Accounting firms: 4 best practices for online security

Last Updated September 29, 2023

Category Cybersecurity


Cybersecurity is never static. Threats change rapidly, and so do best practices for online security. Firms that aren’t dynamic in the way they handle security leave themselves open to attacks.

Cybercriminals never stop advancing the sophistication of their attacks, so you can’t fall behind in securing your firm. Already, cybercriminals can break into 93 percent of company networks—likely including yours, especially if you’re lax in implementing the latest security practices.

You need to do everything in your power not only to prevent attacks but to mitigate data theft should an attacker breach your defenses. The details of cybersecurity can be excruciating and time-consuming to manage. Firms are better off working with expert security partners to protect themselves than trying to deal with threats on their own.

Four steps your firm can take toward best practices for online security

It all sounds daunting, and it is. But you’re not defenseless. There are four broad steps your firm can take right now to implement best practices for online security.

Limit data access to only those employees who need it

Simply put, not everyone needs administrator privileges in your networks that allow access to everything. Not even your IT people need unfettered access. The idea here is to provide access only to the information that each employee needs. If a user works on one or two accounts, provide that person with access to only those accounts and not to any others.

This isn’t necessarily about you not trusting your employees. It’s about minimizing the opportunity for an employee error to lead to theft of all of your clients’ data. Yes, an attacker stealing data from one or two of your clients is a disaster, but it’s not nearly as big a disaster as having all of your clients’ data exposed.

The truth is, too, that some accounts are more critical than others. Consider the firm that does back-office work for billionaires, people with recognizable names. One leak of that information could effectively shut down the firm. So, that firm creates firewalls around the data related to its highest-profile clients.

Most tax applications have document management functionality that allows you to limit fairly easily who has access to which files and accounts. Lacerte has a document management system and also integrates with SmartVault. Thomson Reuters offers GoFileRoom for large and medium-sized firms, while many smaller firms work with a Thomson Reuters application called FileCabinet CS. A cloud provider can help you set up employee-specific permissions for applications running in the cloud.

As a partner, you can create a space for yourself and other partners to store and access confidential firm data. You can also set rights to access all client data while limiting employees to what they need to see. Some document management applications will even tell you who has tried to log in to restricted areas.

As for your IT people, they can do the vast majority of their work by logging in with an end-user account rather than through an administrative login. They should only use admin privileges in a real emergency. If one of your IT people makes a mistake and leaves an end-user account vulnerable, an attacker who breaks into that account can reach only the data that account is allowed to see. But an attacker who breaks into your IT admin account can steal absolutely anything.

Tighten practices for password management and user authentication

Passwords alone are a weak security measure, easily breached by attackers with sophisticated technology. That’s particularly true for passwords that only require eight or fewer characters. Today, passwords should be at least 14 characters. Users in your firm need to use long passphrases rather than short passwords, and they absolutely cannot reuse passwords across applications or pull the old “password1” and “password2” trick of just changing a number when updating credentials.

For many users, passwords are a consistent bother. They’re easy to forget and frustrating to recover or redo. One answer to that problem is a password wallet, which can securely store a user’s passwords. Good examples of password wallet vendors include 1Password, Keeper and Dashlane. One popular vendor to avoid is LastPass, which has recently suffered breaches and is not currently secure. An attacker who steals a user’s LastPass password can steal all the data that user can access.

Of course, a password alone isn’t enough to secure your firm’s data. As one of your best practices for online security, you also need multifactor authentication (MFA), which prompts a user to confirm their login on a different device after the user enters a password. Biometric security methods, including facial recognition and fingerprint scanning, add another layer of security that’s very difficult to break into and will likely be more common in the future.

Ideally, your security setup should include all three elements of access—a password, a biometric security method and MFA. For instance, a fingerprint scan could lead the user to enter a password, which MFA would validate via another device. When you run applications in the cloud, you can access all of your hosted apps through the cloud provider’s interface with a single login. However, it’s still not a bad idea to add an extra measure of security by having users log in to each application separately.

Secure your devices

Most security measures target the network itself, essentially the servers rather than the devices you use to access data on the network. To be sure, running applications in a hosted, secure cloud model is safer and easier than trying to run a server in your office. However, you still need to protect your computers and the other physical devices you use to do your work.

That includes not only the computers, phones and tablets in your office—if you still have one—but also the devices you use in your home office and on the road. When you and your employees work at home, you need to make sure you’re all connecting through secure Wi-Fi connections. One of your best practices for online security should be to connect through a virtual private network (VPN).

When you’re on the road, your safest bet for connecting to the internet is actually a hotspot on your phone rather than Wi-Fi, even if the Wi-Fi is protected with a password. That goes for connecting at clients’ offices and in airports or coffee shops as well. An attacker who controls a compromised Wi-Fi network can use it to deliver malware to your computer without you realizing it. Hotspots are generally safer.

But device protection goes beyond using just VPNs or hotspots, and your devices include more than just computers and phones. They also include printers, scanners and other peripherals you use for work. One important measure to take is never to mix personal or family devices with work devices. Never, for instance, access client files from your kids’ computers, which could already be loaded with malware.

Keep work and fun devices separate and find a security partner that can protect the devices you use for work. The right partner can secure your firm’s computers, for instance, no matter where they’re located. A good partner can monitor and eliminate or mitigate threats as you work. That is basically impossible for you to do on your own.

Train your employees to avoid security threats

Almost every type of security threat requires human intervention to work. A user who clicks on a malicious link downloads malware into your network. An employee who is fooled by social engineering allows physical access to your building or access to your computer. Hackers can use artificial intelligence to spoof your voice, convincing an employee to transfer money into the attacker’s bank account. The human element is critical to the success of cyberattacks.

In fact, the comprehensive Verizon Data Breach Investigations Report notes that 82 percent of data breaches involve human participation in some way. You can put all the security measures you want in place, but if your employees don’t know how to recognize and avoid threats, your data will still be vulnerable.

A good security partner can offer training to your employees on how to keep your firm’s data safe. With online lessons and quizzes, employees stay up to date on the very latest in cybersecurity threats and trends. Preferably, the partner should be able to offer accounting-specific training that takes the uniqueness of your profession and technology into account.

Best practices for online security work better with a partner

It’s hard for the leader of any firm (or any type of business) to manage cybersecurity effectively. It’s a task best left to experts, such as a security partner that provides cloud hosting, device protection and employee training. You shouldn’t have to try to keep up with the constantly changing cybersecurity environment when a partner can do it for you.

