Ensuring the security of your clients’ financial data becomes more and more vital in the computer age. Large company hacks in recent years, such as the Sony and Target incidents, have made businesses more and more concerned with data breaches and the protection of financial data. As with most types of security, the best means of protection is prevention.

Given that the people who do all of the legwork to pass the CPA, sift through financial documents, and mitigate fiscal risks have limited experience with regard to data security, it’s probably best to have a solid system in place to protect their work.

Where Does Your Client Data Live?

Financial services companies either store clients’ critical data on in-house servers or in an off-site data center—the cloud is a viable option for data storage in any other instance, but super-sensitive data is best kept in a physical data center. Determining which option works best for your firm will rely on how involved you want your company in some of the very important minutiae of cyber security. However, both methods will have a long list of compliances of which you must be aware and you’ll need to ensure these are checked off in your security audits.

The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of client sensitive data. The Safeguards Rule of this act requires companies to assess and address the risks to customer information in all areas of operation. Adhering to the law—also just good business sense—involves ensuring both the physical location of the servers that hold sensitive client data is secure as well as the cyber pathways that allow for internal and external data transfer and communication.

Physical Location

The physical location of your data servers needs to have considerably tight security. For off-site data centers, is the building listed publicly? What are the monitoring systems in place? What are the protocols for security breaches? How do you oversee the safeguards for handling client information? These are just a few of the questions that need answers for off-site data storage.

These questions are also paramount for assessing on-site server security. In addition, who has access to the servers? What are the recurring tests in place to assess risks and monitor security safeguards? Where is the storage for physical documents and how secure is that space? Do you have designated security employees and what are the systems in place to ensure consistent performance?

Cyberspace

The physical location of your data center occupies real space, making it easier to envision problems or opportunities, audit for security, and to think about in general compared to the cyberspace portion of your data security. With cybersecurity and cloud, you can’t see it or touch it and it’s abstraction makes it hard for those not directly involved in the computing world to conceptualize and think about. So it’s crucial to develop policies both internally and externally to secure your client data.

Using a Secure Sockets Layer (SSL) for secure connections, making sure your data is encrypted, establishing secure handling of disposal of data, and deauthorizing terminated employees, personal devices are paramount to maintaining a safe digital infrastructure. These are few key things to keep in mind with securing the cyberspace aspect to your data security.

Who Has Access?

This is particularly important in protecting your small business clients’ financial data. Depending on what type of type of financial services your firm is providing, your list of employees that will need access to sensitive client data will vary. Significant consequences can follow breaches for those in the financial services industry, such as the exposure of financial records, passwords, and account numbers. And human error is the greatest danger in this regard.

Thus, limit access to client information to employees who have a business reason to see it. But realize the list for who will need access will be sometimes extensive and long with many employees from different departments. A small sampling of potential types of employees include CPA experts, CFAs, EAs, and even administrative assistants.

Most of the people you’ll need to have access to such data will have undergone an ethical portion in their pursuit to licensure. And background checks should be a given when hiring within this industry. After mitigating the risk of choosing untrustworthy employees, secure their devices. Develop policies that will ensure if you have, say a CPA that telecommutes or visits a client remotely, they’re using secure devices. Laptops and smartphones should always be setup to ensure proper encryption of data and password protection.

Perhaps the most important thing to consider in terms of protecting your client data is the current state of technology, the web, and cyber security. The way we interact with the ever-growing pile of data presented to us in this sector is constantly changing. Staying on top and up to date on the latest trends in data security will keep you in line with the number one way to secure data: prevention.

Jess has helped hundreds of students pass the CPA Exam with study tips and strategies on her review website Beat The CPA