Protecting electronic data in an unsecure world.

Author: Ohanesian, Michael V.

The world is not a safe place--at least not for electronic data. One need look no further than current news headlines to discover that yet another large company has lost its customers' data to a cyberthief.

Large companies spend millions of dollars every year trying to defend themselves against cyberattacks, yet attacks still occur. Many practitioners might ask: If a large company dedicates vast resources to cybersecurity and can still be hacked, what hope does a small company with limited resources have?

Some practitioners may find the task of protecting a firm's electronic data to be overwhelming and hopeless and do not know where to begin, while others may feel that their data are safe and no additional steps are necessary.

When it comes to protecting data, a practitioner cannot live in a world where emotions and feelings overcome facts. Accounting firms across the country are at risk of being targeted and attacked by cybercriminals. The IRS is continually issuing alerts notifying tax professionals about scams that are targeting firms. These scams attempt to gain access to confidential client information by sending emails that mimic software providers or that ask recipients to update their accounts for IRS e-services. Firms have a responsibility to keep their clients' data safe; therefore, it is important for companies to take proactive, defensive action.

Securing a firm's data is complex. There is no one right way to start or one correct plan of defense. Consider taking small, actionable steps rather than being overwhelmed by several big tasks. A good place to start is to think of the past, present, and future.

The Past

When focusing on the past, one should ask two critical questions: What firm data might someone want, and how would that person get it? While there are many answers to these questions, the following are some key areas of consideration:

Retention policy: The more data a firm holds, the more it has to protect. Consider maintaining a company policy of removing client and employee data after a specific amount of time. Ensure that the retention policy is implemented and carried through in a systematic way. If client data must be retained for longer than the stated retention policy, be sure to have an IT professional encrypt and securely store these data (and ensure that the data are promptly removed once the reason for retaining them is gone).

Employee access: On an employee's last day working at a firm, it is common to...
