How can accounting firms work remotely – and securely?

Almost overnight, the coronavirus pandemic forced personnel at most accounting firms to work remotely 100 percent of the time. While many firms were already utilizing the cloud, or had implemented cloud-enabled applications, or had a structure to support remote workers, many had personnel that had never actually worked remotely and were simply not prepared to do so. In the rush to get those users connected, some firms took shortcuts which could expose the firm to security threats. Since protecting client data is a fiduciary responsibility for firm owners, management should ensure that proper remote work protocols are in place. Following are ten considerations for working securely during this crisis.

In times of uncertainty, leaders must lead. This includes transparency in communications with both clients and firm personnel. With all firm personnel moving to working remotely, it is important for firm leaders to communicate that work will continue as scheduled and that the security and confidentiality of client information remains paramount. Owners should communicate to clients and staff how client information will be protected through the use of secure email/portal solutions and explain the processes for delivering documents through the mail or by using secure onsite protocols.

Communicating face-to-face via video conferencing can help firm personnel deal with imposed isolation by adding familiarity to interactions. If your firm utilizes Office365, Microsoft Teams is an effective tool for video conferencing as well as messaging and on-screen document sharing (as long as everyone has access to a video camera, microphones, and speakers). At the start of the pandemic, many firms jumped on the free version of Zoom without training, exposing security concerns. Firms can make Zoom more secure by requiring a password, mandating that all participants be first sent to a virtual lobby to then be admitted by the administrator/host, and only allowing the administrator/host's screen to be shown. Personnel should also be reminded not to share screenshots of video calls on social media as the meeting access name can be exposed. It is also important to only run application updates directly from the vendor websites as hackers are sending out fake software update links.

Many firms continue to utilize antiquated rules on passwords (8 alphanumeric/special characters) which today's hacker tools can compromise. Firms should transition to strong, complex passwords of at least 12 characters or "pass phrases" (consisting of at least three random words) and also require multi-factor authentication to connect. Passwords should not be utilized on more than one account, so using a password wallet such as LastPass, DashLane, or Keeper will help you keep track of your passwords and keep them secure.

Employees should work only on firm-assigned equipment. However, we have heard of many personnel using their personal home computers. This should not be allowed if any other family members also utilize that device, and definitely not if it is still running Windows 7. Firms should verify any remote computers have automatic updates configured, particularly for the Windows operating system and antivirus/ malware.

The home workspace should be setup in a private area where client discussions and onscreen information can be kept confidential. Ideally, all work should be done only onscreen with all data and applications residing in the cloud or remotely accessed on the firm's servers. If a local printer is used, all printouts containing client information should be shredded.

Firm personnel should utilize a virtual private network (VPN) when connecting to firm resources through the internet and preferably physically connected by Ethernet cable directly to the router in the house or digital cellular network if the speed is adequate. If Wi-Fi access must be utilized, the firm should verify that the employee's WiFi router is secure by first updating the firmware on the router and changing the password. It is also advisable to segment business access from family/guest use and from "IoT" devices such as smart speakers, doorbells, video cameras, etc.

All firm personnel should be trained on educating clients to utilize the firm's secure email, portal, and digital signature solutions for the secure transfer of source documents and firms should disallow the use of USB flash drives for any file transfer (preferably by disabling the USB ports on firm-owned devices).

Firms should immediately review internal policies to ensure that they have been updated to address remote work requirements including client confidentiality, proper equipment configuration, secure network accessibility, team and client communications, as well as hours of availability when at home.

Information security is an ever-moving, rapidly evolving threat, particularly in an unfamiliar "remote" environment. It is imperative that firms keep personnel abreast of current threats by having the IT Team do security briefings. Employees should be educated on social engineering practices that hackers use to get personnel to compromise the firm's security as well as to be aware of increasingly sophisticated phishing and ransomware scams. Red flag suspicions should be raised whenever a message seems out of character, "urgently" requests financial or personal information, or asks the recipient to click on a link or go to a website.

Personnel should also be made aware of hackers utilizing COVID-19 schemes to trick staff members into downloading malware through "FREE" tools and resources for government loans, stimulus payments, and summaries of regulations. Accountants should only go to trusted, verified websites for such information and should not download data through email links.

While no one can predict the long-term impact of the pandemic, accounting firms are finding that remote work capabilities are a highly viable solution that may well become the new norm. And Thomson Reuters is always there to provide the tools and resources you need to succeed, such as: PPC’s Guide to Managing an Accounting Practice, PPC’s Accounting and Auditing Update Newsletter, PPC’s Guide to Compilation and Review Engagements, PPC’s Guide to Audits of Nonpublic Companies, PPC’s Guide to Audits of Nonprofit Organizations, PPC’s Guide to Quality Control, and PPC’s Guide to Construction Contractors.