7 ways to keep your data secure

Syft takes you through different layers of defence you can implement to protect your data

Written by Alex
Updated over a week ago

In the era of online shopping, email, banking and remote working, you can do almost anything online. This makes life supremely convenient, but it also makes us vulnerable to a host of new crimes in cyberspace.

Cybercrime continues to make the news. In February 2024 alone, Prudential Financial experienced a data breach, sensitive data pertaining to more than 63,000 employees at Verizon Communications was stolen, and a Bank of America vendor was breached, resulting in the theft of sensitive personal information from 57,028 Bank of America customers. And this is just the tip of the iceberg!

So, how can you make sure that your data is safe? Let’s take a look.

1. Put a layered defense approach in place

Imagine your client data is a great mountain of gold, and you're the dragon tasked with defending it. How might you make sure no nefarious dwarves or misled hobbits steal your prize possessions? Well, being a fire-breathing monster would help somewhat, but beyond that, you probably want to situate your hoard in a secure location.

You want a castle with high walls that are hard to climb and thick doors that are difficult to penetrate or knock down. It might help to add some archers to the battlements to detect threats as they appear, and perhaps a murky moat filled with crocodiles wouldn't be amiss.

📓 Note

This multi-pronged strategy is typically called a layered defense approach or defense in depth.

So, how do we create our impenetrable fortress? One that considers the perimeter, endpoint, application, data and user?

2. Use a firewall

Let's start with the perimeter – the moat filled with crocodiles would be your firewall. A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to lower the bridge over the moat and let it pass – or whether to block it and set the crocodiles upon it.

Unsure which firewall to use? Here are a few recommended by G2 according to their ratings in user reviews:

  • WatchGuard Network Security (ranked 4.7 out of 5) and typically used by mid-market (54%) and small businesses (43%)

  • pfSense (ranked 4.7 out of 5) and typically used by small businesses (71%) and mid-market (23%)

  • Sophos Firewall (ranked 4.6 out of 5) and typically used by mid-market (63%) and small businesses (27%)

For a full list, see G2's firewall rankings.

What if there's a really intrepid criminal who manages to dodge the crocodiles and get onto the castle grounds? Well, then, you'll need some sure-fire archers to take him down.

3. Get an antivirus tool

Stationed at every battlement of the castle, you have a man with a bow and arrow. In our case, this is an antivirus tool. An antivirus works by detecting, quarantining and/or deleting malicious code, preventing malware from causing damage to your firm's devices. So, if any sneaky software finds its way onto your devices, the antivirus will scout it out and get rid of it with the excellent aim of an archer.

Some good antivirus options include Intego (voted best antivirus software of 2023 with a 9.8 rating and available on Mac and Android), Total AV (award-winning anti-virus) and Norton (high-accuracy, low-impact solution with online backup capabilities).

Okay, so far, so good, but now, what if someone finds the secret entrance to your castle that only the servants are meant to know? You've been ratted out, and someone has gotten in. This is why you need the best lock in the business – a super cryptic riddle.

4. Encrypt your data

In IT terms, the impossible riddle is called encryption. Encryption transforms readable "plaintext" into unreadable "ciphertext." Turning ciphertext back into plaintext requires the decryption key, a string of numbers or a password generated by an algorithm. Without that key, recovering the data is practically impossible for anyone who gets hold of it. This is why it's highly recommended that you encrypt all company hard drives.

Google Cloud notes that we encounter examples of encryption every day, on our smartphones, PCs and banking apps. They give the example of websites whose addresses start with "https://", explaining that the "s" stands for "secure" and that this is a sign that the website is using transport encryption. Take a look at the websites you use to see if they have this "s" in their URL and whether there is a little lock icon next to the URL. Another example of encryption can be found in VPNs, but more on that later.

But now for the difficult conversation we must have about those guards of yours—I mean your employees. Having the best tech in place is great and recommended, but you're only as secure as your weakest link, and, let's face it, the weakest link is typically human. How do you make sure your staff does their bit to keep the data secure?

5. Train your staff

There are several ways to keep your guards vigilant. The first is training them in the importance of cybersecurity and ensuring that they pay attention. At Syft, we use software called Vanta to ensure we are as secure as possible, and this includes requiring all employees to complete annual security training.

We also require two-factor authentication so that when you log into Syft, you don't just rely on one password.

Authentication, authorization and frequent monitoring are all key to keeping your guards on top of that treasure. Plus, it's a good idea to update and patch your network devices and software regularly and to encourage your staff to use secure passwords for all their accounts and devices.

💡 Pro Tip

Use password generators and managers such as Google Passwords on Chrome, Apple Keychain on Apple devices or LastPass to ensure your passwords are strong and secure.

If your staff work remotely, it is also worth advising them to be cautious on public WiFi. You don't know who else could be using a public network, so it's always better to use a VPN, a virtual private network that encrypts your data and masks your IP address, browsing activity, identity and location. This creates an additional high barrier for thieves to scale.

6. Review the apps you use

Most businesses interact with other businesses, especially when you consider the software you use. Many of those businesses have security practices in place that you may want to adopt in your own firm.

It's a good idea to align your network security architecture with industry standards and frameworks. These provide best practices, guidelines and benchmarks to improve security posture and compliance. Some of the most widely used standards and frameworks are ISO 27001, NIST Cybersecurity Framework, CIS Controls and SANS Top 20 Critical Security Controls. You should choose the ones that suit your business context and objectives. At Syft, we follow the guidelines of SOC 2, meeting criteria around five key pillars:

  1. Security

  2. Availability

  3. Confidentiality

  4. Processing Integrity

  5. Privacy

Although the requirements are different for a SaaS company and an accounting practice, many of these pillars are beneficial for both types of organizations. For instance, when it comes to security, Syft ensures that network and application firewalls are in place, as well as two-factor authentication and intrusion detection. Where possible, you want to make sure these measures are in place. If you use software such as Xero, QuickBooks, Sage or Syft, see if you can set up two-factor authentication to secure your account.

💡 Pro Tip

Investigate the security measures implemented by software or apps that use your data or your client's data. When data is out of your hands, there's not much you can do about it. Investigate all the software you use to see what security measures they have in place and whether these are sufficient.

Regarding privacy, Syft has certain measures to control who has access to data. You may want to apply this principle in your own firm by only giving staff members access to information that pertains to them—the principle of least privilege.

It's also considered best practice to perform regular risk assessments and vulnerability scans to determine the level of exposure and potential impact of different threats. This will help you prioritize your security needs and goals so you can be proactive in your approach to security.

It's not enough to have all these measures in place though; you need to know what you're up against.

Knowing what you're up against: how can you be harmed?

Are you protecting your gold well enough? Not just from greedy dwarves or well-intentioned hobbits but from whole armies of orcs? Each type of criminal has a different modus operandi, so you and your staff need to be aware of the approaches they may try and how you can evade these. Some of the most common crimes include:

  • Phishing scams: where your staff may be deceived into handing over confidential information via email, text message or some other online message.

    Solution: Always double-check the email address a message comes from, especially when it asks for financial or other confidential information, and don't click on links or attachments in emails that look suspect. Are the grammar and spelling correct? Are the font size, color and typeface consistent? Is there an urgent request for money in the email? Tread with caution.

  • Ransomware attacks: where criminals enter your system and encrypt all your data, only offering to decrypt it for a fee. 48% of ransomware attacks are the result of exploitable vulnerabilities in your system, while 20% are the result of brute-force credential attacks and 12% are the result of phishing. The remaining attacks arise from abuse of trusted relationships, previously compromised credentials and other elements.

    Solution: The best way to protect yourself from ransomware attacks is to ensure that all devices on a network are updated frequently. Software companies regularly release updates that patch discovered common vulnerabilities and exposures (CVEs), so it's crucial to apply these patches before cybercriminals can exploit the vulnerabilities.
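The manual checks in the phishing solution above (look at the real sender address, watch for lookalike domains and brand names the address doesn't back up, be wary of urgent money requests) turned into a small triage script. This is an added example, not Syft's own code; the trusted-domain list, the character-swap table and the two sample messages are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list for this example: domains the firm actually corresponds with.
TRUSTED_DOMAINS = {"syftanalytics.com", "xero.com", "quickbooks.com"}
# Phrases the article tells staff to treat as red flags: money, urgency, credentials.
URGENCY_PHRASES = ("urgent", "immediately", "overdue", "wire transfer",
                   "suspended", "verify your account")
# Character swaps commonly used in lookalike domains (assumed list for the example).
LOOKALIKE_SWAPS = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"))

def registrable_domain(addr: str) -> str:
    """Reduce 'user@mail.sub.example.com' to 'example.com' (last two labels, lower-cased)."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])

def normalise_lookalike(domain: str) -> str:
    """Undo homoglyph swaps and drop a hyphenated suffix, so 'xer0-payments.com' -> 'xero.com'."""
    name, _, tld = domain.rpartition(".")
    name = name.split("-")[0]
    for fake, real in LOOKALIKE_SWAPS:
        name = name.replace(fake, real)
    return f"{name}.{tld}"

def phishing_indicators(from_header: str, subject: str, body: str) -> list[str]:
    """Apply the article's manual checks to one message; an empty list means nothing looked off."""
    reasons = []
    display_name, addr = parseaddr(from_header)
    domain = registrable_domain(addr) if "@" in addr else ""
    # Check 1: is the real sending domain one we know? Check 2: or merely a lookalike of one?
    if domain not in TRUSTED_DOMAINS:
        reasons.append(f"sender domain {domain!r} is not trusted")
        if normalise_lookalike(domain) in TRUSTED_DOMAINS:
            reasons.append(f"{domain!r} is a lookalike of a trusted domain")
    # Check 3: the display name borrows a trusted brand that the address does not back up.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and domain != trusted:
            reasons.append(f"display name claims {brand!r} but address is {addr!r}")
    # Check 4: an urgent request for money or credentials in the subject or body.
    text = f"{subject} {body}".lower()
    found = [p for p in URGENCY_PHRASES if p in text]
    if found:
        reasons.append("urgent/financial language: " + ", ".join(found))
    return reasons

# Constructed sample messages (not real mail) to run the checks against.
SAMPLE_PHISH = ("Xero Billing <accounts@xer0-payments.com>",
                "URGENT: invoice overdue", "Pay immediately or your account will be suspended.")
SAMPLE_OK = ("Xero <no-reply@post.xero.com>", "Your March statement", "Your statement is attached.")
```

Running `phishing_indicators(*SAMPLE_PHISH)` returns four reasons (untrusted domain, lookalike, borrowed brand name, urgent language), while the legitimate sample returns none; a real deployment would feed the script the parsed headers of incoming mail and route anything with reasons to a human reviewer.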

7. The silver lining to our preparations for a potential invasion

Although cybercrime is prolific, I do have some good news for you. As Xero wrote:

"Despite stereotypes you might have seen, cybercriminals aren’t necessarily well-funded geniuses who lurk in the shadows building sophisticated hacking programs. The barrier to entry is actually much lower, with cybercrime tools and services available to anyone with the right motivation."

That's right – most criminals are not super-smart tricksters ready to evade every line of defense. And now that you know the kind of security you can put in place to protect against their attacks, you're well on your way to being a very happy dragon who knows that its golden hoard – your clients' data – is safe.

There are many bad actors out there, from the traditional hacker to cyberactivists, "script kiddies" who don't have much technical expertise, and malicious insiders—employees who steal from right under your nose. The last point is worth stressing again: threats aren't always from external parties; sometimes your right-hand man has nefarious intentions, so establishing policies around least-privilege access and monitoring your employees' activity is important.

To recap

The best thing that you can do to protect your firm and client data from internet criminals is to put in place layers of defense, including:

  • A crocodile-infested moat: a firewall

  • A line of sure-fire archers: an antivirus

  • An impossible riddle: encryption

  • Vigilant guards: employees who are trained and know how to keep their passwords and other data secure

  • Trustworthy allies: the software providers with whom you work

  • Knowing what you're up against

  • Doing regular checks to find weak spots in your defence system, including keeping tabs on your employees and what they are able to access

With all this in mind, you are now ready to get your layers of defense lined up to prepare for whatever opportunists may be checking out your trove of precious information.
