A Step-by-Step Guide to Maintaining Data Security When You're Working from Home
The coronavirus pandemic has forced many accounting professionals to work from home exclusively. Whether you already did so occasionally or this is new to you, one question is foremost on many people's minds: How can I keep my firm's and my clients' data safe? Here's a step-by-step guide to walk you through exactly what you need.
The COVID-19 shutdown has forced unprecedented numbers of people to work from home. Many had never done so prior to the shutdown, or they had, but only occasionally. For those in this situation, data security may not have been a significant concern in their previous home computing. Now, however, it is.
Accounting professionals and their employees more than likely worked from home on a routine basis, but perhaps not to the extent they are now. In doing so, they are accessing and dealing with much higher volumes of client confidential and sensitive data. This brings up the question: Just how safe is client data? And, will using a personal device for work-related tasks increase vulnerability to security breaches and compromise your personal data?
So, how can you keep data safe when working from home?
Before I answer this, I’d like to review a few key facts to add context for my comments. First, there is no such thing as 100 percent security with respect to the internet. No product or device will provide foolproof protection, despite claims to the contrary.
Secondly, internet security and anonymity are not the same thing; I will only address the former here. Third, many providers claim running applications in the cloud is safer and more secure than running on-premise applications, i.e. applications installed on company servers or individual computers. In my experience, many people making those claims are associated with the cloud provider business in some way or another, and I do not consider their comments objective. Certainly, cloud data centers generally have better internet security than private company data centers or individual home computers. But, there are also firms that invest in security, and, as a result, their data is just as safe. So, you shouldn’t automatically assume your data isn’t secure just because you aren’t accessing a public cloud.
Now, protecting your and the company’s data starts with the company to which you are connecting. They should be using a VPN (virtual private network) system-wide as part of their infrastructure, regardless of whether the individual is directly connected or remote. If you are new to working from home, your employer should provide you with a VPN client, usually by emailing the password-protected install file to you or making it available on a secure webpage.
So, what is a VPN, and why is it safe? Well, it’s an encrypted tunnel through which an on-premise or remote user connects to a server, accesses company applications, and shares resources and files. Because the connection is an encrypted tunnel, neither your ISP nor anyone else outside the tunnel can read the data traffic. If your company uses a current-generation router, it may, in addition to the VPN client software, provide endpoint security software from the router vendor that adds protection and allows the company network administrator(s) to monitor security for all workstations on the company’s network. All your ISP knows is that you are accessing a server using a VPN. They do not know what URL or domain you are requesting or what you are doing, nor can they read the data traffic. VPNs are usually the safest way to protect your computer, other devices and the company data. Like everything else on the internet, VPNs are not 100 percent secure against being hacked. They simply make your system so difficult to hack that a hacker may not even try.
Now, one might ask: Why invest in being secure if it cannot be 100 percent achieved? Well, the actual objective is not 100 percent security. Rather, the goal is to make it so onerous to hack the network and/or devices that it is not worth the trouble to do so unless there will be a significant reward for the hacker, typically meaning they will obtain data valuable enough to monetize. In most cases where companies have not been successfully hacked, it is because there is not a commensurate reward given the level of security achieved by the firm and the value of its data. It isn’t because the infrastructure is totally secure.
Now, perhaps you’re a one-person firm for whom a company VPN client isn’t an option. If this is your scenario or similar, or if you do most of your work in a public place using public Wi-Fi, you can purchase private VPN client software from many different vendors, usually for a low monthly fee, $4 - $12 per month per user. Typically, one license covers 5 to 6 of your devices, such as a desktop computer, phone, tablet, notebook and server. One important thing to look for when selecting a vendor is whether the VPN vendor logs your activity, which would negate some of your privacy. One of the highly rated VPN vendors is NordVPN, but there are several others that will show up in the top 10 when you do a search.
How does a private VPN work? It’s simple: You install a VPN client application purchased from a vendor and use it to connect to the vendor’s VPN server. The connection is an encrypted tunnel between your device and the VPN server. The vendor masks your IP address and forwards your original website request over an HTTPS encrypted connection from the VPN server to the requested URL. Once you log in to the server, you can access the company’s applications, files and resources. If your company’s server supports encryption, then the data traffic between the VPN server and your company’s server (the endpoint) will have some level of encryption. Traffic between the VPN server and your company’s server is obviously the weakest link.
When using a private VPN, you achieve anonymity on the internet because your devices’ IP addresses don’t show up in the network packets sent between the VPN server and your company’s server. Therefore, the IP addresses cannot be associated with the contents of your data traffic, which could be readable if it is not encrypted.
So, what else can be done to keep your computer and data secure? At a minimum, your computer or device browsers should use HTTPS for all browser traffic. You should also have a firewall, highly rated anti-virus software and multi-factor authentication (MFA) for logins. Your objective is to protect against hackers being able to compromise your devices with viruses and malware, steal data and/or use your computer or devices as conduits to your company’s corporate network. All those actions together will enable you to meet the objective of maximum protection. It is also very important to keep all your software updated.
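As an added example (not from the original article), the PowerShell self-check below reports on the items just listed that can be verified locally on a Windows home workstation: VPN connected, firewall on, anti-virus current and updates recent. It assumes Windows Defender and a VPN profile created in the built-in Windows VPN client; it only reports and changes nothing.

```powershell
# Added example, not part of the original article. Assumes Windows 10/11 with
# PowerShell 5.1+, Windows Defender, and a VPN profile set up through Windows'
# built-in client (third-party VPN apps will not appear in Get-VpnConnection).
$findings = @()

# 1. VPN: is at least one Windows VPN profile currently connected?
$vpn = Get-VpnConnection -ErrorAction SilentlyContinue
if (-not $vpn) {
    $findings += "VPN: no Windows VPN profile found (if you use a vendor client, verify it in that app)"
} elseif (-not ($vpn | Where-Object ConnectionStatus -eq 'Connected')) {
    $findings += "VPN: profile(s) exist but none is connected: $($vpn.Name -join ', ')"
}

# 2. Firewall: every profile (Domain, Private, Public) should be enabled.
$off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($off) { $findings += "Firewall disabled for profile(s): $($off.Name -join ', ')" }

# 3. Anti-virus: real-time protection on and signatures updated within 3 days.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings += "Anti-virus: Windows Defender status unavailable (third-party AV? check it directly)"
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Anti-virus: real-time protection is OFF" }
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt 3) { $findings += "Anti-virus: signatures are $([int]$sigAge.TotalDays) days old" }
}

# 4. Updates: warn if the most recent installed hotfix is older than 45 days.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and ((Get-Date) - $latest.InstalledOn).TotalDays -gt 45) {
    $findings += "Updates: last hotfix ($($latest.HotFixID)) installed on $($latest.InstalledOn.ToShortDateString())"
}

# 5. Report. MFA and HTTPS-only browsing cannot be verified locally by this
#    script, so they are listed as manual reminders.
if ($findings.Count -eq 0) {
    Write-Host "PASS: VPN connected, firewall on, AV current, updates recent." -ForegroundColor Green
} else {
    Write-Host "ATTENTION:" -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host " - $_" }
}
Write-Host "Manual: confirm MFA is enabled on your logins and HTTPS-only mode in your browser."
```

Save it as a .ps1 file and run it from a PowerShell window after connecting to your VPN; anything under ATTENTION is a gap to close before handling client data.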
Of course, a VPN isn’t the only way to protect yourself. Depending on how technologically inclined you are, you may have come across the term “TOR browser” in your research. While you could go this route, I advise against it for a few reasons.
In the beginning, TOR provided total anonymity, but now various spying agencies have defeated its methods to extract some data. Of course, developers are always working on new security measures. And, with that being said, for the average user, it can add another layer of security by making it harder to hack devices and steal company data.
Another downside: TOR slows everything down because of the time it takes to bounce around all the servers. A VPN will also slow your connection because it is also another layer between you and the company server. But, if you have decent bandwidth, you won’t really notice, and it won’t be nearly as slow as it would be with TOR.
I would also like to address one caveat to the discussion of current security technology. AI is going to strongly impact the issue all the way around, both hacking and defense. Everything will change significantly over time, but we must deal with things the way they are today. In my opinion, there probably will never be 100 percent security. The reason is simple: Whatever man can invent, man can also reverse engineer given time and money. Take a good look at history and you will see mankind has been in a continuous cycle of technological innovation since the beginning, and we will until the end.
However, that does not mean you shouldn’t keep up with the latest security measures. Keeping data private is crucial for numerous reasons and should be a top priority. So, take note of the measures listed here, see which your firm has already implemented, and fill in the gaps to give yourself and your clients peace of mind.
Danny is a professional with a unique blend of skills and expertise combining Financial management, Software development, and Digital transformation and modernization. As a CPA, he has extensive experience in Auditing, Tax, and Consulting with clients of all sizes in a variety of industries. In private industry, he gained deep experience in...