Technology is changing faster than ever before. New developments in information security keep everyone on their toes, especially CPA firms that are proactive about their technology and operations. That’s why it’s important to understand how these new developments in technology can affect a CPA firm’s client documents. Document security is critically important to CPA firms, so be on the lookout for these warning signs.
- You aren’t sure exactly who is in the office at any given time.
Many CPA firms have clients and vendors coming in and out throughout the day. Do you have procedures in place to make sure those people aren’t able to access areas they shouldn’t be in? After hours, who is looking after your office? Make sure wherever your data is stored is physically secure. That means protecting physical assets from tampering, theft and destruction using CCTV, site security guards, single entry/no tailgating doors and even RFID technology tracking. Intrusion detection and monitoring systems should be in place to stop threats and alert team members and security staff. A third-party security audit of your processes, standards and security controls is a good idea.
- You haven’t revisited your security measures since your system was set up.
System security is an ongoing concern that must be continuously monitored, evaluated and adjusted. In addition to scanning for malware and viruses every time files are added to the system or sent outside the system, active penetration testing should be performed to scan for and identify vulnerabilities. These tests should simulate actual attacks using industry-standard tools and procedures.
- You don’t have a plan for what to do if your server fails or is compromised.
Servers don’t last forever, and many firms wait until they have no choice but to replace their servers. If something goes wrong, you need to make sure you have a backup, as well as a backup of your backup. These backups should be tested to make sure they would be usable if needed, because a bad backup is just as bad as no backup at all. Redundant systems and high availability systems help reduce any potential downtime in case of an emergency. In addition, all client/server communication should be encrypted in transit, and the data on the server should be encrypted at rest, so if someone does gain access to your server, the information on it will be encrypted.
- All of your employees have access to all (or most) of your data.
You should try to limit users’ access to files and other information to only the minimum data and functionality they need to complete assigned tasks. This might mean restricting access based on organizational structure, like office location, job level or job function. Role-based security groups are a good way to quickly assign security permissions. If possible, tie these in to your Active Directory security groups as well. Some examples of additional access groups are Staff Access Groups to control who is able to view and edit staff information and Client Access Groups to secure high net worth or high profile clients. Of course, you should have a process in place to regularly review permissions and to revoke permissions if an employee leaves.
- Your most sensitive documents are mixed in with your less sensitive documents.
Firm documents should always be stored separately from client documents, and staff documents such as employment documents, annual reviews, performance improvement plans, etc., need to be kept separate as well. Security groups only go part way to securing your client and firm information. Folder-level and file-level security offer the most granular levels of security in a document management system. Securing your documents at this level can be useful for highly confidential documents such as merger and acquisition documents, high-profile client documents and internal documents. These should only be used when other security levels do not provide enough or specific enough security.
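The role-based access groups described under the two previous warning signs (Client and Staff Access Groups tied to Active Directory, folder-level security for the most sensitive documents, and a periodic review that catches departed employees) can be put into practice with a short script. This is an added example, not code from the article or from any document management product; the OU, folder paths and group names are assumed, and it needs the RSAT ActiveDirectory module on a domain-joined file server.

```powershell
# Added example (not from the original article): map document folders to AD security
# groups, grant access only to the named group, and review memberships for disabled accounts.
# The OU, share paths and group names below are assumptions for illustration.
Import-Module ActiveDirectory

$GroupOU = 'OU=DocumentAccess,DC=firm,DC=example'   # assumed OU that holds the access groups
# Folder -> group map. Firm, staff and client documents live in separate trees.
$AccessMap = @{
    'D:\Documents\Clients\General'     = 'DM-Client-General'
    'D:\Documents\Clients\HighProfile' = 'DM-Client-HighProfile'  # high net worth / high profile clients
    'D:\Documents\Firm\Staff'          = 'DM-Staff-HR'            # reviews, PIPs, employment documents
    'D:\Documents\Firm\MandA'          = 'DM-Firm-MandA'          # merger and acquisition documents
}

function Initialize-DocumentAccess {
    foreach ($folder in $AccessMap.Keys) {
        $group = $AccessMap[$folder]
        if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
            New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $GroupOU
        }
        New-Item -ItemType Directory -Path $folder -Force | Out-Null
        $acl = Get-Acl -Path $folder
        # Break inheritance and drop inherited rules so broad parent-folder grants do not leak in.
        $acl.SetAccessRuleProtection($true, $false)
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$env:USERDOMAIN\$group", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
        Set-Acl -Path $folder -AclObject $acl
    }
}

function Get-DocumentAccessReview {
    # Periodic review: who can reach each folder, and which members are disabled accounts
    # (departed staff whose group membership was never revoked).
    foreach ($folder in $AccessMap.Keys) {
        $group = $AccessMap[$folder]
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            $user = Get-ADUser -Identity $member.SamAccountName -Properties Enabled
            [pscustomobject]@{
                Folder  = $folder; Group = $group; User = $user.SamAccountName
                Enabled = $user.Enabled
                Action  = if ($user.Enabled) { 'ok' } else { 'revoke membership' }
            }
        }
    }
}

Initialize-DocumentAccess
Get-DocumentAccessReview | Sort-Object Enabled | Format-Table -AutoSize
```

Run the review function on a schedule and treat every "revoke membership" row as an open item; the membership of the HighProfile and MandA groups is the shortest list and the one worth reading line by line.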
- You are sending documents to your clients via email.
Sending PDFs via email has never been a particularly safe way to share documents, and clients are starting to learn this. When sharing files with clients, ensure there is end-to-end encryption and require some sort of password or access code to access the files. Portals offer the best opportunity to share and collaborate on documents, but more temporary file exchange options can be appropriate if they do not rely on emailing a document back and forth.
Securing your client and firm documents
Keeping your firm’s data secure requires attention to a number of factors, from high-level physical security to granular security at the individual file level. When choosing a document management system, make sure you consider the unique security issues at each of these levels.
For more tips on keeping your client documents safe, download the whitepaper, Document Management Strategies: New and Upcoming Trends