CPA Practice Advisor

AUG 2011

Today's Technology for Tomorrow's Firm.

Issue link: https://cpapracticeadvisor.epubxp.com/i/36891


SECURITY

The Insecurities of Email

What you need to know about maintaining the privacy and security of your clients’ data

Email has been around a long time and has evolved into a mission-critical resource to deliver documents and communicate with clients. It’s the default for most businesses — convenient, easy and mature — and has all but replaced time-consuming faxing and manual delivery of documents. However, while email has been a trusted delivery tool for years, you should ask yourself, “Is it safe?”

Security v. Privacy

Security and Privacy have significant importance in the accounting profession. Unlike the recent trending topics, such as paperless and workflow, the measure in which firms assure data security and privacy has been a focus for accountants for decades. And now with new state and federal mandates hitting the profession at warp speed, ensuring the security of data and the privacy of client information has a renewed significance and has elevated to Job 1.

First, it’s important to understand the difference between security and privacy if firms are to comply with mandates geared toward client data protection. Consider each separately:

Security is comprised of three primary elements: authentication, authorization and audit.

Authentication refers to the ability to authenticate the person signing on. In other words, making sure an individual is who she says she is, typically via a unique user name and password.

Authorization determines a user’s access to various resources, based on the user’s identity. This has to do with setting permissions — what an individual can and cannot access. In a document management system, a user would be granted ‘rights’ to access certain documents.

Audit refers to the mechanism for tracking access and activity of a system or service — in short, who did what and when. In a document management system, an audit log would allow you to generate security and compliance reports of which users uploaded, accessed or changed the properties of a document, and when.

Privacy is really a subset of Authorization. It centers on ensuring that an individual’s privacy is protected during the course of sharing data with others, whether that data is shared online or stored in file cabinets in the office (who has access to those files?).

When we are talking about sharing and collaborating over the Internet, it’s easiest to think of security as the padlock — no one gets in without the right combination. Privacy is the shield that protects a person’s identity while actively sharing information via the Web.

PORTAL TECHNOLOGY IS DEFINED BY BUILT-IN SECURITY AND OFFERS ONE OF THE SAFEST AND MOST INTUITIVE PLATFORMS FOR EXCHANGING DATA AND DOCUMENTS WITH CLIENTS.

Second, it’s critical that firms understand why they should care about security and privacy. The Internet is the foundation of communication in most businesses, including accounting firms. Accountants send hundreds of emails every week. Without worry, financial statements, tax returns, and other common reports and forms are attached and sent. A few may send email links to documents, which are secure, but don’t require the user to have an email and password to access the document. And without user authentication, there is no way to verify that the person accessing the document is the intended recipient.

Some firms have advanced to using encryption as a means to protect documents, which can add a lot of complexity to managing hundreds of passwords for the documents encrypted. You also have to think about how you are getting the password to the recipient. If you are emailing it, that could be a security risk. And if the password is lost or expires, the document is effectively “dead” and unable to be opened by the sender or the recipient.
The result is that you end up duplicating your efforts in order to recreate and send the information again.

The bottom line: Most firms are riding on the hope that email is safe. But what if it’s not? It only takes one time, one breach of a client’s data, and your firm’s reputation is at stake. In fact, consider all that you are risking — your clients’ business privacy, your firm’s privacy, and civil and criminal penalties. Also consider that as the topic of data privacy continues to garner attention, clients may look to you as an expert, seeking education on how they can protect themselves against potential data breach. These are all good reasons to care and give security and privacy their due attention.

The Journey of the Standard Email

Now for the big question: Is email safe for sending sensitive documents? The truth is that if most people were aware of the multiple stops an email makes en route to its final destination, they might think twice about sending private information. Email doesn’t simply move from your inbox to the recipient’s. It is transported across multiple servers, and at each stop point ‘sits’ unprotected. IT experts refer to this as “data in the clear.” While in the clear, emails are open game and at the mercy of the server administrator, who can alter or even delete a message. Below is a simplified illustration of the typical email journey.

Email will most certainly continue to be a primary delivery tool for firms. But as new data privacy mandates continue to emerge, firm leaders may want to look at alternatives for delivering sensitive financial data.

A Resolution to Email Insecurities — the Cloud (Portals)

A better solution for exchanging documents that contain private client data is through secure portals. No one is saying email should be abandoned completely. Email will continue to be a firm’s primary communication source.
It’s only when sensitive information like tax returns, social security numbers or financial statements are attached within an email that firms should consider a better alternative like portals. The best portal solution also offers the ability to use email as the core communication tool. However, via portals, sending a link to a document is secure because the document is stored online, not attached in the email. Exchanging and delivering documents

(Continued on page 50)
