|Global Knowledge Gateway||
How Secure Is Your Client’s Data?
by Peter Docherty, General Manager, Public Practice, CPA Australia | June 13, 2018 |
If no one is too big to fail, it’s also true that you are never too small to be hacked. In 2017 an Australian insurance broker Fenton Green had 17 claims from small and medium-sized accounting practices (SMPs) for cyber-security breaches. Green doesn’t insure all accountants in the country and even so that’s a sizeable number of claims for a country with such a small population (nearly 25 million). Last year a survey of 183 small Australian practices by accounting consultant Smithink revealed that one in six firms had been hacked or suffered from malicious incidents.
“As far as risk profiles go, accountants with their access to client data including bank accounts and financial statements are at the top as hackers are concerned. Their sheer financial footprint means their risk profile is high,” notes principal Drew Fenton. According to Fenton, only 25 to 30 percent of Australia SMPs use the Cloud to store sensitive data, and there remains increasing concerns around data security in the Cloud with 66 percent concerned about the security risk, a six percent increase from the previous year. SMP owner Tanya Titman, who is an avid Cloud champion, reflects on the days of putting client files on USB sticks. “Did anyone keep track of those USB sticks? With the Cloud there’s so much more security and much more process.” Drew Fenton agrees: “At the end of the day if you are not in the Cloud you are not protected.”
So what are the risks of this so called more secure digital data storage? They boil down to the same old issue: keeping track of your data. IT security expert Dr Michael Axelsen says, “Losing USB sticks used to be the greatest risk, but today the risk occurs when you go from one Cloud provider to another.” Using numerous Cloud providers may increase your security risk. Why? Because cloud providers have the right to edit and modify your inputted information. Cloud providers don’t agree on or maintain the same security agreements and – due to tough competition, potential cost issues, and outsourcing overseas - your sensitive data can potentially become compromised.
“Practitioners need to make sure when they change Cloud providers that their data is taken off the backup systems - otherwise they could end up with a patchwork quilt of different service providers” notes Axelsen, who argues that the Cloud is still far better than the alternative.
But what is the easiest way to get hacked? It’s not the Cloud, Fenton says, the easiest way to get hacked is by opening the wrong email. ‘Innocent emails’ asking you to click on attachments is an open door for hackers to access your system.”
Axelsen says firms can counter these events by initiating a “data respect culture” which involves making staff hyper-aware of data security. “That’s probably your best line of defense. Your data might be encrypted and relatively secure, but hackers can get something from your firm by social engineering methods or phishing.” He recommends having a strict risk policy and email protocols in place. Businesses are increasingly testing their staff through “phishing tests”, which are test emails sent to staff emails asking them to click on a variety of requests. People need to change their mindset to constantly be on guard and suspicious of all emails that are asking for an action or personal information.
Here are factors to consider in order to keeping your data, and your clients, safe.
Tips on Keeping Data Safe:
- Technology Risk Management Framework
The first step firms should take is to build and maintain a technology risk management framework. This includes policies and procedures on how a firm assesses and identifies risks associated with the use, ownership, operation, and adoption of IT.
- The Cloud
Today’s cloud is safer than in-house servers, but data management is key. Know who your providers are and where they are storing your data. Consider security solutions such as two-factor authentication.
- Disaster Recovery and Business Continuity Plans
It is too late to build a disaster recovery plan after an attack. Failure to build and maintain an effective business disaster recovery system can be catastrophic. Firms need a proactive risk management plan that covers system and software back-ups; off-site storage; and trial restores.
It is important to have system utilities to protect the firm from malicious attacks. Systems that can proactively combat cybersecurity attacks include, firewalls, virus protection, malware/spyware programs, and anti-spam and phishing software.
- Policies and Procedures
Installing good IT governance procedures within a firm is critical. Policies should include guidelines that ensure that systems are not misused, with practices to ensure that applicable policies are continually reviewed and updated to reflect current risks. Ongoing education to all employees of the firm on technology risks should be part of the firms risk management framework.
Keep a log of hardware (including laptops and phones). Maintenance contracts should be sustained with hardware suppliers so that hardware failures can be quickly rectified. Ban staff from using free Wi-Fi -- on company or personal hardware -- to access sensitive data.
Keep an updated tracking system of current, past, and potentially future software subscriptions. Regularly upgrade software to current levels and allow time for system patching before shutting down your devices.
Adequate insurance for the firm must be maintained and cover the cost of replacing infrastructure, and labor costs to rebuild systems and restore data. Also, consider insurance for the loss of productivity resulting from a major system failure or catastrophic event.
IFAC has recently launched an updated the Guide to Practice Management for Small- and Medium-Sized Practices, which includes a new chapter on Leveraging Technology and covers Developing a Technology Strategy, Hardware and Software Options, Technology Risks and New & Emerging Technologies.
Like what you see here? Subscribe to The Latest, our customizable update sent every two weeks.
Do you have a perspective you'd like to share with the global profession? Email Gateway@ifac.org to inquire about becoming a Gateway contributing author.