The COVID-19 pandemic has fundamentally changed the way people work. Millions of employees have been able to stay productive while working from home during the lockdowns thanks to remote collaboration technologies like Zoom, WebEx and Teams. Very quickly, virtual meetings became ever-present, and people could connect with their managers and clients or give presentations from any location with internet access, including other countries. Even as much of the country returns to business (mostly) as usual, firms instituting flexible or work-from-home policies may need to review their telecommuting policies and practices to help keep data safe.
While working from home has been key to business continuity over the last 15 months, it has also opened up some potentially major security issues for firms. In an office setting, there are multiple ways to secure data, including firewalls and physical security measures such as badges, doors, locks and keys. However, remote employees could be working from their homes, their cars, or at a local coffee shop. They have laptops, mobile phones, tablets and smartwatches — all of which communicate with each other and could use several different services (Wi-Fi, Bluetooth, cellular data, RFID).
Being outside a secure office makes these employees, and their data — that is, your data and your client’s data — vulnerable to data leaks and hacks. Even something like a chat or text message could contain confidential information, such as a Social Security number, birth date, tax information, or even medical information.
This is why robust data security is vital for any company. Data breaches that compromise client or employee data are notoriously costly,
It's these risks, by the way, that drove the American Institute of CPAs to add to its Code of Professional Conduct
It is against that background that all firms must make a concerted effort to be vigilant about protecting their data and their client’s data. Accounting firm leaders must recognize the issues affecting their firms and take measures to educate their professionals. With that in mind, here are a few practical ways to help secure access to data, stay compliant, and mitigate the damage in the event of a breach.
Encryption is your friend
You may have outfitted all of your employees with laptops and a secure virtual private network. While a VPN might be enough protection when employees use their devices on a secure home network, what if they’re traveling or decide to work in a cafe? Many hotels, airports and cafes offer free Wi-Fi, but these unsecured networks can allow hackers to gain access to data that is supposed to be secure. A VPN may protect outbound data, but it still leaves the laptop or tablet itself vulnerable via other potentially active services such as Bluetooth, hotspots or RFID. Encrypting the device itself will make it much harder for criminals to access the data.
Encryption can also help protect a device if it is physically stolen. Unattended computers, tablets or mobile phones are tempting targets for thieves. With the device in their possession, the thief could have a treasure trove of confidential information they can sell or use to scam your clients. If a device is encrypted, the data is safe, and you only lose the device. It could mean the difference between $1,000 or $1,000,000.
Turn off services
Mobile devices are designed to make communication easy. This is a double-edged sword, however, unless there are security protections in place. For example, virtually all mobile devices have Bluetooth, and a growing number can be used as internet hotspots or have radio frequency identification (RFID) technology built right in. If these services are turned on, a hacker could potentially compromise the device. While these services can be beneficial, they do not need to be active 24/7. All employees should be instructed to turn them off until they are needed, especially while traveling.
Make sure to back up your data
With millions of Americans telecommuting, tens of millions of laptops and other devices are floating around filled with potentially sensitive data. This creates a greater chance that data could be lost if a device is lost, stolen or damaged. Employees should back up their devices daily, or at the very minimum, weekly, so the information will remain accessible if there is a catastrophic failure. Moreover, it is vital that employees restrict backups solely to company-approved destinations (e.g., cloud storage, on-premises servers, encrypted hard drives). If they make a backup to another location, it exposes their organizations to a potential data breach they have no control over.
As a firm leader, you should work with your IT team to ensure the mobile devices with access to firm information use properly “containerized” apps such that your firm’s data is automatically backed up, even if the rest of the device’s data is not. Note that even email and everyday collaboration tools are loaded with documents and sensitive data that could be easily leaked. To reiterate, always (1) encrypt the devices and (2) back up important information.
A few decades ago, it was practically unthinkable that employees would have access to a secure server from their home, or for them to be a potential target for hackers. Accounting firm leaders must adapt their security practices to the time and, perhaps most importantly, educate employees about cybersecurity. Even with just these three relatively simple steps, firms can significantly reduce the chances of being subject to a costly data breach or cybercrime incident.