5 Tips for Keeping Client Data Secure
By Jaren Nichols, Last updated: 2021-05-26 (originally published on 2019-04-09)
Lawyers, accountants, financial planners—everyone who deals with client data on any level needs to make sure they are keeping it secure. You are and will be targets of cyber security threats because of the type of valuable information you manage. Here are five tips for keeping that client data secure:
1. Always Use Verified Encryption
Encryption is the process of converting sensitive information from a readable form to an encoded version, that can only be decrypted with a key. This method helps to prevent unauthorized access and protect client data.
Hopefully, you are already in the habit of sending encrypted emails whenever client data is involved. Some would go as far as suggesting that you only send sensitive information via email as a last resort. But as it is common practice now, just make sure you use password protected documents and communicate the password separately.
If you are using a cloud service, find one that encrypts data both while at rest and in transit (many do not). Because storing your data with a third-party provider can be an additional security risk, make sure that your company follows this best practice.
2. Stay Current
Whatever business you’re in, staying on top of current trends is crucial to industry leadership. The same is true of your data protection efforts. To keep client data secure, you need to keep up with software updates, information backups and routine maintenance.
Some 80% of security vulnerabilities are caused by outdated software with an easily available patch. Whatever software you use—including your security software—should be regularly updated. Not only does this give you the best available version of your product, but these updates (small or large) often include new code that helps address the most recent threats. Even if you have the best anti-hacker software, neglecting updates will make you vulnerable.
Using a secure server to regularly backup client data will also protect you. It is a good practice to protect from accidental deletion or loss of client information by performing data backups. There are many software products that backup your data automatically—so you don’t even have to think about it.
Routine maintenance, including the latest updates of operating systems and protocols, is a good protection as well. Routinely review data and purge anything outdated or duplicate. Don’t hang onto ten-year-old 1099 forms. The more unnecessary data is available, the more is at risk.
Keeping current will also improve your disaster recovery plan. Whether human-induced or natural disaster, having a current recuperation strategy in place will improve recovery time and client communication.
3. Consider a Cloud Provider
Most companies have moved from in-house servers to cloud-based systems. Cloud providers have the advantages of encryption, sharing and accessibility.
If you choose a cloud provider for your data management and security, take the time to find one that best covers the needs of your business. Consolidate your data storage into one location to limit your exposure to data risks and lower your costs. This will streamline your security plan and give you greater control of your data. However, if you do choose to utilise a cloud provider, remember that it is still your responsibility to ensure the data is safe.
If possible, it’s not a bad idea to completely outsource your security needs to an expert. Whether you are an attorney or an accountant, hiring an IT consultant or using an offsite server protected by a security team is a great move for keeping client data secure.
4. Layer your Network Security
There is no such thing as too much protection. Network security should be layered and defensive including: firewalls, antivirus software, internet security, email security, intrusion prevention, etc.
And don’t neglect physical security either. Things like security cameras still have a place in your data protection plan. Make sure that all computers, laptops or personal devices are locked with strong passwords and encrypted files to protect from personal or company theft. Wifi passwords should also be secure.
The increasing prevalence of BYOD means that companies need to take it a step further to secure devices and cloud-accessible data. Personal mobile devices and passwords create additional security vulnerabilities. Any personal device that has access to company data should have an enforced device lock as well as other device management protocols. As soon as a device is reported stolen or missing, enforce remote purging to delete any sensitive data accessible from the phone or device.
5. Limit Human Access
Of all the security threats, the hardest to anticipate is human error. In fact, 100% of government IT workers said that employees are the biggest threat to cybersecurity. Because humans are often unpredictable, it is important to enact a group strategy of data security, including regular training and protection on every level.
Start by educating your employees on best practices for internet use and data protection policies. Teach them to avoid compromising activities and phishing scams. Classes and training videos can work, as long as they are up-to-date and held often. One lawyer even suggested subjecting your employees to internal phishing emails to catch users off guard and then, following up by teaching them to avoid these kinds of risks in the future.
Additionally, consider using a password manager to help create and store strong passwords; grant information only on an as-needed basis; and change access rights when a critical employee leaves, especially if data is cloud-accessible.
You should also educate your clients on internet safety and data protection. Early on in your interactions, make sure they know about email security and encrypting sensitive communications. Encourage clients to be an active participant in monitoring their data security.
Data protection must be adopted in your company culture—from the executive to the intern—and be adopted from the beginning.
Security is Not a One Time Thing
This is by no means a comprehensive list of data protection tips. In fact, as you’re reading this, new security threats are being created. The best defensive strategy is perpetually evolving, so perform ongoing assessments and regularly monitor threats.
Security is not a one time thing, but one slip up could put your practice and your clients at risk.
Jaren Nichols is Chief Operating Officer at ZipBooks, free accounting software for small businesses. Jaren was previously a Product Manager at Google and holds an MBA from Harvard Business School.