The Challenge of Keeping IT Safe

Security remains top of mind for the majority of accounting practitioners at all levels, in the face of both the growing use of technology and the rise in threats and methods used to obtain data or even spread viruses that can go undetected for months.

There are, of course, improved methods, products and platforms available to keep a firm and its data safe -- the cloud in particular -- but the reality is that many simply do not perceive them to be secure.

Findings from a recent survey conducted by CPA2Biz, the technology services subsidiary of the American Institute of CPAs, indicate that more CPA firms are using cloud-based services despite a notable rise in security concerns. Specifically, nearly half of survey-takers said that they were using cloud-enabled business services to some degree in their firms, up from 44 percent a year ago.

At the same time, survey-takers expressed concern over cloud vendors' ability to manage data breaches and maintain effective internal controls, with 43 percent identifying themselves as "somewhat confident" or "not confident at all" -- the two lowest categories -- up sharply from 15 percent a year ago. The online survey was conducted from September 30 to November 5, and polled 312 CPAs who represent a mix of small, midsized and large public accounting firms.

FIXING THE WEAK LINKS

Technology guru and avid proponent of IT security David Cieslak realizes that nothing today is 100 percent secure, but he does advise firms to consider some basic methods to keep data safe, such as starting to move some of their daily functions to the cloud.

"Cloud does fix many of the weak links in internal IT strategies and the net result is that it is still a huge step up from [storing data] in-house," said Cieslak, a principal at Simi Valley, Calif.-based technology consultancy Arxis Technology Inc. "We advise moving what you don't need or, rather, need to worry about having in-house, to the cloud. The hosted desktop and co-los [co-location facilities] are all well and good, but there is still a fair amount of IT responsibility the end user is saddled with."

With the rise in mobility, Cieslak also advises keeping devices more secure through encryption or use of MiFi or personal wireless networks. "Having a risk assessment done for your firm wouldn't hurt either," he said, though he added that ultimately user behavior is the greatest defense.

Other data security suggestions include: keeping antivirus protection installed and up to date on all devices; using strong passwords (i.e., nothing less than eight characters with capital letters, symbols and numbers); enabling two-factor authentication where available; and keeping operating systems updated.

Sometimes, however, even with the best policies and practices in place, systems can become compromised, and with increasingly strict data breach laws in place, firms can ill afford to have client data compromised.

ANATOMY OF A BREACH

Recently, a 12-person CPA firm in California -- which, along with Massachusetts and Nevada, has the most stringent data breach laws -- found itself the victim of data theft and had to deal with the consequences.

In late October, the firm was in the middle of switching cloud service providers, and while the provider allowed for a simple data transfer to the new service, an audit manager absently chose to download some client data to his laptop with the intent of uploading it to the new service later that week. The manager stressed that even though the firm had internal policies against retaining any client data on its devices, he simply "didn't think anything would happen in such a short time."

What happened was that he left his laptop with the client data -- which consisted of payroll information for three clients -- in the office, only to return the next day to find it and some other items stolen. The firm reported the incident to the police and informed clients immediately, but the damage was done. "Fortunately, we had mirrored what information was taken in the current cloud provider, so I knew exactly what the data was. I told the partners, contacted our insurance carrier, and they were helpful in putting together the response and notification that the law requires," the manager said. "We also contacted affected clients -- the reaction was more, 'We know you will do what you can to rectify this,' but we did have to pay for some services."

Data breach laws require that a firm suffering a breach offer potentially affected parties fraud protection services. The three clients had a total of 470 employees who were potentially impacted by the breach, 19 of whom opted to have a year of the LifeLock identity theft protection service. The firm's outlay was $88 per person per year, versus what could have been tens of thousands of dollars in service costs as well as potential fines. In California, data security breach fines even for a first offense can average $30,000-$40,000, but only apply if a minimum of 500 individuals are potentially impacted.

New York-based WeiserMazars, a Top 100 Firm with over 650 staff, has had some data security issues too. In fact, in 2011 four staff devices went missing, resulting in fines of approximately $60,000 each, as well as increased security methods, according to the firm's IT security manager, David Feete.

He said that the firm now encrypts and secures all devices, whether company-provided or brought in from home, and has increased data security training and the use of secure file transfer programs and products, including its own client portal. "Even though we regularly offer training, getting the information absorbed by everyone is hard, but we are getting better at it," said Feete. "We regularly work with banks and financial institutions and need encrypted file transfers. You need a passcode to get to the data, but the sender has to encrypt it. Also, mobile devices are all registered with us; no matter the size, it has to be safe."

ASK THE RIGHT QUESTIONS

The best defense is having the right practices in place and regularly followed, according to David Barton, principal and practice leader of the Southeast region technology assurance and advisory services group at UHY Advisors Inc. "Firms have to really pay attention to where they are and where they do business and more importantly, know what kind of information you are keeping or using and how are you protecting it," he said. "Any firms that don't have formal policies either around BYOD or data classification, you need to get them and never put things on your personal device if it's client-related. If it's on a laptop, encrypt it; it's pretty cheap to do."

Barton also noted that practitioners frequently use Starbucks or other places like airports that offer free but unsecured Wi-Fi -- but this can leave data open to theft, as attackers can intercept the traffic.

In addition, Barton noted the rise in firms using cloud-based services, and while these are comparatively more secure than keeping data on local devices or servers, he said that most firms don't know enough to ask their service providers the right questions about data security. "We had a client recently using a cloud service provider, and we came in and asked that service if they had a SOC 2 report that described the controls. They said 'Yes' but when I got a copy of the report, it didn't specifically cover the accounting software, just the data center and operations around providing that software," said Barton. "What firms need to ask is, 'Who has access to my portion of my client records other than me?' and 'Who is the system admin for the data sitting in that facility?'"
