Sleep Soundly with Data Security

By Alexandra DeFelice 

Can you sleep soundly at night knowing your firm is safe from data security breaches?
We've all heard the stories of stolen laptops, hacked computers, and begrudged employees leaving the firm with private information. But could that really happen to you? Do you really want to find out? 
Security is one of those vitally important areas that often is overlooked or taken for granted by accounting and law firms because it's not looked at as strategic, but rather one of those things that should and must be done "just in case."
"This is defense. We want to spend our time and resources playing offense," said Ian Miller, CIO of Weil Gotshal & Manges, LLP, during a panel discussion earlier this month at the LegalTech conference in New York. 
But thinking of security simply as a plan and not a process or strategic investment is by far the worst approach. "Like not being insured, it multiplies the chance you'll get hosed," he said.
Do firms need to invest hundreds of thousands of dollars to protect their clients' personal information from the bad guys - whether they're inside or outside the company? Not necessarily. But they need to create a basic checklist of things to prevent the bad guys from seeing a big flashing sign that says "Take My Information, Please."
There's no need for the checklist to be complicated. It's just a way to guide employees and clients who are exchanging information with you as to where protected information lives and how to protect it better, added panelist Steve Antoniewicz, consulting director at Foundstone Professional Services, a division of McAfee.
"Make them sweat a little bit before they come in," he said of potential mal-doers. "You don't need perfect locks, you just need better locks than your neighbor."
Your checklist could include:
  • Use complex passwords (uppercase, alphanumeric, etc.) and insist that passwords be changed regularly.
  • Require two-factor authentication for remote access (users must know or have multiple pieces of information in order to gain access to the system).
  • Restrict employees from being local administrators of their own computers.
  • Ensure mobile devices that are lost or stolen can be wiped remotely. 
  • Monitor everyone regularly, especially "super users" who have access to the most information.
  • Utilize technology that can alert you of atypical activity related to document management (i.e., downloading an unusually large amount of data) or a sudden surge in e-mail. This often occurs when an employee is preparing to leave the firm.
"It's going to be a pain in the neck. We fight people because they want convenience over security," Miller said. "Be prepared. At least, in the wake of a [breach], make sure you have a decent story to tell."
Do a baseline assessment of where you are from a security gap perspective. Look at the full environment , prioritize what needs remediation, and include steps to get there along with an estimated budget, Antoniewicz suggests. "Build a security plan based on that assessment. That will give you a quantifiable way to show management you're making progress vs. 'we implemented antivirus and can see the virus threat has done down,'" he said. But what about the other threats?
Miller explained that firms need to include a plan that details what happens if there is a breach. The plan should include what the firm will do and what it expects its employees, clients, and other firms/vendors with which it has relationships to do.
Let employees know that you're monitoring them. Accounting and law firms alike tend to debate how much access their employees should have because they want them to be able to see important information belonging to the firm. If yours is a firm that leans toward opening up most of your resources to all employees, let them know that you trust them but that the firm verifies that its employees are practicing proper procedures. And if someone is caught, don't let him or her off the hook.
"A public hanging every once in a while speaks volumes," Miller said.
Moderator Neil Araujo, CEO of Protect, Professional Markets at Autonomy Corporation, summed up the panel's primary message for improving a firm's protection: Make it a long-term process, not a project, and know the person in your firm whose primary job is to work on security.
"If you want to sleep soundly at night, hire someone who will stay awake," he said.
Related articles:
Alexandra DeFelice is senior manager of communications and program development for Moore Stephens North America, a regional member of Moore Stephens International, a network of more than 360 accounting and consulting firms with nearly 650 offices in almost 100 countries. She can be reached at

You may like these other stories...

With tomorrow being Tax Day, you might see some procrastinators at your office filling out forms, printing out paperwork, or getting last-minute tax advice from their accountant so they can meet the IRS’s filing...
You can read volumes on how to manage an accounting practice. But if you want the quick version, just read the following four points. Everything else is just commentary.  (These points come out of the 1997 book, The...
There is a growing trend of accountants moving away from traditional compliance work to more advisory work. Client demand is there, but it is up to the accountants to capitalize on that. What should accountants' roles be...

Upcoming CPE Webinars

Apr 17
In this exciting presentation Excel expert David H. Ringstrom, CPA shares tricks that you can use with pivot tables every day. Remember, either you work Excel, or it works you!
Apr 22
Is everyone at your organization meeting your client service expectations? Let client service expert, Kristen Rampe, CPA help you establish a reputation of top-tier service in every facet of your firm during this one hour webinar.
Apr 24
In this session Excel expert David Ringstrom, CPA introduces you to a powerful but underutilized macro feature in Excel.
Apr 25
This material focuses on the principles of accounting for non-profit organizations' revenues. It will include discussions of revenue recognition for cash and non-cash contributions as well as other revenues commonly received by non-profit organizations.