Keeping your firm’s data secure is essential but increasingly difficult, so it pays to stay informed about security best practices. When you identify threats promptly, your firm can mitigate risks before they turn into incidents. Most accountants, however, are not information security experts, so a good place to start is the guidance published by professional authorities.
As part of its mission to protect consumers, the FTC has issued a number of security best practices and recommendations for protecting accounts against password compromise. The FTC strongly recommends multi-factor authentication and lists it as one of the top three ways to prevent identity theft.
“Use multi-factor authentication, when it’s available. Multi-factor authentication adds another layer of protection against attacks. What’s multi-factor authentication? To log in, you must combine something you know (like a password), with an additional factor, which is usually something you have (like a code texted to a mobile phone) or something you are (like a fingerprint).”
Because identity theft often leads to tax fraud, the IRS has taken a special interest in protecting taxpayer data. Its “Don’t Take the Bait” campaign draws attention to information security in tax firms, and a recent communication urged firms to make data security an everyday priority. One of the key steps a firm can take is to use strong passwords.
“Good passwords consist of a random sequence of letters (upper case and lower case), numbers, and special characters. The NIST recommends passwords be at least 12 characters long. For systems or applications that have important information, use multiple forms of identification (called “multi-factor” or “dual factor” authentication).”
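As an added illustration of the two factors described in the FTC and IRS guidance above (example code written for this page, not code from either agency or from the original article), the following Python combines a salted, deliberately slow password hash for the “something you know” factor with a time-based one-time code (RFC 6238 TOTP, the kind an authenticator app produces) for the “something you have” factor. The password, the TOTP secret and the timestamps are constructed demo values; the TOTP secret is the reference key from RFC 6238 Appendix B so the generated codes can be checked against the RFC’s published test vectors.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo values for this example only; they are not real credentials.
DEMO_PASSWORD = "correct horse battery staple"
# 20-byte reference secret from RFC 6238 Appendix B, used here so the
# generated codes can be compared with the RFC's published test vectors.
DEMO_TOTP_SECRET = b"12345678901234567890"

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def enroll_password(password: str) -> tuple:
    """Hash a new password with a fresh random salt using scrypt; store both values."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Factor 1, 'something you know': recompute the hash and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated to 6 digits."""
    counter = unix_time // TOTP_STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10**TOTP_DIGITS).zfill(TOTP_DIGITS)


def check_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2, 'something you have': accept the current 30-second step or one step
    either side to tolerate clock drift; compare in constant time."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(password: str, code: str, salt: bytes, digest: bytes,
          totp_secret: bytes, unix_time: int) -> bool:
    """Both factors are always evaluated, so a wrong password does not short-circuit
    and reveal through timing which factor failed. Login succeeds only if both pass."""
    password_ok = check_password(password, salt, digest)
    code_ok = check_totp(totp_secret, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    salt, digest = enroll_password(DEMO_PASSWORD)
    now = 59  # RFC 6238 vector: at T=59 the 6-digit SHA-1 code is 287082
    print("correct password + current code:",
          login(DEMO_PASSWORD, totp_code(DEMO_TOTP_SECRET, now), salt, digest, DEMO_TOTP_SECRET, now))
    print("correct password + stale code:  ",
          login(DEMO_PASSWORD, "287082", salt, digest, DEMO_TOTP_SECRET, now + 120))
```

The point the example makes concrete is that an attacker who has phished or guessed the password still fails at `login` without the device holding the TOTP secret, and a code captured today is useless two minutes later. A code texted to a phone, as the FTC quote mentions, looks the same to the user, but the server then checks it against the code it sent rather than deriving it from a shared secret as `totp_code` does here.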
The AICPA recently published a CPA Firm Security Briefing by Roman Kepczyk that recommends a number of steps firms can take to minimize the risk of becoming a cyber-victim. One of those recommendations is to secure every device used by staff.
“Firm personnel must be taught and reminded how to properly secure any devices that connect to the firm’s network including home computers, tablets, smartphones, and USB flash drives, in addition to their firm laptop. All devices that could contain confidential data locally should have access controls (passwords, screensavers, etc.) and have their drives encrypted with tools such as BitLocker, Intel/McAfee, Sophos, Symantec, etc. Firms also need to remind personnel to never leave equipment unsecured and that it is best to keep it in their possession when in transit.”