If you think this article doesn't pertain to you, your firm, or your clients, either because your business is too small, too big, or because it's the perfect size for guarding against IT security threats, think again. Security woes even hit computer security software company McAfee, which in February had to warn some 9,000 current and former employees that their names and Social Security numbers were on an unencrypted CD that was lost after being left on a plane by an employee of its auditor, Deloitte & Touche.
That same month, Ernst & Young confessed to some of its clients that their Social Security numbers and other personal data were lost on a laptop stolen from a locked car belonging to one of the firm's employees.
And closer to home, in May the American Institute of CPAs had to tell its approximately 330,000 members that a hard drive containing their Social Security numbers and other data, sent out for repair in direct violation of the AICPA's internal control procedures, was lost in transit by FedEx.
That faux pas was particularly galling since this year's rendition of the AICPA's Top Ten Technology list ranked information security as the No. 1 technology issue.
"From the standpoint that every AICPA member was affected, if that doesn't serve as a wake-up call for CPAs, I don't know what will," says Susan Bradley, a recognized IT security expert who is a CPA and partner at Fresno, Calif.-based Tamiyasu, Smith, Horn and Braun Accountancy Corp., where she is the network administrator.
There have been no reported incidents of theft or misuse of the data on that drive. But it may have also served some good, experts say, in raising awareness among accountants of the difficulty in staying on top of security.
With virtually all businesses relying on IT, the combination of Internet connectivity, e-mail, mobile computers, sophisticated Internet-based criminal networks, laptop-grabbing thugs, natural disasters-and perhaps most dangerous of all, careless, naive, or corrupt employees-threatens the information security of just about any business outside of the neighborhood lemonade stand.
Start with the networks that link the computing devices in most firms. They often aren't up to snuff, now that they are hooked up to the Web.
"The quality of network firewalls in CPA firms is low enough that most CPA firms are at risk," says Randy Johnston, a specialist in accounting software and network security who is executive vice president and partner of Hutchinson, Kan.-based technology consultants Network Management Group.
He adds that many accounting firms and their clients are also lax in enforcing e-mail security policies, such as encrypting customer data files attached to e-mail messages.
Moreover, the responsibility for businesses to monitor, prevent, and report on security breaches is expanding, as industry groups, creditors, government agencies, and others increase pressure on companies to acknowledge and better manage risks to critical data.
The trend is providing lots of jobs in the security arena.
"My business for the last year or so has specifically been on the regulatory compliance burden associated with IT security and infrastructure investment-and unfortunately, business has been good," says Jeffrey M. Zalusky, a certified information systems auditor and principal of Rockville, Md.-based Chrysalis, a consulting firm specializing in IT security and risk management. Zalusky, who formerly performed similar work for Urbach, Kahn & Werlin, a firm that then became part of UHY-Advisors, went out on his own about two years ago.
Meanwhile, the security threats that have hit their targets over the past year or so, including organizations considered most wary of and best guarded against attacks, have startled the business world.
In May of this year, personal data about 26.5 million military veterans was stolen from a Department of Veterans Affairs employee who had taken the data home on a laptop hard drive. In June, the Internal Revenue Service reported a missing laptop contained data on 300 employees and IRS job applicants while the Department of Agriculture said a network breach compromised information on about 26,000 employees and contractors.
Dealing with Low-Tech Threats
When a drive containing information on 330,000 members of the American Institute of CPAs went astray, it wasn't a high-tech problem. An employee sent the drive out for repair through FedEx and it was lost.
In fact, many of the most highly publicized incidents have been very low-tech, with lost or stolen equipment representing a bigger problem than any hacker attacks, agrees Matt Camden, CIO for Chicago-based UHY Advisors.
One solution, says Camden, is to take the responsibility for enforcing policies out of the hands of IT and put it with HR, for cases where "somebody does something stupid like leave a drive in the back seat with the car door open."
So UHY is transitioning many duties, such as enforcing policies on electronic communications, away from IT and giving them to the HR department.
Of course, if the delinquent staff member is a partner, a rainmaker, or any other highly valued person, they usually don't lose their jobs, especially in a tight job market.
Recognizing that at least one notebook is likely to be lost each year, UHY is rolling out hard-disk encryption software to make the data harder to get at. Other firms equip the portables with the equivalent of a Lo-Jack system so that lost or stolen PCs can be retrieved. UHY is also buying Dell notebooks with fingerprint readers.
"I am confident that between finger-print readers and hard-disk encryption and a policy to store client files on servers, never on notebooks, that we will lose notebooks and we will have damaged notebooks, but we won't lose client data," says Camden.
The problems fall into two general types: the failure to adhere to business processes that would prevent employees from losing critical data files, and the failure to protect those files, whether on a network, in e-mail, or on a portable storage device, through effective firewalls and data encryption.
And even the smallest of firms use e-mail that can deliver viruses and other malicious software into company networks and onto desktop computers, where the intruders can corrupt files or capture sensitive data like customer accounts and passwords.
Since stolen information can be sent around the world almost immediately, security must start the moment data comes in the door. After all, if a business doesn't know that something has been stolen, it can't take action.
"These days even in normal discussions with tax clients, we're telling them to act as if their I.D. is already out there and to make sure they're immediately opening their credit card statements and reviewing the transactions," says Bradley.
Bradley, who holds a string of technology and security credentials (AICPA Certified Information Technology Professional, Microsoft Certified Professional, and GIAC Security Essentials Certification), says her firm routinely addresses security issues with its small and midsize business clients, regardless of the type of engagement.
Indeed, accountants need to be extra careful in maintaining records for tax clients, since many tax preparation software applications are not designed to encrypt client Social Security numbers.
"Whatever network firewalls are put on network servers, there's no additional layer of protection," she says, adding that she and others have been talking with tax software companies to add the encryption. "An individual could get into a server and drill down to where client programs are and read a Social Security number in plain text."
A security breach doesn't have to result in compromised data to present a major and costly problem, due to several state and federal laws that require businesses to report data breaches to their clients.
In addition to industry-specific notification laws for health-care records and consumer credit card data, more than 20 states have followed California's lead in adopting laws that require companies to report data security breaches to their customers, and there are several bills pending to make a California-type law effective nationwide.
The impact of Sarbanes-Oxley, which sets rules for public companies regarding the protection and reporting of corporate financial data, is also filtering down to privately owned small and midsize businesses.
Regardless of whether data is stolen or corrupted, these laws require companies to notify their customers whenever their data records are infiltrated outside of company-approved procedures. Besides the immediate damages, which can include fines, one of the biggest issues is customer flight to competitors.
"Most of the time when computers are stolen, it's not for data on them, it's just for the hardware," Bradley says. "But that doesn't release you from the requirement to inform clients that the theft occurred."
Shutting the Data Door
Given the problems that have occurred this year involving lost or stolen hard drives and notebooks, an increasing number of organizations are keeping their data in the office.