Sleep Soundly with Data Security

By Alexandra DeFelice 

Can you sleep soundly at night knowing your firm is safe from data security breaches?
 
We've all heard the stories of stolen laptops, hacked computers, and disgruntled employees leaving the firm with private information. But could that really happen to you? Do you really want to find out?
 
Security is one of those vitally important areas that is often overlooked or taken for granted by accounting and law firms because it's not seen as strategic, but rather as one of those things that should and must be done "just in case."
 
"This is defense. We want to spend our time and resources playing offense," said Ian Miller, CIO of Weil Gotshal & Manges, LLP, during a panel discussion earlier this month at the LegalTech conference in New York. 
 
But thinking of security simply as a plan and not a process or strategic investment is by far the worst approach. "Like not being insured, it multiplies the chance you'll get hosed," he said.
 
Do firms need to invest hundreds of thousands of dollars to protect their clients' personal information from the bad guys - whether they're inside or outside the company? Not necessarily. But they need to create a basic checklist of things to prevent the bad guys from seeing a big flashing sign that says "Take My Information, Please."
 
There's no need for the checklist to be complicated. It's just a way to guide employees and clients who are exchanging information with you as to where protected information lives and how to protect it better, added panelist Steve Antoniewicz, consulting director at Foundstone Professional Services, a division of McAfee.
 
"Make them sweat a little bit before they come in," he said of potential wrongdoers. "You don't need perfect locks, you just need better locks than your neighbor."
 
Your checklist could include:
  • Use complex passwords (uppercase, alphanumeric, etc.) and insist that passwords be changed regularly.
  • Require two-factor authentication for remote access (users must know or have multiple pieces of information in order to gain access to the system).
  • Restrict employees from being local administrators of their own computers.
  • Ensure mobile devices that are lost or stolen can be wiped remotely. 
  • Monitor everyone regularly, especially "super users" who have access to the most information.
  • Use technology that can alert you to atypical activity related to document management (e.g., downloading an unusually large amount of data) or a sudden surge in e-mail. This often occurs when an employee is preparing to leave the firm.

"It's going to be a pain in the neck. We fight people because they want convenience over security," Miller said. "Be prepared. At least, in the wake of a [breach], make sure you have a decent story to tell."
 
Do a baseline assessment of where you are from a security gap perspective. Look at the full environment, prioritize what needs remediation, and include steps to get there along with an estimated budget, Antoniewicz suggests. "Build a security plan based on that assessment. That will give you a quantifiable way to show management you're making progress vs. 'we implemented antivirus and can see the virus threat has gone down,'" he said. But what about the other threats?
 
Miller explained that firms need to include a plan that details what happens if there is a breach. The plan should include what the firm will do and what it expects its employees, clients, and other firms/vendors with which it has relationships to do.
 
Let employees know that you're monitoring them. Accounting and law firms alike tend to debate how much access their employees should have because they want them to be able to see important information belonging to the firm. If yours is a firm that leans toward opening up most of your resources to all employees, let them know that you trust them but that the firm verifies that its employees are practicing proper procedures. And if someone is caught, don't let him or her off the hook.
 
"A public hanging every once in a while speaks volumes," Miller said.
 
Moderator Neil Araujo, CEO of Protect, Professional Markets at Autonomy Corporation, summed up the panel's primary message for improving a firm's protection: Make it a long-term process, not a project, and know the person in your firm whose primary job is to work on security.
 
"If you want to sleep soundly at night, hire someone who will stay awake," he said.
 
Alexandra DeFelice is senior manager of communications and program development for Moore Stephens North America, a regional member of Moore Stephens International, a network of more than 360 accounting and consulting firms with nearly 650 offices in almost 100 countries. She can be reached at adefelice@msnainc.org.
