Serious Security Issue for Accountants - Part 1 Thumb Drives
As accountants, we are trained to keep the information of our clients and our companies confidential. We expect this of ourselves, and others also expect that we will act with due diligence. The "First Digital Decade" (see Bill Gates's 15th and final CES Keynote, 1/6/2008, for more info on the First Digital Decade) has brought about significant changes in the ways we store and transport confidential information. Many accountants have embraced the new technology without properly addressing the related security risks (this comment is based on casual empiricism gained from providing CPE to over 30,000 accountants each year). These weaknesses in our business practices are widespread and extremely serious. This is the first (i.e. Part 1) in a series on security risks faced by accountants as we enter the “Second Digital Decade.” Each post will focus on a specific security risk and on the alternatives for addressing that risk.
Thumb Drives - Also known as flash drives. They are everywhere. They have replaced floppy drives and even CDs for the “sneaker net” method of moving data. A 4 GB flash drive could easily contain the accounting records (ex. client QuickBooks files) and tax records of dozens of companies and the related payroll tax information on hundreds of employees. Statutory laws and regulations impose criminal penalties for mishandling this information. Security Breach Notification Laws (now in effect in 34 states), Sarbanes Oxley, HIPAA, and state board regulations are just some examples of such laws.
These drives are easy to lose and easy to leave behind at a client or customer location. The consequences of losing a thumb drive with confidential information are severe and often require direct notification of everyone whose information is on the drive (including all the employees of all the companies whose QuickBooks files are on the drive). Criminal penalties can result from failure to comply.
Are accountants addressing this issue? Are staff accountants given proper training? Do companies and firms have policies for protecting data that is stored on portable devices? Are thumb drives containing confidential data routinely encrypted to protect the data? For many accountants, the answer to all these questions is no.
The solution is simple: Clear policies, employee training, and secure flash drives. IronKey.com is “best of class” with respect to secure flash drives. Watch their online demo; it’s well done and informative, even if you decide to buy a different brand of secure flash drive. As an added benefit, it is such a cool device that you will feel like James Bond when you use it. There are dozens of other secure flash drives and software you can buy to secure existing flash drives (ex. Pointsec mobile, Code Red, TrueCrypt, Lexar JumpDrive, Sony Micro Vault, and hundreds more).
It’s time to get serious about flash drive security. You need a policy, you need the right hardware and software, and you and your staff need training. This is not brain science and it’s not rocket surgery. Failure to comply results in serious business risk.
William C. Fleenor, CPA.CITP, Ph.D.
Shareholder, K2 Enterprises, LLC
by The K2 Team - Look here for anything that involves technology and accounting. K2 Enterprises is the largest supplier of technology CPE (Continuing Professional Education) for CPAs, CGAs and CAs in North America. The K2 team routinely reviews software and hardware products from all major publishers and teaches accountants how to use these tools effectively. The entire K2 team has 10+ years of experience, many with 30+ years of technology and accounting experience.