
Secure Your Clients' Confidential Data With Your Accounting Website Design


The absolute foundations of a firm's customer relations are confidence and trust. This makes information security and confidentiality one of the most significant duties you take on when you choose to be a CPA. With office productivity becoming more and more dependent on online communications, and with the net becoming progressively more complex and vulnerable to internet crime, this can easily become a problem if your clients perceive you as uncertain about how online security works. Your CPA website is a central component of your online security strategy. Many of your clients are not especially internet savvy, and the data they routinely send you is very sensitive. To protect them you're going to want a basic familiarity with your website and its security features.

Of course, physical security is important. Let's just assume you have that covered. This means your network access is restricted to your own dedicated IP (your IT guy can tell you what that means), your computers require password-protected logins, you keep your doors locked at night, and your office is protected by a good alarm system. It's fairly easy to secure your physical location, but once you start transferring data, holes in your security become trickier to fill.

The weakest of weak links in any accounting firm is email.

Let me put this plainly. Email is a wonderful medium for routine communications, but its ease of use has lured many accounting firms up the garden path. Don't allow your clients and staff to email confidential information.

When you send an email you send it "out there". Much of the process occurs on servers over which you have no control, and for which there is little or no accountability. There is a common misconception that when you send an email it goes straight to the recipient, but nothing could be further from the truth. Messages are routed through a vast network of mail servers. By the time a message reaches its destination it has likely passed through a dozen or so third-party servers. If even one of these servers has been compromised by a hacker's virus or trojan, so has your email. Identity thieves harvest huge amounts of information in this way.

There are ways to make it harder to open the file. Passwords and encryption can slow a hacker down, but they won't necessarily stop one. Given time there's no password that can't be broken, and as computers become faster and more powerful, encryption becomes easier and faster to hack.

Design your accounting website to compensate for these risks.

When you design your website include a Secure File Transfer feature. This feature allows your ISP server to connect directly to your web server and transfer the data. There are no third party servers relaying the information. Every client should have his or her own password protected directory on the server, rather like an online safe-deposit box, so that only you and they can access it. Encrypting the transfer adds another layer of protection that will protect your data from an "insider attack". The best of these systems will even let you store the data on the web server in an encrypted format making the system suitable for long-term document storage.
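The "safe-deposit box" rule above (each client reaches only his or her own directory, while firm staff reach every box) is an authorization check the web server has to enforce on every request. The following is an added example, not code from the original article; it assumes a made-up layout of one directory per client under `/srv/vault` and two roles, "client" and "staff". It also shows the edge case a practitioner cares about: a request containing `..` or an absolute path is refused rather than silently mapped into another client's box.

```python
import posixpath
from typing import Optional

# Assumed layout (not from the article): one directory per client under this root.
VAULT_ROOT = "/srv/vault"


def client_root(client_id: str) -> str:
    """The client's own 'safe-deposit box' directory on the web server."""
    return posixpath.join(VAULT_ROOT, client_id)


def resolve_request(client_id: str, requested: str) -> Optional[str]:
    """Map a client's requested file name onto that client's own directory.

    Returns the resolved server path, or None if the request would escape the
    client's box (a leading '/', or '..' components), so no client can ever
    reach another client's files through a crafted file name.
    """
    root = client_root(client_id)
    # posixpath.join discards root if `requested` is absolute; normpath then
    # collapses '..' and '.' so the containment test below sees the real target.
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def authorise(user: str, role: str, client_id: str, requested: str) -> Optional[str]:
    """Only the client who owns the box, or firm staff, may open it.

    Role names 'client' and 'staff' are assumed for this example.
    """
    if role == "staff" or (role == "client" and user == client_id):
        return resolve_request(client_id, requested)
    return None  # wrong client, or an unknown role: deny
```

A denied request should also be logged, since repeated `..` or cross-client file names from one login are a useful signal of someone probing the transfer area.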

There are a few security standards you should know about.

Passwords

Passwords need to be protected from "brute-force" attacks by forcing a time-out if a login attempt fails more than a few times in a row. This will prevent automated programs from hacking the password by simply trying all the available combinations. The longer your password is, the more secure it is. The absolute minimum safe password length is eight characters, and passwords should be alphanumeric (containing a mix of letters and numbers). Human beings are the most common cause of compromised passwords. Hackers call this "social engineering". You'd be shocked how many hackers get people's passwords by simply asking for them. Never tell anyone your password, and avoid leaving it written down anywhere that your staff and clients can find it.
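The two technical rules in this section, a time-out after a few consecutive failed logins and a minimum of eight alphanumeric characters, look like this when enforced in code. This is an added example, not code from the original article; the three-failure threshold and the fifteen-minute time-out are assumed values, and the actual credential check (comparing a password hash) is left to the caller.

```python
import time
from dataclasses import dataclass, field
from typing import Dict

MAX_FAILURES = 3        # consecutive failures allowed before a time-out (assumed)
LOCKOUT_SECONDS = 900   # length of the time-out, 15 minutes (assumed)
MIN_LENGTH = 8          # the article's stated minimum safe password length


def password_meets_policy(password: str) -> bool:
    """Article policy: at least eight characters, mixing letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class LoginGuard:
    """Tracks consecutive failures per account and enforces the time-out."""
    failures: Dict[str, int] = field(default_factory=dict)       # account -> count
    locked_until: Dict[str, float] = field(default_factory=dict) # account -> unix time

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'denied'.

        `password_ok` is the result of the real hash comparison, done by the
        caller; `now` is passed in so the behaviour is testable without sleeping.
        """
        if self.is_locked(account, now):
            return "locked"   # refuse during the time-out, even if the password is right
        if password_ok:
            self.failures.pop(account, None)   # a success resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(MAX_FAILURES):
        guard.attempt("client1", False, time.time())
    print(guard.attempt("client1", True, time.time()))  # locked
```

Note that a locked account answers "locked" to a correct password too: that is what stops an automated program from racing through the remaining combinations during the time-out.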

Security Certificates

Security certificates are central to online encryption. They store the keys used to decrypt online data. Make sure you get your security certificate from a trusted source and keep it up to date, or your users will receive warnings from their browsers when they visit your site.

SSL and TLS

These are encryption protocols. SSL, or "Secure Sockets Layer", is an older protocol that is still seeing widespread use. The second commonly found encryption protocol is much newer. The adoption of "Transport Layer Security" has been slow because many offices use older equipment or unsupported applications that are incompatible with it. Both work pretty much the same way. TLS has made some technical improvements, but the details are too technical to explain here. There is a third type called PCT, or "Private Communications Transport", that is relatively unused.

SAS 70

This is an accounting industry standard managed by the AICPA. It's a simple auditing statement. It's not just industry self-policing, though. Publicly traded accounting firms must be SAS 70 certified by law. A SAS 70 certification indicates that the firm's security has been accepted by the auditor.

Gramm-Leach-Bliley Act

Also called the "Financial Services Modernization Act", this legislation includes rules that govern the privacy standards of all financial institutions, which by definition includes any firm that prepares taxes. This rule has very particular requirements that have to be adhered to by all accounting firms, including with regard to information security. All accounting firms and other financial institutions must produce a written information security scheme, appoint an individual to manage security, scrutinize the security standards of every division working with customer information, establish a continuing program to monitor information protection, and keep these procedures current with changing technology.




Kenny Marshall is an internet marketing consultant and former VP of CPA Site Solutions, an Accounting Website Design firm.