Today's digital environment presents significant risk as well as rewards.
One area in which many firms and their clients are at high risk is with the use of small, inexpensive USB drives that have the capability to quickly copy, back up, transfer or store data. There are several reasons your firm should assess the risk and develop the policies and procedures necessary to reduce or manage that risk. The cost of doing this depends upon your firm's tolerance for risk. Based upon what some firms are doing, it appears that their tolerance for risk is extremely high. Perhaps this is due to lack of knowledge, or simply to the fact that no one is responsible for risk management in their firm. Too often, everyone is responsible and no one is accountable.
The following scenario is pretty common - most people have one or more USB or "thumb drives" on which they back up, transfer or store client data. Vendors often provide these devices for free at trade shows, and they are very inexpensive and available in stores and online. Some of the data placed on these devices may not be sensitive, but often data that comes under state, national or international security and data privacy laws resides on these devices. Most states have security breach laws requiring businesses to notify customers or clients of breaches of the security, confidentiality or integrity of unencrypted data held by the firm or business.
If these rules and regulations don't inspire your firm into action, then there are other reasons:
* More sophisticated clients are now asking firms about their data security and privacy policies.
* Firms want to protect their digital assets. Employees and partners have been known to download client files before leaving the firm.
The cost of protecting the firm has a direct correlation to the firm's tolerance for risk. The basic levels are:
* Ignore the risk.
* Encrypt data and approve appropriate policies.
* Encrypt and manage the portable devices with policies and enforcement.
This is a firm problem and not an IT problem. The IT department will play a role, but firm leadership and management are responsible for approval and enforcement of the policies. If a sophisticated solution is provided, the IT department can utilize technology to assist with enforcement.
Some of the common solutions that firms are using for encryption come from leading vendors such as CMS, Kingston and IronKey. All vendors provide drives of different sizes and encryption software. A quick Web search will provide the technical details. Some of the features you should consider are:
* Ease of use (always on, no need for drives or software installation);
* Anti-malware protection;
* Centralized remote administration of devices;
* Remote destruction capability;
* Enforcement of firm policies such as password length and strength;
* Public key infrastructure and digital certificates;
* A high-speed, reliable platform for virtual machines; and,
* RSA SecurID.
I suggest the following action steps to adress the issue of USB storage devices in your firm:
1. Identify the person in charge of risk management in your firm.
2. Assess the level of risk and the tolerance for risk in your firm.
3. Develop and approve an appropriate policy to manage the risk.
4. Select a vendor and encryption methodology that will allow your firm to comply both with your own policy and with any applicable laws.
5. Educate your employees.
Yes, it does cost more to implement devices, encryption and policies that provide maximum protection. However, most firms find that the cost is much less and the systems easier to manage than ignoring the problem until a breach occurs and you have to notify clients. Your firm's strategy may also be integrated with other mobile devices such as notebook computers and PDAs.
A few dollars spent on prevention will save thousands of dollars in notification and damage to your brand when a breach occurs.
Gary Boomer, CPA, is the president of Boomer Consulting, in Manhattan, Kan.
(c) 2009 Accounting Today and SourceMedia, Inc. All Rights Reserved.
http://www.webcpa.com/ http://www.sourcemedia.com/
