

IT Lockdown

More firms are beefing up security as the mobile workforce takes off.

01/01/2013

By Seth Fineberg

Protecting sensitive client and firm data has been a growing issue for some time, but as technology use has increased -- particularly in terms of mobile devices -- so have the threats of a breach or data loss, and firms of all sizes are forced to keep information security top of mind.

Firms are adopting a variety of measures that range from simply keeping firewalls, security patches and antivirus programs up to date, to moving entire blocks of data and office functions to the cloud or enforcing strict controls on mobile device usage.

The influx of mobile devices, in particular, while helping an increasing number of practitioners serve their clients, has many firms concerned as IT teams and directors struggle with controls over data on the devices. And usage of mobile devices of all kinds does not appear likely to slow down anytime soon.

 

ON THE FRONT LINES

Firms such as BKD, with a workforce closing in on 2,000 -- the majority of whom work daily on a variety of mobile devices -- are fully aware of the growing security challenges that increased mobile device usage brings. Controls have been put in place to allow its staff to work how they need to, while keeping sensitive firm and client data as safe as possible.

For BKD's chief information officer, Gary Farrar, keeping the data of his increasingly mobile workforce secure is a daily challenge, the largest in the realm of IT security concerns that his firm faces. He claims that because more staff are accessing sensitive information and sometimes taking that data out of the office, he and his staff have had to adopt tools and policies to keep security at a premium. "We've strengthened our entire information security program, and training is a part of that. We notice after our [security] training we get more calls and questions about if what they're doing is secure or in compliance with our policies, so I feel it's working," he said. "One of my biggest challenges is striking a balance between security and the ability to get the job done. ... We keep our devices encrypted so all e-mails and attachments are in a secure container and employee personal data is outside of that. So, if a device is lost or they leave we can wipe the 'container' and not their personal data."

Farrar also noted that BKD has recently been able to hire full-time staff whose sole responsibility is to assess IT security risk, develop policies, make sure the firm has the right controls in place and keep current with what the threats are, and identify what tools the firm needs to use.

 

BYOD

The "Bring Your Own Device" trend has caused some -- including BKD -- to keep a running list of approved devices, which mostly need to work with software the firm uses. Available tools that allow an IT department to safely monitor and remotely wipe data from a mobile device enable organizations to allow staff to securely use most mobile devices.

New Jersey-based WithumSmith+Brown had controlled the use of mobile devices through issuing or requiring the use of BlackBerry devices for work purposes. All work-related functions could be controlled through the firm's BlackBerry server. However, with the BYOD trend, this task became more difficult and forced the firm's IT department to look into other controls.

"More and more of our staff want to use their iPhones and other smartphones, so we had to see what's out there to manage them better," said WS+B IT director Edgar Basilio. "We found there are solutions out there that can do that now. It gives me more of a comfort level so we can let our users use what they want when these tools are in place."

Basilio also noted that the firm will offer employees a phone for company use, but if it is their own device they need to submit it to the IT department, which will set it up with current controls. "Honestly, we haven't had much pushback with this practice -- our people are more concerned about access to what they need, rather than if we're looking at data on their devices."

Outside of device control, the firm's wireless Internet connection is configured with a security protocol so that visitors who want to connect will be kept separate from the rest of the firm.

Comparatively smaller firms like Brooklyn, N.Y.-based Picker & Aurbach aren't as concerned with a myriad of mobile devices, but remain well aware of security threats, as technology use and data exchange are still regular parts of the firm's life.

The firm is utilizing some cloud-based document management and client portals, but most data security is done through keeping its firewalls and antivirus updated. Managing partner Barry Picker realizes that they could do more, and does his best to enforce safe use of computers and data exchange.

"No matter how much your company says they have this and that encryption, there's still fear that someone is breaking into something and you never know what someone can do. Part of it is being a small firm -- we hope we stay under the radar," said Picker. "We preach about being careful about clicking on links and things, but some of these e-mails can fool people. Some are obvious, but it's getting worse. I don't keep any data on my laptop; if I go to a client, I take their files on an encrypted thumb drive. I also carry around as a backup an encrypted drive for larger things."

Picker also noted that clients are sometimes the problem, particularly those who choose to e-mail him Forms 8879 or even credit card data, rather than send information through the client portal.

 

SECURITY FIRST

Tech consultancy Arxis Technology Inc. occasionally advises CPA firms on their IT security and general infrastructure needs, and principal David Cieslak feels that most aren't doing enough to control data and keep their systems safe. This is coupled with the rapid increase of malware, which can infect a firm's system for months without detection.

"Investing in IT security can no longer be on the back burner: There are so many scams, and ... firms that become lulled into a false sense of security are at risk," said Cieslak. "We're also seeing too much reliance on traditional methods [antivirus and firewalls], and we will walk into machines that have been compromised for a while. People think about convenience first and security second, but it has to be security first."

He advises that, in addition to keeping up on the latest threats, more firms should look to cloud-based storage and critical applications to run their practice, as he believes they are statistically safer than anything a firm can monitor on their own. "If more of our critical applications and data are in data centers, it will become more compelling for firms to switch," said Cieslak. "We are seeing a day where the internal server infrastructure will disappear, but for now even as you access the cloud, you need to secure the end points -- your laptops, tablets and phones -- and get on top of backup. Every firm needs to see what to migrate to the cloud."
