Portable Device Security — Protect Your Client's Secrets
As more portable devices allow CPAs to have 24/7 access to client information, many firms are now looking to protect private and sensitive data that may be stored on them.
There are several good ways to physically protect the data on laptops, netbooks, smart phones, personal data assistants (PDAs), memory sticks and other portable devices. Because these devices are small and generally not physically secured, they are especially susceptible to theft. Even if the data is protected and/or encrypted, theft of a portable device is nonetheless inconvenient and frustrating. In a worst-case scenario, the exposure of private and sensitive data could lead to serious consequences for a CPA firm.
Portable devices with wireless capabilities are vulnerable to a wide range of potential attacks. Some devices are stronger than others when it comes to security. For example, Research in Motion (RIM), the company behind the BlackBerry, has made significant strides when it comes to smart phones and PDAs.
Securing portable devices combines many different techniques. For example, you probably have one or more passwords that need to be entered before accessing data. Be smart and keep these in mind when using and creating passwords:
Store Data in Different Places
Don’t put all of your eggs in one basket. Never, ever allow your portable device to be the sole storage location of confidential or sensitive data. Consider storing data in separate locations. There are a number of storage mediums available that can be used for this purpose. External storage devices, like network-attached storage (NAS) boxes, are ideal. A reasonably sized NAS box can be purchased for under $200. In addition to storing data in different places, a NAS box works extremely well for frequent and timed backups of portable devices. This helps to guarantee availability of data if the portable device is lost or stolen. Keep in mind that the backup copy holds the same client data as the device, so the NAS box needs the same access controls and encryption you apply to the device itself.
Encrypt Your Files
Encryption helps ensure that unauthorized parties cannot access confidential and sensitive data, even if they have physical access to the portable device. Full disk encryption on laptops and netbooks is a must when such machines are used on engagements and may contain confidential and private client data. This technology prevents an intruder from starting a portable device without a password or biometric swipe. Note that full disk encryption protects data only while the machine is powered off; a laptop left running or merely asleep with the disk already unlocked offers no such protection, so shut down (rather than suspend) before leaving the device unattended.
Protect Against Viruses and Malware
Laptops, netbooks and PDAs should receive the same level of security as your office desktop computer. Viruses are very common on the Internet and could potentially cause significant damage if your device is not protected. Take the protection one step further by implementing a solution that defends against other threats, such as malware.
Use a Firewall
A firewall is an essential component in portable data protection. This mechanism monitors inbound and outbound traffic and also offers protection when you’re traveling. When using your laptop or netbook in a public space, you will frequently encounter various available networks. While some of them will enable you to securely access the Internet, others will appear to allow Internet access but covertly capture activity that may be passed through the connection. A firewall will help to detect the intrusion and automatically block these efforts. Bear in mind that a firewall blocks connections from other machines on the network; it cannot hide your traffic from whoever operates that network, so on public networks also insist on encrypted connections (HTTPS, or a VPN back to the firm) for anything involving client data.
Carry Only What You Need
Ask yourself, “Is it really necessary that I transport this sensitive information?” If the answer is no, then don’t put the sensitive information on the portable device. In addition to the aforementioned measures, deploying and training your staff on portable-device-security best practices will also help protect confidential and private data.
Know Your Device
Understand how your portable device works. Read all of the instructions. New portable devices have more features, which means that you will have more of a learning curve to be able to understand and use these items properly. Default settings are often the least secure for a device because every unit of the same model ships with identical defaults (including any default passwords and open services), so review and change them before the device carries client data.
Keep Up With Patches
If the device is a laptop, netbook or PDA, keep the patches current. Most vendors provide simple notification and update procedures (e.g., Microsoft Windows Update). If the device is a BlackBerry or other device with a proprietary operating system, make sure that the operating system is updated frequently.
Don’t assume that new portable devices have current patches installed just because you are deploying them for the first time. Often, devices are produced months before they are sold, and the operating systems they shipped with have since been updated.
Disable Unused Access Methods
If you have a portable device equipped with a wireless card (Wi-Fi, Bluetooth or similar) and that card is not being used, turn it off; an interface that is switched off cannot be probed or connected to. Lock the portable device when it is not being used or when it is being placed somewhere outside of your control.
Whenever using mobile data, always consider, “What could happen if an unauthorized person gained control of this information?” Look for and try to use the most secure methods for handling data. Vendors are a good source of information. Visit their websites for additional guidance.
James C. Bourke, CPA.CITP, CFF, is a partner at WithumSmith+Brown and also the director of Firm Technology. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and chairs the AICPA CITP Credential Committee. He was recently named one of the Top 100 Most Influential People in the profession.