Protect Your Data: Complete a Risk Assessment for Your Accounting Firm
What is a risk assessment for accounting firms? Simply put, it’s an appraisal of your practice’s ability to keep itself from falling prey to cybercrime. The risk assessment will help you identify, evaluate, and prioritize areas where your cybersecurity measures are leaving you vulnerable to an attack.
Know What Data You Have
The first step is knowing what you need to protect. Even though everyone is aware that they need to protect themselves against cyberthieves, Luke Kiely, Chief Information Security Officer at SmartVault, says firm leaders’ biggest problem is that they’re not always aware that their biggest asset is data. “You need to know what you’re protecting,” he cautions.
Make a list of the data you handle. The IRS recommends this categorization:
- Personally Identifiable Information
  - Social Security #
  - State-issued ID #
  - Driver’s license #
  - Passport #
  - Mother’s Maiden Name
  - Credit history
  - Criminal history
- Name & Contact Information
  - Telephone number
  - E-mail address
  - Mobile number
  - Date of birth
  - EFINs / PTINs / CAF#
- Personal Characteristics & Health/Insurance Information
  - Marital status
  - Insurance account #
  - Medicare and Medicaid information
- Financial Data & Employment Information
  - Credit, ATM, debit card #
  - Bank Accounts
  - Service fees
  - Compensation info
  - Background check info
Map Where Your Data Is and Where It Goes
Now that you know what information your firm has, you need to pay attention to how you’re handling it. That means looking at the software and hardware you use and evaluating your current operations. Think about your in-house and virtual teams and the contractors or vendors who have access.
Review the flow of information you receive about and from your clients. Document, as completely as you can, how it is cared for, stored, and accessed. Is it online or offline, stored locally or in the cloud? Identify all potential points of failure in your workflow, systems, and personnel. For example, if your business stores all vital information in only one place, what would happen if the method you use to access it failed or was destroyed?
Let’s say you have everything saved on an encrypted hard drive, but suddenly, that computer is infected with ransomware and everything is lost. Could you recover the data from another secure backup? What would happen if you couldn’t?
This also applies to people. Perhaps your bookkeeper is the only one who knows vital or sensitive information about a client. If that person leaves your company, how would you recover those details — or would they just be lost?
Complete This Risk Assessment for Accountants Worksheet
We’ve designed this worksheet to help you assess what you need to address within your firm. Once you have identified any weaknesses, it will help you create an action plan to strengthen your cybersecurity approach. Download your copy of the worksheet today.