5 Security Tips for Small and Multi-location Tax and Accounting Firms: Tax Season and Beyond
April 12, 2017
Tax season is a busy time of year for hackers, given the ample opportunities to steal personal and financial information through phishing, hacking into computer networks, or other underhanded methods.
Small and multi-location tax and accounting firms in the cross hairs
Hackers are targeting these businesses – whether a small CPA firm or tax-preparation franchise – during this period because of the high volume of tax returns and other documents that they handle in preparing people’s taxes. These documents – often transmitted through cyberspace and stored on PCs or in the cloud – contain copious amounts of personally identifiable information (PII), which can be used to conduct identity theft or fraud and sold on the black market.
And don’t think that being small or in a remote office makes you an uninteresting target. In fact, it’s just the opposite. Hackers see small businesses as more vulnerable: 42 percent of them were hit by cyberattacks in 2015, according to the National Small Business Association.
What these businesses can do to protect themselves – and their clients
Here are five tips that go beyond the basics you probably already know, like watching out for phishing and malware, keeping your anti-virus software up-to-date and using different hard-to-guess passwords for different services.
1. Use secure remote access to your office PCs so that they are less vulnerable to cyberattacks.
Remotely accessing your office PCs through a laptop or tablet may let you keep your business going while you’re on the road or at home, but it also creates opportunities for hackers to attack your network and steal vital information.
That’s why it’s critically important to make sure you have secure remote access, and here are two ways to do just that:
Make sure your target web address starts with HTTPS and is next to a “padlock”:
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol, or code, over which data is sent between your browser and the website you are viewing. The “S” stands for “Secure,” meaning all communications between your browser and the website are encrypted, so make sure your target web address begins with HTTPS and not just HTTP.
You should also make sure your browser’s address bar shows a “padlock” symbol, usually to the left of the web address. This means the website has an SSL certificate, which, when installed on a web server, activates the padlock and the HTTPS protocol, thus allowing a secure connection between the website and the browser.
Lock down your login with two-factor authentication:
If you can, you should secure your username for remote login to your PCs by using two-factor authentication, where two pieces of information known only to you are needed to log in successfully.
Authentication information typically falls under the categories of knowledge (something you know), possession (something you have) or inherence (something you are). Two-factor authentication is becoming increasingly available for common web tools like GoToMyPC, PayPal, Facebook and Google.
2. Learn how to stay safe in a public hotspot.
It is often difficult to know for sure whether the Wi-Fi hotspot you’re using while sitting on a park bench or in the corner coffee shop is safe, so you should take a few precautions while on public Wi-Fi. Never enter a password for any web service, or any credit-card information, on public Wi-Fi unless you have double-checked that you have an HTTPS connection and have clicked on the padlock to confirm you are at the site you think you are.
Even with that, be very wary of accessing your bank information or paying with a credit card. Also, if you see a pop-up message that indicates something is wrong with the “certificate” of the location you are trying to access, then you should immediately stop using that connection altogether. Certificate errors are the most common sign that someone is trying to trick you into revealing your data.
You may want to avoid the issue altogether by using your smartphone as a tethered internet device. Many carriers, such as AT&T, Verizon and Yahoo, and Sprint, have a way to let you set up your phone as a secure Wi-Fi hotspot that can be accessed by other devices such as your laptop or tablet. This way, your data is unavailable to a nearby hacker since the connection is through a cellular network.
3. Encrypt files with password protection and send password separately through other channels.
You should encrypt files on your computer with passwords to deter hackers from getting access to information stored in those files, in the event you are breached. If a file is sent to someone through email, the password should be sent to the recipient in segments through different channels, such as text, IM or over the phone. This will prevent hackers from obtaining the password to the encrypted file, if they have compromised your PC, for example.
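One way to prepare the password for tip 3, as an added example that is not part of the original article: it generates a random file password and splits it into one share per channel. It goes a step beyond the plain "segments" described above by using XOR shares, so a share intercepted on one channel reveals nothing about the password. The channel names and function names are assumptions, and the file encryption itself is left to whatever tool the firm already uses.

```python
import base64
import secrets

CHANNELS = ("sms", "phone", "im")  # assumed channel names, one share each


def new_file_password(nbytes: int = 20) -> str:
    """Random password for the encrypted file (160 bits by default)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def split_password(password: str, channels=CHANNELS) -> dict:
    """Split the password into one share per channel.

    Every share but the last is random; the last is the password XORed
    with all the others, so any incomplete set of shares looks random.
    """
    if len(channels) < 2:
        raise ValueError("need at least two channels")
    secret = password.encode("utf-8")
    shares = [secrets.token_bytes(len(secret)) for _ in channels[:-1]]
    last = secret
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    # Base32 is easy to read aloud or type: only A-Z and 2-7.
    return {ch: base64.b32encode(s).decode("ascii")
            for ch, s in zip(channels, shares)}


def join_password(shares: dict) -> str:
    """Recipient side: XOR every share together to recover the password."""
    decoded = [base64.b32decode(s) for s in shares.values()]
    if len({len(d) for d in decoded}) != 1:
        raise ValueError("share lengths differ; one is truncated or mistyped")
    secret = bytes(len(decoded[0]))  # all-zero starting value
    for d in decoded:
        secret = bytes(a ^ b for a, b in zip(secret, d))
    return secret.decode("utf-8")


if __name__ == "__main__":
    pw = new_file_password()
    for channel, share in split_password(pw).items():
        print(f"{channel}: {share}")
```

Each share still reveals the password's length, so the password should be long and random, as `new_file_password` produces.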
4. Lock down your network with a firewall.
Most businesses have several firewalls in their PCs, cable modems and servers, and maybe even a dedicated firewall device. An improperly configured firewall, however, offers no defense at all, and proper management is a highly specialized skill that even a highly trained IT specialist may not have.
Your firm should hire a managed security service provider, or MSSP, to make sure it has the firewall protection it needs. Your business should also create strong passwords for firewalls, servers, and network devices instead of using default codes – and change them often – to limit remote access to the appropriate people such as managers or vendors who perform routine system maintenance.
5. Get big-company security for cheap.
Large firms employ an advanced security technology called security information and event management (SIEM) to help monitor their network and device alerts, and breach detection to detect and block threats. These technologies, however, are really complicated to operate and manage, which has put them out of reach for small businesses.
SIEM and breach detection are available as a managed service from certain providers. As a result, this protection is in reach of any size company or remote office, so firms will be able to focus on providing the best service to their clients with the peace of mind of having enterprise-class security to protect them.
Whatever the size of your financial services firm, you should ensure that you have the proper cybersecurity measures and follow best practices to prevent your business from falling victim to the next cyberattack. Hackers are continually coming up with newer, more sophisticated ways to steal valuable information through breaches, so it is imperative that you remain ever vigilant against the next attack to protect the security of your business and your clients - not only during tax time but throughout the entire year.