IBM Security Global Forum


4 Critical Steps for Small Financial Firms To Safeguard Customer Data

By Andrej Kovacevic posted Sat January 20, 2024 11:00 AM


For the average small business, cybersecurity is critical because a misstep can cost a small fortune. Indeed, a staggering 60% of all small businesses close for good within six months of a cyberattack. However, there are some small businesses for whom the stakes are even higher than that. An excellent example of this is financial firms, including accountants and bookkeeping companies. They have both professional and legal obligations to safeguard their customers' financial data, which carries additional liability in the event of a data breach.

Oddly, however, you hardly see any mention of cybersecurity with regard to businesses of that type. Even detailed guides on how to start a bookkeeping business mention cybersecurity as little more than an expense to factor into planning. But there are quite a few things that all small accounting and bookkeeping firms need to do to maintain airtight customer data security. Here are four of the most important among them.

Use Hardware Keys and Encryption

The first and most important thing small accounting and bookkeeping firms can do to keep customer data safe is to use encryption on any device handling customer data. However, that alone isn't enough. To maximize the protection that encryption offers, it's important to eliminate any way an attacker might use employee credentials to bypass it. The best way to do this is to use hardware authentication keys instead of passwords or conventional multi-factor authentication.

The reason hardware keys work so well is that an attacker would need physical possession of one to gain access to any of the company's encrypted data. Even a lost key poses little risk, since anyone who found it would have no way to know what it unlocks. That gives companies that use hardware keys ample time to revoke the key's privileges long before anyone could use it for nefarious purposes.

Minimize User Access Rights

Even with bulletproof encryption and authentication controls in place, it is still important for any firm dealing with customer financial data to do whatever it can to minimize user access rights. In other words, all user credentials in such companies should follow the principle of least privilege (POLP). This means granting each employee access to only the specific data and systems necessary for them to work. It also means eliminating overprivileged accounts, which are commonly used by the owners of small firms. Those types of accounts not only make for appealing targets for attackers but render all other cybersecurity efforts moot once compromised.

For the same reason, small accounting and bookkeeping firms should make regular permissions audits part of their standard operating procedure. This is important to prevent the kind of permissions creep that can lead to cybersecurity lapses. In general, quarterly permissions audits will suffice, along with a well-defined offboarding procedure to revoke access rights for all departing employees.
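As an added illustration of what a quarterly permissions audit actually checks (this is example code written for this page, not part of the original post or any IBM product), the script below runs over a small constructed account inventory and reports the three lapses the section describes: over-privileged accounts, permissions creep beyond a role's baseline, and departed employees whose access was never revoked. It also flags accounts whose last review is older than the quarterly interval. The role names, permission strings, and the `Account` record format are hypothetical; a real firm would export these from its identity provider or accounting platform.

```python
"""Quarterly least-privilege audit over a constructed account inventory.

Added example for the IBM Security Community post; the roles, permission
names and inventory format are assumptions, not a real product's schema.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical role baselines: the only permissions each role needs to do
# its job. Anything beyond this is permissions creep.
ROLE_BASELINE = {
    "bookkeeper": frozenset({"ledger:read", "ledger:write", "invoices:read"}),
    "accountant": frozenset({"ledger:read", "ledger:write", "invoices:read",
                             "tax:read", "tax:write"}),
    "receptionist": frozenset({"calendar:read", "calendar:write"}),
}

# A blanket admin grant on a day-to-day account is the "overprivileged
# owner account" pattern the post warns about.
ADMIN_PERMS = frozenset({"admin:*"})

# Quarterly audits, as the post recommends.
REVIEW_INTERVAL_DAYS = 90


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    perms: frozenset
    active: bool          # login still enabled in the identity system
    employed: bool        # False once HR has offboarded the person
    last_reviewed: date   # when someone last confirmed these permissions


def audit(accounts, today):
    """Return (user, finding_kind, detail) tuples for every lapse found."""
    findings = []
    for a in accounts:
        baseline = ROLE_BASELINE.get(a.role, frozenset())

        # Offboarding gap: the person has left but can still log in.
        if a.active and not a.employed:
            findings.append((a.user, "offboarding",
                             "account still active after departure"))

        # Overprivileged account: blanket admin rights on a working login.
        if a.perms & ADMIN_PERMS:
            findings.append((a.user, "overprivileged",
                             "holds admin:* on a day-to-day account"))

        # Permissions creep: grants that the role baseline does not justify.
        creep = a.perms - baseline - ADMIN_PERMS
        if creep:
            findings.append((a.user, "creep",
                             "beyond role baseline: " + ", ".join(sorted(creep))))

        # Stale review: nobody has re-confirmed this account this quarter.
        age = (today - a.last_reviewed).days
        if age > REVIEW_INTERVAL_DAYS:
            findings.append((a.user, "stale-review",
                             f"last reviewed {age} days ago"))
    return findings


# Constructed sample inventory (not real people or a real firm's data).
TODAY = date(2024, 1, 20)
SAMPLE_ACCOUNTS = [
    # Bookkeeper who picked up a tax permission "temporarily" and kept it.
    Account("alice", "bookkeeper",
            frozenset({"ledger:read", "ledger:write", "invoices:read", "tax:write"}),
            active=True, employed=True, last_reviewed=date(2023, 12, 1)),
    # Owner using an admin:* account for ordinary accounting work.
    Account("bob", "accountant",
            ROLE_BASELINE["accountant"] | ADMIN_PERMS,
            active=True, employed=True, last_reviewed=date(2023, 12, 1)),
    # Receptionist who left the firm but was never disabled.
    Account("carol", "receptionist", ROLE_BASELINE["receptionist"],
            active=True, employed=False, last_reviewed=date(2023, 12, 1)),
    # Accountant with exactly the right rights, but not reviewed this quarter.
    Account("dave", "accountant", ROLE_BASELINE["accountant"],
            active=True, employed=True, last_reviewed=date(2023, 9, 1)),
]


if __name__ == "__main__":
    for user, kind, detail in audit(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:8} {kind:15} {detail}")
```

Running the script prints one line per finding; in practice the same `audit` function would be fed the firm's real user export each quarter, and the "offboarding" findings in particular should trigger immediate revocation rather than wait for the next review cycle.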

Deploy a Patch Management Solution

Next, it's also important for small accounting and bookkeeping firms to keep their devices and software up to date at all times. Missing software patches are a serious threat to businesses of all sizes, with such oversights playing a role in more than half of all data breaches in recent years. Depending on the nature of the missing patches, this can even undermine security measures like encryption and secure access controls.

The simplest way to solve the problem is to choose and deploy a patch management solution. This refers to software and platforms that track installed software and operating systems and deploy patches to them automatically. They also allow businesses to set update standards that prevent individual employees from delaying or bypassing update schedules. Such delays are common and represent a major cybersecurity vulnerability for businesses of all sizes.

Schedule Offsite Secure Backups

Another thing that small accounting and bookkeeping firms should do to safeguard customer data is to use a data backup system that allows for secure, encrypted, offsite backup storage. For businesses with on-site hardware, the simplest way to do this is via tape backup with a rotation schedule. There are multiple reasons for that.

One is that tape backups are relatively inexpensive, so there's no real penalty for making multiple complete data backups instead of incremental ones. This way, an employee can take a completed backup tape offsite each day for secure storage and return it when the time comes for an overwrite. That provides a fairly foolproof means of disaster recovery in the event of a fire or natural disaster. It also provides an excellent defense against ransomware because it gives the business multiple data archive copies to work with, increasing the odds of a quick and safe recovery.

Cybersecurity Is Not Optional for Small Financial Firms

With little more than the above tactics, a small accounting or bookkeeping firm can protect itself from the existential and legal peril of a data breach or other successful cyberattack. Of course, these aren't the end-all-be-all when it comes to cybersecurity, and such firms can and should engage the services of a professional cybersecurity consultant to formulate a more complete cybersecurity plan. However, any security measures are better than none, so the above is well worth putting into action in any case.