open and visible? After all, what harm could it be to be away for only 2-5 minutes? Then when getting coffee a coworker comes in and you end up having a 10 minute conversation. Now your computer has been open and accessible to anyone that wanders by for 15 minutes, which is eons for someone wanting to do serious damage. Get in the habit of locking your computer every time you leave it unattended; whether 2 minutes or 2 hours, lock the machine. It’s quick and easy to do and should become common practice for all employees. If you use Windows 10, you can press and hold the key with the windows icon while pressing the L key. For older versions of Windows you can press Ctrl-Alt-Del and choose Lock. You will be required to log back in when you return, which may cause some brief irritation, but well worth the effort.

#8. Access Authorization & Controls

If you have access to multiple systems with financial data and/or you have multiple people that have access to the data, having access controls is an important part of data security. Access authorization begins with creating a policy to define the company’s initial right to access sensitive information and further define the access rights of individuals to access sensitive information based on the job’s role or function. The parameters of the policy should consider providing the minimum access required to perform a job function, along with separation of duties. In a large accounting organization you may have a person or team responsible for invoicing, a team for accounts receivable, and a team for closing month-end. Each group should be given access to only the data they require to do their job. You would not give the accounts receivable team full access to all financial data when they do not need it to perform their duties.

Access control is the ability to provide, revoke, monitor, and manage access given to individuals. The individual requesting access should first be verified as approved based on job function. This would typically be done by the Security Officer or HR using a signed form. Systems management and processes can then be used to provide the access, monitor usage, provide audit logs, and revoke access as necessary. Having this level of control will provide the critical information necessary to know how your data is being accessed, by whom, and when. In the event of a breach, not having this information only introduces additional risk and potential fines.

#9. Know Your Credentials

It is very common, if not ubiquitous, for accountants to rely on a third-party for IT services and support. Whether it’s an internal IT department, an IT services provider, or a software vendor providing a solution, you are reliant upon them to have stable, reliable systems, and support. Unfortunately, many times that reliance includes them having administrative access credentials (ID’s and passwords) to your critical systems. You may not need to know the administrative credentials to all systems, but you should know them for critical systems you are responsible for. This is not so you can play IT guy and make changes, but good business practice in the event your IT vendor/provider is unavailable, terminated, resigns, etc. Trying to track down that last IT guy to get the information can be very time consuming, frustrating, and maybe impossible depending on the circumstances. Make sure you have the administrative credentials at all times stored in a safe place, which is not in your contact list or on a Post-It note. Better a file in a locked file cabinet or password management system (#11). You also need to make sure the IT provider knows to inform you if and when the credentials changes so you can update your information.

#10. Know Your Vendors Security

This one can be a bit challenging, but well worth the time and effort. It is very common today to use software and solutions from many different vendors/providers, many of them cloud providers. If you use Dropbox, QuickBooks Online, Microsoft Office 365, SalesForce, etc. you are in the cloud. Large cloud providers like Microsoft Azure and Amazon Web Services (AWS) come with some basic security, but it may not be enough to meet your requirements, like encryption at rest, which is an added feature you must purposely deploy. Do you know what security each of them have in place to secure your data? Is it encrypted during transit and at rest (#2)? Is extra anti-virus protection in place where needed? If you don’t know, ask them. If they can’t or won’t tell you it’s time to look for another vendor. This is especially true if you have any compliance requirements like HIPAA or PCI.

#11. Securing Your Passwords

We are now in a subscriber economy with software application sprawl, where instead of accessing one or two systems on ‘our server’ we are accessing many applications hosted in multiple locations. Using myself as example, I use different cloud based solutions for email and MS Office, accounting software, customer relationship management software, billing software, practice management software, file sharing; along with tangential accounts for LinkedIn and other sites used in business. There are another 3-5 cloud solutions our operations staff use. As a result, I have a minimum of 8-10 ID’s and passwords to manage, and some of those require password changes every 60 days. Hidden tip: requiring password changes to critical systems every 30, 60 or 90 days is a very good security practice. But I digress. If I add my personal ID’s and passwords the number balloons to over 20. So the real world challenge is how to keep up with all this sensitive information without forgetting it, while also keeping it secure. So how do we secure all those passwords and keep our sanity? For all of you who store your ID’s and passwords in your Outlook Contacts, your Notes or in a Word or Excel document, that is not a good answer because every one of them is not secure. A much better solution is to use a password management solution to help keep it all safe and secure. Yes, the password management software will itself require an ID and password, but it’s only one to remember and the good solutions will automatically ask to save any changes to passwords you make to any of the included systems. It’s human nature to use the same password for multiple systems and rotate the same 3-4 different passwords when you change them. It helps to remember them, but it is a gold mine to hackers. PCCP! Protect, change, complex, passwords!

About the Author

Wade Yeaman, with more than 20 years of experience in business and information technology, Wade founded Fluid IT Services because he passionately believes that small and medium businesses deserve the same technology support services that big companies enjoy. He attended Texas Tech University. When Wade isn’t working with his favorite people (that would be Fluid staff and clients), he can be found fly-fishing or playing his guitar.

HIPAA IDENTIFIERS

1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:

(a) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and

(b) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000

3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic, or code