All too often people prioritize the wrong things when it comes to data security. Everyone goes to great lengths to protect their physical laptops, for example. They don’t leave them lying around just anywhere. They keep them hidden away when traveling. And eccentric passwords are used to protect them.
Yet, when it comes to the things laptops are actually used for, data protection is considered by few. Usually it’s only the most tech-savvy—the ones who know the risks.
Most people don’t have multi-factor authentication on their email. And an even larger number use the exact same password for hundreds of sites and accounts. It’s these types of “digital habits” that become the standards by which accounting firms, small businesses, and even major multinational corporations handle client information.
We’ve seen this happen at scale with the Yahoo data breaches in 2013 and 2014 (affecting over 3.5 billion users), the Marriott/Starwood breaches, Equifax, and when 100 million Capital One customers had their data compromised.
Unfortunately, these data breaches happen all the time. And they never happen because someone left the front door open. It’s because someone forgot to close the side door or the back door.
So, what do we do? And especially if you’re running an accounting firm, how can you ensure your most sensitive data doesn’t fall into the wrong hands?
At a high-level, there are 5 main categories of data security:
System/Data Tampering: Access to your systems or your data by an unauthorized third party.
Exploitation: Misusing resources that were left open and shouldn’t be available to people.
Unauthorized access: Accessing sensitive information people shouldn’t have access to.
Disruption: Disrupting the normal function(s) of business or business processes.
Ransomware: Attacking and either encrypting data or encrypting systems so that the original operators no longer have access.
Your basic data security must cover the above at a minimum.
It’s imperative that every staff member in your accounting firm does what must be done to protect the data they’re responsible for.
For example, here at Karbon, we make security education part of the onboarding process when a new employee starts. The basics are covered, like using the Okta platform to access protected passwords and apps (rather than writing passwords down anywhere or using the same password many times). And we also cover the obvious (yet, unfortunately, not-so-obvious) things, like not using outside removable USB sticks, practicing safe internet habits, and all the other scenarios that you’d be surprised how many people forget (or worse, don’t deem important).
Netflix’s The Great Hack acted as a bit of a wake-up call for people and businesses, showing how easily your data can be accessed from the world’s largest social media networks like Facebook. Ensuring you and your team are using multi-factor authentication in nearly all of your mainstream apps (email, Google, Office 365, etc.) has now become a basic requirement of responsible business practices.
How often does your team talk about security and privacy? Where does it play a role in your business? Does it get brought up at all?
As much as anything else, prioritizing data security and best practices is a cultural decision.
It horrifies me how many accounting practices around the world are still run on Windows servers that act, more or less, as an open invitation to the outside world.
They have virtually no security precautions. They aren’t operating with modern-day technologies. And their clients are left in the dark about the protection (or lack thereof) of their personal information.
One of the many justifications for moving to the cloud is having someone, or some entity, be responsible for making sure that company servers are secure, locked down, and inaccessible to anyone who isn’t authorized.
In fact, I view security as one of the most interesting industries in the world right now. It’s already massive, it’s still growing, and it has virtually unlimited potential. For proof, look no further than the 2019 IPO of CrowdStrike. This is a company looking to be the Salesforce of security, and they’re absolutely on that path. It highlights the heightened need and global interest in data privacy and protection happening across every profession, including accounting.
Now more than ever, security and privacy need to be embedded deeply into the culture of your accounting practice. Otherwise, a vulnerability or breach is inevitable.
Stuart started his first business 13 years ago and has had many successful ventures, including Paycycle, founded in 2009, which he sold to Xero in 2011. He then built the global Xero Payroll team that delivers payroll software across the US, AU, UK and NZ markets. In 2015, Stuart co-founded Karbon, and served as CEO until 2023. He remains an advisor, board member, and investor.