CPA Practice Advisor

SEP 2013

Today's Technology for Tomorrow's Firm.

Issue link: https://cpapracticeadvisor.epubxp.com/i/160971


TECHNOLOGY IN PRACTICE

By Roman H. Kepczyk, CPA.CITP

available on the Internet (StaySafeOnline.org, SANS.org) to help firms develop a comprehensive breach response plan and provide training for firm personnel.

UPDATING POLICIES ANNUALLY: Most firms have a computer and Internet usage policy as well as a password policy, which all new employees are usually exposed to the first week they are hired. Unfortunately, this is usually the only policy exposure the employee gets during their tenure with the firm, and with technology continually evolving, most of these policies are woefully out of date. With the advent of social media, remote access and telecommuting, cloud computing, and the Bring Your Own Device transition, it is important for the firm to review all IT policies and ensure personnel understand these changes and how they impact the way the employee works. Human Resources personnel should meet with IT personnel at least annually to discuss updates to firm policies, particularly in regards to ensuring the privacy and confidentiality of firm and client data. Recommended changes and training should be approved by owners and, if necessitated, reviewed by the firm's legal counsel to ensure compliance with local legislation in the States where the firm operates. Owners should be aware of the estimated costs of a breach and discuss acquiring data breach insurance to mitigate the impact. A recent discussion with a professional liability insurance provider pointed out that physically stolen file servers and data being hijacked through unsecured WiFi were surpassing the claims for stolen laptops, which were the traditional concern for CPA firm data theft.

ANNUAL IT/SECURITY BRIEFING: The next step is to ensure all employees are educated at least annually on these changes, which can be done via a formal training session put on either by the firm's internal personnel or by an external integrator. In some States this training can qualify for Continuing Professional Education if protection of client data, privacy and security best practices are integrated. In addition to updates in firm policies, there are five areas the annual security briefing should address, and below we list examples of items that should be discussed. This is not meant to be a comprehensive listing, but a starting point for firms to develop their own IT/Security listing based on their own policies and infrastructure.

• Secure Workstation: Personnel must understand that automatic system updates and keeping their malware/antivirus software running are critical to protecting their workstation and should not be turned off. Any CD/USB flash media should be scanned before loading a client file to minimize malware getting into the system. These rules apply to any Internet-enabled device that accesses firm resources, including home computers, tablets and smartphones.

• Thinking Before Connecting: Personnel should be trained to never click a link from within an email/website to go to an Internet resource and then enter any personal or confidential data. The general rule is to type the address of any "trusted" site directly into a web browser and to look for a secured connection, which will have https:// or shttps:// in the header. If using a public WiFi resource, employees should be trained to verify the proper Wireless Access Point name with the location and to connect through a Virtual Private Network to secure transmissions. If the employee's intuition points to any doubts about connecting, they should be reminded not to click it. To help firms educate users on this, there are samples on the Microsoft Security site, which has links to a "Real or Rogue" quiz that will help educate staff on what to watch out for.

• Being Web Aware: Education on current scams and security breaches will help make your personnel more web wary, but they should also learn to protect any data on their Internet-enabled device, whether it is firm, client or personal information, by regularly backing it up. Personnel should also be reminded that social media postings are permanent and that the things they do in their private lives can be exposed to current and future employers. If they don't want their family or the owners to see it, they should be reminded not to post it. Training personnel on when and how they can mention the firm in their postings should also be included in any training, as Google searches on the individual or firm name can have unintended negative consequences.

• Protecting Personal Data: In addition to complex passwords that are changed frequently and are unique between different applications, employees should be taught how to protect these passwords securely (and not on yellow sticky notes!). The IT team needs to be aware of the information sharing policies and privacy settings of the web-based sites the firm connects with to ensure any required firm compliance with HIPAA, GLBA, and Sarbanes-Oxley is being maintained.

• Being a Model Online User: Promoting employee Internet usage as a solid online citizen means they should regularly follow firm practices within the firm and promote good usage habits with other employees. This includes reporting any concerns about personnel or system behavior immediately to management so they can address them. More IT/Security resources and training tips for educating firm personnel can be found on the StaySafeOnline and Microsoft Safety and Security Center websites.
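As an added illustration of the "Thinking Before Connecting" rules above (this is not code from the article or its author), the following Python script applies those rules to the links in an email body: it reports each link that is not https, that points at a bare IP address, or whose visible text names a different host than the one the link actually goes to. The sample message and every domain and address in it are constructed from reserved example values, and the two-label domain comparison is a simplification that assumes no public-suffix list.

```python
"""Flag email links that break the 'think before connecting' rules.

Added example, not from the article: parses the anchors in an HTML email
body and reports, per link, whether the target uses https, whether the
host shown in the link text matches the host actually linked, and whether
the target is a bare IP address.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample message; hosts use reserved example/TEST-NET values.
SAMPLE_EMAIL = """
<p>Your portal password expires today.</p>
<a href="http://192.0.2.10/login">https://portal.example.com/login</a>
<a href="https://portal.example.com.attacker.example/reset">portal.example.com</a>
<a href="https://portal.example.com/help">Help center</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in_text(text):
    """Hostname a reader would assume the link goes to, taken from its text."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registered_domain(host):
    """Last two labels; a simplification that assumes no public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html):
    """Return one dict per anchor with the warnings raised for that link."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        warnings = []
        if parsed.scheme != "https":
            warnings.append("not https")
        if _is_ip(host):
            warnings.append("bare IP address")
        shown = _host_in_text(text)
        if shown and _registered_domain(shown) != _registered_domain(host):
            warnings.append(f"text shows {shown} but link goes to {host}")
        results.append({"href": href, "text": text, "host": host, "warnings": warnings})
    return results


if __name__ == "__main__":
    for link in check_links(SAMPLE_EMAIL):
        verdict = "; ".join(link["warnings"]) or "OK"
        print(f"{link['href']:55} -> {verdict}")
```

Run against the sample, the first link draws all three warnings (plain http, a bare IP, and text that names a host the link never reaches), the second passes the https check but is caught by the host mismatch, and the third is clean. The point for training is that the second case is exactly the one the https check alone does not catch, which is why the article's rule is to type the trusted address in directly rather than trust the link.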
REMINDER TRAINING: Mandatory training should be repeated at least annually for all personnel, and the firm may want to consider video recording the training session for new hires and those that miss the live session. This can be done with webinar capture software such as GoToMeeting, Adobe Captivate, and Camtasia and then posted on the firm's intranet for future use. For ongoing reminders, the firm may want to consider posting notices or posters around the office, such as those found at StopThinkConnect.org, or linking to digital versions via email reminders. Many firms also utilize "lunch and learns" for staff training, and IT personnel could be brought into these sessions to provide updates on current threats and recent incidents. Taking a proactive approach to making firm personnel aware of current risks and cyber-threats will go a long way to protecting the firm against the most common security breaches that could impact the firm. It is the responsibility of firm owners to ensure that the firm does all that is reasonably possible to protect the data they have been entrusted with, and an annual IT/Security reminder training session is a great way to start.

September 2013 • www.CPAPracticeAdvisor.com
