The COVID-19 pandemic has fundamentally changed the way people work. Millions of employees have been able to stay productive while working from home during bottlenecks thanks to remote collaboration technologies like Zoom, WebEx and Teams. Very quickly, virtual meetings became ubiquitous and people could connect with their managers and clients or make presentations from any location with internet access, including in other countries. Even though much of the country is going back to business (mostly) as usual, companies instituting flexible or work-from-home policies may need to review their telecommuting policies and practices to help protect data.
While working from home has been critical to business continuity over the past 15 months, it has also opened up potentially major security concerns for businesses. In an office, there are many ways to secure data, including firewalls and physical security measures such as badges, doors, locks, and keys. However, remote employees could work from their home, car, or a local cafe. They have laptops, cell phones, tablets and smartwatches, all of which communicate with each other and can use several different services (Wi-Fi, Bluetooth, cellular data, RFID).
Being outside a secure office makes these employees and their data – your data and that of your customers – vulnerable to data breaches and hackers. Even something like a chat or text message can contain confidential information, such as a social security number, date of birth, tax information, or even medical information.
That’s why robust data security is vital for any business. Data breaches that compromise customer or employee data are notoriously expensive, averaging over $3.9 million in 2020. They not only damage a company’s reputation and bottom line, but can also lead to the theft of customer information, proprietary information, or intellectual property. Think about all the due diligence-related information your business has about clients who might be preparing for an IPO or merger with another company.
These are the risks that prompted the American Institute of CPAs to add to its code of professional conduct the policy relating to confidential customer information, 1.700.001, which deals with the disclosure of confidential customer information without the specific consent of the customer. This rule goes hand in hand with Tax Code Sec. 7216, where non-compliance can result in fines and other consequences.
It is in this context that all companies must make a concerted effort to be vigilant in protecting their data and that of their customers. Executives of accounting firms need to recognize the issues affecting their firm and take steps to educate their professionals. With that in mind, here are some practical ways to secure data access, stay compliant, and mitigate damage in the event of a breach.
Encryption is your friend
Perhaps you have equipped all your employees with laptops and a secure virtual private network. While a VPN can be enough protection when employees use their devices on a secure home network, what if they travel or decide to work in a coffee shop? Many hotels, airports and cafes offer free Wi-Fi, but these unsecured networks can allow hackers to access data that is supposed to be secure. A VPN can protect outgoing data, but it still leaves the laptop or tablet itself vulnerable through other potentially active services such as Bluetooth, hotspots, or RFID. Encrypting the device itself will make it much more difficult for criminals to access data.
Encryption can also help protect a device if it is physically stolen. Unattended computers, tablets or mobile phones are tempting targets for thieves. With the device in their possession, a thief might have a treasure trove of confidential information to sell or use to scam your customers. If a device is encrypted, the data is safe and you only lose the device. This could mean the difference between $1,000 and $1,000,000.
Mobile devices are designed to facilitate communication. However, this is a double-edged sword unless safeguards are in place. For example, virtually all mobile devices are equipped with Bluetooth, and a growing number can be used as an Internet access point or incorporate radio frequency identification (RFID) technology. If these services are enabled, a hacker could potentially compromise the device. While these services can be beneficial, they don’t need to be active 24/7. All employees should be instructed to turn them off until needed, especially when traveling.
Make sure to back up your data
With millions of Americans telecommuting, tens of millions of laptops and other devices are floating around filled with potentially sensitive data. This increases the risk of data loss if a device is lost, stolen, or damaged. Employees should back up their devices daily, or at least once a week, so that information remains accessible in the event of a catastrophic failure. Additionally, it is critical that employees limit backups to company-approved destinations (e.g., cloud storage, on-premise servers, encrypted hard drives). Backing up to any other location exposes their organizations to a potential data breach over which they have no control.
As a business leader, you need to work with your IT team to ensure that mobile devices with access to business information are using properly “containerized” applications so that your business data is automatically backed up, even if the rest of the device data is not. Note that even everyday emails and collaboration tools are loaded with sensitive documents and data that could easily be leaked. To reiterate, always (1) encrypt devices and (2) save important information.
A few decades ago, it was virtually unthinkable that employees would have access to a secure server from their homes, or be a potential target for hackers. Executives of accounting firms need to adapt their security practices to the times and, perhaps more importantly, educate employees about cybersecurity. Even with these three relatively simple steps, businesses can significantly reduce the chances of being the subject of a costly data breach or cybercrime incident.