Technology Correspondent Sift Media
Share this content

How can accountancy firms limit the risks to confidential data?

2nd Sep 2011
Technology Correspondent Sift Media
Share this content

Accountancy firms of all sizes handle sensitive client data and should look to employ a security strategy that protects this information at all costs, without being a burden on IT resources.

All confidential client information needs to be protected from malware, viruses and a whole host of external cyber threats, as well as remaining secure and confidential. However, it is also vital to consider the types of threats that can be posed by internal forces, not just external.

IT security is not something that comes as part of the job description for an accountant, but many firms have no designated IT specialist. To ensure firms remain protected, a few basic rules suffice in gaining IT protection:

Keep out malware

No accountancy firm can function without computers, and only in rare cases are their networks purely internal. Instead, communication with customers often requires an Internet connection, meaning that fewer firms can manage without one. It is therefore important that all computer systems are equipped with basic protection, i.e. an up-to-date virus scanner and a personal firewall. Rather than implementing multiple solutions which have the potential to be confusing and time-intensive to manage, all-encompassing protection packages can provide modules which work seamlessly together.

Before investing in security technology, accountancy firms should assess the historical and current malware detection capabilities of various anti-malware products on the market. Security software for all sizes of firms has in the past been expensive and confusing; however it is a vital aspect of business that cannot be overlooked in today’s troublesome cyber environment.

Encrypt records

Accountants handle extremely sensitive customer data on a daily basis. All this information, which is not intended for third-party viewing, should be encrypted. Encryption translates data to a secret code and is the most effective way to achieve data security. To read an encrypted file, a key or password is needed to unlock the translated information.

Worryingly, the nature of the accountancy industry means that any financial data that is breached can be used for malicious, even criminal purposes. This means that there is a risk that employees who have access to a large quantity of this data also pose a risk to the firm and its clients. Although access is required for employees to do their jobs, it is possible to restrict access to data that is not directly relevant/necessary for them to carry out their role. By encrypting this data, it lowers the risk of an internal threat where someone takes liberties with their clearance.

Ensure data is backed up

Not only is this confidential data at risk from malware and the inside threat from employees, but it can be corrupted, lost or stolen. Therefore it is vital that accountancy firms back-up all   forms of records safely and securely. Suffering a loss of client data could not only mean a loss in custom and sever reputational damage, but could ensue in a law suit.

Establish Rules

Management in accountancy firms know which areas of their company need protecting, but what about their employees? In most cases, staff won’t be IT experts either. Two strategies are recommended here; firstly, clear rules should be established for using IT systems, these should specify prohibited activities such as sharing passwords; and guidelines for the use of, for example, USB flash drives. Secondly, rules should be backed up with appropriate security settings.

The accountancy sector is entirely built on trust. Just one instance of compromised information could really damage an accountant’s reputation and relationship with its clients. Most businesses have sensitive client data on file and confidential records, but the financial implications of a breach are far-reaching in this sector.  By following these steps, firms can ensure that they are doing everything in their power to protect themselves and their clients.        

David Emm is senior security researcher at Kaspersky Lab.


Replies (2)

Please login or register to join the discussion.

By ClintonW
09th Sep 2011 17:22

How can accountancy firms limit the risks to confidential data?

Following on the previous thread David Emm at Kaspersky Lab made...

The following are two other important elements of security which limits the risk to confidentiality of data.  Of course there are a whole raft of other areas that could be covered but I will focus on these two: Security Awareness Training and Business Continuity.

Security Awareness Training

One of the most important aspects of security that enhances the safeguarding of such confidential data is AWARENESS.  If employees are not aware of their responsibilities and educated about security in a holistic manner; there will be inevitable casualties with data breach!  There are plenty research material to support this point whereby a lot of accidental loss and theft of data is due to employee's lack of awareness.   Providing awareness to employees can take many forms. i.e. workshop, e-Learning and culture changing through various mediums such as posters and key messages throughout the company form senior management.

Along with all the fancy tools and gadgets used to process transactions and fulfil the client's requirements, the employee will need to know of the risks associated with these tools.  I work with accountants and other clients regularly and in some cases these people know what to do but their view of it is that, 'It will not happen to us'!  Well, think again. Who is immune?  There is no silver bullet and there is no absolute security.  All that needs to be done is to be proactive and conduct regular reviews on your infrastructure.

Business Continuity

Another area of concern is business continuity.  When I speak to clients one of the questions I ask is... How would you cope if you turn up to work and the whole building is flooded or burnt to the ground?  Sometimes the answer is...We will let the insurance company look after it.  That answer is not the best answer!  A lot of companies do not have a business continuity plan in place let alone a disaster recovery plan.  This in itself is also a key part in the chain of data security and compliance.  Accountancy firms and other businesses need to ensure that they take all the necessary precautions there are to limit the likelihood of a breach of confidentiality and privacy.




Thanks (0)