Security and Compliance
Security Series Part 5: Secure Sensitive Data

The security and integrity of the data in your office is of paramount importance—especially considering CPA firms tend to have large amounts of confidential and sensitive information about their clients. In the course of accessing, using, and transferring this data, it can be found in a number of locations and forms. Not only are you ethically responsible for protecting this data, but in many cases, you’re legally responsible as well.
So what can you do to ensure sensitive data remains protected, regardless of its current state or location? Below are some guidelines to keep in mind.
Protecting data in motion
When handling sensitive information within a web browser, like Chrome, Safari, Firefox, or Internet Explorer, always make sure the address starts with “https,” which indicates a secured connection. Data transmitted over a secure connection is encrypted, which means attackers can’t access or tamper with the information sent. Most browsers highlight the address bar in green or display a closed lock to show that a connection is secure.
Avoid using any website that your browser flags as having an untrusted certificate, as the site or connection may be compromised. In these cases, your browser might display a message like “The site’s security certificate is not trusted” or “There is a problem with this website’s security certificate.”
Protecting data at rest
Data stored on your computer or a network storage device also needs to be secured. Most modern operating systems support “whole drive” or “whole disk” encryption. Once this is enabled, you can gain some peace of mind from knowing that if your computer is ever lost or stolen, the data stored on it can’t be accessed. To get started using whole drive encryption, search for “BitLocker” from the Start Menu on Windows Professional or “FileVault” on Mac OS X.
For data that you back up off of your computer, or that needs to be sent to other parties, file encryption is crucial. Use applications like SecureZIP or OpenPGP implementations like Gpg4win for Windows to secure your own data for storage, as well as to ensure protected communication to third parties.
Protecting data in the cloud
Confidential information stored in cloud services, whether for archival or operating purposes, typically must meet minimum requirements imposed by industry-governing bodies. Payment Card Industry (PCI) standards in the payments space and HIPAA for healthcare data mandate minimum encryption standards for data that’s processed or stored. These standards often require ongoing audits by external parties to ensure continued compliance. If you’re ever in doubt about the ways a service provider protects your confidential information, always ask for their security practices.
When in doubt about the ways a service provider protects your confidential information, always ask for their security practices and certifications.
Bringing it all together
Throughout this security series, we’ve looked at simple but important steps you can take to protect the cyber assets in your firm. If you’ve followed these instructions, your network, passwords, systems, and data should be on a stronger security footing.
But bear in mind that security isn’t a one-time event. Technology changes and new threats will continue to arise, but the practices we’ve discussed in this series will remain relevant. Keep your asset inventory up to date, and refer back to these tips as a checklist to maintain your firm’s security in the years ahead.
To get all of our security tips in one convenient resource, download our e-book, “Building a Secure Practice: A guide for CPAs.”