Best Practices for Ensuring File Security at Your Firm

It’s no secret that professional services firms house troves of hack-worthy data. Accountants, lawyers, consultants, recruiters, media, creative, IT and other service providers routinely access and share sensitive information to meet client needs—making them prime targets for cybercriminals and the ideal potential victims for data mishandling.

In June, insurance giant State Farm had 70,000 email addresses belonging to company personnel and independent contractors compromised when collaboration with a trusted professional services marketing partner, DAC Group, went awry due to a server breach.

[State Farm spokesman Phil Supple sent the following statement to Accounting Today: "State Farm takes the privacy and security of information very seriously. Based on the analyses we and DAC Group have done, the information that was disclosed as a result of this incident does not include State Farm customer data. We learned the vendor had approximately 70,000 email addresses stolen, all of which belonged to State Farm personnel or independent contractors and none of which contained sensitive personal information. We connected with the vendor, and took the appropriate steps to handle this situation."]

But you don’t have to be a large, national firm for cybercriminals to take an interest. In May, two California-based accountants experienced unauthorized access to their work computers. Lynn N. Talbott, Jr., CPA disclosed that her firm’s breach compromised customer names, genders, dates of birth, telephone numbers, addresses, Social Security numbers, W-2 information and direct deposit bank account information. And a suspicious individual accessed Ken Waterman, CPA’s files containing data related to customer tax filings, and possibly their names, addresses, Social Security numbers, wage information, and in certain cases, bank account information.

As evidenced by these breaches, professional services providers work in a highly connected world where sharing files and collaborating online is the norm. These firms are required to house confidential customer data like human resources, financial/accounting and audit information. Plus they need to worry about their own internal data, such as employee and temp on-boarding information, which contains personally identifiable information (PII) subject to data privacy protection obligations. And without proper file protection and auditing controls, business agreements, legal and financial documents, rate sheets, analytics, human resources, audits, employee information, PII, health care, tax and other critical files are open to unauthorized access and misuse.

The majority of enterprises recognize the data protection and privacy compliance issues these modern collaboration needs create. According to the 2015 State of File Collaboration Security report by Enterprise Management Associates, 75 percent of IT and infosec professionals at mid-tier enterprises expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access. Half said there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential or regulated information. A whopping 84 percent had a moderate or total lack of confidence in their organization’s file security monitoring, reporting and policy enforcement capabilities.

Lifecycle File Protection
Professional services organizations may have content management, email security and mobile management in place, but these controls often don’t apply after files traverse the firewall to external networks, users and devices, which can expose sensitive customer and internal information.

Employees may securely receive files from a customer, but what prevents them from inappropriately forwarding the file, making unauthorized modifications, storing it on a laptop or tablet that gets lost or stolen—or being breached like State Farm’s marketing collaboration partner and the California CPAs? What happens to the files when employees or external recipients change roles or move onto another practice?

Luckily, emerging file security solutions aimed at reducing file mishandling and collaboration data leakage risks address this gap with strong file encryption and usage controls that, once applied, persist for the life of the file, including after it crosses to various networks, recipients and devices. 

The beauty of this approach is that if any collaborator inappropriately or inadvertently shares a sensitive file with an unauthorized user, mishandles it accidentally or has it stolen, these solutions can deny access and log the attempt. Professional services firms across industries can make use of this approach. Accountants can store and collaborate on financial data securely, auditors and IT consultants can access, report and sign off on projects with confidence, and HR consultants can secure employee and candidate on-boarding, tax and health insurance files.

Why leave your sensitive internal and customer information exposed to potential unauthorized access, hackers or malware? Persistent file security can be simple and seamless when you have complete and flexible control over the file, whether it resides with you, your partner or your client, so you can keep your customers’ hard-earned trust and preserve your reputation.

Scott Gordon, COO at FinalCode, Inc., has helped evolve security and risk assessment technologies at both innovative startups and large organizations. An information security authority, speaker and writer, he is the author of Operationalizing Information Security and the contributing author of the Definitive Guide to Next-Gen NAC. Scott holds CISSP-ISSMP certification.
