Information Technology Security Concerns Every CPA Firm and Accountants Could Face
Best Practices for safeguarding your Accounting and CPA Firm computer network
Preventative and Proactive Information Technology Security Best Practices
Purpose: To provide guidance to Accounting Firms and Certified Public Accountants (CPAs) on securing their computer networks and hardware against hackers, fraud, data leakage, data loss, compliance lapses, Internet viruses and other malware, including spyware and spam.
Overview: Being able to access client accounting data easily but also securely is vital to the functioning of any CPA firm. At the same time, CPAs must use the Internet for research and communication. Because your clients' confidential financial information is stored in electronic form, it is exposed to the same accidental and malicious man-made and natural threats as any other computer service. This article addresses the data security issues CPA firms must deal with at a time when we read about security breaches daily.
Data Confidentiality, Integrity and Availability:
Top technology priorities for accounting professionals
The three security objectives known in Information Technology Security circles as "CIA" (Confidentiality, Integrity and Availability), and the IT controls that enforce them, are an integral part of an effective information security program at any accounting firm. No harm has ever come from validating your controls with a culture of "trust but verify", and depending on the accounting firm it may even be required to have an independent party review those controls on a regular basis.
Keeping your data, or your client's data, confidential means preventing it from being accessed by unauthorized individuals. There are a number of ways data can be kept from unauthorized eyes or accidental bystanders.
Password protection, access controls, and encryption are three proven ways to help protect data. Many states have passed strict privacy laws requiring data confidentiality, and the American Institute of CPAs (AICPA), through its Information Management and Technology Assurance (IMTA) Member Section, has published recommendations on meeting them. Technologies such as full disk encryption for laptops and encryption of backups stored offsite should be treated as mandatory in every CPA firm that holds this data.
Even when your accounting staff and CPA professionals keep no confidential data on their laptops, a lost laptop still carries the passwords and sessions cached on it, and the reputational damage from the perceived loss of client data can be far worse than the direct loss.
Data integrity in relation to Information Management and Technology Assurance applies to any piece of data that is considered an authoritative source and/or is used for decision-making purposes. When data has integrity, there is assurance that unauthorized, malicious, or accidental modifications have not been made to it.
For example, a CPA relies on a financial-modeling spreadsheet prepared for a CPA firm client; if the spreadsheet has integrity, the CPA can be confident that it has not been modified by anyone outside the job roles allowed to change it. Email is another example: a digitally signed email lets the recipient verify both the identity of the sender and that the message was not altered in transit.
Data availability ensures the right people have access to the right data when they need it. Following the spreadsheet example above, this means the spreadsheet file is available when needed, but only to the person who needs it, following the security model of "least privilege". If the current copy of the file becomes corrupt or is accidentally deleted, availability controls ensure that a backup copy can be quickly accessed or restored.
Important data should always have a backup, preferably in several versions (versioning), because hardware will eventually fail. The level of redundancy you deploy depends on the importance of the data and the cost-benefit balance (money spent versus the value of the data) of protecting it. Highly available, geographically dispersed or clustered architectures may be too little or too much to spend on data availability, but, as our Disaster Recovery Team likes to point out, they are today within reach of even smaller accounting firms. For more information about high availability backup and disaster recovery systems see this link or call us. We have demos available to show how this service could enhance your CPA practice.
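The following Python script is an added example, not code from the original article or from Computer Systems Support & Design, that ties the integrity and availability points above together on a constructed client share: it baselines every file with a SHA-256 digest, seals the listing with an HMAC under a key assumed to be kept off the share (the placeholder constant stands in for a real secret), detects an unauthorized edit to the "spreadsheet", shows that an attacker who edits the listing cannot re-seal it, and restores a known-good copy from a set of numbered, verified backups. The file names and contents are constructed sample data.

```python
"""Added example: sealed integrity manifest plus versioned, verified backups."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Assumption: the firm keeps this secret outside the data share (password
# manager or hardware token). The constant below is a placeholder only.
MANIFEST_KEY = b"replace-with-a-real-secret-kept-off-the-share"


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large workpapers are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _digests_under(root: Path) -> dict:
    """Map each file's path relative to root to its digest."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path, key: bytes = MANIFEST_KEY) -> dict:
    """Record a digest for every file under root and seal the listing with an HMAC.

    A plain hash list could be regenerated by whoever altered the files; the
    keyed MAC means only the key holder can produce a listing that verifies.
    """
    files = _digests_under(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(root: Path, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Check the manifest seal, then report modified, missing and added files."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    recorded, current = manifest["files"], _digests_under(root)
    return {
        "manifest_ok": hmac.compare_digest(expected, manifest["hmac"]),
        "modified": sorted(n for n in recorded if n in current and current[n] != recorded[n]),
        "missing": sorted(n for n in recorded if n not in current),
        "added": sorted(n for n in current if n not in recorded),
    }


def backup_versioned(src: Path, backup_dir: Path, keep: int = 3) -> Path:
    """Copy src to backup_dir as a new numbered version, verify the copy, prune old ones."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    existing = sorted(backup_dir.glob(f"{src.name}.v*"))
    next_no = max((int(p.suffix[2:]) for p in existing), default=0) + 1
    dest = backup_dir / f"{src.name}.v{next_no:04d}"
    shutil.copy2(src, dest)
    if file_digest(dest) != file_digest(src):  # a backup you cannot trust is no backup
        dest.unlink()
        raise IOError(f"backup of {src} failed verification")
    for old in sorted(backup_dir.glob(f"{src.name}.v*"))[:-keep]:
        old.unlink()
    return dest


def restore_known_good(name: str, backup_dir: Path, dest: Path, expected_digest: str) -> Path:
    """Restore the newest backup whose digest matches the sealed manifest; skip tampered copies."""
    for cand in sorted(backup_dir.glob(f"{name}.v*"), reverse=True):
        if file_digest(cand) == expected_digest:
            shutil.copy2(cand, dest)
            return cand
    raise FileNotFoundError(f"no backup of {name} matches the recorded digest")


def demo() -> dict:
    """Run the constructed scenario in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        share, backups = Path(tmp) / "clients", Path(tmp) / "backups"
        share.mkdir()
        model = share / "acme_model.csv"
        model.write_text("period,revenue\n2023Q4,125000\n")  # constructed sample data
        (share / "notes.txt").write_text("reviewed by partner\n")
        manifest = build_manifest(share)
        backup_versioned(model, backups)
        model.write_text("period,revenue\n2023Q4,152000\n")  # unauthorized edit
        tampered = verify_manifest(share, manifest)
        # An attacker who edits the listing to hide the change cannot re-seal it.
        forged = {"files": dict(manifest["files"], **{model.name: file_digest(model)}),
                  "hmac": manifest["hmac"]}
        forged_ok = verify_manifest(share, forged)["manifest_ok"]
        restored = restore_known_good(model.name, backups, model, manifest["files"][model.name])
        return {"tampered": tampered, "forged_manifest_ok": forged_ok,
                "restored_from": restored.name, "after_restore": verify_manifest(share, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be rebuilt by the key holder after every authorized change, otherwise legitimate edits show up as "modified" too; the value of the scheme is that the rebuild can only be done by someone holding the key, which is exactly the separation of duties an independent reviewer would look for.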
Top Information Technology Initiatives - American Institute of Certified Public Accountants (AICPA) Survey
The Information Management and Technology Assurance member section of the AICPA found in recent surveys that securing the IT environment is the top business technology priority for accounting firms and AICPA members. According to the survey, the top information technology priorities and concerns for accounting professionals are:
- Providing Information Technology Security in the organization
- Managing and retaining data
- Managing Information Technology risk and compliance
- Ensuring privacy
- Leveraging emerging technologies
- Managing IT systems implementation
- Governing and managing IT investment / spending
- Preventing data breaches, data leakage and responding to fraud
Please contact the Computer Systems Support & Design Information Technology Security staff or Johannes Banck for more information and support. We will help you find the other nine-tenths of the security risks that you may not have found yet.
Accounting Firm Recommended Information Management and Technology Assurance Best Practices
Below is a checklist of network security items for CPA firms. It is by no means comprehensive. Only a network security assessment can deliver a solid evaluation of your accounting firm's Information Technology Security stance:
- A firewall or Unified Threat Management (UTM) system. Connecting an office to the Internet opens up a two-way flow of traffic. To keep hackers, viruses and other malware from reaching systems in the office, a firewall should be installed and configured to allow only the inbound connections the firm actually needs. You can have a software firewall, a hardware firewall, or both. We have had great results with Cisco SA500 UTM devices.
- A UTM goes beyond the firewall by including greater security protections such as antivirus software and anti spyware, among others.
- Good Internet security software will include antivirus and anti-spyware protection, and some packages also include a software firewall. These subscriptions generally run for one year, after which they expire and stop receiving updates. It is crucial to have this protection on your computers and servers at all times. Ensure that your package includes ongoing signature updates so that it catches newer viruses and advanced spyware, and install antivirus updates as soon as they become available.
- Never open any files or macros attached to an email from an unknown, suspicious, or untrustworthy source. Delete these attachments immediately, and then delete them again by emptying your Trash folder.
- Delete spam, chain, and other junk email without forwarding.
- Scan external media drives for viruses before using them.
- Moderate your Internet usage and do not visit social networking and other non-work related sites while at work.
- Most accounting offices use a wireless router to connect some computers, laptops and mobile devices such as an iPhone or iPad in the office to the network. Unfortunately, a wireless network is harder to contain than a wired one, because its radio signal reaches beyond the office walls. If you use a wireless router, make sure it is configured with current encryption (WPA2 or later, never WEP or an open network) and a long, robust passphrase, and change the router's default administrator password. We highly recommend Cisco AP541 Wireless Access Points. We have had great results with these easy to install and maintain APs.
* THIS DOCUMENT IS INTENDED TO PROVIDE A BEST PRACTICES OVERVIEW FOR ACCOUNTING FIRMS. THE FIRM SHOULD ESTABLISH A NETWORK AND COMPUTER SECURITY POLICY IN CONSULTATION WITH ITS IT CONSULTANT.
Please call (877) 717-6075 Ext 211 to review your Information Management and Technology Assurance system, IT and network security. We are a local Connecticut based IT Tech Support Services provider helping accountants and CPAs use technology safer and smarter.
Check out our 6 Tips For Using Passwords to Protect Against Identity Theft for suggestions on how best to handle the myriad passwords we all juggle.