By Alexandra DeFelice
Can you sleep soundly at night knowing your firm is safe from data security breaches?
We've all heard the stories of stolen laptops, hacked computers, and disgruntled employees leaving the firm with private information. But could that really happen to you? Do you really want to find out?
Security is one of those vitally important areas that accounting and law firms often overlook or take for granted, because it is seen not as strategic but as one of those things that should and must be done "just in case."
"This is defense. We want to spend our time and resources playing offense", said Ian Miller, CIO of Weil Gotshal & Manges, LLP, during a panel discussion earlier this month at the LegalTech conference in New York.
But thinking of security simply as a plan and not a process or strategic investment is by far the worst approach. "Like not being insured, it multiplies the chance you'll get hosed", he said.
Do firms need to invest hundreds of thousands of dollars to protect their clients' personal information from the bad guys - whether they're inside or outside the company? Not necessarily. But they need to create a basic checklist of things to prevent the bad guys from seeing a big flashing sign that says "Take My Information, Please."
There's no need for the checklist to be complicated. It's just a way to guide employees and clients who are exchanging information with you as to where protected information lives and how to protect it better, added panelist Steve Antoniewicz, consulting director at Foundstone Professional Services, a division of McAfee.
"Make them sweat a little bit before they come in", he said of potential mal-doers. "You don't need perfect locks, you just need better locks than your neighbor."
Your checklist could include:
- Use complex passwords (uppercase, alphanumeric, etc.) and insist that passwords be changed regularly.
- Require two-factor authentication for remote access (users must present two independent factors, such as something they know, like a password, and something they have, like a token or phone, before they can reach the system).
- Restrict employees from being local administrators of their own computers.
- Ensure mobile devices that are lost or stolen can be wiped remotely.
- Monitor everyone regularly, especially "super users" who have access to the most information.
- Utilize technology that can alert you to atypical activity in document management (e.g., a user downloading an unusually large amount of data) or to a sudden surge in e-mail. Such spikes often occur when an employee is preparing to leave the firm, so the alert needs to fire while the person is still on staff.
"It's going to be a pain in the neck. We fight people because they want convenience over security", Miller said. "Be prepared. At least, in the wake of a [breach], make sure you have a decent story to tell."
Do a baseline assessment of where you stand from a security-gap perspective. Look at the full environment, prioritize what needs remediation, and include the steps to get there along with an estimated budget, Antoniewicz suggests. "Build a security plan based on that assessment. That will give you a quantifiable way to show management you're making progress vs. 'we implemented antivirus and can see the virus threat has gone down,'" he said. But what about the other threats?
Miller explained that firms need to include a plan that details what happens if there is a breach. The plan should include what the firm will do and what it expects its employees, clients, and other firms/vendors with which it has relationships to do.
Let employees know that you're monitoring them. Accounting and law firms alike tend to debate how much access their employees should have because they want them to be able to see important information belonging to the firm. If yours is a firm that leans toward opening up most of your resources to all employees, let them know that you trust them but that the firm verifies that its employees are practicing proper procedures. And if someone is caught, don't let him or her off the hook.
"A public hanging every once in a while speaks volumes", Miller said.
Moderator Neil Araujo, CEO of Protect, Professional Markets at Autonomy Corporation, summed up the panel's primary message for improving a firm's protection: Make it a long-term process, not a project, and know the person in your firm whose primary job is to work on security.
"If you want to sleep soundly at night, hire someone who will stay awake", he said.
Alexandra DeFelice is senior manager of communications and program development for Moore Stephens North America, a regional member of Moore Stephens International, a network of more than 360 accounting and consulting firms with nearly 650 offices in almost 100 countries. She can be reached at [email protected].