Online Security for Accountants - What can you do?Back
Just about all accounting systems contain sensitive information that should be kept secure. Clearly in days past, a good lock and key with a decent security alarm kept all but the most determined at bay and clients' data was safe in a locked filing cabinet. Theft of data was a threat, but copies could be made and kept off-site if necessary.
Since the introduction of cloud computing in accountancy, data storage and security has been an issue many accountants have simply avoided. Whether your company uses a spreadsheet for accounts or a cloud accounting solutions such as Xero or Kashflow, data security is now a major issue as the number of threats grows daily.
WHAT ARE THE THREATS?
In essence there are three main types of threats; the 'sledgehammer', where an attack on your website or computer disables it for a time, or the 'subversive' attack, of which the victim can be unaware for sometimes many months.
'Sledgehammer' type attacks include "Denial of Service (DoS)" attacks, in which your server is 'flooded' with information requests causing it to shut down in a bid to protect itself. "Distributed Denial of Service (DDoS)" attacks occur when multiple DoS attacks occur from multiple locations at the same time in a coordinated effort to restrict access to your server (and website) for a prolonged period, often days.
Subversive attacks can be where malicious files are stored on PCs, servers and even smartphones. This malware or trojan can often do one or more of many things; they can record key-presses (useful for the attacker to steal passwords and logins), they can 'grab' sensitive data stored in databases' and even as a ticking time-bomb or 'ransomware', as seen in the recent attack on the UK's NHS (and other organisations across the world).
Corporate 'phishing' is a technique used by hackers to gain data from their targets which mainly involves an email enticement - they often send out email purporting to be from a recognised institution (such as Lloyds Bank, HMRC or Netflix) and ask you to click a button to reset your password. Instantly they gain your username and password and the hackers add your details to databases they sell on the dark web.
There are other types of threats, but those are the main ones that affect many people and organisations.
WHAT IS AT RISK?
As an accountant you've probably already made the move to an online solution such as Kashflow or Xero, in which case, your data at the storage end will be secure. These providers have invested heavily in security, protection and contingency planning: they often have significant redundancy and secure off-site backup servers, meaning that your data is about as secure as it can ever be.
Your clients' data is at risk. Personal data, accounting & financial data, HMRC data … we store so much data online today that
YOUR SECURITY PROCEDURES
Where the threat lies for you is in your procedures;
- Do you leave your computer logged in?
- Do you write down your usernames/passwords?
- Are your passwords complex enough (random letters, numbers & characters)?
- Do you have good anti-virus protection?
- Do you have a firewall installed on your PCs?
- What's your backup plan (maybe your cloud solution provides this)?
This may have already prompted you into thinking about a cyber-security review, but please read on to the end before you wander too far!
WHAT CAN YOU DO?
Not too long ago, we'd have advocated;
- Stronger passwords
- Don't write your passwords down
- Change passwords regularly
- Don't leave your computer logged on
… and much more, but the last few years have brought a number of innovative solutions to help you. Many of these solutions are cross platform, meaning there are apps for Windows and MacOS, Android and iOS, even Blackberry and WindowsPhone (although the latter two will have less support).
Physical Security Solutions
Two Factor Authentication (2FA) - this type of login generally requires a code to be generated by an app on the user's phone, or by text message. You will still need your username and password (the first factor), but the second factor will be a pseudo random 4-6 digit code, valid only for 5 minutes. The chance of anyone cracking this system is negligible.
Yubico - https://www.yubico.com/. Yubico produce a physical security key that replaces password logins. Simply insert the key into the USB port when prompted and you're instantly logged in. No complicated passwords to remember, just keep the key on your keyring and you're always ready to log into your accounts. Bear in mind that this key does only protect a few types of accounts, but Gmail and Dropbox are supported.
LastPass - https://www.lastpass.com/. This app installs on your computer and as an extension to your web browser and it 'learns' your logins. Once stored, all you have to do is remember your one master account login and LastPass fills in the rest each time you visit a website. There's even a great feature in which LastPass will generate a very complex password for you, remember it and then insert your login details at the right time.
Intel TrueKey - https://www.truekey.com/. This solution is much like LastPass, but with one major difference: TrueKey can log in using multiple biometric tests. It can access your webcam and 'learn' your facial features, analysing the relationship between a number of points on your face, around the eyes and cheekbones. Fingerprint recognitions is also supported, something popular with a number of major smartphones.
There are many other password and security solutions out there, we've selected just a few to demonstrate how you can help yourself when it comes to the security of your data.
The first step towards greater security is to recognise the risk, assess the vulnerabilities and formulate a plan. Today is the best time to start being more secure - it's too late after a hack.