CPA Practice Advisor

APR 2012

Today's Technology for Tomorrow's Firm.

Issue link: https://cpapracticeadvisor.epubxp.com/i/58700


TIPS & TRICKS

SSN/TIN Masking

Along the same lines as the inherent lack of security of email, the documents themselves may be insecure whether they are in paper or digital format, and in some states can face the same penalties. What am I talking about? Mostly Social Security, Taxpayer ID and account numbers. There is rarely any reason for these numbers to be printed (on paper or digitally) on a client's copy of tax returns or other documents, at least not in their entirety. Most modern practice management and tax systems have features that either mask sensitive information automatically, or have a user setting to do so (hiding all but the last four digits of an SSN, for example).

which is encrypting your client emails, but doing so manually and on a one-at-a-time basis is tedious, time consuming and prone to user error.

What's the risk? Potential loss of client data, of course, but also potential fines, as many states ramp up digital protection laws. In Massachusetts, firms can be fined up to $10,000 for each breach of security.

You still need to deliver returns, reports and other documents to your clients, of course, and in the paperless world, this means using a secure portal or document management system that automatically encrypts files before they even leave your computer, and keeps them that way until a client logs into their side. You can read our review of portals at www.CPAPracticeAdvisor.com/10457012, and our review of document storage and management systems will be coming in our May and June issues.

Password Strategies

The most common way that the bad guys will get into your computer, server or mobile devices isn't through a virus or high-tech approach. They are much more likely to get in by guessing your password.

Unfortunately, most business professionals, and especially those in the accounting and tax space, interact with so many software programs and websites that require passwords that trying to remember dozens or more different passwords at the recommended strength is a major challenge. We all know we're not supposed to use the names of loved ones, birthdates and other generally accessible information, but what else should you think about? Good passwords should have six to eight characters, including upper and lowercase letters and numbers, while excellent passwords also include non-alphanumeric characters.

And take it seriously. A recent report by information security provider Trustwave shows that far too many people are really lazy, with the most commonly used business system password being... "Password1," and other variations of the word are also common. Egads.

It just isn't possible to remember all of them if they are different, so most users have resorted to either using the same password on most technologies, or even worse, having a Post-It note or scrap of paper listing all of their passwords. The first method is at least a little better than the second, which is just so transparently dangerous.

Another option is to segregate your online accounts and programs into those that hold truly sensitive data (such as tax programs, bank accounts, etc.), and those that don't (such as online subscriptions and news and entertainment websites). Once separated, you can have different passwords for each group, which isn't optimal, but does offer a modicum of protection and is better than the all-in-one or scrap paper options.

If you've got too many to keep up with without using one of the bad options above, a better solution may be to use a password management tool, such as RoboForm (www.RoboForm.com) or LastPass (www.LastPass.com), which you can use to store passwords, and then only have to remember your password for that tool.

Both of the systems can then automatically input your correct password into programs and online sites. CNET and PCWorld rated both programs as effective and secure.

SAS 70 SSAE 16

The AICPA's SAS 70 standard has been replaced by SSAE 16, the "Statement on Standards for Attestation Engagements, Reporting on Controls at a Service Organization." Is your firm required to use only SSAE-audited online technology vendors? No, but it can offer an easily identifiable means of assurance that the document management or data backup service provider takes security issues seriously. Others to look for include SSL security credentials, such as VeriSign, DigiCert and Thawte.

Paper and Digital Document Retention

If you're serious about being a paperless firm, then it takes more than just a scanner and a document management system to make that happen; it also requires a change in how you process your engagements. For tax returns, the best practices that have been developed focus on front-end scanning; that is, digitizing the documents right when they come in the door, then destroying the original or returning it to the client. Retaining less paper in the office reduces the risk of loss, and also reduces the need for physical filing cabinets.

Just as with paper-based documents, digital files often have the same general retention requirements. Most advanced document management systems, and some tax systems with built-in document management functions, include the ability to set retention policies, whereby files are automatically (or with prompting) deleted after a predetermined time frame, such as three years.

Technology has driven today's firms to be ever more productive and capable, but to get the most from paperless, online and workflow automation systems, it's necessary to take a step back and see if your processes need to evolve along with your new technologies.
How you handle security is just as critical, and as your firm evolves, it's just as important to assess the safety of your client data, the most valuable asset you have.
