The Accountant’s Ultimate Guide to Cybersecurity

Accounting and finance professionals face high risks of cyberattacks. This is because you handle a tremendous amount of sensitive data that cybercriminals are eager to access. You must take cybersecurity seriously and implement best practices to keep your data safe and your business successful. But it’s not just about following best practices – tax and accounting professionals are legally obligated to safeguard data.

Continue reading to learn about cybersecurity for accounting firms and how to build a cybersecurity program that will protect your firm’s data and meet compliance.

Why Should Accountants Prioritize Cybersecurity?
What Makes Your Accounting Firm Vulnerable to Cyberattacks?
What Should be in a Cybersecurity Program for Accounting Firms?
What’s Next After Implementing a Cybersecurity Plan?
How Can a Document Management System Increase Cybersecurity?

1. Why Should Accountants Prioritize Cybersecurity?

Accounting and tax professionals are at high risk of cyberattacks simply because of what they do, the data they handle, and the clients they serve. And, if you’re a small to medium-sized firm, you’re at an even greater risk because criminals assume you don’t have the cybersecurity knowledge and safeguards larger businesses have.

Accountants' Risks of Data Breaches Are Increasing

Cyberattacks, tax fraud, and scams are rampant, and criminals only get bolder and cleverer each year. Reports have shown that tax and accounting-related scams are rising: there were eight million reports of tax scams and fraud in 2022. This number is four times greater than the number of reports in 2021, and it’s not expected to drop anytime soon.

And there’s more. Reports show that over 95% of data breaches are caused by human error and that a company is a victim of a ransomware attack every 11 seconds. The cost of a data breach is astronomical: The average cost of a data breach in the United States in 2022 was over $9.4 million, and over $5 million in the UK, according to IBM.

Accounting Clients Expect Data Security

When you take proactive steps to protect data, it shows potential and current clients that you take data security seriously. This builds trust and credibility, increasing referrals, higher loyalty and retention, and positive reviews. It’s also something more taxpayers expect. According to Intuit’s 2022 Taxpayer Insights & Intelligence Brief,

73% want a secure place to upload documentation to their tax professional throughout the year
86% expect their tax documents and information to be stored with industry-standard security
74% expect to send their personal, sensitive data via a secure transfer

Batch Print And Distribute Documents Img

Firms Must Comply with Data Security Laws

UK tax and accounting professionals are legally obligated to comply with GDPR, or the General Data Protection Regulation, that became effective on May 25, 2018. Simply put, EU citizens have much say over what, how, why, where, and when their personal data is used, processed, or disposed of.

Penalties for non-compliance can be steep with fines, class action lawsuits, disruption to your business, brand damage, and more.

Find out more about GDPR compliance in section 3.

How can you meet the high demands of cybersecurity?

Your accounting tech stack should include a secure document management system and client portal.

Features Watch Overview Video

2. What Makes Your Accounting Firm Vulnerable to Cyberattacks?

The most effective way to safeguard data is to understand how criminals access it and how vulnerable your firm is. To ensure you notice when someone is trying to hack into your system, be aware of the common methods. Here are just 4 of the common methods used in cyberattacks:

Malware

Viruses, spyware, and ransomware designed to steal your data and destroy and/or damage your computers and systems. Infections typically happen from clicking on a link or opening an infected email attachment.

Ransomware

Ransomware keeps you from accessing your data by encrypting your files, making them unreadable. The criminals give you an ultimatum: Pay up or lose the data indefinitely.

Phishing

This type of attack lures people into disclosing their personal information and is usually performed via email or text message. They appear to come from known, trusted sources, like your partner, client, bank, or even places like big-box stores.

Man-in-the-Middle (MitM)

Scams Specific to Tax and Accounting Professionals

Here are 3 common ways criminals scam tax firms and their clients:

Sending texts and emails claiming to be from the government and demanding immediate action.
Stealing taxpayers’ identities and applying for fraudulent unemployment benefits (called “Claim Hijacking” or “Claim Account Takeover”).
Stealing identities and tax refunds.

