Information protection is essential to any business' relationships with it's customers. With office productivity becoming progressively more dependent on internet communications, and with the web becoming progressively more complex and vulnerable to internet criminals, this can speedily become tricky if you seem uncertain about how internet security works. Your accounting website design is a key piece of your internet security strategy. Generally your customers are not too web savvy, and the information they regularly send you is tremendously sensitive. In order to protect them you're going to want a casual familiarity with your website and it's security features.

Assuming the office is properly secured (network restricted to local IP, doors locked, alarm system, etc.) the weakest spot in an accounting firm's security is during the transfer of data to and from your clients. Email is a huge security issue. Email communications are perhaps the biggest security problem your firm has.

Let me put this plainly. Email is a wonderful medium for routine communications, but it's ease of use has lured many accounting firms up the garden path. Don't allow your clients and staff to email confidential information.

The problem with email is that much of the process occurs outside your control. There is a common misconception that when you send an email it goes straight to the recipient, but nothing could be further from the truth. Messages are routed through an vast network of mail servers. By the time it reaches it's destination it's likely passed through a dozen or so third party servers. If any of these mail servers are hacked along the way, and mail servers are a favorite target of malicious hackers, your email could wind up being intercepted. Identity thieves harvest huge amounts of information in this way.

Layers of protection can be added to email by adding passwords or encryption, but a skilled hacker can defeat these precautions.

Your accounting website design can almost completely eliminate the risk of this type of attack.

When you design your website include a Secure File Transfer feature. When you transfer a file using this type of FTP protocol you can connect directly to the web server, bypassing the outside servers that email depends on. Each client should have his or her own password protected directory on the server, rather like an online safe-deposit box, so that only you and they can access it. Encrypting the transfer adds another layer of protection that will protect your data from an "inside job". The best systems actually keep data encrypted while it's being stored. This makes the directory suitable for long term information storage.

A lot of your clients will be nervous about using the internet to send and store files. If you have a basic knowledge of these systems it will go a long way to easing their concerns, so here are a few of the basics...

Passwords

Passwords need to be protected from "brute-force" attacks by forcing a time out if a login attempt fails more than a few times in a row. If a hacker writes a simple script that runs every possible permutation of a password until it hits the right one a thirty minute delay every three checks will slow him down more than enough to make this tactic useless. Passwords should be long, at least eight characters, and they should include letters and numbers. The number one cause of internet security breaches is human error. You'd be shocked how many hackers get people's passwords by simply asking for them. Never tell anyone your password, and avoid leaving them written down anywhere that your staff and clients can find them.

Security Certificates

Security certificates are central to online encryption. They store the keys used to decrypt online data. Be careful to use them right. Out of date security certificates or certificates obtained from "untrusted" sources will make you look bad and scare your clients away.

SSL and TSL

These are encryption protocols. SSL, or "Secure Socket Layer" is an older protocol that is still seeing widespread use. The second commonly found encryption protocol is much newer. The adoption of "Transport Layer Security" has been slow because many offices use older equipment or unsupported applications that are incompatible with it. Both work pretty much the same way. TLS has made some improvements, but those differences are very technical. There is a third type called PCT, or "Private Communications Transport" that is relatively unused.

SAS 70

This is an accounting industry standard managed by the AICPA. It's a simple auditing statement. It's not just industry self-policing, though. Publicly traded accounting firms must be SAS 70 certified by law. A SAS 70 certification indicates that the security has been accepted by the auditor.

Gramm-Leach-Bliley Act

Also known as the "Financial Services Modernization Act" of 1999, this legislation includes rules that govern the privacy standards of all financial institutions which by definition includes any accounting business that prepares tax returns. The GLB demands of all accounting businesses to fashion a formal information security strategy, name an individual to direct security, analyze security procedures of all departments with access to customer files, develop a continuing plan to monitor information security, and keep these procedures up to date with changing technology.