Five critical security recommendations for SMB accounting professionals and other business owners

After hearing about many breaches and hacks of accounts of fellow accounting professionals, I decided to write an article with critical recommendations to improve your safety. But first, let me say that the overwhelming majority of these hacks are due to operator error or failure to implement and maintain proper security measures. Also, if any of this seems too hard or you don’t understand it, then get someone who does to help you NOW. On to the recommendations:

  1. Make EVERY password in your life at least 16 characters long and composed of random characters of all types. Passwords must also ALL be unique. Never use the same password twice. If at this point you are making excuses in your head about why you cannot do this, and about how your system of changing a few characters at the end of each password helps you remember them, then STOP READING. You are beyond help. Choose a good password manager (I recommend LastPass) and use it, always and everywhere, to both generate and remember secure passwords. This is the single most important thing you can do to improve security. For two particular passwords, make them even longer: your wi-fi router password and your wi-fi network password. Mine are 50 characters long and I never have to type them, thanks to LastPass. After you make all of your passwords secure, use your password manager to put them on a schedule that requires you to reset them.
  2. NEVER EVER EVER EVER click on a link in an email or an ad in a webpage, even if it is from your bestest best friend ever. They could have been hacked. As a side matter to this, learn to recognize typical phishing emails (Google it) and delete them permanently. But hey, I click on links in email all the time, though only when I am absolutely sure of the source and its security. If you don’t feel competent to know that for sure, then just don’t do it. It took a long time for me to learn to always think before clicking.
  3. Implement two-factor or multi-factor authentication for all of your critical accounts. This means, and in this order, email accounts, bank accounts, social media, accounting software, and online merchants (e.g. Amazon). This goes for both business and personal accounts. Now as to which method to use. Do not use email to authenticate, and texts sent to your phone are barely better. One-time passwords are very secure, but not convenient. The best easy-to-use option is an authenticator program like Google Authenticator. Personally, I use the LastPass Authenticator because it is integrated with the password program and makes its usage very easy. And every time I set up MFA for an account, I do it on my phone and tablet at the same time so that they are the same and I can use either one to authenticate.
  4. Keep all software up to date. A large percentage of updates are to fix security holes before anyone exploits them. There are actually a lot of good Samaritan actors out there who find these holes and notify companies about them so that they can fix them before anyone else finds them.
  5. Secure all devices, including your “safe” office computers, so that they require reauthentication within a short period of inactivity, 5 minutes at the most. Yes, it is a pain, but may save you if your device is misplaced or stolen, or if you have to leave your desk suddenly.
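To put numbers on recommendation 1, here is a small added example (my own illustration, not code from the article or from any password manager) that generates a password from all four character classes with the operating system's cryptographic random source, and compares the entropy of a 16-character and a 50-character random password with the "change a couple of characters at the end" habit the article warns against. The 94-character alphabet and the two-digit suffix are assumptions for the illustration.

```python
import math
import secrets
import string

# The four character classes the article asks for ("random characters of all types").
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters (assumed alphabet)


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Return a random password of `length` characters drawn with the OS CSPRNG
    (the secrets module, never random.random) and containing every class.
    Rejection sampling keeps the result uniform over the accepted set; the
    entropy lost versus a fully uniform string is negligible at 16+ chars."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def suffix_variation_bits(suffix_len: int, alphabet_size: int = 10) -> float:
    """Entropy an attacker must still guess once one reused base password is
    known and only a short suffix (e.g. two digits) varies per site."""
    return suffix_len * math.log2(alphabet_size)


if __name__ == "__main__":
    print("16-char random password:", generate_password(16))
    print("entropy of 16 random chars: %.1f bits" % entropy_bits(16))
    print("entropy of 50 random chars (wi-fi): %.1f bits" % entropy_bits(50))
    print("reused password + 2-digit suffix: %.1f bits" % suffix_variation_bits(2))
```

The last line is the point: once one reused password leaks, a two-digit suffix leaves only about 100 guesses between the attacker and every other account.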

Final observations: The vast majority of small business and personal hacks happen because numbers 1 and 2 just aren’t followed very well. The big company breaches also often start the same way.

Finally, notice that I never even mentioned antivirus and firewall software. That is because the above are all MORE important. But security software is ALSO important. And please don’t skimp. Choose one of the best. It is easy to know which ones actually work, because industry experts evaluate and test them against actual viruses every year. There are basically 4 companies that are at the top each year for stopping malware: Bitdefender, Norton, Malwarebytes, and Webroot. There are other good ones, but they haven’t been quite as consistent. This is not me talking. It is the experts. Kaspersky also always does well, but a large portion of experts don’t recommend it because they don’t trust a Russian company to be free of infiltration by hackers and control by the government. So pick one of those four, buy their complete security product (antivirus and firewall) for all devices (Macs too!), and keep your subscription active, always.

Please send me any comments or suggestions for improvement to the above recommendations. I am not an expert, but I do have a lot of experience in this area.