Protect Your Data: Complete a Risk Assessment

So, how can you keep your firm safe from these threats? Start by completing a risk assessment to identify, evaluate, and prioritize areas where your cybersecurity measures leave you vulnerable.

First, make a list of all the data you handle and how. That means looking at the software and hardware you use and evaluating your current operations. Think about your teams, both in-house and virtual, and the contractors or vendors who have access. Review the flow of information you receive about and from your clients. Document as much as possible about how it is cared for, stored, and accessed. Is it online, offline, locally, or in the cloud?

Identify all potential points of failure in your workflow, systems, and personnel. For example, if your business stores all vital information in only one place, what would happen if the method you use to access it failed or was destroyed?

How You're Putting Data at Risk

Here are four common ways firms (unknowingly) put their data at risk of attack:

Avoiding System Updates

Too many people increase their vulnerability by ignoring or postponing software updates.

Not Training Staff

Patrick Schreiner, a business cybersecurity risk advisor, says untrained staff are a big source of mistakes and warns that cyberattacks frequently start when someone clicks a malicious link in an email or downloads an attachment.

Not Following Simple Best Practices

Make good security hygiene a regular part of your routine, like using complex passwords, multi-factor authentication (MFA), and antivirus software.

Hear real-life examples and learn actionable tips to secure your data in this on-demand webinar with experts Randy Johnston and Luke Kiely.

Using Email to Share Sensitive Data

Email is one of the riskiest tools used in businesses today because anyone with know-how can intercept and read your emails. If a hacker gains access to a Form W-2, for example, in your email, they’ll receive the victim’s name, Social Security number, address, income, and more. This gives criminals exactly what they need to steal identities.

3. What Should be in a Cybersecurity Program for Accounting Firms?

There isn’t a one-size-fits-all approach to cybersecurity, but there are best practices that everyone should follow. Here are the top 5 Cybersecurity Practices for Accounting and Finance Professionals:

Use strong, unique passwords with at least 12 characters

The strongest passwords have letters, symbols, and numbers. It’s also important not to use the same password across multiple devices or accounts.

Keep all hardware and software updated

If you fail to update your devices, browsers, software, and so on, you’re vulnerable to malware and ransomware infections.

Recognize and report phishing attempts

The most common way hackers get your information is by sending you malicious links that look real but are hiding something malicious. If something looks odd or is even slightly suspicious, you and your team should promptly report it, delete it, and block the sender.

Be aware of social engineering

This attack tricks the victim into completing a request or providing personal information. The attacker pretends to be someone they’re not, like your manager, team member, or even a friend or family member. They may contact you online (email, social media, etc.) or through phone calls.

Be wary of public Wi-Fi

Using public Wi-Fi can lead to serious consequences, like man-in-the-middle cyberattacks. Using a personal hotspot or a virtual private network (VPN) is the most secure way to work in public areas like your library, café, or coffee shop.

Understand GDPR Compliance

Here are some items GDPR requires:

Right to be Forgotten: Individuals can request you delete or remove their personal data when there’s no compelling reason for you to keep it.
Right of Access: Individuals have the right to obtain access to their data, and you must give it to them within 30 days of the request (free of charge, too).
Right to Data Portability: Individuals can move, copy or transfer personal data easily and securely from one IT environment to another.
Data Integrity & Secure Transmission of Data: Data must be confidentially and securely processed, and only authorized individuals should have access.
Full Document & Workflow Audit: You must document how (and why) data is processed and transferred, including who has access to the data at each stage.

Simplify GDPR Compliance with Tech

See how a document management system and client portal can help you with GDPR compliance and more.

Learn more.

Don’t Forget a Disaster Recovery Plan

While the word “disaster” might make you think of once-in-a-generation weather events and other freak scenarios only the most cautious worry about, it could be caused by something much more ubiquitous: a power outage, for example.

