Accounting is a highly regarded and respected profession. Being a professional Accountant comes with a responsibility to protect data, provide relevant advice, and be accurate in execution. Beyond this, many Accountants who also operate their firm are tasked with ensuring regular business operation. These operations include maintaining their office and equipment, managing the firm’s reputation, being up-to-date on employee practice laws, and ensuring all the standard functions of running a business (including bookkeeping) are current.
Risk management is the process of identifying, assessing, and controlling threats to a company’s capital and earnings. Risk management planning considers various potential risks or events before they occur. By practicing risk management, an organization can often save money while protecting its future.
Being aware of and planning for risks in the accounting profession is prudent business practice. Today we review some of the most significant risk management concerns facing accounting firms.
There are three main types of severe risk that accounting businesses face regularly. Accounting firms must practice intelligent risk management to minimize their exposure to these threats and keep their clients and staff safe.
The three primary risk categories for accountants today are:
- Data security
- Accuracy in output and advice
- Protecting facilities from damage
In this article, we will address data security and will address the other two in future newsletters.
Starting with data security, the fastest-growing risk that accounting firms face in a digital age is the fallout from security breaches. Data security risks emerge regardless of whether the data is stored digitally with a third-party software vendor, on a secure hard drive or cloud server, or physically on your premises.
Payment card data and financial records are two of the most valuable and most common pieces of data sold on the dark web today. Of the two, financial records are the more significant concern for accountants. Cyber-criminals leverage financial records to enhance the success of phishing campaigns, money laundering, social engineering, blackmail, and identity theft.
Of course, suffering a data security incident is psychologically damaging and stressful for the company leader and employees. Beyond this, being a victim of data theft can also lead to expensive business interruption costs, a decline in client service, expenses related to data and network restoration, costs associated with IT forensics to find and patch the source of the breach, costs associated with notifying and protecting those that may have had information stolen, and more. The firm’s highest price may be the permanent reputational damage caused as a result of the incident.
The most common data theft channel today is through IT security breaches
Data breaches can result from falling victim to sophisticated ransomware that encrypts digital files and transfers copies of those files to the cybercriminal. In this case, the malicious software demands a ransom to decrypt your local files, but there is no certainty the cybercriminals will destroy the stolen financial records.
Risk Management advice: Unfortunately, unless you are processing everything by hand and without a computer, there is no foolproof method to eliminate the risk of falling victim to a ransomware attack.
It is essential to enforce good cyber hygiene practices across the organization (including using strong passwords, having good and actively monitored anti-virus protection, using robust network firewall settings, and using two-factor authentication). It is also essential to educate yourself and your employees. Ransomware is often deployed when someone downloads a malicious attachment or clicks on a malicious link. Training staff is your most important defense.
The second method of breaching takes more concentrated effort and time. Cybercriminals work to penetrate your email accounts, scrape passwords, and use your login credentials to access storage drives and third-party software. Criminal agents may be inside your digital environment for months before anyone discovers that something is amiss.
Risk Management advice: Good cyber hygiene is also the most important defense here.
Dual-factor authentication – meaning not only having a password but having a third-party application also text you a code (for example) – is one of the best ways to keep yourself and your information safe.
Educating and training staff is also critical here. It is easy to make an email look like it is coming from another sender (spoofing). An employee may receive an email that appears to be from you asking for some piece of information. The employee may naturally respond, having no idea they have just shared something with a bad actor. If an email does come in from an uncertain source, we recommend that you or the employee pick up the phone and call the person who supposedly sent the email. It is vital NOT to call the number in the email signature (it may be a fake phone number) but instead to find the number online or in the client record.
The criminal's ultimate goal is to reach your data and software, so regularly rotating strong passwords is an effective way to keep kicking bad agents out and closing the door behind them.
Risk Transfer advice: For cybersecurity, even the best-laid plans are not foolproof. We are happy to talk with you about cyber-related risk transfer strategies. Cyber insurance is not a budget line item for many business owners yet, but it will be. At a minimum, knowing the price of a quality cyber risk transfer solution will help you plan for the future.
Physical data breaches
With the rise of digital criminals, we often forget that physical crime is still a threat. Purchasers of financial records on the dark web do not discriminate on the source of those records. If a criminal can steal confidential data, they can also sell that information.
Physical crime can take the form of a break-and-enter theft, theft enabled by poor document disposal hygiene, or employee theft.
Risk Management advice: We all know methods to deter criminals from breaking into your business. Things like an alarm system, secure doors, protected windows, keeping valuable items out of sight, and more are standard practices. For accountants, it is also vital to keep documents stored in a safe space. We have been in accounting practices, especially during tax season, where many client files are left out day-to-day. If a burglar is aware of this, it provides extra incentive to choose your business over another.
We know it is necessary to keep many physical documents. Where possible, it is good practice to scan and store documents in a safe digital environment. Doing so gives you a backup in the event of a fire or other physical damage on the premises. For files you can destroy, we recommend implementing a strict disposal strategy using a high-quality shredding system. For added protection, hire a third-party company that will pick up those shredded documents from a locked bin and dispose of them safely.
Employee theft is not something any of us like to discuss. We all trust our employees, and the vast majority would never conceive of stealing from your practice. Theft can occur traditionally (similar to break and enter) but can also happen when an employee leaves your firm and takes documents with them (either original or scanned) to a competitor. The risk management practice here is to limit access to files (either physical or digital) to those who need it. Too many firms give everyone complete access to everything. The more doors closed, the safer the practice.
Risk Transfer advice: Reviewing your crime policy wording is essential. It is prudent to ensure your policy protects you from both the costs relating to the crime itself and the potential legal costs that can arise if sensitive client data leaks. Our team is happy to discuss this in more detail with you.
Reviewing your risk management practices from time to time is an excellent opportunity not only to mitigate risks in your business but also to uncover new efficiencies and processes that improve how your company operates.
Should you have any questions, we are happy to discuss them with you in more detail. We will cover the other two primary risk categories in our next piece.