Given the nature of accounting and bookkeeping work, advisors require access to a lot of systems that contain their clients’ sensitive information (i.e., online banking, payroll software, etc.).
When you’re supporting a high volume of clients who use a vast array of tools in their tech stack, it’s imperative to have procedures in place that will ensure you’re managing your clients’ passwords securely and efficiently.
Our free client password management guide for accountants (created in partnership with SmartVault) provides more considerations for building your firm’s security policy; however, below are some common practices used by best-in-class firms when managing client credentials. (Note: always consult legal and technical advice when implementing any sort of security policy or procedures.)
Avoid sharing login information
As a general best practice, it’s important to do what you can to avoid obtaining client passwords and using shared login information. When logins are shared (i.e., two or more people use the same login credentials for an online account), it is difficult to maintain an audit trail and manage user permissions. There are a few ways to avoid using shared logins.
An important part of your onboarding process for new clients is gathering the information you need to set your client up on their cloud accounting platforms and start the engagement. When it comes to sharing sensitive information (such as passwords), there are a couple of ways this can be accomplished.
Best-in-class firms will usually dedicate one call during the onboarding process to setting up these types of tools. Usually, they’ll send the client a list of the accounts and passwords that they’ll require so everyone is prepared for the call. Then, they’ll either ask the client for the information during the call, or give the client remote access to enter the information during the call. Web conferencing tools such as Zoom enable you to grant remote access to your client.
Provide individual logins
Most cloud accounting apps provide the ability to add an unlimited number of users and control their level of permission/access to the app’s functionality at no additional charge. Advisors can help clients set this up by onboarding them onto the app and helping them understand why different team members require access to the app (e.g., the technologist, the bookkeeper, etc.).
Read-only bank access
Similar to user permissions, major banks enable advisors to be granted with read-only bank access so they can download bank statements without also being granted the power to perform any actions within an account (e.g., transferring money, making payments, etc.). If a particular client’s bank doesn’t offer restricted or read-only access, leveraging a password manager is critical (more on that below).
Use a password management tool
Password management tools (also referred to as simply “password managers” or “password vaults”) are tools that enable you to easily and securely generate, use, share, and store unique passwords for many different sites in one centralized location. Leveraging a password manager is by far one of the best steps your firm can take to securely manage your clients’ sensitive information.
Password managers make it easy to refrain from using the same password for multiple accounts (a practice that is all too commonly used, but should be avoided at all costs). For most password management solutions, unique passwords contained in your password manager are protected by one “master password”. Clients can share password information without sharing their actual password, and in many cases you can save multiple logins for one site, making it easy to securely work with multiple client accounts.
A concern that often surfaces with password managers is that the “master password” model could be seen as a single point of failure. However, most tools have methods for protecting this password and many firms who successfully use password managers have protocols in place for keeping this password secure.
Best practices for password management tools
As with any app or tool, it’s important to have processes in place to ensure the tool is leveraged properly.
Consider the following best practices when using a password manager:
- Set protocols for creating and updating your master password. Train your employees to follow these practices.
- Create secure master passwords. Instead of passwords, think of these more as passphrases (e.g., use a common saying or combination of random words). Make these as long as possible and use a variety of characters.
- Onboard your clients to the password management tool. If they’re unfamiliar with the tool, demonstrate how they can securely share passwords, and show any other features that you will use.
Security is a two-way street
Cloud accounting tools and online systems have robust measures in place to ensure that both your and your clients’ sensitive data remains secure.
However, it’s important to note that security is a two-way street – advisors must also take proactive measures to ensure that their clients’ data remains protected. Password management is just one element of your security policy. Follow best practices and consult legal and technical advice to ensure you remain compliant and can continue to do great work for your clients!
Learn more best practices for managing your clients’ credentials in our free guide – download it here.
About the Author
Victoria is the Content Marketing Manager at Hubdoc. She is a graduate of the University of Toronto's Semiotics and Communication Theory program and has 5+ years of experience in digital marketing. She appreciates a fun pun and is always looking for a good book to read.Follow on Twitter More Content by Victoria Hoffman