
Information security has long been at or near the top of the AICPA’s Top Technology Initiatives and has become an important concern for CPA firm owners. In a “paperless” environment, where virtually all firm and client information exists within the realm of the firm’s IT infrastructure, it is more important than ever to proactively protect this data, particularly as the firm has a fiduciary responsibility to do so. While IT technical personnel usually do a good job of setting up network firewalls, running operating system patches and automatically updating anti-virus applications, they often neglect to update employees on current IT threats or offer security training beyond the initial employee orientation and “firm-policy signing” process done by human resources when any new hire starts with the firm. As technology and IT threats continuously evolve and affect the firm’s computer and Internet use, owners must ensure that all firm personnel are aware of current threats and of resulting changes in firm policies and IT practices. The best way to do this is to mandate that all personnel participate in an IT/security briefing at least once a year.
Ensuring Awareness
This briefing should be developed and delivered by a combination of the firm’s IT and human resources personnel to ensure that recommended IT practices are agreed upon, documented in the firm’s written policies and, as an end point, that all firm personnel confirm they are aware of them. In planning the update, begin by reviewing current policies and determining what updates should be considered. Trends that many firms are considering now include BYOD (bring your own device; see a CPA Insider article for more details), the impact of social media, remote access confidentiality when working from home or public spaces, and security on devices such as tablets, to name a few. Firms can turn to resources such as StaySafeOnline.org, Microsoft.com/Security, and SANS.org to get up to speed on the latest threats and gain access to resources they can use in developing their training programs. After the updated policies have been reviewed and approved by owners, they should become a core part of the IT/security briefing.
The IT/security briefing should inform firm members of the updated firm’s policies, IT threats, best practices for minimizing IT risks and how to respond when a questionable event occurs. Reviewing the policies at least annually makes it possible to communicate needed updates and remind firm members of all policies.
Six Key Areas
There are a minimum of six key areas that firms should consider educating employees on annually:
1. Policy review and updates. The firm’s IT policies for computer and Internet use, remote access, smart phone and tablet use, digital client confidentiality, social networking and passwords should be updated annually. The update should focus on specific changes and emphasis points, along with information on how to access policies stored on the network. Employees should be quizzed on policy changes to ensure they are aware of them.
2. Passwords and PINs. Access passwords should be changed at least twice a year, using complex passwords and passphrases. This means passwords that are at least eight characters and include an upper and lower case letter, along with a number and special character. Employees must be trained NEVER to share them with anyone (especially if they are asked to do so in an email or instant message). They should be educated on “social engineering” attacks designed to elicit disclosure of information that can be used to expose the firm’s security and client data. If a password is disclosed, the employee should change it as quickly as convenient or notify IT personnel.
3. Workstation protection. Workstations should be set up for automatic updates of operating systems, browsers and key security applications, such as anti-virus and spyware tools, so that they can’t be circumvented or uninstalled. Firm members should be reminded of the importance of workstation protection and told specifically NOT to ever turn off their firewall or download any non-firm applications to a local workstation without the IT team’s knowledge and approval. One of the most common attack methods is a message that pops up when browsing a website stating that the computer’s system has been breached and that the user should immediately download a fix. Firm members should be aware of how to safely close a suspicious pop-up message (Ctrl+F4) without downloading any malware. If the workstation begins to perform erratically or slowly, the user should notify IT support immediately.
4. Email threats. Firm members must be reminded annually how to identify and deal with suspicious emails. The firm should alert them to current phishing and pharming threats and remind them that these can take many forms, including email, instant messaging or pop-ups on any of their screens (workstation, tablet and even smart phone). It’s useful to offer information on how to spot a suspect email address, email subject or attachment name and how to verify the actual sender/hyperlink. Firm members should be on the lookout for generic (“Dear User”) or incorrect salutations instead of their name, obvious grammatical or spelling errors within the body of the text, alarmist messages (“Your information has been breached; click here to minimize your loss”) or ANY request for personal logins or passwords. They should also be reminded NEVER to use a hyperlink from within an email that would link to any confidential resources. Instead, they should open a new window and type in the site they want to visit. Employees should also be made aware that telephone numbers listed within suspicious emails can be linked to fake call centers, so care should be taken to verify that the number is valid before calling. For more information on current email scams, turn to the Snopes.com website, which is frequently updated and easy to search.
5. Confidentiality. Firm members should not transmit client, firm or any personal confidential information via email or instant messaging unless there are encryption tools or verified secure (SSL) connections in place, especially when using public or client Internet access. Instead, they should be required to use the firm’s selected method, such as a secure portal and/or encrypted email service, and be directed to ask clients to do the same. Confidentiality should also extend to work at remote sites. Employees should be educated to take care whenever anyone can view their client data, including, for example, when working on multiple screens at home where a neighbor or family member could inadvertently see the screens. As a general rule, employees should be taught that all public WiFi sites are insecure, as it is easy for thieves to create “Free WiFi” sites or to log activity on these sites.
6. Physical security. Finally, firms should also remind personnel about physically securing devices, since a stolen laptop, lost smartphone, misplaced USB thumb drive or an unsecured door can lead to a security breach. Internet-enabled devices should always have a secure PIN/password and any client data residing on them should be encrypted. Recommended policies include using privacy filters when working in public places, encrypting digital data on hard drives and thumb drives, locking the screen when not in use and reminding users always to have their devices in their possession or physically locked to a desk if they leave their work area. Educate them on IT breaches that have happened to other firms (laptop stolen out of a car in a parking lot) and the firm’s related policies (always take your laptop with you if outside of the office).
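As an added illustration of items 2 and 4 above (example code written for this page, not part of the original article), the following Python check flags the phishing indicators the article lists and tests a password against the stated complexity rule, run over two constructed sample messages; the message format, field names and word lists are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for illustration only; not real correspondence.
PHISH = {
    "from": "support@secure-bank-login.example",
    "subject": "Urgent: your account has been breached",
    "body": "Dear User,\nYour information has been breached; click here to "
            "minimize your loss. Confirm your password at the link below.",
    # (visible link text, real href) pairs as a mail client would render them
    "links": [("https://www.bank.example/login",
               "http://bank.example.evil-host.test/login")],
}
LEGIT = {
    "from": "alice@client.example",
    "subject": "Q4 trial balance attached",
    "body": "Hi Pat,\nAttached is the trial balance we discussed on Tuesday.",
    "links": [],
}

# Indicator word lists are assumptions drawn from the article's examples.
GENERIC_SALUTATIONS = ("dear user", "dear customer", "dear valued member")
ALARMIST = ("breached", "suspended", "click here", "immediately", "minimize your loss")
CREDENTIAL_WORDS = ("password", "login", "pin", "username")

def link_mismatch(display, href):
    """True when the visible link names one host but the real target is another."""
    shown, actual = urlparse(display).hostname, urlparse(href).hostname
    return bool(shown and actual and shown != actual)

def phishing_indicators(msg):
    """Return the article's warning signs that appear in a message."""
    text, subject = msg["body"].lower(), msg["subject"].lower()
    found = []
    if any(text.startswith(s) for s in GENERIC_SALUTATIONS):
        found.append("generic salutation")
    if any(w in text or w in subject for w in ALARMIST):
        found.append("alarmist wording")
    if any(re.search(rf"\b{w}\b", text) for w in CREDENTIAL_WORDS):
        found.append("asks for credentials")
    if any(link_mismatch(d, h) for d, h in msg["links"]):
        found.append("link text does not match target")
    return found

def password_meets_policy(pw):
    """Item 2's rule: 8+ chars with upper, lower, digit and special character."""
    checks = [len(pw) >= 8, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
              re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return all(checks)
```

A mail gateway or awareness-training tool would feed parsed messages into `phishing_indicators` and surface the returned list to the user rather than block on it, since the heuristics are indicators, not proof.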
The Weakest Link
What’s the greatest vulnerability for most firms? The weakest security link in most cases is firm members’ ignorance of firm computer and security policies or failure to adhere to them. An annual reminder and update will go a long way towards minimizing the risk of falling victim to a security breach.
This article was originally published in the January 2013 issue of The Practicing CPA, a publication of the American Institute of Certified Public Accountants. Copying or distribution without the publisher’s permission is prohibited.
Ian
Couldn’t agree more, although I wouldn’t call it ignorance. More like complacency; individuals feel like the IT people of the firm have every threat under control.
I also agree with a review every year, although I think it should be twice a year. A monthly IT e-mail blast is a nice way to keep people aware of ongoing threats as well. In the end it’s all about keeping the users thinking about being vigilant.
Nice article Mr. Kepczyk