Protecting client data makes good business sense. And in case you forgot, it?s your legal responsibility.
Under the FTC?s Safeguard Rule, ?financial institutions? must protect the information they collect. Organizations we might not associate as a financial institution, such as CPAs, accountants and tax preparers, are also required to comply with the law. Since these organizations manage data and information for their clients, cyberattacks are a genuine threat regardless of if you are a sole proprietor or sizable national firm. Simply stated, if you accept sensitive data, you will be a target and should have a security program in place to secure your client?s data.?
As business leaders, there are steps you can take to make your clients? data and business safer from cyberattacks.
Start with a Plan?
A formal information security plan implies a level of commitment and identifies how your organization will protect the security, confidentiality, and integrity of your clients? information and comply with the law. The information security plan should be viewed as part of your businesses? strategy and standard processes. In our digital world, managing cyber risk is an essential part of operating a business. Whether you are a small or large business, you should implement an information security plan that balances your businesses? security risk with the needs and capabilities (resource constraints) of your business. If you don?t have an in-house information security expert, I would suggest a Virtual Chief Information Officer (vCISO) you can partner with who can educate and provide recommendations on how to best secure client?s information.
Implement and Test
Verify the security controls your business has defined in the information security plan are working as designed. Security controls are the technologies, policies, and procedures put in place to protect information. Many of the security controls are based on regulatory and/or state requirements. Other security controls include best ?cyber hygiene? practices that reduce vulnerabilities. Most of security controls focus on the most vulnerable areas of business operations, including:
Employee Education and Training
Employees are now the human firewall since much of the workforce is mobile and connected 24/7. Empower your employees to recognize common cyber threats to keep information secure. Employees should sign off on policies to ensure they are aware, in compliance, and understand the impact of not abiding by the policy.
Identity and Access Management
Businesses need to define and manage the roles and access privileges of users. These include policies around:
- Use of strong passwords with a minimum of 8 characters, use of special and alphanumeric characters, use of different passwords for each account (consider a password manager)
- Use of Multi-factor Authentication (hardware solution preferred, do not use SMS)
- Implementing Need-to-Know access controls, limiting access to sensitive data, providing access on a need to know basis
- Securing Wireless Network, password, or certificate protect wireless network?(provide a ?guest? network for visitors)
Endpoint Protection is the security solution that delivers antivirus, personal firewall, and application control capabilities to protect network endpoints or individual devices such as laptops and mobile devices.
- Install anti-malware and antivirus security software on all devices
- Encrypt sensitive files/email and use a strong password in transit and at rest
- Backup sensitive data to a safe and secure source
- Asset Management keeps an inventory of all devices and data accessed on the device. Ensure a ?verifiable? secure data destruction and disposal process is used to retire old devices including hard drives
In the event your business experiences a data loss or theft, you should have an action plan that outlines the steps you would take to recover. The action plan should have a clear communication strategy including a list of federal and state officials you need to notify, recovery access to applications and data, and alert your cyber insurance carrier of the data loss event.
Ready to take the First Steps towards Securing Your Client Data?
Let's schedule a call to discuss your company's cybersecurity plan.