Information privacy is one of the most critical factors in building and maintaining a successful accounting firm. To succeed in this area, data loss prevention needs to be emphasized to employees, from the top of the firm down, on a regular basis.
Data security policy manuals are often read during a new employee's first week and then filed away and forgotten. The problem is that they need to be evolving, engaging content that stays top of mind for every Los Angeles CPA.
Here are three ways you can get your team to improve their awareness and execution of data security for electronic files, email correspondence, and structured data.
1. Establish a Data Privacy and Security Committee
For some employees, taking on a leadership role in a mandate such as information security is exactly what makes them more engaged. Delegating responsibilities to both senior and junior staff from departments such as HR, Legal, IT, and management ensures the message reaches a variety of employees and isn’t restricted to a specific “clique” of senior members. Have the committee report regularly on the firm’s performance against Key Performance Indicators such as:
- Results of spot audits for policy compliance
- Achievement of milestones such as adherence to password requirements, mobile device security, and use of endpoint security technology
- Findings from a network vulnerability management system, celebrating months with no open exposures (and confirming that a clean month reflects a complete scan of every system, not a scanner that missed some of them)
- Extended periods without a virus or malware incident, with the team congratulated for each one
With the proper balance of reward and discipline around security policies, you will likely find people more invested than you would if the committee were viewed as a policing system rather than a risk containment or reputation mandate.
Have a little fun with it: talk about the “CIA Triad” (Confidentiality, Integrity, and Availability) or other memorable acronyms, and turn them into motivational posters for the office. Have the committee research industry resources for best practices and recent incidents that can keep data privacy front of mind for everyone at the firm.
2. Make the Policy a Living Document
With ever-changing topics such as mobile device security, Bring Your Own Device, zero-day exploits, and malware, a security policy book has minimal value if it is only updated once in a blue moon. Have employees certify their understanding of your policy at least once a year.
Make sure employees recognize that the policy is not a vehicle for punishing people who make mistakes, but a document that educates, informs, and empowers the firm to mitigate risk and protect its information assets and those of its employees. It also defines:
- The behaviors and responsibilities that compliance requires, setting an example for clients in their own data privacy stewardship
- Standards of risk management and data loss prevention that can scale as the accounting firm grows
- How the firm keeps the affairs of its senior executives, employees, clients, and business partners private and out of the headlines
- A “high-water mark” for continuous improvement and for retaining the trust of clients
3. Write the Policy for Readability, Not Legality
Nothing makes a document less effective than prose no one cares to read, or prose that reads like a contract. If you want your firm’s colleagues and employees to adhere to the security standards you set, make sure the policy is written clearly.
Don’t be afraid to start from one of the many security policy templates that exist, but edit it so that it applies to your firm and doesn’t read like a template. Post the policy on a shared drive everyone has access to, and highlight one element of it every month. Just remember to reward good data protection practices as well as addressing failures to comply and poor practices, or your policy will fall flat.
If your firm is struggling to improve adherence to IT security practices, establish a data security policy that is current, clear, and compelling, and that ensures the confidential retention and management of your clients’ data. We can help you create practices and adopt solutions that protect your firm’s reputation and your client data from leakage or theft.
Does your LA CPA firm have a data security policy? And if so, do you routinely review it? Tell us about it in the Comments section below.
And to follow through on the tips introduced in this short article, be sure to download your free guide, 12 Ways for CPA Firms in LA to Utilize Technology More Efficiently.