Thumb drives—call them USB drives, USB flash drives or memory sticks—may be small items, but they are a big worry for people like Jim Bourke. And so are SmartPhones, which carry an increasing amount of firm data on the road, data that the firm knows is out of its control.
“That’s a huge problem,” says Bourke, partner in charge of technology at WithumSmith+Brown, a Red Bank, N.J.-based accounting firm. Staff members often email Excel spreadsheets—which they shouldn’t. “It’s generally outside the firm’s policies—and then phones are lost,” says Bourke, who notes that losing one phone every six months is not unusual.
Information on a lost telephone can be erased remotely. That is, it can be wiped if the staff member reports the device is missing. Employees may not inform the firm for fear of getting in trouble, although Bourke tells them he would rather know as soon as possible.
The size of the issue for Bourke’s firm can be expressed in the number of SmartPhones in the hands of the staff. There are about 100 of them at this moment.
Then, there are those thumb drives, small enough to be easily buried in a laptop carrying case, or lost from a pocket. But they are large enough these days to carry 1GB or more of data.
In fact, data from lost devices, whether thumb drives, laptops or other pieces of equipment that can store data, are a major source of identity theft, according to a 2007 report by Symantec, the anti-virus software giant. (See related story, page 33.)
One problem with the thumb drives is that the firm doesn’t necessarily know staff members have them or that the data is floating around. Employees often purchase them at stores like Computer Depot. And since they are inexpensive, they aren’t a major concern to employees.
They are a concern to Matt Camden, CIO of UHY Advisors, a Chicago-based firm with 1,500 employees.
“We are really close to basically turning off USB ports for data,” says Camden. “We have looked at how we can manage these things. How can we encrypt them? We don’t know how. We are close to banning the use of these things.”
Camden says that lost drives are a problem because the firm doesn’t know what is on them and the data is not encrypted. One of the worst scenarios, he continues, is in case of civil litigation, since the drives are subject to discovery, as are SmartPhones and other handheld devices.
The firm could have a serious problem if it produced what it believed to be all relevant data, but then later found a thumb drive with pertinent information.
The firm is likely to adopt controls so that USB drives simply won’t work if they are inserted into the port on firm computers.
Issues like this make security a major concern to everyone in business.
Those who want to measure the seriousness of the issue can check the chronology of data breaches since 2005 that is provided by the Privacy Rights Clearinghouse at www.privacyrights.org. By February, it already had logged 36 incidents in 2008. And while several of these involved fewer than 2,000 records, the list also includes 260,000 Social Security Numbers mistakenly mailed out by a vendor employed by the state of Wisconsin, personal information and SSNs for 150,000 J.C. Penney customers on a lost computer tape, SSNs and other personal information about 300,000 members of Horizon Blue Cross/Blue Shield on a stolen laptop, and 226,000 names and SSNs stolen from the databases of the Davidson Companies.
No wonder data security topped the AICPA’s Top 10 Technology Issues list for 2008, while three other security issues made the list. (See adjacent story.) And security is big business. For many regional firms, security service is their major technology practice. At regional CPA firm LarsonAllen, there are 61 information security principals, compared to 48 tax principals. K2 Enterprises, which presents courses for many state CPA societies, has begun offering an eight-hour course on security, where it once had only four-hour courses.
“We could have used a lot more hours,” says K2 partner Randy Johnston, noting the complexity of the topic.
Camden is not the only one considering a ban on thumb drives. Johnston says it’s probably the best way to control the devices.
“I have recommended that to many organizations. The risk is too high,” he says.
Johnston says firms should consider providing encrypted drives to staff members, making them a standard color and putting the firm logo on them.
“Anything not issued by the company is not allowed,” he says. Johnston also urges firms to implement software such as Airstop from Code-Red, which controls all communications adapters and storage devices on laptop and desktop computers. With such an application guarding data, “You’re not going to get it off the computer anyway,” he notes.
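The two controls Johnston describes, allowing only firm-issued drives and, where that is not enough, stopping removable storage from working at all, can both be checked and applied from an elevated PowerShell session on a Windows workstation. The script below is an added example written for this article; it is not code from Johnston, from Code-Red's Airstop, or from any firm quoted here. The inventory of issued-drive serial numbers is a constructed placeholder, and the reporting format is an assumption.

```powershell
# Added example (not from the article or from any product it names).
# Audits attached USB disks against the serials of firm-issued encrypted
# drives, then shows the Windows setting that stops USB storage outright.
# Serial numbers in $IssuedDriveSerials are constructed placeholders.

# Hypothetical inventory of the encrypted drives the firm handed out.
$IssuedDriveSerials = @(
    'FIRM-ENC-0001',
    'FIRM-ENC-0002'
)

function Get-AttachedUsbDisks {
    # Win32_DiskDrive exposes the bus type and the device serial number.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            [pscustomobject]@{
                Model  = $_.Model
                Serial = ([string]$_.SerialNumber).Trim()
                SizeGB = [math]::Round($_.Size / 1GB, 2)
            }
        }
}

function Test-IssuedDrive {
    param([string]$Serial, [string[]]$Allowed = $IssuedDriveSerials)
    # A blank or unreadable serial is treated as not issued.
    if ([string]::IsNullOrWhiteSpace($Serial)) { return $false }
    return $Allowed -contains $Serial
}

# Report every attached USB disk, marking those outside the issued list.
Get-AttachedUsbDisks | ForEach-Object {
    $status = if (Test-IssuedDrive -Serial $_.Serial) { 'issued' } else { 'NOT ISSUED' }
    '{0,-12} {1,-30} {2,6} GB  {3}' -f $status, $_.Model, $_.SizeGB, $_.Serial
}

# Ban rather than audit: Start=4 disables the USB mass-storage driver so
# thumb drives no longer mount; Start=3 restores the default (load on demand).
function Set-UsbStorageEnabled {
    param([bool]$Enabled)
    $value = if ($Enabled) { 3 } else { 4 }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                     -Name 'Start' -Value $value -Type DWord
}
# Usage: Set-UsbStorageEnabled -Enabled $false   # block USB storage
```

Matching on the drive's serial is what makes "anything not issued is not allowed" enforceable rather than a policy on paper; a standard color and a logo help people spot a stray drive, but the serial is what a workstation can check. The registry change is the blunt instrument Camden describes, and it applies to every USB disk, issued or not, so a firm that issues encrypted drives would pair the audit with a device-control product rather than flip that switch.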
However, David Cieslak, a principal with Arxis Technology, a Sage Software reseller based in Simi Valley, Calif., says it’s not practical for his organization to ban the use of USB drives.
“We have staff running all over the place and they have to copy files back and forth all the time. We need to upload a patch, or download an Excel spreadsheet that is important, a lot of one-off kind of things,” he says.
Arxis is following Johnston’s other suggestion of issuing encrypted drives to the employees, and barring the use of any others.
“It’s just policy. You are not permitted to use any unencrypted thumb drives for any client data or work,” says Cieslak. “It’s grounds for termination.”
The firm is also limiting the devices to a capacity of 1GB, which Cieslak says is enough for moving most of the necessary files. For larger amounts of data, the user probably needs a portable disk drive.
One problem with thumb drives is that once data gets on them, the data is there to stay.
“Everybody puts stuff on there and never erases it. When is the last time you just wiped a thumb drive and started over?” Cieslak says.
Encryption is probably the major trend for solving many security problems.
After tax season, UHY plans to impose encryption for all email that leaves the firm, which costs another one dollar per user per month and, in Camden’s eyes, is worth it.
Security Is The Job
In fact, security has become so important to firms that it is a major part of the CIO’s job when put under the umbrella of risk management.
“So much of the CIO’s job today is risk management,” says UHY’s Camden. “It’s not about leveraging technology. It’s not about how to save money. You need to think about what you need to manage risk.”
That is particularly true at UHY, where Camden has been building a single technology infrastructure from the six firms that merged to form the new organization. Even something as necessary as automated backup was virtually impossible to administer.
“There were different backups, and different hardware and software. I could never be sure every day what was being backed up,” says Camden. Both he and Cieslak say that the failure of supposedly automated systems to perform backups as advertised is a common occurrence.
UHY’s solution to controlling backup is the Web-based eVault.
“We moved to eVault because knowledge of things being backed up was weak, and systemology was weak,” he says. “We wanted to do the best to guarantee that when it was supposed to run, it ran.”
With eVault, there is client software on each workstation, with information constantly fed back to the data server, so Camden can have consolidated information about what’s being saved in the field, through a format similar to Windows Explorer.
Previously, the only way to know when backups failed was when an employee was starting with an old backup to rebuild a file. That has changed with eVault.
“We get reports every day on what backups failed,” he says.
Camden says data backup reliability is now 99.2 percent. He can’t provide a comparison with the prior system, however, because, as he says, there is no way to prove whether it was good or bad.
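The shift Camden describes, from discovering a failed backup when someone restores from a stale copy to getting a daily list of what failed, comes down to collecting every agent's result centrally and counting the agents that said nothing at all. The script below is an added example, not code from the article or from the eVault product; the report format, the workstation list and the six report lines are constructed for the illustration.

```powershell
# Added example (not from the article or from eVault). Turns constructed
# per-workstation backup reports into the daily failure list and success
# rate, and flags workstations that sent no report, which is exactly the
# "supposedly automated" failure mode the old setup could not see.

$Workstations = @('WS-01', 'WS-02', 'WS-03', 'WS-04')   # assumed inventory

# Constructed report lines: date, workstation, status, bytes written.
# WS-04 never reports on either day, and WS-02 fails on the first day.
$ReportLines = @'
2008-03-03,WS-01,OK,1843200
2008-03-03,WS-02,FAILED,0
2008-03-03,WS-03,OK,920100
2008-03-04,WS-01,OK,1850000
2008-03-04,WS-02,OK,1200000
2008-03-04,WS-03,OK,930000
'@ -split "`r?`n" | Where-Object { $_ -ne '' }

function ConvertFrom-ReportLines {
    param([string[]]$Lines)
    # Parse the comma-separated records into objects with named fields.
    $Lines | ConvertFrom-Csv -Header Date, Workstation, Status, Bytes
}

function Get-DailyBackupSummary {
    param([object[]]$Jobs, [string[]]$Expected)
    $Jobs | Group-Object Date | Sort-Object Name | ForEach-Object {
        $day      = $_.Group
        $reported = @($day | Select-Object -ExpandProperty Workstation)
        $failed   = @($day | Where-Object Status -ne 'OK' |
                        Select-Object -ExpandProperty Workstation)
        # Anything in the inventory with no record today is a silent failure.
        $silent   = @($Expected | Where-Object { $reported -notcontains $_ })
        $ok       = @($day | Where-Object Status -eq 'OK').Count
        [pscustomobject]@{
            Date        = $_.Name
            Succeeded   = $ok
            Failed      = ($failed -join ',')
            NoReport    = ($silent -join ',')
            # Rate is measured against the inventory, so silence counts against it.
            SuccessRate = [math]::Round(100 * $ok / $Expected.Count, 1)
        }
    }
}

$jobs = ConvertFrom-ReportLines -Lines $ReportLines
Get-DailyBackupSummary -Jobs $jobs -Expected $Workstations | Format-Table -AutoSize
```

The point of dividing by the inventory rather than by the number of reports received is that a workstation whose agent never ran produces no "FAILED" line; a reliability figure computed only from the reports that arrived would quietly ignore it.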
The Cost Issue
Like everything in business, providing security has costs, and business owners need to perform the normal risk/reward calculations to find how much a firm can afford to spend to solve security issues.