The most common way that the bad guys will get into your computer, server or mobile devices isn't through a virus or high-tech approach. They are much more likely to get in by guessing your password.
Unfortunately, most business professionals, and especially those in the accounting and tax space, interact with so many software programs and websites that require passwords that trying to remember dozens or more different passwords at the recommended strength is a major challenge.
We all know we’re not supposed to use the names of loved ones, birthdates and other generally accessible information, but what else should you think about?
Good passwords should have six to eight characters, including upper and lowercase letters and numbers, while excellent passwords also include non-alphanumeric characters. And take it seriously. A recent report by information security provider Trustwave shows that far too many people are really lazy, with the most commonly used business system password being... "Password1," and other variations of the word are also common. Egads.
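As an added example (not from the article or from Trustwave), the Python check below encodes the article's rules and shows why a complexity rule by itself still lets "Password1" through: it normalizes the usual digit and symbol substitutions and rejects variations of a short, constructed list of base words. It treats the article's six characters as a minimum rather than capping length at eight; that is an assumption of this example.

```python
import re

# Constructed list of base words for this example; a real deployment would use
# a breached-password list instead of a handful of entries.
COMMON_BASE_WORDS = {"password", "welcome", "letmein"}

# Constructed mapping that undoes common "leet" substitutions (P@ssw0rd -> password).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, then undo leet substitutions."""
    lowered = password.lower()
    # Strip the "1" in "Password1" (and any trailing "!" etc.) before translating,
    # so those characters are not turned into letters.
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return trimmed.translate(LEET_MAP)


def is_common_variation(password: str) -> bool:
    """True when the password is a dressed-up form of a well-known base word."""
    return normalize(password) in COMMON_BASE_WORDS


def rate_password(password: str) -> str:
    """Return 'weak', 'good' or 'excellent' following the article's tiers."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    # Article rule: at least six characters with upper, lower and digits.
    if len(password) < 6 or not (has_lower and has_upper and has_digit):
        return "weak"
    # "Password1" passes the rule above; this is the check that catches it.
    if is_common_variation(password):
        return "weak"
    # Article rule: excellent passwords also include non-alphanumeric characters.
    return "excellent" if has_symbol else "good"


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd!", "Tr4vel99", "Tr4vel#99"):
        print(f"{candidate!r}: {rate_password(candidate)}")
```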
It just isn’t possible to remember all of them if they are different, so most users have resorted to either using the same password on most technologies, or even worse, having a Post-It note or scrap of paper listing all of their passwords. The first method is at least a little better than the second, which is just so transparently dangerous. Another option is to segregate your online accounts and programs into those that hold truly sensitive data (such as tax programs, bank accounts, etc.), and those that don’t (such as online subscriptions and news and entertainment websites). Once separated, you can have different passwords for each group, which isn’t optimal, but does offer a modicum of protection and is better than the all-in-one or scrap paper options.
If you’ve got too many to keep up with without using one of the bad options above, a better solution may be to use a password management tool, such as Roboform (www.RoboForm.com) or LastPass (www.LastPass.com), which stores your passwords so that you only have to remember the password for that tool. Both systems can then automatically enter your correct password into programs and online sites. CNET and PCWorld rated both programs as effective and secure.
SAS 70 and SSAE 16
The AICPA’s SAS 70 standard has been replaced by SSAE 16, the “Statement on Standards for Attestation Engagements, Reporting on Controls at a Service Organization.” Is your firm required to use only SSAE-audited online technology vendors? No, but an SSAE 16 audit offers an easily identifiable means of assurance that the document management or data backup service provider takes security issues seriously. Others to look for include SSL certificates issued by recognized certificate authorities, such as VeriSign, DigiCert and Thawte.
Paper and Digital Document Retention
If you’re serious about being a paperless firm, then it takes more than just a scanner and a document management system to make that happen; it also requires a change in how you process your engagements. For tax returns, the best practices that have been developed focus on front-end scanning; that is, digitizing the documents right when they come in the door, then destroying the original or returning it to the client. Retaining less paper in the office reduces the risk of loss, and also reduces the need for physical filing cabinets.
Just as with paper-based documents, digital files often have the same general retention requirements. Most advanced document management systems, and some tax systems with built-in document management functions, include the ability to set retention policies, whereby files are deleted automatically (or after prompting) once a predetermined time frame, such as three years, has passed.
Technology has driven today’s firms to be ever more productive and capable, but to get the most from paperless, online and workflow automation systems, it’s necessary to take a step back and see if your processes need to evolve along with your new technologies. How you handle security is just as critical, and as your firm evolves, it’s just as important to assess the safety of your client data, the most valuable asset you have.