How Accounting Firms Can Improve Client Data Protection

Author: Craig Pollack Date: Jan 29, 2018 Topics: _CPA and Accountant Blogs

I need not remind you that your clients look to you, as their Los Angeles certified public accountant (CPA), to safeguard their information and financial data. Implementing comprehensive client data protection policies, procedures, and security systems to protect their information truly requires a team effort by your staff.

First and foremost, these efforts require a commitment to funding the necessary financial investment for the task. Additionally, it requires partnering with security experts, like FPA, who can implement the highest quality integrated security systems to protect your client data for years to come.

Data security is a major concern across a number of industries. The Securities Industry and Financial Markets Association (SIFMA) is working to institute four principles as an industry standard in an attempt to make client data safer and more secure. The four principles include:

  1. Access;
  2. Security and responsibility;
  3. Transparency and permission; and
  4. A clear scope of access and use.

While technology plays a major role, it isn’t the be-all and end-all of security initiatives. Strategies that incorporate these principles — and other security considerations — can go a long way in protecting your firm and its clients.

I’ve put together a list of three strategies that your firm can leverage to protect your clients’ business, your organization’s reputation, and mitigate the risk of data loss.

1. Reward Compliance with Client Data Security Policies

Sometimes security policies don’t succeed because they involve too much “stick” and not enough “carrot.” In order to avoid this, set actionable goals for your team such as implementing clean desk policies, ensuring their antivirus apps are maintained, and requiring that they keep their mobile devices protected. You don’t have to get silly with your rewards, as all it might take is a company picnic or another incentive to get everyone on the same page about client data security.

Positive reinforcement through firm-wide emails about the benefits of protecting client data and best practices can have a more positive impact than belittling an employee for leaving their cabinet unlocked by accident.

Placing posters and messages about the importance of client data security in visible places also can drive the message home with employees. An additional benefit is it also makes a good impression with visiting clients as well.

2. Conduct a Proactive Third-Party Security Audit

I’m pretty sure you’ll agree that it’s always better to discover any potential network security vulnerabilities yourself through a pre-arranged security audit than to have a hacker discover and exploit them first. At its most basic level, penetration testing checks on the vulnerabilities of your network perimeter, including:

  • Firewalls and Demilitarized Zone (DMZ);
  • Intrusion Detection or Prevention Systems; and
  • Wi-Fi Intrusion Prevention Systems (WIPS) or, better still, limit the use of Wi-Fi for guest or mobile devices.

A penetration test on your network can help to maintain the confidence of your clients and keep you out of the dog house. The results of a clean audit, even after a round of remediation of exposures, can help you to gain credibility with new clients during the onboarding process. And, in the spirit of transparency, you can share the results online via social media, your website, and other communication channels.

3. TCOB with BYOD Policies

Proceed with caution when it comes to allowing mobile device access to your clients’ sensitive data. The first step to mitigating the risk of this information falling into the wrong hands is to restrict the ability for it to leave your office. Install security applications on “data at rest” devices, such as laptops, tablets, and mobile phones, in the event that the device becomes lost or stolen.

If your firm’s senior leadership insist on using a device of their choosing, then be sure the device meets your organization’s requirements for data protection as well as develop and implement a comprehensive mobile device security policy. Other recommended moves would be to adopt advanced identification verification systems, such as multifactor or two factor authorization (2FA), and to conduct an offsite backup of your data. The former will help to protect your data from being accessed by the wrong people, and the latter will assist in recovery in the event of a natural or man-made disaster.

Require all employees to regularly back up their preferred devices to your cloud backup system. If they aren’t willing to toe the line and abide by your corporate security practices, then require them to only use devices for work that are provided by your company. Making a few employees unhappy is preferable to allowing your important data to become stolen or lost.

Bottom Line

Protecting client data means ensuring your people, processes, and technology are aligned to prioritize privacy and security. In order to maintain the good reputation you’ve established over the years as a Los Angeles accounting firm, be sure to follow these strategies so you can focus on continuing to provide secure, reliable accounting advisory services.

What other strategies would you recommend for protecting client data? What have you or your firm done to mitigate the risk of data loss? Please share your thoughts and experiences in the comments section below or shoot me an email if you’d like to chat about this in more detail.

12 Ways for CPA Firms in LA Use Technology ebook


Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.