The way businesses treat their customers’ data is almost always huge news. Mishandling customer information can seriously tarnish the reputation of a business and, in some cases, lead to legal issues.
Crunching the numbers of cyber security
According to the Cyber Security Breaches Survey 2020, almost half of businesses (46%) reported cyber security breaches in the past 12 months.
There are also signs that cyber attacks are on the increase. 32% of businesses say they experience cyber security issues as frequently as once a week. That’s a 10% jump from those reported in 2017.
In the financial services industry we deal with some of the most sensitive information about a business. Keeping clients’ data safe is a top priority.
What are an accountant’s responsibilities?
Financial data in the wrong hands can quickly become a tool that cyber thieves exploit. As such, there’s a huge amount of responsibility to store sensitive client data securely.
Accountancy firms dealing with confidential information must be careful to minimise the risk of client data being misplaced or lost. There’s also a strong emphasis on data corruption.
Not only should the data be as accurate as possible, it must be safe with those who look after it. That means safeguarding against deliberate data breaches as much as accidental lapses. It’s a key part of protecting trust in the client-accountant relationship.
Legislation around data protection varies around the world, though most countries do have some sort of legal protection in place.
GDPR and accountants
GDPR is a series of legal regulations designed to safeguard personal data. Working out what the legislation meant in actual working practice was big news in the industry.
Don’t worry, we won’t go through the entire GDPR for accountants document here. But, it is important to have a quick refresh of some of the main points.
In broad terms
The GDPR applies to two types of people:
- Controllers – the person who determines the purpose of the personal data.
- Processors – the person who is responsible for processing the data on behalf of the controller.
No matter which one of these categories you fall into, you’ll need to follow the legal obligations of the GDPR.
The data an accountant collects
The client data that your firm holds can take many forms. Names, addresses, dates of birth, and even IP addresses, location data and cookie identifiers. Some of the key principles to keep in mind when processing personal information are as follows:
- Process data in a transparent manner.
- Collect data for a legitimate purpose.
- Keep all of the data you hold accurate, and up to date.
- Retain data only as long as it’s necessary to do so.
- Process data in a way that minimises unlawful processing, accidental loss, or damage. We’ll go through some of the ways to achieve this further on.
There are also rules about how you acquire and manage data, including:
- Obtaining consent from clients to process their data.
- Ensuring the methods for obtaining and storing data are secure and confidential.
- Providing clients with access to whatever personal data you keep on them.
This means it’s the accountancy firm’s responsibility to manage any potential vulnerabilities in data storage.
Businesses who fail to protect their customer data can face large penalties of up to €10 million, or 2% of annual turnover – whichever is higher. A data leak can end up costing you a lot more than your reputation.
Top practices for keeping client data secure
But how exactly do you protect customer data? There’s no single solution which can solve your data protection concerns by itself, but there are relatively simple steps to take.
Protect against cyber attacks
One of the main ways that client data can be compromised is through a cyber attack.
So, cover the basics, such as making sure all of your software is up to date. These updates often contain security patches which help protect against the latest malware and criminal techniques.
Cyber-criminals will also try to gain access to customer or business data through phishing attacks. It’s important to prepare staff for this, for example by providing training sessions to help them recognise phishing scams.
While it may be tough to fully protect your company against the more dedicated hackers, having safeguards will deter most threats and lessen the likelihood of a data breach.
Have a strict email policy
Make sure you put a strict email policy in place. Taking the time to train staff on email etiquette can be a great tool in helping to keep data secure.
While it may seem obvious, remind everyone not to email data such as passwords, or to include a complete set of data in one email.
- For instance, if you need to send payment card details, consider sending the card number and expiry by one method, and the security code (CVV) by another.
This way a single compromised email does not expose the complete set of data.
The same goes for any other methods of communication you use, such as instant messaging or social media.
Promote a strong password policy
One of the easiest ways into any system is through a weak password, so a strong password policy is crucial in any modern business.
Criminals generally get past passwords either by simply guessing them, or by cracking them through brute-force or dictionary attacks. Creating a strong password is a good way to mitigate the chance of this, especially when you include a few numbers and symbols.
- Remember, a password such as ‘Accountancy01’ will be a lot easier to guess or crack than a password such as ‘0H7k0UmkJiUk’. And yes, using your postcode or business name is also an obvious choice to avoid.
Thankfully password managers mean you don’t have to worry about trying to remember these obscure passwords either. All you need to do is remember one very strong password, and you’re all set.
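As an added illustration of the point above (example code, not from the original post), a small Python policy checker in the spirit of the advice: the firm name and postcode it blocklists are constructed placeholders, and the entropy estimate is deliberately naive to show why a length-and-character-class score alone does not catch ‘Accountancy01’.

```python
import math
import re
import string

# Constructed policy context: placeholder firm name and postcode, not real values.
FIRM_BLOCKLIST = ["Pandle", "SW1A 1AA"]
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "accountancy", "accounts"}
MIN_LENGTH = 12
MIN_BITS = 60.0

def _normalise(s: str) -> str:
    """Lower-case and drop spacing/punctuation so 'SW1A 1AA' equals 'sw1a1aa'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def charset_size(pw: str) -> int:
    """Size of the union of character classes present in pw (lower, upper, digit, symbol)."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size

def search_space_bits(pw: str) -> float:
    """Naive brute-force bound log2(charset ** length); blind to dictionary attacks."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def looks_like_word_plus_suffix(pw: str) -> bool:
    """Catch the 'Word01' / 'Word!' shape that dictionary attacks try first."""
    m = re.fullmatch(r"([A-Za-z]{4,})([\d" + re.escape(string.punctuation) + r"]{0,4})", pw)
    return bool(m) and m.group(1).lower() in COMMON_WORDS

def contains_firm_term(pw: str) -> bool:
    """Reject passwords embedding the firm's name or postcode in any case or spacing."""
    n = _normalise(pw)
    return any(_normalise(t) in n for t in FIRM_BLOCKLIST)

def check_password(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if search_space_bits(pw) < MIN_BITS:
        problems.append(f"brute-force search space below {MIN_BITS:.0f} bits")
    if looks_like_word_plus_suffix(pw):
        problems.append("dictionary word with a short digit/symbol suffix")
    if contains_firm_term(pw):
        problems.append("contains the firm's name or postcode")
    return problems
```

‘Accountancy01’ scores about 77 bits on the naive estimate, above the 60-bit floor, and is rejected only by the dictionary-shape check; ‘Pandle-SW1A1AA!’ scores higher still and is rejected only by the firm-term check.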
Don’t allow remote work to cause vulnerabilities
With the current global pandemic looking like it might be around a while yet, many people are still working from home. This can present some problems when it comes to data protection.
- If your company isn’t well-versed in remote work, you may need to set up some procedures to make sure it’s done safely.
It’s also important to make sure that each employee takes care of their personal computer. This includes keeping their operating system, antivirus software and firewall all up to date. It will greatly lessen the chances of a successful attack.
Don’t forget about physical data
If your company hasn’t fully transitioned to a digital working environment just yet, you might have customer data in files and folders, or even backed up on portable hard drives.
Making sure these are locked safely away is a good practice to abide by. Not every data breach is a digital one. Files and folders can go missing or be stolen, which can lead to just as much trouble.
In some cases, it’s actually easier to physically break into an office than a secure network.
Ensure your office is well protected, and consider installing CCTV, securing entrances and controlling access. This also means making sure site visitors don’t see any confidential files that are in use during their visit.
How modern fintech companies are approaching client data security
With updated legislation such as GDPR, and greater awareness of data breaches, fintech companies are leading the way with data security.
Data encryption is now commonplace, and any sensitive data is kept safe using well-established algorithms such as the Advanced Encryption Standard (AES) or the Rivest-Shamir-Adleman (RSA) algorithm.
Choosing secure accounting software
The good news is that most modern accounting software takes data security very seriously and uses these secure encryption methods.
If you are logging into multiple clients’ accounts to store transaction records, financial statements and reports, this all needs to be handled securely. Ideally, you will want to choose a piece of accounting software which provides multi-factor authentication and secure encryption for client data.
- For example, Pandle uses a secure HTTPS connection (128-bit SSL) which is the same technology used by banks to encrypt data on their websites.
HTTPS encrypts data while it is in transit, which reduces the chance of ‘digital eavesdropping’ or ‘man-in-the-middle’ attacks.
Another area to look at is whether the bookkeeping software connects to bank accounts and other third-party apps. For example, with Pandle’s Bank Feeds feature, you may have to refresh your bank feed every so often due to multi-factor authentication rules from banks such as Barclays or HSBC. It helps maintain a secure connection.
Beyond the software features themselves, it’s also important to apply good password practice to your software accounts.
Generally, both you and the client will receive a login or authentication code to link both users to the software. These passwords and codes should be protected securely and not shared over email, to avoid creating vulnerabilities.
Although it can seem like a lot to remember at first, in most cases, safeguarding client data in your accountancy firm will only require some simple changes.
To help protect client data, it may be worth revisiting staff training on good password practice – particularly if you have had a few new hires or company policy has changed.
Some other key areas to look at include your choice of accounting software. It’s worth remembering that cloud-based software automatically updates with security upgrades and other changes.
Learn more about using Pandle cloud-based bookkeeping software with your clients.