Cybercriminals are targeting tax firms at increasing rates – and it isn’t just the big firms that are targets of these attacks. In 2017, the professional services sector experienced 130 confirmed data breaches — an 18 percent increase from the previous year. And in 2018, the IRS reported a 60 percent increase in emails designed to steal a victim’s financial or tax information.
Your IT team’s top priority is to keep all systems running effectively so your tax, audit, and advisory teams can do their work – especially during busy season. But with ever-growing cybersecurity threats, you can’t afford to put data and password security on the back burner. As we approach a new year, reviewing your existing policies and making any necessary updates to maintain security can help you start on a secure footing.
Here are three best practices you should incorporate into your firm’s data security and password policies.
Have unique passwords for every website
Creating a unique, strong password for every website makes it much harder for cyberhackers to access information. For example, an eight-character password using numbers and upper- and lowercase letters will take a hacker only one hour to crack, whereas a similar password with 12 characters will take nearly 2,000 years to crack.
If, for some reason, your password is compromised in a widespread data breach, having a unique, strong password for each website ensures that the hacker doesn’t immediately gain access to all of your information.
Check whether your passwords have appeared in a known data breach using a service like haveibeenpwned.com, and change any that have. Your firm should also have a policy that requires everyone to change their password quarterly to prevent cyberhacking.
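The breach check described above can be automated in an onboarding or password-reset workflow without ever sending the password itself to a third party. The following is an added example, not code from the original article or from Boomer Consulting: it implements the Have I Been Pwned "Pwned Passwords" range lookup (SHA-1 the password, send only the first five hex characters of the digest to https://api.pwnedpasswords.com/range/, compare the returned SUFFIX:COUNT lines locally). The network fetcher is injectable, and the sample response embedded below is constructed for the demonstration, not real breach data.

```python
"""Breach check for a candidate password via the HIBP range API (k-anonymity).

Added example, not code from the original article. Only a 5-character hash
prefix leaves the machine; the full password and full hash never do.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as uppercase hex (the form HIBP uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {SUFFIX: count}; tolerates CRLF and blanks."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.strip().upper()] = int(count.strip())
        except ValueError:
            continue  # malformed line: skip it rather than trust it
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetcher: GET the range body for a 5-hex-char prefix from HIBP."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how often the password appears in HIBP data (0 = not found).

    fetch_range is injectable so the matching logic can run offline.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def check_policy(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_live) -> str:
    """Policy decision: reject a password seen in breach data, otherwise accept."""
    n = pwned_count(password, fetch_range)
    if n > 0:
        return f"REJECT: seen {n} times in breach data; choose a different password"
    return "OK: not found in breach data"


# ---- Constructed sample response for offline use (NOT real HIBP data) ----
# A fabricated range body containing the suffix of "password123" with a
# made-up count, plus two unrelated constructed suffixes.
_DEMO_PASSWORD = "password123"
_DEMO_DIGEST = sha1_hex_upper(_DEMO_PASSWORD)
_DEMO_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",    # constructed
    _DEMO_DIGEST[5:] + ":246",                  # constructed count
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",    # constructed
])


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; returns the constructed body."""
    return _DEMO_RESPONSE


if __name__ == "__main__":
    print(check_policy(_DEMO_PASSWORD, fetch_range_offline))
    print(check_policy("correct-horse-battery-staple-2021", fetch_range_offline))
```

In production, replace `fetch_range_offline` with the default `fetch_range_live`; the only change to the policy logic is which fetcher is passed in. Note that the check is a negative filter (a password absent from breach data is not thereby strong), so it belongs alongside a length requirement, not instead of one.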
To make creating and storing unique, strong passwords for each website easier, employ a password manager like LastPass, 1Password or Dashlane. These password managers securely store your passwords, so your team members don’t have to remember each one. They also suggest strong passwords when creating a new account and let you know if a password has been included in a data breach.
When onboarding a new employee, consider setting up their password manager first so when they sign into other systems, the password manager will generate and store a strong password.
Two-factor authentication for sensitive accounts
Two-factor authentication is becoming increasingly common and even required by a variety of websites. It’s an extra layer of security to ensure that the person logging in to an online account is who they say they are. Once you’ve entered your account information, you’ll be asked to answer questions, accept authentication through your smartphone or text message, or take another action to ensure that you’re the correct person to access the account.
To ensure a high level of security, set up two-factor authentication by default for your password manager and all other highly sensitive accounts. The definition of highly sensitive accounts will depend on each person’s role, but generally, they’ll include email, anything holding client or employee data, and company financial information.
While there are several different methods for two-factor authentication, the best method involves a smartphone application rather than text, email or secret questions. Text messages and email can be intercepted or spoofed, so those methods carry more risk even with two-factor authentication enabled.
Secret questions, such as your mother’s maiden name or where you went to high school, can accidentally be shared with others. With a smartphone app, someone would have to physically have your phone to access the account, making it much less likely that cyberhackers will access your accounts.
Education and compliance testing for your staff
You can make all the security changes in the world, but they won’t make a difference if you don’t educate employees about why they’re in place and how to stay in compliance. Teach your team about password security and sensitivity and how to use the password manager to generate and store strong passwords.
You can, and should, leverage external security testing resources to run phishing and penetration tests. These tests will help ensure that your employees aren’t clicking on suspicious links, opening unknown attachments, or giving out sensitive information over email.
While these best practices aren’t new, the new year is always a good time to review and make sure your security systems are up to date. Deploying these three best practices as soon as possible can help you prevent data theft in your firm as we head into 2022.
Could your firm benefit from getting firm management and IT leaders in alignment?
The Boomer Technology Circles are a peer group of firm and technology leaders in the accounting profession who benefit from aligning IT and firm strategy and building valuable long-term relationships with solution providers and peers. Apply now to start building confidence in your firm’s technology decisions.
As a Technology and Business Analyst for Boomer Consulting, Inc., Chris Rochford leverages a diverse background in web development and technology consulting. His role involves managing Boomer Consulting, Inc.’s internal technology, as well as researching how new and emerging technologies can be leveraged internally and for our external clients.
Before joining Boomer Consulting, Inc., Chris spent 15 years in tech, doing web development for state and local government agencies and commercial clients.