Regardless of the cause, a disaster is a significant interruption and often means lost data and extensive money and time spent restoring everything. And you’re likely to experience at least one disaster during the life of your business. While exact estimates vary, most experts agree that the majority of companies – between 70% and 96% – were affected by an event that resulted in data loss in the last three years.

Automatic Data Backup Tip: You won’t lose anything to natural disasters, power failures, or human errors using a document management system (DMS) with automatic data backup. Learn more.

That’s why every firm needs a disaster recovery plan (DRP). A DRP is your blueprint for responding to unplanned events. Accounting practices without DRPs waste time trying to figure out the best path forward. They also must make quick decisions because they typically don’t have time to thoroughly think through each option when they’re facing an emergency.

Featured Guide: The Accountant’s Ultimate Guide to Cybersecurity

Clever cyber thieves have cost Americans millions of dollars, and while some traps might be easier to spot than others, it’s best to stay on your guard – anyone, even the most vigilant person, can be fooled. Regardless of your firm size or who your clients are, this comprehensive guide will teach you about cybersecurity and actions you can implement to proactively protect your data.

Download the Guide

4. What’s Next After Implementing a Cybersecurity Plan?

Once you’ve implemented your new cybersecurity program and trained your staff, it’s time to bring your clients in. Additionally, you’ll need to make sure you stay updated as new cybersecurity threats emerge.

Share Your Security Plan with Clients

Feel free to use this flyer as inspiration to get started on your external plan for clients. Note it was written for firms who use a document management system and client portal.

Plan for Today and Tomorrow

It’s not enough to plan for risks you’re aware of right now: Technology changes quickly, and if you don’t stay current, cyberthieves will remain one step ahead of you. Keeping your data secure means planning for the threats of today and tomorrow.

But you’re not an IT professional. Your tech knowledge is limited to certain things, and you don’t have time to be sitting there trolling the Internet, looking for cybercrime news that won’t necessarily translate to a non-tech person. So, how can you stay updated?

Stay Updated on Cybersecurity Threats

Here are three simple ways to ensure you don’t miss information that’s vital to updating your cybersecurity program:

1. Follow experts on Twitter and LinkedIn

Experts in the field post to LinkedIn and Twitter all the time and are the first to know when it comes to new threats. You can find experts through a simple Google search, but here are a few you should check out:

Brian Krebs, investigative journalist and author of cybersecurity blog krebsonsecurity.com, which is updated daily
Andy Greenberg, writer for WIRED, whose pieces frequently focus on cybersecurity and who is a recognized expert
Graham Cluley, a researcher, host of the Smashing Security podcast, and writer whose daily blog, grahamcluley.com, offers cybersecurity tips for readers

2. Talk to your fellow accountants

When it comes to getting information that’s particularly relevant to your profession, there’s nobody better to talk to than another accountant. As you develop your cybersecurity program, reach out to your network to find out what others have been dealing with and how they decided to tackle the problem. People who frequently talk about their tech stack, like Dawn Brolin and Randy Johnston, will also have information on fraud, scams, and cyber threats that are targeted at accountants and their clients.

3. Speak to your tech vendors

In addition to communicating with other accountants, don’t forget to speak with your tech vendors about cybersecurity. Remember: Since it’s their products you’re using to keep your data safe and since their reputations are incumbent on their solutions being as secure as possible, they’ll be up to date on the latest risks and will be able to help you maximize their solution to ensure you’re not vulnerable.

5. How Can a Document Management System Increase Cybersecurity?

Accounting practices will continue to face stronger security and compliance scrutiny by clients and regulators in the future. A document management system (DMS) that’s built with security and compliance in mind will ensure your firm retains client trust, keeps data safe, and adheres to IRS regulations. A surefire way to increase your cybersecurity is to implement a DMS and client portal at your firm. A document management system will solve many security issues by taking the following measures:

Encrypting data during transit and while at rest

When sensitive data is at rest or being exchanged over the internet, it’s crucial that your data is encrypted every step of the way so no one can hijack your information and use it for malicious purposes. By using advanced encryption methods such as SSL and AES-256, a cloud DMS could provide stronger protection for your data.

