By Jason Bramwell
To eliminate redundancy and reduce costs, many companies have implemented a bring your own device (BYOD) policy for their employees. But without the appropriate security controls in place, BYOD could turn into a security nightmare for a firm's senior management and IT staff.
"Security challenges have definitely grown in scale and scope with the variety of devices like iPads, smartphones, and laptops that people want to use to connect to their network," Jeffrey Stark, CPA, audit partner at CPA and business advisory firm Sensiba San Filippo LLP, who is also a cyber risk expert, told AccountingWEB.
According to Stark, hackers can gain access to smartphones through low-security applications like social media and personal e-mail. Once a hacker attacks, he or she can breach the company network through linked applications, such as a company e-mail account. A skilled hacker can then access, extract, or even erase the company's sensitive data.
Many industries, including accounting, are still evolving from paper-based work to paperless, and many businesses are still solving the challenges that result from this transition, he said.
"You must match your network security policy with where you are at in the use of Internet data storage, whether you are using a Cloud provider or you are storing data internally," Stark added. "Also, you need to look at the skill sets of the people who are supporting your network. Are you outsourcing data storage to those people? Do they understand the security risks, or are they just IT guys who are pretty good at troubleshooting issues? You really need to understand where you are at in the evolution of the technology you are using."
What security measures can small to midsized businesses and accounting firms implement to prevent BYOD cyberattacks from occurring? Stark offers the following five tips.
1. Develop a comprehensive network security policy by assessing risks and identifying weaknesses: The first step in developing a comprehensive network security policy is making sure the firm's employees and partners or owners have an understanding of what data the business has, what data it owns, what can be shared, and what cannot be shared.
"You need to educate the users of the data on what the security risks are. Make sure they know what data is highly confidential. If you call data confidential but you did not tell anybody that it is confidential, it is not really confidential," he said. "So user education is important. Monitoring of a company use policy or an access rights policy for effectiveness is important to do on a periodic basis, and then remind the employees of that policy or policies on a periodic basis."
Physical and network security is the next step. If people can access and get in and out of data storage sites remotely from their laptops or smartphones without difficulty, then the firm's network security is not robust or sufficient, Stark said. One way to make it more secure is through a network-enforced password that should be rotated on a periodic basis.
"Most operating systems nowadays offer that solution," he stated. "You can enforce password policies as well, such as minimum password lengths, special characters that must be used, and changing passwords on a timely basis. At the same time, you need to make sure the people who are using the network are not putting their password on a hand-written note and placing it on their computer."
Another area that should be included in a company's network security policy is remote access to the network.
"You need a solution that is going to be secure when it is first implemented and monitored," Stark said. "Make sure no major changes are made that are going to leave back doors into the system."
2. Establish criteria to distinguish authorized users and their level of access based on ranking and classification: Stark said firms should not assign network user rights to an individual user e-mail account. The user rights should instead be assigned to a role.
"You really want to provide the people who are the normal, general users with normal, general access. Then you might have a second level up – maybe you want to call them power users – who need more network access for specific business reasons. You want to assign user rights to a role, then people go in and out of that role," he said.
The same tactic applies to super users, such as the network administrator or the firm's chief IT person.
"You want to make sure your IT guy who has the required super-user rights is using a separate account for his day-to-day e-mail and normal workflow processes," Stark said. "He would then access a separate rights account, or separate rights role, to manage the network and make any changes to the network."
3. Use key data protection tools like firewalls, encryption software, content filters, virus protection, and passwords: Stark said firms must mitigate risk through the use of appropriate technology and tools, such as firewalls and encryption software.
"If you have a network connection to the Internet, some sort of firewall or device in between your network and the Internet is basically a requirement," he added. "That gateway should be secured so that unauthorized access is prevented and authorized access is allowed. Firewalls allow that to happen. There are inexpensive, low-cost solutions, and there are solutions that cost many thousands of dollars to hundreds of thousands of dollars. You could also outsource it to professionals that can do the service for you."
Network encryption is another critical element of data protection. If there are connectivities between an employee working from a remote site and the firm's office, that transmission of data should be encrypted, Stark said.
"If the data is passing in the clear, it is relatively straightforward for someone to snoop that data and get it if it is not encrypted. If it is encrypted, it is breakable, but it is extremely difficult to break," he added.
Stark said his firm recommends to its private company clients to install encryption software on their laptops, which adds an extra layer of data loss prevention if the laptop is stolen or lost.
"The only way to boot into the laptop and access the hard drive is if you know the password to the laptop. Otherwise, all the data in the hard drive is encrypted," he stated. "That way, if you have sensitive client information like Social Security numbers or credit card numbers on the laptop, and if you lose it or it gets stolen, the risk that the data would be accessed is reduced quite a bit."
4. Implement an external, offsite backup system for user data based on data classification and sensitivity: Hosting data offsite is becoming a preferred storage method for many small businesses and accounting firms, according to Stark.
"It makes a lot of business sense. It solves a lot of problems for business-continuity reasons, and it is a simple and effective method to store data," he said. "I talked to a couple of clients who had a massive, catastrophic data loss because of hard drives that failed on computers and the backups were not working. Any type of backup solution, whether it is a Cloud system or internal, needs to be monitored to see if the backup is working and then periodically tested to see if you can restore the data. That is absolutely critical."
The Service Organization Control (SOC) 2 reporting standard from the American Institute of CPAs (AICPA) enables Cloud providers to offer customers and other stakeholders a written report on the security, availability, processing integrity, confidentiality, and privacy of their systems and internal controls.
"SOC 2 is really focused on the evolving landscape of IT and how Cloud has become such a valuable solution, but you really want to have some sort of assertion that providers' systems are sound," Stark said. "We expect this report to be more demanded by customers of Cloud service providers. It is something any small business can ask for when they talk to potential providers: Do you have this report? How are your systems set up? What is your response time? Where is the data physically located? How am I going to make sure that it is available when I need it?"
5. Monitor and maintain physical risk assessment of the network under security procedures: Successful risk assessment takes IT personnel to sometimes take a step back from a system that "may be their baby" and figure out if the system is vulnerable to risk, Stark said. He also said it is critical for senior management to understand that security is an important element for the business to survive and thrive.
"You really need to have a multitiered, multipronged approach with top-level support from management. It should be aligned with the business risks that you have, and it should be aligned with the use of the technology that your company has," Stark said. "A mom-and-pop grocery store may have one different set of challenges versus a company that handles confidential client data and has multiple offices connected remotely with people with laptops."
Monitoring the network is another critical piece of any control structure, Stark added.
"You can either do it as a surprise, or you can do it on a consistent basis. But the monitoring element has to exist because of the changes in technology and the changes in access solutions," he concluded. "At a small or medium-sized business or accounting firm, monitoring the backup system and testing the data restore function needs to be done at least on an annual basis or when there have been major changes to the network. If you think the backup is running and it actually is not, that is a big problem."