Technology and Taxes: The Accountant’s Responsibility
In the world we live in today, the only way to avoid falling victim to malware and/or identity theft is to disconnect yourself and your workstation from the internet. Unfortunately, in today’s business environment, that is not an option.
Accounting firms maintain a significant amount of personal data on behalf of their clients, ranging from financial records to personally identifiable information. Keeping this data safe is a real concern for every single organization that houses it; the question is, are you following best practices to minimize your risk of a breach?
There is no way to be completely sure that a system is impenetrable and safe from a cybersecurity threat; however, exercising best practices can turn the difficult task into a manageable event. Threats will continue to emerge and impact those that do not establish a strategy grounded in best practices. First and foremost, the highest risk is posed by the human end-user. Even a firm with the most well-planned and well-funded technology investment, including safeguarding its perimeter, hardening the endpoints with application whitelisting policies and subscribing to advanced threat protection services, is still at risk through the human end-user. People are the first line of defense against cybersecurity attacks. Hackers are smart; they will start where the path to success does not require penetrating through layers of security. Instead, they rely on an attachment or a hyperlink that will grant them the level of access they need without breaking a sweat.
One way hackers accomplish their goals is by engaging their target in a phishing expedition. Phishing scams are a popular way for hackers to try to get your personal information, and, if successful, hackers don’t have to do anything to get into your account other than send you an email.
Email is another means of information transfer where one needs to be vigilant. Did you know that if you or a member of your organization receive emails that contain sensitive information and ignore the email, neither deleting nor reporting the incident, the entire company is held liable for irresponsible data handling?
While we’re on the subject of emails, note that the IRS does not initiate contact with taxpayers by social media channels to request personal or financial information. During tax season, there will be numerous attempts to scam both the accountants and taxpayers, so it’s important to not open any attachments or click on any links contained in the emails. Instead, forward the email to email@example.com.
The Rise of Mobile
The workforce of today has become increasingly mobile, and with mobility comes challenges with securing devices that fall outside of your domain. For example, let’s look at smart phones. Most firms do not issue firm-owned devices to all employees, opting instead for a “bring your own device” policy. These personal devices store corporate data, including emails, contacts and documents which reside locally. This leaves personal devices open to increased security risks — it only takes one breached or malware-infected mobile application to comb through your personal device and read/move any data on your device without your knowledge. If your corporate applications are not secured using Mobile Device Management solutions, you’re introducing a huge risk to your clients’ personal data. To mitigate some of the risks, all smart phones should have a screen lock and password protection for corporate data applications. It is also important to remember that you should never connect to public WiFi networks. Why? Because the moment your mobile device sends data to a website or service over these public networks, it can be intercepted and will no longer remain private.
What About Flash Drives?
Flash drives are another way that hackers can trick you into giving access to personal information. While it may not be the easiest solution, putting an end to flash drives, unless they’re encrypted, will mitigate some of that risk. Encryption is one of the most effective methods to protect your data because, without the key, any data stored on the device cannot be decrypted.
Laws around data protection are rapidly changing, and compliance with these laws will continue to impact modern society. For example, the California Consumer Privacy Act (CCPA) was recently introduced to enhance privacy rights and consumer protection for residents of California. CCPA is the beginning of “America’s General Data Protection Regulation (GDPR).” Similar to GDPR, CCPA will require organizations to focus on user data and provide transparency in how they are collecting, sharing and using such data.
GDPR is also very much in favor of encryption as a security measure. Article 34, Section 3(a), frees data controllers from having to notify affected individuals about a personal data breach if the controller has implemented protection measures, “in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.”
The Role of the Accountant as Security Advisor
The need for robust security changes the responsibility of every individual both inside and outside of an organization. This means that as an accountant, you must carry out your usual duties: preparing tax returns, payments, necessary paperwork and reporting, while also becoming a security advisor to your clients. For example, there is a good chance that your clients are not running the most sophisticated security solutions and yet insist on using their current tools to send you sensitive data. It is imperative that you stress firm policies and procedures around the transfer of information as often as possible to continue creating awareness for your clients. In addition, firms must adopt policies for receiving data through portals, which are essentially a gateway for clients to share information securely via the internet. Many portals offer virus scans and usually block attachments before they’re eligible for download.
Clients trust their accountants with their most prized possession: data. But as long as there are Internet-enabled devices, there will be those who exploit them to harm the uninformed. With education around best practices relating to security, you’re taking monumental steps to reduce these threats and keep your data from being compromised.
Gurjit Singh is the chief information officer at Prager Metis CPAS LLC.
This article appeared in the January/February 2020 issue of New Jersey CPA magazine.