6 Security Questions to Ask When Outsourcing Accounting Services

More than half of all data breaches are the result of bad outsourcing decisions. Learn how to make sure you’re in the other half.

Accounting is among the industries that have the most to gain from outsourcing. By focusing on what you do best, you can ensure superior services to your clients and add more value to everything you do. What’s more, you can save a significant amount of money that you can redirect into scaling your firm.

However, this is only true if you choose the right outsourced service provider. Among the many aspects that you need to look into, online security is debatably the most important. It’s because a large part of your sensitive data will live in virtual servers. Without the right security measures, you risk having that data fall into the wrong hands.

The consequences of this can be catastrophic. In some cases, one major security breach can destroy your firm. For this reason, you need to be very careful when looking for outsourced help. Whichever provider you decide to engage, you have to be able to trust them with your data.

To do this, you must ask the right questions and analyse the answers given. Here are the most important things to ask potential providers before you make a decision:

1. What Physical Security Measures Do You Have in Place?

In terms of online security, the first thing that comes to people’s minds is the virtual aspect. As much as this is a normal knee-jerk reaction, it can make you overlook a hugely important factor – physical security.

It’s not uncommon for a data breach to happen due to a theft of data storage drives. What’s more, some outsources keep hard copies of different documents which someone can get access to.

This is why you always need to ask your potential providers about how well they protect their physical data. Ask about the types of employee access and the level of security at their data storage facilities.

But, what if a provider is 100% digital? Then you need to focus on security measures regarding the devices they use. You need to ask about all the measures that monitor data location and dissemination.

Remote workers must always log into secure servers and be in an environment that doesn’t allow data leaks. Your provider needs to ensure that people never connect to unsecured networks when using devices like printers and scanners.

If your potential provider doesn’t show you hard proof that they have the right security measures in place, you’ll want to keep looking. The risk is too high for you to take someone’s word for it.

2. Do You Have A Mandatory Policy to Use Strong Passwords?

Creating a strong password is something that everyone can do, and these passwords can significantly raise the level of protection against a variety of hacking strategies. And yet, about 76% of all data breaches are the result of weak passwords.

Passwords are vulnerable to brute-force bots, particularly the weak ones. Let’s say your password is 1234. A bot only has to count from 0000, 0001, 0002, and up for less than a minute to hack your password. That’s because these bots are able to try thousands of passwords a minute. Unless a program or server puts a limit on failed login attempts, it can be quite easy for a hacker to access it.

Many people neglect to create strong passwords as they don’t understand the dangers of not doing so. When looking for an outsourced accounting provider, you’ll want to make sure this isn’t the case. Otherwise, this irresponsible behaviour can cost you a fortune.

One example is an accounting firm that got hacked by an attacker who forcefully went past its login data. The cybercriminal was able to access all sorts of sensitive information, so he did. He went into the client’s payroll data and changed the direct deposit bank details. He even rolled over SMSF balances to other super accounts.

If an outsourced provider doesn’t already have mandatory password policies, ask them if there’s a way to implementing them. If they’re not willing to do this, you might be better off with a different provider who cares more about data security.

3. What Encryption Methods Do You Use?

Both you and your remote team need to use a strong encryption method for your website and login portals. The most common choice is SSL 128-bit and 256-bit encryptions. If you’ve ever noticed a small lock icon next to a web address, it means that it uses this encryption method.

This prevents data from getting retrieved as plain text. Hackers would have to decrypt the information that travels between you and your remote team or it’d be useless to them. Of course, they wouldn’t be able to do anything if the encryption is unbreakable.

If your provider gives their employees or clients access to data, you need to know the exact level of access. Ideally, you should be able to keep all the sensitive information to yourself and share with a handful of key people in your company. However, you also need to ensure that there are policies that protect your data from 3rd party access.

4. Do You Allow Your Users to Log Into the Cloud Outside of Your Network Infrastructure?

In many cases, a security breach doesn’t have to be the result of your firm’s weak security measures. All it takes is for one of your employees to log into the cloud through an unsecured public Wi-Fi network. A hacker can get access to all the information through it.

This is why you must ask a provider if they allow workers to log into their account from anywhere. If so, this is a red flag and you might want to reconsider working with them.

A good provider uses various tools to make sure that only those with the correct level of access can log into an account. IP address locking through geofencing is a great example. You can lock yourself down to only Australian IP addresses. In doing so, nobody from the outside can access your account even if they have the right credentials.

One of our clients learned this the hard way. They used our services offshore but not onshore, and their onshore team got breached. We saw that the attackers tried to access their offshore system without success. But as soon as they realized that both teams came from the same company, they tried logging into the onshore team and succeeded.

There are more cases of this than you might think. For this reason, you need to make sure that your remote team has tight restrictions to prevent intruders from logging in.

5. What Happens to the Files Once You’ve Finished Using Them?

Depending on their policies, providers handle finished documents in different ways. You need to ask what happens to taxes, bookkeeping, and other documents you get from the remote team once they’ve sent them to you.

Ideally, they’d destroy all documents upon a successful transfer. This ensures that you have full control over your documents. And if they keep the files, you need to know for how long and what they can do to protect them.

Another thing that you need to know is what would happen to your data if you decide to end the relationship. Your documents belong only to your company, so never allow a provider to claim ownership over them. Make sure to get all their policies in writing so that there’s no misunderstanding.

6. What Are Your Policies in the Event of a Breach

Despite their best efforts, your provider might make a mistake and allow hackers to get into their system. Since you won’t have any control when this happens, you need to know their response if a breach occurs.

A good provider needs to have a team and a contingency plan dedicated to this scenario. They need to have cutting-edge technology in place that will mitigate the damage. Moreover, they need to be open about everything that goes on and notify you when this happens.

Outsourcing Security - Disaster Recover Plan

Choose Carefully

Before you make your final decision, it’s of the utmost importance that the provider can give you the right answers to the above questions. They need to reassure you that they have all the right systems in place to keep your data safe.

If you’re thinking about saving money by going with a provider that offers the lowest quote, think again. This might save you some money right now, but you can’t afford the risk of major losses down the road. You might also want to shelf the ‘it won’t happen to me’ mindset, as every person and organisation is a potential target.

There’s a lot more that you need to learn about protecting your company from security breaches. Outsourcing that specialty can be quite risky if you don’t get it right.

To learn more about how you can secure your business, click here to book a Cyber Security Consultation with our team today.