It's Not the Technology

Being connected to the office and clients has also placed firms and clients more at risk than ever for a data breach, as has the reluctance of some to upgrade to newer, comparatively secure systems. However, these days the greatest threat to any firm's or client's data lies in processes, and not technology itself.

Public security breaches and data theft examples such as Target, Home Depot and most recently Sony did not happen overnight or by hacking a firewall. In fact, data security experts say that these took months and likely began by simple human error.

Statistics indicate that it is not about to get any easier for businesses and firms to protect themselves, either. A study released in September by the Ponemon Institute, which conducts independent research on privacy, data protection and information security policies, found that 43 percent of companies had experienced a data breach in the past year. The report on data breach preparedness indicated that this was a 10 percent rise from the year before.

Big Four firm PricewaterhouseCoopers' annual Global State of Information Security survey showed even more disturbing results, with survey respondents in 2014 reporting that the number of detected data breach incidents soared to a total of 42.8 million, a 48 percent leap over 2013.


EASE OF ABUSE

What is most alarming to firm data security experts like Ken Pyle, who conducts IT consulting through Bowman & Co., is how easy it is to both cause and prevent such breaches from occurring. Pyle noted that simple, daily activities that CPA firms engage in leave data most at risk. "Firms are giving away tons of information every day and don't know it; they publish PDFs and the metadata on those files has information about the machines or the IT environment," said Pyle.

Pyle said that the easiest way to prevent sensitive data in a PDF from being discovered is by clearing that data before posting or sharing it. This can be done by right-clicking (or holding the Command key and clicking) on the document, viewing the properties and details, and removing the hidden information.
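As an added illustration (not from the article or Pyle's own procedure), the following Python check reads the /Info dictionary of a constructed sample PDF and flags the fields that name the author, workstation or software stack; the sample file, the field list and the regex-based parsing are assumptions made here.

```python
import re

# Constructed sample (not from the article): a minimal PDF whose /Info
# dictionary carries the kind of environment-revealing fields Pyle describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Client Engagement Letter) /Author (jsmith)
/Creator (Microsoft Word 2010 on WKSTN-ACCT-07)
/Producer (Acrobat Distiller 9.0 \\(Windows\\)) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Fields that routinely name a person, a workstation or the software stack.
ENV_REVEALING = {"Author", "Creator", "Producer", "CreationDate", "ModDate"}


def read_info_dict(pdf: bytes) -> dict:
    """Return the key/value pairs of the document's /Info dictionary.

    Assumption (simplification): the Info object is stored uncompressed, as in
    the sample above; real PDFs may keep it inside an object stream, where a
    proper PDF library is needed instead of this regex reader.
    """
    m = re.search(rb"/Info\s+(\d+)\s+0\s+R", pdf)
    if not m:
        return {}
    num = m.group(1)
    obj = re.search(rb"(?s)\b" + num + rb"\s+0\s+obj(.*?)endobj", pdf)
    if not obj:
        return {}
    info = {}
    # Literal strings: ( ... ) with backslash escapes for ( ) and \ itself.
    for key, raw in re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", obj.group(1)):
        value = re.sub(rb"\\(.)", rb"\1", raw)  # drop the escape backslashes
        info[key.decode("latin-1")] = value.decode("latin-1")
    return info


def audit_pdf(pdf: bytes) -> list:
    """List the /Info fields that should be cleared before the file is shared."""
    info = read_info_dict(pdf)
    return sorted(k for k in info if k in ENV_REVEALING)


if __name__ == "__main__":
    print(read_info_dict(SAMPLE_PDF))
    print("clear before publishing:", audit_pdf(SAMPLE_PDF))
```

Real PDFs may also carry XMP metadata streams and embedded font or image data that this simplified reader does not inspect.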

Mobile devices, particularly Android phones, are also easy targets for hackers, Pyle noted, as there are Web sites where both good and malicious hackers can go to view activity on a given device. One such exposure arises, for example, when someone uses their Android phone for work and shares a photo of a document with a client.

Pyle stressed that the most common portal for hackers these days is e-mail. "We spend so much time on firewalls, we don't realize that we're most vulnerable through e-mail -- getting users to click on links that look remotely legitimate is doing the job," he said. "If I am a hacker and have an e-mail address to try, I have a way to attack. It's not hard to send phishing e-mails out; spam filters do complicate things, but if someone's committed, they can get around it. The more things people open, the more access I can gain as a hacker, and once I have a foothold in your perimeter, it's only a matter of time before I can get into the firm and its data."


THE PEOPLE PROBLEM

IT security experts agree that technology alone simply cannot abate attacks on a firm's infrastructure and attempts to procure data. Moreover, with people being the largest threat to sensitive information, consultants and IT leaders are looking to increased training to help stem the flow of data leaks and breaches.

David Barton, a managing director at Top 100 Firm UHY Advisors and an IT services expert, often speaks to firms and at industry events about the security risks they face on a daily basis. He finds that as often as he delivers a similar message, it needs to be repeated.

"The point I make lately is, 'Are we insane?' Doing the same thing over and over and expecting different results. This has gone on in IT security over the past 20 years, adding more technology solutions for a problem that is not strictly technology," said Barton. "Look at Target and Home Depot. In both cases, [hackers] got in because somebody likely clicked on or imported something they shouldn't have. The only way to really stop that is through training, and [your firm should be] regularly having exercises whereby you regularly teach them not to click through on links or visit suspect sites or download unknown items."

But Barton does not want firms - particularly small to midsized firms - to abandon technology to help stem the flow of security hacks, but rather to keep up with where other firms are moving. He specifically recommended moving relevant functions to the cloud and doing a legitimate risk assessment on those service providers in the process.

"Training is important, but the fact of the matter is most accounting firms wouldn't know where to begin to deliver a high level of training, so they need to get into the idea of outsourcing that task," said Barton. "We tell our clients, 'Don't do your own taxes, we're the experts.' In the same light, firms shouldn't be doing their own IT security and they shouldn't be afraid to use outside services for cloud and IT security."

For larger and growing firms that have full-time IT staff, the challenge is in the numbers: the more people, and the more devices those people want to work on, the greater the risk to firm and client data. This is why an IT leader like Jeff Bathurst, chief information officer of Sparks, Md.-based Top 100 Firm SC&H Group, focuses on year-round training programs for the firm's 200-plus staff, an evolution from the strictly gatekeeper role he and others like him once held.

"Because technology does so many things, IT leaders become more internal consultants. I don't want to control what you do, but I want a conversation because I am responsible for the security of that information," said Bathurst. He notes that, in addition to trying to direct employees in the right way to deal with current technology, he offers advice on the positive and negative aspects of using modern devices and services. For example, he notes that moving certain functions to the cloud is "far more secure" than anything on a local server or desktop. E-mail, backups and certain types of file exchange are "the right approach" for using the cloud.

All of these functions, however, come with caveats. "Using the cloud is about the right approach for the right application, mostly the things that are commodity services [like e-mail and data backup], is where you want to go," said Bathurst.


EXPLORING THE CLOUD

Many smaller firms, like Woodland Hills, Calif.-based Kaufman & Seargeant, are moving nearly all of their functions to the cloud for convenience and work flexibility, specifically those that want to serve clients around the country. Jeff Seargeant, the firm's co-founder, also made the move -- albeit a gradual one -- for security purposes.

"We realized about three to four years ago that the concept of having your own server, trying to manage that and finding local IT firms to help maintain that, was challenging," said Seargeant. "We do client accounting services, we are experts there and we tell our clients that we can do this task better than any employee can. We made the decision to outsource our data and functions in a similar way to an expert."

Seargeant's firm had the majority of its functions outsourced to a hosting firm, with servers in the Seattle area. He claims this has been working out, but is in the process of moving to more direct cloud vendors, including eFileCabinet for file storage, as well as Intacct and QuickBooks Online for client accounting functions.

"We will likely keep some things with our hosting service in Seattle, but letting the top in the field worry about the data security is better," said Seargeant. "We had too many clients with their own servers getting hacked, doctor offices and the like. At some point you have to wonder, how invested is the local IT guy in your practice? Making the move to cloud services was best for us and our clients."

While moving a firm's functions to the cloud is not a move to be taken lightly or without research, it is one that IT consultants like David Cieslak of Arxis Technology Inc. are advising more firms to make for the sake of security. His firm is often called in to assess a CPA firm's IT infrastructure.

"From our point of view, cloud-based services are very helpful because they have two-factor verification and if some local device gets clobbered with malware, it won't come back and infect the host service you work with," said Cieslak. "With CPA firms, there's a heavy reliance on applications that aren't hosted or in the cloud, and it's frustrating. There's an over-reliance on old technology, and at this point it's unnecessary and unsafe for them and their clients," he said. "A perfect example is when you hear firms saying how awful Windows 8 is -- you have to put your palm to your head, because right now it's the most secure operating environment they've ever come out with. It's one thing to say you are not making [new technology] available to your firm to be more efficient and safe, but you are placing your clients at notable risk as well."

MORE FROM ACCOUNTING TODAY