Recruiting and retaining appropriately qualified accountancy staff is a financial and administrative headache for many businesses. As a result, it is no surprise that increasing numbers now choose to outsource accounting and tax functions to specialist external service providers.
The best external providers offer bespoke, flexible solutions at an attractive price. However, any form of outsourcing inevitably involves a potential risk to the integrity and security of the client company’s data. Moreover, when so much of this data is financial, the repercussions if data is stolen or misused are potentially very serious.
If your business intends to outsource its accounting functions, you need to have complete confidence in your chosen provider’s ability to safeguard your customers’ data and prevent its misuse. Technological and physical barriers are both important. We highlight thirteen of the most significant considerations.
1. CCTV and door entry security systems
It is essential that CCTV and appropriate door entry systems secure the office premises of your chosen accounting service in order to monitor who enters and leaves the building, and when they do so. Needless to say, the outsourced accountancy service should retain all CCTV recordings for a minimum period of time. The Information Commissioner’s Office provides useful guidance on the installation and use of CCTV, and on image retention.
2. Security screening of staff
The accounting service should employ only those individuals who have passed a pre-employment security screen through the UK Disclosure and Barring Service. This should include a criminal record search and checks on identity and adverse personal financial information. These checks reduce the risk that staff at the accounting service will pose a deliberate threat to your company’s data.
3. Virtual Private Networks (VPNs)
Online privacy is of paramount importance for an outsourced accounting service. Make sure your chosen provider safeguards client privacy via the use of an effective VPN that acts as a private tunnel between two devices while also encrypting your data.
4. Anti-virus software
Computer viruses are a constantly evolving threat. The best anti-virus software protects against a range of malicious software (also known as “malware”), including adware, bots and botnets, key loggers, ransomware, rootkits, spyware, trojans and, of course, viruses.
Most malware is designed to lurk on operating systems and remain undetected for as long as possible. Anti-virus software is the key to its detection and neutralization. Any accounting service should have a robust anti-virus package that not only detects malware but also uses behavior-monitoring to catch so-called zero-day malware that is designed to attack as soon as it infects an operating system.
5. Password managers
Password managers store any number of passwords in an encrypted vault that is unlocked via a master password. Most can also generate complicated, hard-to-crack, random passwords.
Although most security-conscious businesses regard password managers as essential, they are not immune to security breaches, as a number of high-profile hacks have illustrated. However, the best password managers have strengthened their inbuilt security as a result of these attacks. Consequently, password managers remain an important plank in any online security system and you should expect your chosen accounting service to use one.
6. Back-up drive managers
Back-up drive managers allow the restoration and recovery of material that is lost as a consequence of a storage drive failure. Differing from external, cloud-based storage, back-up drive managers act as a kind of library repository to retain a precise copy of particular files. These files are not usually accessed unless required and are often retained in a read-only state to ensure no-one can amend them without appropriate authority.
7. Personal technology
Staff at an accounting service may be subject to a contractual requirement to leave personal phones, smart watches, tablets, and laptops in locked lockers during their working hours. This reduces the risk that rogue staff members may use their own personal technology to steal client data.
8. Non-disclosure and confidentiality agreements
It is often standard for an accounting service to enter into a non-disclosure and confidentiality agreement with its client. As the client, your business is able to set the parameters of the agreement in order to reflect your particular security concerns. Non-disclosure agreements are legally enforceable and any breach may result in a court-ordered award of financial damages.
9. Audit trails
If something does go wrong and a data breach occurs, it is crucial to establish when it happened and who was involved. Comprehensive audit trails of all activities undertaken on an accounting service’s computer systems can play an essential part in this. If asked, your chosen accounting service ought to supply you with an outline of its internal audit process.
10. Internet restrictions for staff
An accounting service may choose to restrict internet access for its staff to those business sites that are necessary for work purposes. Where it does not routinely do so, it may agree to a client request to restrict internet access for the duration of a particular project.
11. Disable USB and DVD drives on staff computers
In order to prevent unauthorized copying of client data, an accounting service may disable USB and DVD drives on its workers’ computers. It may be prudent to ask if this is the case and, if not, what alternative security measures are in place.
12. Use of dual monitors or restricted print permissions
Many accidental data breaches occur when documents are printed and then discarded without immediate shredding. Many accounting services choose to use dual monitors to reduce the need for their staff to print documents in order to make comparisons. Alternatively, or in addition, they may restrict print permissions so that only particular, authorized individuals are allowed to print documents.
13. GDPR policy
The General Data Protection Regulation, or GDPR, is an EU regulation on personal data protection and privacy with automatic application to all UK businesses. Although it may have no obvious application to business or financial data that does not identify an individual, a well-drafted GDPR policy is a very useful gauge of how effectively a business approaches data security. Consequently, it makes sense to request a copy of the GDPR policy of any accounting service that your business is considering using.