Controlling your data
Target. Home Depot. Anthem. The IRS. The U.S. government. Numerous hospitals and universities. The commonality? All have been the victims of headline–splashing cyberattacks that led to the breach of confidential data. With so many cyberattacks in the news, many CPA firms may wonder, “Are we next?”
CPA firms can be a treasure–trove of informATIon for cybercriminals. Firms routinely collect sensitive informATIon from both clients and employees, including Social Security numbers, bank account informATIon, earnings and business informATIon, and, if the firm accepts credit cards as payment, credit card numbers. All of this informATIon requires protection under professional standards and various state and federal laws and regulATIons.
Most firms have acknowledged that data security represents a critical risk requiring careful management. However, implementing controls over data security can be unfamiliar territory with a daunting vernacular. This can be especially challenging for sole practitioners or firms without dedicated IT resources. To help get started, consider implementing these baseline security measures.
Implement access controls to help ensure only authorized individuals are permitted to access sensitive or critical areas of informATIon.
Physical access controls
CPA firms likely restrict access to their premises already, but access to the area in which the firm’s server is kept should also be restricted with a lock or access code. If mass storage devices (flash drives, external hard drives, etc.) are used, purchase the encrypted versions. While the cost may exceed that of unencrypted devices, the protection they provide justifies the additional expense. Another option is to use software to encrypt unencrypted flash drives.
Encryption of all laptop and desktop computers and mobile devices is one of the most beneficial controls CPA firms employ. A lost or stolen computer or device can result in a devastATIng and expensive data security breach if it is not encrypted. Full–disk encryption may help to mitigate damages if a breach occurs. Various state breach notificATIon statutes create a safe harbor that waives notificATIon requirements if encrypted data are breached. Refer to applicable state breach notificATIon laws for informATIon on whether a safe–harbor provision applies.
Full–disk encryption is built into all major operATIng systems including Windows and Mac OS X. Instructions on how to “turn on” encryption are available online from Microsoft or Apple. BlackBerry devices are encrypted by default as are iPhones and iPads running iOS 8 or newer. The Android operATIng system supports encryption, but it must be enabled.
Logical access controls
Assign access privileges to software or network folders where sensitive informATIon is stored based upon the principle of “least privilege,” meaning a user should only have the minimum access required to perform his or her job responsibilities. Conduct routine reviews of access and modify access authority when an employee leaves the firm, changes roles, or is perceived to be at risk of becoming disgruntled. Many data security breaches are from the inside and perpetrated by a dissATIsfied employee or former employee who has knowledge of the firm’s systems and their vulnerabilities.
Prepackaged software often comes with default settings. update the default settings and tailor access rights to your firm. In addition, be sure to implement software updates or patches when they are provided by the vendor. These updates may help troubleshoot and fix a security vulnerability identified and addressed by the vendor.
To help further control access, use passwords. While complex passwords (those that use a combinATIon of upper– and lowercase letters, symbols, and numbers) are good, they are easily forgotten. Instead, focus on long passwords or phrases, 16—20 characters in length, that are changed periodically. Be sure to keep passwords and encryption keys in a secure locATIon. Costly data security breaches have occurred because a password was taped to the bottom of a laptop.
Many software tools are designed to help prevent or detect intruders in the firm’s network.
Data breaches do not always take the form of a cyberattack. The theft or loss of a laptop or flash drive or a misdirected email are common types of data breaches at CPA firms, both of which are preventable. For these reasons, regular security awareness training, constant vigilance, and attention to detail are essential for all firm owners and employees.
Even with these controls in place, a data breach can still occur. Security incidents can take a toll on a firm of any size. Putting an incident or data breach response plan into place can help the firm act quickly, helping to prevent further data loss, regulatory fines, and client backlash.
Sarah Beckett Ference (email@example.com) is a risk control director at CNA. Nickolas Graf (firstname.lastname@example.org) is a risk control consulting director at CNA. He is a Certified InformATIon Systems Security Professional, Certified Ethical Hacker, and Certified InformATIon Privacy Professional.
Continental Casualty Co., one of the CNA Insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the NATIonal Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides informATIon, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the article date. This article should not be viewed as a substitute for recommendATIons of a retained professional. Such consultATIon is recommended in applying this material in any particular factual situATIons.
Examples are for illustrATIve purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situATIon is covered under any CNA Insurance policy. The relevant Insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.