As data theft and similar online security breaches grow in both frequency and sophistication, more CPA firms have vowed to make IT security a priority for 2012 and beyond.

Technology consultants and researchers agree that some of the current and commonly seen security threats to firms stem from their increased use of mobile devices, particularly those on multiple platforms. Adding to that heightened risk is a reluctance by firms to upgrade from older, unsupported operating systems, a decision that places them at greater risk for data loss, viruses and malware.

As an example, recent findings from Web analytics concern StatCounter showed that Windows 7 had become the most popular PC operating system in the world. It now exceeds Windows XP in terms of market share. But experts say that doesn't necessarily signal a dramatic decline of Windows XP, a good news/bad news scenario since XP has traditionally been vulnerable to security breaches.

"People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favorite target," according to Sean Sullivan, security advisor at anti-virus and computer security software company F-Secure.

The growing number of employees using multiple mobile devices for work - often their personal Androids, iPads, iPhones and Blackberries - are placed at a greater security risk. Rick Mark, senior manager of the technology services division at Los Angeles-based CPA firm SingerLewak, explains that it has become increasingly difficult for IT departments to support multiple devices - especially those that are Android-based, as there are more of them and that platform is less secure. At his firm, strict policies and network access controls are in place to keep SingerLewak's mobile workforce secure.

"Once you give a device to an employee, the assumption is the IT team will support [it] and that's not always the case," said Mark. "With the iPhone, it's one device. Blackberry is easy to know and support. But Androids have 30 models from 10 manufacturers and are not configured the same. Hands down, policy trumps all when it comes to IT security. Controlling what users can and can't see is the most important piece of IT security, and network access controls help implement the technology behind the policies."

Mark noted that SingerLewak now has a policy in place not to allow work use of any Android device, and is only accepting the use of iPhone and Blackberry devices.

 

THE BEST POLICY IS TO HAVE ONE

David Barton, principal and practice leader of the technology assurance and advisory services group at UHY Advisors, stressed that while there is no tool to keep a firm 100 percent safe from security threats, clear enforcement of policies on the use of all technology and platforms "goes a long way" in the prevention of security breaches and data loss.

Specifically, Barton advised firms of all sizes to have policies in place around the use of mobile and wireless devices or anything that will leave the office containing sensitive data; social media; and updated knowledge of malware and viruses.

"Policies are first and foremost when you are talking about data security, and one of the most important policies a firm should have is a strong data classification; how a given piece of data is classified," explained Barton. "You have to enable people to do their jobs. So define what is appropriate and what is not. Spell it out. Then you have a course of action you can take if something were to go wrong."

Tech consultancies such as MantisPro often advise businesses and accounting firms on IT security. And while they also preach that defined policies are a good weapon in the security wars, principal Stephen Yoss warned they are not always adhered to or easily enforced. He stressed that threats to IT security are more prevalent at smaller firms, since they often do not have the most updated systems or security tools in place.

"Big firms can absorb a big [security] breach, small firms would be put out of business, and small businesses and firms are being targeted because they are not employing best practices," said Yoss, a CPA and partner in his own family CPA practice. "We see small firms using older versions of software. They say, 'What I have works great; why spend the money?' But the newest versions of QuickBooks or Windows versus older versions are exponentially more secure."

 

LOOKING TO THE CLOUD

"We have approximately 1,500 tax clients and 500 business clients in a 10-person firm and for us, IT security is a major consideration," Yoss said. "I tell all CPAs that if you don't know something, hire someone to give you the right advice. Whatever you pay them an hour is better than spending hours learning it or putting yourself at risk by not knowing something or doing it wrong."

For firms transporting client data - be it tax or financial documents or bookkeeping functions - the most secure place is the cloud, say experts. More firms are becoming attuned to the fact that their data is far safer on a server farm or hosted nearby than in their own offices, and many are moving their files and data off-premises.

Nixa, Mo.-based Kinzey & Arndt began moving data to the cloud approximately four years ago, beginning with its tax work on UltraTax, which at the time offered a hosted virtual office encrypted with Citrix. The firm also moved its write-up work to the cloud-based AccountantsWorld's Accounting Relief application, and more recently engaged eFileCabinet to store all client documents. Scott Kinzey, managing partner of the six-person firm, said it is about halfway to being entirely paperless, and feels his office is "more secure than ever" since moving to the cloud.

"I still meet some small-firm CPAs that feel their desktop is the safest place for their data," said Kinzey. "Can you imagine there are still small firms having to patch their firewalls constantly? You have to be connected with a bigger company that does it 24/7 and knows what's going on. I'm doing taxes, I don't have time to figure it all out. These days we keep very little on the other side of our firewall."

Harshman Phillips & Co., a 12-person firm from Atlanta, is in the process of getting rid of its servers entirely, opting to outsource all of its file storage and operations programs to run the firm. Currently all of the firm's tax data is on the Web and all copies of returns are scanned and stored in SmartVault.

Managing partner Bruce Phillips claimed that at this point only his on-premises time-and-billing system has some data on it, but all work is conducted via cloud-based systems: "We vastly improved our IT security getting things out of our office. We are looking into hosting our time and billing, for our accounting clients we use RightNetworks to host QuickBooks and Peachtree, and we're looking at other cloud-based bookkeeping services. All of these companies are 1,000-times more secure than we could ever be."

All Accounting Today content is archived after seven days.