Providing controlled access to information

How your information is stored and who has access to it are critical to your overall security and compliance framework. With a security and compliance-first cloud-based DMS, you can easily set granular access permissions to folders and documents, and allow access to files via only authenticated logins. These added security and compliance steps help enhance your data and document security measures, which could increase your level of compliance to regulations.

Offering secure data backup

Your documents and metadata are always stored using highly redundant replicated storage. Multiple copies of metadata and documents are stored in multiple geographical locations and backed up regularly to ensure data availability.

Tracking all activity

An activity log is an automatically generated, time-stamped trail of all activities that happened in your document management system. It tracks all events from all users such as document creation, download, and deletion and generates an audit trail of what’s happening in your account. No person, including the engineers of the platform, can make any changes to this trail, making it the authoritative record for auditing purposes. This feature is a requirement from several industry-specific compliance regulations. Depending on your industry, it could very well be the single most important determining factor during your cloud DMS vendor selection process.

Evaluate Tech and Vendors

When researching document management system options, start by looking at comparison/review sites. You should also do an online search and ask your network of peers what they use or recommend. Consider who will use the technology and how. Don’t forget to also consider security requirements and how the DMS will help you comply with certain regulations.

Make a list of the ‘must-have’ features and how they support your business goals. You’ll also need to consider how the DMS will fit into or impact your current tech stack. This includes integration with the other apps you use today. And, of course, you’ll want to consider price and what else the vendor offers. You’ll want a partner who can help you configure the DMS to your needs and set you up for success. Confirm they offer services like:

A dedicated Customer Success Manager
Onboarding and system configurations, including migrating data as applicable
A detailed knowledge base with training resources, webinars, and “How To” guides and articles, as well as an academy
Personalized, live, one-on-one training sessions to get you up and running
System usage reviews that include suggestions for improvement based on your unique needs

Once you’ve chosen the top 2-3 finalists, consider doing a trial of the solutions to see them in action. You can select a few staff (or clients) to use it too and provide their feedback. When the trial periods are over, you should choose the DMS for your practice and move ahead to implementation and training

Achieve The Paperless Workfolow Youve Img

Let SmartVault Manage Document Security For You

A cyberattack can strike when you least suspect it, and as we’ve learned, data breaches can cost a business lots of time, money, and embarrassment. We take the responsibility of protecting your business’s sensitive documents seriously. SmartVault is built with bank-level security and compliance in mind.

Protect all documents and data

SmartVault employs encryption and SSL technology to protect your documents, passwords, and interactions – whether in transit or at rest. Automatic data backup means you won’t lose anything to natural disasters, power failures, or human errors.

Control who has access to what

Manage specific levels of user permissions and access rights so your staff can move forward on their work while client files are protected. SmartVault users can also see exactly what’s happening, like who created, accessed, downloaded, and deleted documents. This audit history is required to prove compliance for some industries and businesses.

Satisfy compliance requirements

SmartVault’s security practices support document workflows that comply with regulations like HIPAA, FINRA, SEC, GDPR, and more.

Access files and collaborate anytime, anywhere

Enjoy the convenience of working in the cloud, without compromising on the security, compliance, and productivity features you need to run your business. Wherever you are and whenever you need to, you can collaborate with employees and clients from any web browser or mobile device by simply logging into your SmartVault portal.

SmartVault is the easiest and most secure way to optimize how you, your staff, and your clients gather, store, share, and eSign documents in the cloud. Learn more today.

Get Started Now

Open a free trial account to get started now.

Start Free Trial

See SmartVault in Action

Book a 15-minute demo to see exactly how SmartVault can work for your business.

See A Demo