Home > California CPA Magazine > September 2008 Issue > Lock it Down

Lock it Down

California CPA magazine: September 2008

Laptop Security Requires Multiple Strategies

Missing laptops continue to cause losses for many CPA firms, especially in terms of user productivity, billable hours and business opportunities. Even worse is the possibility of a client data breach, the costs of which are significant. Along with the expense of notifying clients whose personal information has been compromised, data breaches affect client willingness to continue doing business with the organization that failed to protect their information. A 2007 study by the Ponemon Institute put such costs at $197 per compromised record, or $1.97 million for a database of 10,000 records.

Most experts agree that there is no silver bullet that will solve all of problems associated with laptop security. The best security comes from written policies and procedures, well-trained personnel and the steady application and enforcement of policies and procedures, including adequate safeguards in the event of a potential data breach.

Policies and Procedures
Establishing written policies causes managers to carefully consider the issues involved in the custody and care of laptops, including physical security (as in locking laptops to a desk or equivalent item), building security and access codes or keys. Policies should provide for the “least privilege” rule, in which users do not have any more rights or access to a laptop or program than they need to have, and should address the procedures that help secure information, such as:

•        Back up copies of all important data, stored and secured away from your office location, with sensitive information encrypted;
•        Installation of firewalls and secure configurations, including programs to scan for and counteract viruses, malware and spam;
•        Encryption of all confidential client data at all times; and
•        Use of strong passwords and authentication.

Each of these steps is important, but none is sufficient by itself for the adequate protection of sensitive information. For instance, a strong password is invaluable, but difficult to remember and, as soon as the user writes it down, it loses some of its protective value. Encryption of client data is also a necessity, but it can be unlocked or decrypted with a password or key.

‘Track and Trace’ Data Elimination
Policies and procedures that operate without user involvement appear to be most effective in reducing vulnerabilities. Software applications that bring such security include “track and trace” and data destruction programs.

Track and trace software has recovered more than 70 percent of computers that have the software on them, according to a 2008 report “Laptop Security for Accounting Professionals.” The applications rely on the internet to relay information back to the owner about the location of the computer after it has been stolen. One version can even detect a laptop camera, take a photo of the thief and forward the photo to the owner for evidence. Such evidence can then be used to obtain a search warrant for the location reported by the software program.

Destruction of at-risk data can operate independently of an internet connection. Programs monitor PC user behavior and, if certain thresholds are exceeded, security measures including data elimination are enforced, according to Cam Roberson of Santa Clara-based Beachhead Solutions. “Such triggers can be based on a combination of pre-set conditions, including maximum time between client/server communications or number of unsuccessful log-in attempts.”

If the triggers are activated, the data on the computer can be quarantined through swift elimination of the encryption key and locking down the encryption. If conditions change and the threat is removed, the administrator can remotely unlock the encryption and restore the key via the internet. The data can also be destroyed if the administrator deems it necessary.

Training and Enforcement
Computer security training for all users helps enhance staff awareness of related risks and the firm’s policies for addressing the risks. The firm should have a person or committee responsible for ensuring that personnel learn and comply with laptop security policies and procedures.

In the event of compromised client information, the client may need to be notified of the time and scope of the incident immediately following its detection, depending on the facts of the situation. In California there is an exemption to the notification requirement if the data has been encrypted.

The best way to solve the security problems associated with laptops is through continuous and vigilant monitoring, policies, procedures, training and enforcement. Such security measures also make great selling points to clients and prospective clients. 

 

Suzanne M. Holl, CPA is vice president of loss prevention services with CAMICO Mutual Insurance Company (www.camico.com). You can reach her at sholl@camico.com.