• January 2008
• February 2008
• March/April 2008
• May 2008
• June 2008
• July/August 2008
• September 2008
• October 2008
  • Chair's Message
  • Focus on Members
  • 15,000th CPA Licensed in Arizona
  • The Most Common Reasons Investment Plans Fail
  • What You Need to Know About the New Arizona Trust Code
  • Laptop Security Requires Multiple Strategies
• November 2008
• December 2008

Laptop Security Requires Multiple Strategies

By Suzanne M. Holl, CPA,

 

Nationwide, missing laptop computers continue to cause losses for many CPA firms, especially in terms of user productivity, billable hours and business opportunities. Even worse is the possibility of a client data breach, the costs of which are significant. Not only is there the expense of notifying clients whose personal information has been compromised, but data breaches affect client willingness to continue doing business with the organization that failed to protect their information, resulting in more lost business. A 2007 study by the Ponemon Institute put such costs at $197 per compromised record, or $1.97 million for a database of 10,000 records.

   Most experts agree that there is no silver bullet that will solve all of the problems associated with laptop security. The best security comes from well-trained personnel coupled with written policies and procedures that are steadily applied and ably enforced, including adequate safeguards in the event of a potential data breach.

 

Policies and Procedures

Establishing written policies is a vital step. It causes managers to carefully consider the issues involved in the custody and care of laptops, including physical security (as in locking laptops to a desk or equivalent item), building security, and access codes or keys. It should provide for the “least privilege” rule, in which users do not have any more rights or access to a laptop or program than they need to have, and it should address the procedures that help secure information, such as: 

backup copies of all important data, stored and secured away from your office location, with sensitive information encrypted;

installation of firewalls and secure configurations, including programs to scan for and counteract viruses, malware and spam;

encryption of all confidential client data at all times; and

use of strong passwords and authentication.

Each of these steps is important, but none is sufficient by itself for the adequate protection of sensitive information. For instance, a strong password is invaluable but difficult to remember, and as soon as the user writes it down it loses some of its protective value. Encryption of client data is also a necessity, but it can be unlocked or decrypted with a password or key.

 

Track and Trace and Data Elimination

Policies or procedures that operate without user involvement appear to be most effective in reducing vulnerabilities. Two software applications that bring such added security include “track and trace” and data destruction programs.

“Track and trace” software has recovered more than 70 percent of computers that have the software on them, according to a 2008 report, “Laptop Security for Accounting Professionals.” The applications rely on the Internet to relay information back to the owner about the location of the computer after it has been stolen. One version can even detect a laptop camera, take a photo of the thief, and forward the photo to the owner for evidence. Such evidence can then be used to obtain a search warrant for the location reported by the software program.

Destruction of at-risk data can operate independently of an Internet connection. Programs monitor PC user behavior, and if certain thresholds are exceeded, security measures including data elimination are enforced. Such triggers can be based on a combination of pre-set conditions, including maximum time between client/server communications or number of unsuccessful log-in attempts. If the triggers are activated, the data on the computer can be quarantined through swift elimination of just the encryption key and locking down the encryption. If conditions change and the threat is removed, the administrator can remotely unlock the encryption and restore the key via the Internet. The data can also be completely destroyed if the administrator deems that such action will be necessary.

 

Training and Enforcement

Computer security training for all users helps enhance staff awareness of related risks and the firm’s policies for addressing the risks. The firm should have a person or committee take ownership of the responsibility for ensuring that personnel learn and comply with laptop security policies and procedures.

In the event of compromised client information, the client may need to be notified of the time and scope of the compromise immediately following its detection, depending on the facts of the situation and the laws of the state where the company is located. For instance, in 33 states there is an exemption to the notification requirement if the data has been encrypted. However, in Louisiana, New Hampshire, New York, Texas, Wisconsin and Wyoming, there are no exemptions to notifications even if the data is encrypted. Eleven states have not yet passed data breach disclosure laws.

Again, the best way to solve the security problems associated with laptops is through continuous and vigilant monitoring, policies, procedures, training and enforcement. Such security measures also make great selling points to clients and prospective clients.

 

Suzanne M. Holl, CPA, is vice president of loss prevention services with CAMICO Mutual Insurance Company (www.camico.com).

 

AZ CPA – October 2008

© 2004 ASCPA, Inc. All rights reserved.
Privacy Policy

Home  |   Search  |   RSS  |   Contact Us  |   Site Map