This one is mainly for all my new friends in Facebook’s Tax 101 group (especially the people who are new to flying solo). Still, it is good advice for most business owners and just regular people too although not all of it may apply to your particular situation.
- Change your passwords annually. Change the login passwords on your work machine and those for your critical cloud services (tax software, accounting software, client management software, etc.) and use long passphrases (at least 16 characters) where possible. Don’t want to keep track? Consider a password manager such as LastPass (not an endorsement, just a suggestion). Here are a couple you might not think about—change the password on your router and your WiFi login (or ask your IT person to do it). Your router/modem is the gateway to your computers. My router has the password on a sticker on the side—of course I changed that. And then I change it annually as part of my office security protocols.
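To make the “at least 16 characters” rule concrete, here is an added example (not code from the post) that builds a random passphrase from a wordlist and reports how much guessing resistance it carries. The wordlist is a small constructed sample; a real tool would load a published diceware-style list of several thousand words, and the `entropy_bits` figure is what changes when you do.

```python
import math
import secrets

# Constructed sample wordlist for illustration only. A real generator would
# load a published wordlist of several thousand words (assumption, not from the post).
SAMPLE_WORDLIST = [
    "ledger", "harbor", "violet", "cactus", "meadow", "pencil", "rocket", "silver",
    "thunder", "walnut", "anchor", "breeze", "copper", "dragon", "ember", "falcon",
]

MIN_LENGTH = 16  # the post's minimum passphrase length


def entropy_bits(words_in_phrase: int, wordlist_size: int) -> float:
    """Bits of entropy for a phrase of N words drawn uniformly from a list.

    Each word contributes log2(list size) bits; the phrase's length in
    characters is not what matters, the number of equally likely choices is.
    """
    return words_in_phrase * math.log2(wordlist_size)


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Pick words with the CSPRNG in `secrets`; `random` is not suitable for secrets."""
    if word_count < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def meets_length_policy(passphrase: str, minimum: int = MIN_LENGTH) -> bool:
    """The post's length rule, checked separately from entropy."""
    return len(passphrase) >= minimum


def generate_compliant(word_count: int = 4, wordlist=SAMPLE_WORDLIST,
                       sep: str = "-", minimum: int = MIN_LENGTH) -> str:
    """Generate a passphrase; if a short wordlist yields too few characters, add a word."""
    while True:
        phrase = generate_passphrase(word_count, wordlist, sep)
        if meets_length_policy(phrase, minimum):
            return phrase
        word_count += 1


if __name__ == "__main__":
    phrase = generate_compliant()
    print(phrase, len(phrase), "chars")
    print("entropy with the 16-word sample list:", entropy_bits(4, len(SAMPLE_WORDLIST)), "bits")
    print("entropy with a 7776-word diceware list:", round(entropy_bits(4, 7776), 1), "bits")
```

With the 16-word sample list a four-word phrase is only 16 bits of entropy however long it looks; with a 7776-word list the same four words are about 51.7 bits, which is why the size of the wordlist matters more than the separator or capitalization tricks.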
- And speaking of your WiFi...use the strongest WiFi encryption your modem allows and stop broadcasting your SSID. Your SSID is your network identifier. It lets people “see” the available networks in the area. You’re a tax shop. Don’t broadcast your network to any rando who’s driving around the neighborhood.
- Add multi-factor authentication to anything that allows it. That way even if your passwords are compromised whichever baddie ends up with them will also have to have your phone or your e-mail account credentials or something else to get into your cloud accounts.
- Purge old files. Paper and electronic files. I’ve heard #taxpros bragging that they have a copy of every return they’ve ever done. Either on a drive somewhere or in a file cabinet (the horror!). You know what that does? It increases your exposure in the event of a data breach by an order of magnitude. Data breaches aren’t all electronic. What happens if your files are on paper and angry burglars bust up your file cabinets and send those papers flying down the street (happened with my aunt’s personal paperwork—not fun)? Do you really want to have to pay for ID theft protection for a client from five years ago if they aren’t still a client? Do you really want to have to notify clients who are long gone in the event of a breach? Make a purge plan part of your written information security plan (WISP)—you do have a WISP, right? You are required to have one if you get paid to prepare tax returns.
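A purge plan for electronic files is easier to keep if a script does the finding. This added example (not from the post) walks a folder, lists every file whose last-modified date is older than a retention period, and only deletes when explicitly told to; the seven-year retention value and the folder layout are placeholders you would set from your own WISP, and `demo()` builds a constructed sample tree so the script runs offline.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Iterable, List, Optional

# Placeholder retention period; set this from your WISP / record-keeping
# requirements. Seven years is an assumption for the example, not advice.
RETENTION_YEARS = 7
SECONDS_PER_YEAR = 365.25 * 86400


def cutoff_time(retention_years: int, now: Optional[float] = None) -> float:
    """Unix timestamp before which a file is past its retention period."""
    now = time.time() if now is None else now
    return now - retention_years * SECONDS_PER_YEAR


def find_stale_files(root, retention_years: int = RETENTION_YEARS,
                     now: Optional[float] = None) -> List[Path]:
    """Files under root whose last-modified time is older than the cutoff.

    Uses mtime because that is the portable timestamp; if your workflow
    copies files (which resets mtime), key the check off a date in the
    folder name or a client database instead.
    """
    cutoff = cutoff_time(retention_years, now)
    stale = [p for p in Path(root).rglob("*")
             if p.is_file() and p.stat().st_mtime < cutoff]
    return sorted(stale)


def purge(paths: Iterable[Path], dry_run: bool = True) -> List[Path]:
    """Dry run by default: report what would go. Pass dry_run=False to delete.

    Note that unlink() does not overwrite the data; pair this with full-disk
    encryption so deleted blocks are not recoverable in plaintext.
    """
    handled = []
    for p in paths:
        if not dry_run:
            p.unlink()
        handled.append(p)
    return handled


def demo() -> List[str]:
    """Constructed sample: two folders past retention, one current. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        now = time.time()
        samples = {  # relative path -> age in years (constructed)
            "returns/2014/client_a.pdf": 9,
            "returns/2016/client_b.pdf": 7.5,
            "returns/2023/client_c.pdf": 0.5,
        }
        for rel, age_years in samples.items():
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample content")
            ts = now - age_years * SECONDS_PER_YEAR
            os.utime(p, (ts, ts))  # backdate the file to simulate an old return
        stale = find_stale_files(base, RETENTION_YEARS, now)
        report = purge(stale, dry_run=True)  # dry run: nothing is deleted here
        return sorted(p.relative_to(base).as_posix() for p in report)


if __name__ == "__main__":
    for rel in demo():
        print("past retention:", rel)
```

Run it on a real folder with `find_stale_files("/path/to/returns")` first and review the list against your client records; only then call `purge(..., dry_run=False)`. Paper files still need the shredder, and the script is a finder, not a substitute for the written retention schedule in the WISP.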
- Update your antivirus software and run a deep scan of your computer hardware. I recommend doing this at least quarterly, but you definitely want to do it before the clients come knocking this filing season.
- Encrypt your hard drives and flash drives, especially any drives that can be lost or stolen easily (so flash drives, removable storage, laptop HDDs).
- Turn off your machines! Now, this is more practical for some people than others, but basically if a machine is on and visible (see Tip #1) people can try to break into it. You can’t break into a machine that is off. Sure, you can set “time out” times for devices on your router (and you should). Turning the machines off if you really don’t require them to be on 24/7 just adds an extra layer of protection. I even unplug my router if I’m going to be away from the office more than a couple of days.
- Implement a “clean desk” policy. For those of you who are fully paperless, the Windows + L key is your friend (it locks your screen immediately). If you aren’t paperless, be sure that if you step away from your desk or leave for the evening that client information is not easily accessible to anyone who might have to come into the office. I mean, my landlord is allowed to enter my office during a building emergency. I don’t want them seeing my stuff!
- Consider (or reconsider) how you are collecting and storing your clients’ personally identifying information. Many amazing applications allow you to conveniently collect all sorts of client data with only a click or two. But you need to know if what you are using is secure. Does it encrypt the data? Is that data passed through or stored somewhere in the cloud? What happens if the company who owns/runs the application has a breach? Are you liable? To what extent? Who knows?! Certain information I simply will not collect using a web-based form because I don’t know enough to answer those questions. You need to decide for yourself and your firm where the line is between automation/convenience and security. And, like all things tax, “it depends”. It’s going to depend on the size/volume of clients your firm handles. It’s going to depend on your risk tolerance. Technology is wonderful and can help us all become more profitable, but it’s important to use it mindfully.
- Remember there are three basic types of security: cyber security, physical security, and operations security. Most of these tips are cyber and physical. Operations security is looking at your office processes and procedures and your staff, and ensuring that your processes/procedures keep your office secure and that your staff is trained and not actively or inadvertently compromising your well-thought-out procedures by their actions.
Good #taxpros don’t rely on luck to keep information safe. Security is an active process! Stay active in the new year!