Sleep Soundly with Data Security
by AccountingWEB on
By Alexandra DeFelice
Can you sleep soundly at night knowing your firm is safe from data security breaches?
We've all heard the stories of stolen laptops, hacked computers, and disgruntled employees leaving the firm with private information. But could that really happen to you? Do you really want to find out?
Security is one of those vitally important areas that often is overlooked or taken for granted by accounting and law firms because it's not looked at as strategic, but rather one of those things that should and must be done "just in case."
"This is defense. We want to spend our time and resources playing offense," said Ian Miller, CIO of Weil Gotshal & Manges, LLP, during a panel discussion earlier this month at the LegalTech conference in New York.
But thinking of security simply as a plan and not a process or strategic investment is by far the worst approach. "Like not being insured, it multiplies the chance you'll get hosed," he said.
Do firms need to invest hundreds of thousands of dollars to protect their clients' personal information from the bad guys - whether they're inside or outside the company? Not necessarily. But they need to create a basic checklist of things to prevent the bad guys from seeing a big flashing sign that says "Take My Information, Please."
There's no need for the checklist to be complicated. It's just a way to guide employees and clients who are exchanging information with you as to where protected information lives and how to protect it better, added panelist Steve Antoniewicz, consulting director at Foundstone Professional Services, a division of McAfee.
"Make them sweat a little bit before they come in," he said of potential mal-doers. "You don't need perfect locks, you just need better locks than your neighbor."
Your checklist could include:
- Use complex passwords (uppercase, alphanumeric, etc.) and insist that passwords be changed regularly.
- Require two-factor authentication for remote access (users must know or have multiple pieces of information in order to gain access to the system).
- Restrict employees from being local administrators of their own computers.
- Ensure mobile devices that are lost or stolen can be wiped remotely.
- Monitor everyone regularly, especially "super users" who have access to the most information.
- Utilize technology that can alert you to atypical activity related to document management (e.g., downloading an unusually large amount of data) or a sudden surge in e-mail. This often occurs when an employee is preparing to leave the firm.
"It's going to be a pain in the neck. We fight people because they want convenience over security," Miller said. "Be prepared. At least, in the wake of a [breach], make sure you have a decent story to tell."
Do a baseline assessment of where you are from a security gap perspective. Look at the full environment, prioritize what needs remediation, and include steps to get there along with an estimated budget, Antoniewicz suggests. "Build a security plan based on that assessment. That will give you a quantifiable way to show management you're making progress vs. 'we implemented antivirus and can see the virus threat has gone down,'" he said. But what about the other threats?
Miller explained that firms need to include a plan that details what happens if there is a breach. The plan should include what the firm will do and what it expects its employees, clients, and other firms/vendors with which it has relationships to do.
Let employees know that you're monitoring them. Accounting and law firms alike tend to debate how much access their employees should have because they want them to be able to see important information belonging to the firm. If yours is a firm that leans toward opening up most of your resources to all employees, let them know that you trust them but that the firm verifies that its employees are practicing proper procedures. And if someone is caught, don't let him or her off the hook.
"A public hanging every once in a while speaks volumes," Miller said.
Moderator Neil Araujo, CEO of Protect, Professional Markets at Autonomy Corporation, summed up the panel's primary message for improving a firm's protection: Make it a long-term process, not a project, and know the person in your firm whose primary job is to work on security.
"If you want to sleep soundly at night, hire someone who will stay awake," he said.
Alexandra DeFelice is senior manager of communications and program development for Moore Stephens North America, a regional member of Moore Stephens International, a network of more than 360 accounting and consulting firms with nearly 650 offices in almost 100 countries. She can be reached at firstname.lastname@example.org.