
Accounting data security: Essential tips for firms and CFOs



Today, software is used for everything from storing healthcare records to landing planes. When data security is compromised, it can literally bring a company to a halt or disrupt its customers’ lives in the present, as well as for years to come.

Here’s what accounting firms and financial officers can do to protect their systems and data, including multi-entity accounting software, from financial data breaches.

The impact of recent data breaches

In recent months, several corporations have made names for themselves, not for their creative marketing or excellent customer service, but for a different reason: massive data breaches.

In April, about 73 million current and former AT&T customers learned that their personal information, including full names and addresses, Social Security numbers and numerical passcodes, had been stolen and were likely being sold on the dark web.

This revelation comes on the heels of an earlier leak involving certain service usage information for nine million users, the result of an attack on a third-party vendor, according to The Record.

Not long after the AT&T incident, many people began receiving letters from Change Healthcare, a technology subsidiary of UnitedHealth Group, informing them of a ransomware attack that occurred in March. Compromised information included health conditions and treatment, payment information, insurance information and Social Security numbers. Data giant Snowflake was also attacked, affecting corporate clients including Ticketmaster and Advance Auto Parts and millions of their customers’ records.

According to TechCrunch, the year’s worst data breaches have resulted in more than one billion records being stolen.

Why data security is crucial

Data breaches have far-reaching consequences, from monetary damages to operational disruption and more.

Avoiding financial and reputational damage

Having sensitive financial data stolen or compromised carries many costs, including potentially paying ransomware attackers, paying your team and other outside personnel to investigate the incident, and possibly paying for ongoing credit monitoring for affected customers.

There may also be legal costs, such as those AT&T has incurred because of the class-action lawsuit currently being litigated in Federal court, and reputational damage that results in lost customers or deters potential ones.

Regulatory compliance concerns

If your business operates in the European Union, you're subject to 2018’s General Data Protection Regulation (GDPR). Businesses operating in California must adhere to the California Consumer Privacy Act (CCPA). In the U.S., businesses that handle health records, including health insurance companies, healthcare clearinghouses and healthcare providers, are bound by the Health Insurance Portability and Accountability Act (HIPAA) and its accompanying Privacy Rule.

Failing to comply with these regulations can result in fines or open businesses up to lawsuits. Violating the HIPAA Privacy Rule, for example, can cost $127-$63,973 per violation, while certain GDPR violations carry a penalty of up to 10,000,000 €.

Operational disruption

According to IBM’s Cost of a Data Breach Report, 70% of organizations experienced a “significant” or “very significant” disruption due to a data breach.

“These disruptions can vary from small breaches that affect only a few systems to long-lasting, organization-wide, operational shutdowns,” the report stated.

Globally, the average data breach in 2024 cost $4.88 million – a 10% increase over the year before, according to IBM's report. More than half of that amount, about $2.8 million, came in the form of lost business and post-breach response activities, such as increasing customer service staff.

In the U.S., the average data breach cost is much higher than the global average, at $9.36 million. Many companies pass those costs along to their customers.


Essential practices for accounting firm data security

Educate employees

Implementing robust security measures is crucial to protect your company and clients. Start with the principles of Zero Trust, which assumes everyone poses a potential threat and grants the least amount of access to data and networks required for employees to do their jobs. Use software solutions with multi-factor authentication, requiring employees to verify their identity with a text message or email prior to logging in. Require users to change passwords regularly and use strong passwords.

Educate employees on data protection best practices, including how to identify phishing attacks and how to respond if they receive suspicious emails.

Microsoft's cybersecurity awareness training is a good place to start.

Implement secure accounting software

Malicious actors most often gain access to customer data through third-party software, such as accounting software. Investing in a secure accounting platform is essential for protecting your company and your client data. Here are some factors to consider as you assess your existing technology stack or evaluate new solutions.

Physical security and access controls

Accounting firms should restrict access to physical spaces where client information is located using employee key cards, visitor logs, badges, and security cameras.

Remote work policies should limit third parties' access to work devices, and those devices should support remote wiping so they can be cleared at any point after an employee leaves the company.

If you have a physical office, implement access controls, surveillance cameras, and alarm systems. Role-based user access ensures that employees can access an accounting solution only to the extent that is needed to complete their job duties. An entry-level customer service representative likely doesn't need access to your company's entire vendor list, and your warehouse manager shouldn't have access to customer credit card numbers.
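The role-based access described above, written out as an added example (this is illustration code, not Gravity Software's implementation; the roles, resources, entity names and users are constructed for it). Permissions are deny-by-default: a role can do only what is listed, so the support representative cannot read the full vendor list, no role at all can read card numbers, and every request is additionally scoped to the companies (entities) the user is assigned to.

```python
"""Least-privilege, role-based access check for an accounting application.

Added illustration, not Gravity Software's code. Roles, resources and the
user records below are constructed for the example.
"""
from dataclasses import dataclass

# Each role lists exactly the (resource, action) pairs its job requires.
# Anything not listed is denied, which is what makes the model deny-by-default.
ROLE_PERMISSIONS = {
    "customer_service": {
        ("customer_contact", "read"),
        ("invoice", "read"),
    },
    "warehouse_manager": {
        ("inventory", "read"),
        ("inventory", "write"),
        ("purchase_order", "read"),
    },
    "accounts_payable": {
        ("vendor", "read"),
        ("vendor", "write"),
        ("invoice", "read"),
        ("invoice", "write"),
    },
    # No role holds ("payment_card", "read"): card numbers stay with the
    # payment processor, so no application user can list them.
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    entities: frozenset  # companies in the multi-entity database this user may work in


def is_allowed(user: User, entity: str, resource: str, action: str) -> bool:
    """True only if the user's role grants the action on the resource
    AND the user is scoped to the entity (company) being accessed."""
    if entity not in user.entities:
        return False
    # Unknown roles fall through to an empty permission set, i.e. denied.
    return (resource, action) in ROLE_PERMISSIONS.get(user.role, frozenset())


def denied_requests(user: User, requests):
    """Evaluate a batch of (entity, resource, action) requests and return the
    refused ones. Denials are worth logging: a burst of them from one account
    is a useful signal for whoever watches the audit trail."""
    return [r for r in requests if not is_allowed(user, *r)]


# Constructed sample users.
SUPPORT_REP = User("dana", "customer_service", frozenset({"us-corp"}))
WAREHOUSE_MGR = User("lee", "warehouse_manager", frozenset({"us-corp", "ca-corp"}))

if __name__ == "__main__":
    sample = [
        ("us-corp", "invoice", "read"),       # part of the job: allowed
        ("us-corp", "vendor", "read"),        # full vendor list: not a support task
        ("us-corp", "payment_card", "read"),  # no role may read card numbers
        ("ca-corp", "invoice", "read"),       # outside the rep's entity scope
    ]
    for request in denied_requests(SUPPORT_REP, sample):
        print("DENIED", SUPPORT_REP.name, *request)
```

The entity check runs before the role check so that a user with a broad role in one company gains nothing in a company they are not assigned to; in a multi-entity system that second dimension is as important as the role itself.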

Data encryption

Encryption uses algorithms to scramble data so it can only be read by someone who has the key. Even if an attacker finds a way to access an accounting system, the information is useless to them without that key. Especially in a cloud environment, it's important to encrypt data not only when in transit but also at rest.

Audit trails

Audit trails are another deterrent for potential inside attackers. In an accounting solution, audit trails, a form of version control, provide full transparency into who entered what information and when for every transaction. This allows your team to correct mistakes easily while retaining the history of all changes. In addition to protecting your accounting data from outside attackers, it also reduces internal risks such as fraud or embezzlement.
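An audit trail of the kind described above, as an added example (illustration code, not Gravity Software's implementation; the ledger class, users and transaction values are constructed). Nothing is ever edited in place: the original posting and every later correction are appended as entries recording who changed which field, from what, to what, and when, and the current state of a transaction is rebuilt by replaying those entries. The class deliberately has no delete method.

```python
"""Append-only audit trail for accounting transactions.

Added illustration, not Gravity Software's code. The ledger, users and
transaction values are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable


@dataclass(frozen=True)
class AuditEntry:
    txn_id: str
    user: str
    at: datetime
    fieldname: str
    old: Any  # None for the original posting
    new: Any


class AuditedLedger:
    """Every change to a transaction, including its original posting, is an
    AuditEntry. Current values are derived by replaying the entries, so a
    correction never destroys the record of what was there before."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._entries: list[AuditEntry] = []
        self._clock = clock  # injectable so tests can use a fixed time

    def post(self, user: str, txn_id: str, **fields: Any) -> None:
        """Record a new transaction; one entry per field, old value None."""
        if self.current(txn_id):
            raise ValueError(f"{txn_id} already posted; use amend()")
        for name, value in fields.items():
            self._entries.append(AuditEntry(txn_id, user, self._clock(), name, None, value))

    def amend(self, user: str, txn_id: str, fieldname: str, new: Any) -> None:
        """Correct one field, keeping the previous value in the trail."""
        state = self.current(txn_id)
        if not state:
            raise KeyError(txn_id)
        self._entries.append(
            AuditEntry(txn_id, user, self._clock(), fieldname, state.get(fieldname), new)
        )

    def current(self, txn_id: str) -> dict:
        """Replay the entries for a transaction to obtain its present values."""
        state: dict = {}
        for e in self._entries:
            if e.txn_id == txn_id:
                state[e.fieldname] = e.new
        return state

    def history(self, txn_id: str) -> list[AuditEntry]:
        return [e for e in self._entries if e.txn_id == txn_id]

    def changes_by(self, user: str) -> list[AuditEntry]:
        """Everything one user changed, across all transactions: the first
        question asked when fraud or a mistake is suspected."""
        return [e for e in self._entries if e.user == user]


def demo_ledger() -> AuditedLedger:
    """Constructed scenario: a bill is posted with a mistyped amount and later
    corrected by a second user."""
    ledger = AuditedLedger()
    ledger.post("alice", "AP-1001", vendor="Acme Supply (sample)", amount=1250.00)
    ledger.amend("bob", "AP-1001", "amount", 2150.00)
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print("current:", ledger.current("AP-1001"))
    for e in ledger.history("AP-1001"):
        print(f"{e.at.isoformat()} {e.user} {e.fieldname}: {e.old!r} -> {e.new!r}")
```

Because the entries are the source of truth, reviewing a suspicious transaction means reading its history rather than trusting its current value, and `changes_by` gives the per-user view an investigator wants.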

Regular security updates, data backups and disaster recovery

For every level of security your business develops, there's a malicious actor seeking to break through it. That's why frequent security updates are imperative.

If you use an on-premise solution, backing up financial data to secure offsite locations is also essential. This ensures your data can be restored in the event of a breach or a natural disaster. Cloud-based accounting solutions include automated backups and updates, so your team never has to worry about losing data or about applying security patches as they are released.

Regulatory compliance and cybersecurity certifications

An accounting software vendor should have written proof that it has taken appropriate steps to protect client data and other sensitive information. SOC (System and Organization Controls) reports require that a vendor engage a licensed CPA firm to evaluate its risk management and controls framework.

SOC 1 reports focus primarily on areas that could impact a client's financial reporting, while SOC 2 reports delve into areas beyond financial reporting, such as confidentiality, processing integrity and privacy.

Firms like PwC also offer industry-specific attestation reports (also known as SOC 2+), such as HITRUST certification for organizations working with protected health information and GDPR compliance reports for vendors with clients operating in the EU.

What security measures should you look for in an accounting vendor?

When looking for accounting software, features like the ones discussed earlier are important, but it's equally important to ensure the vendor itself demonstrates a true commitment to security through characteristics like the following.

An established track record

When selecting an accounting solution, do your due diligence: look at reviews. Search the vendor's name online. Ask the vendor if they've ever experienced a data breach and, if so, what steps they have taken to prevent another such incident from happening again.

Third-party audits

An accounting vendor can't just earn SOC 1 or 2 certifications once and be free from potential threats. Malicious actors are continually honing their tactics, so vendors need ongoing audits to ensure that their defenses remain strong.

User training and support

The most exhaustive list of security features won't keep your customers’ data safe if employees don't know how to use them. Look for an accounting solution vendor that provides training and support as part of the implementation process.

Responsive customer support

If you suspect a data breach or have concerns over a potential security vulnerability, you need assistance immediately. The accounting solution you choose should have responsive customer service to address concerns promptly. Review sites such as G2 or Software Advice can provide firsthand insight into a vendor’s customer support.

How Gravity Software ensures data security

At Gravity Software, we earn our clients’ trust by ensuring that their customers’ data is well-protected. Gravity is natively built on the Microsoft Power Platform, allowing our solution to use Microsoft’s powerful and up-to-date security features.

In addition to role-based user access, complete audit trails for every transaction, and data encryption both in transit and at rest, Gravity’s Microsoft-powered security features include:

  • The Azure Security Center, which provides robust threat detection capabilities and 24/7/365 platform monitoring.
  • Microsoft Defender for Office 365, which provides advanced protection for your communication and collaboration tools including Outlook and Teams.
  • Defense measures such as strong passwords and multi-factor authentication.
  • Automatic security updates so you’re never leaving your company vulnerable.
  • Certifications and compliance with standards including SOC 1, SOC 2 and HIPAA.
  • The ability to limit users’ access to specific companies within your multi-entity enterprise database.
  • A highly responsive customer service arm able to address any security concerns you may have.

Experience the peace of mind that comes with best-in-class security. Schedule a demo today.
