From the Summer 2021 issue of New Jersey CPA magazine (njcpa.org/newjerseycpa)
By Anthony Mongeluzo, PCS
Cybersecurity has been linked to computer use from the first day hackers made an appearance. The coronavirus pandemic has changed the thread of the security conversation like never before.
Though remote computing has existed for decades, what was essentially a trickle of workforce participation has turned into a waterfall. With a large workforce operating outside the traditional office, it’s worth reviewing cybersecurity issues from outside the office walls before turning inward.
Have computer, will travel?
Not quite. This is an unexpected question that my accounting clients and others ask. How safe is our data with staff working from home? If a team member uses their own computer and connects to your network, it presents a plethora of security issues. It dramatically increases the possibility that their device is the attic door to someone hacking your business. Here is a simple analogy: If you are circumspect about your home security and allow a dog walker, house cleaner or neighbor to have entree, an intruder only has to obtain the key or combination from any of these people to enter. The same principle applies to an employee entering your system with their own computer. You cannot know the quality of safeguards on each staffer’s personal computer or whether it is equal to what you use on the office’s network.
The choice is yours. You can accept the risk and reach for your prayer beads, hoping for the best. Allowing staff to use their devices creates problems of uniformity and security. Each individual computer could have a different security configuration. Also, you face the possibility that a wide variety of technical issues will arise that your IT person will have to confront. Think of a mechanic and your Audi. Do you want the guy who works on Audis every day or the one who sees one Audi per month?
One way to solve the issue is to make the investment and provide all your employees with a company laptop (or yes, even a desktop) that is explicitly configured with your safeguards in place. You add uniformity to the security picture and limit the range of technical issues that can arise.
Another benefit is that you eliminate downtime. Don’t assume there’s a computer for everyone in a household. If you need that report by 6:00 and your staffer has a high schooler who needs to log in for the advanced placement test, the last thing you need is conflict over who gets to use the computer. And a smartphone is not always the obvious answer.
If an employee uses a company computer, you can configure it the way your IT person or consultant suggests, ensuring that everyone is on the same page with capability and security issues, including monitoring how a staffer uses it. According to the Ponemon Institute’s 2018 State of Cybersecurity in Small and Medium Size Businesses study, “Mobile devices are the most vulnerable endpoints or entry points to networks and enterprise systems, according to 55 percent of respondents. Almost half (49 percent) of respondents say the use of mobile devices to access business-critical applications and IT infrastructure affects their companies’ security posture.”
Cybersecurity action plan
The following tried-and-true tactics can bolster your company’s security:
- Perform proper backups. I still see businesses (yes, even accounting firms) that regularly fail to back up their data. I’ve covered this before: offsite, onsite and DON’T keep the hard copy at the office (flood, fire, burglary). This trident security approach will provide the backup you need.
- Segment access. Who has access to client data? This can be touchy. It begins with encrypting your drive so that only designated employees can access it. If you have a more extensive accounting practice, it is almost mandatory that you segment access on a need-to-know basis.
- Create complex passwords. To protect your security, use a screen saver that activates automatically after a few minutes of inactivity. You don’t need someone strolling past and seeing someone else’s logon. This approach, combined with a multifactor authentication routine, creates a tricky bridge to cross if someone is trying to enter your digital realm.
- Test, test, test. This is where a few accountants I’ve worked with become uncomfortable. If I bring up the issue of security, they casually say, “Anthony, we have an excellent system. We’ve been reading your column in New Jersey CPA magazine.” The discomfort arises when I ask: “How do you know?” You need to have a threat assessment test against your network. I have a friend, an older fellow, who is a world-class jiu-jitsu competitor. He surprises people at the local level with his skill. Yet he still competes at the world championship level for one reason: He wants to find out how good he really is. He confirms his skill level — win or lose — and it gives him a clearer picture of his shortcomings. Some in-house IT personnel are adept at threat assessment; many are not. The best approach is a disinterested party, intent on (theoretically) taking your system down. That’s the only way you’ll know — like my world-class jiu-jitsu competitor friend — how good your defenses are.
- Fortify the fortress. Employ a higher-end security system. I’m not referring to Windows Defender (which is generally fine for home use). An example is Carbon Black, which offers exceptional protection.
ROI
A few of my suggestions can lead to increased investment. It’s not a dreadful amount (unless your organization has 50 employees who need laptops), but it requires a change in mindset. If you fail to make some of these fundamental changes, you’re going to grimace when undoing the damage of an intrusion. Consider that the work-from-home environment will not remain an isolated phenomenon. A portion of the workforce might never return to the office full time after the pandemic ends. For some, even if part time, working from home will be permanent.
Finally, I’m not a lawyer, but there could be legal repercussions from an intrusion if it affects your client or customer list. Having a robust cybersecurity system in place provides significant evidence as a potential defense, but the best defense is ensuring your data remains safe and sacrosanct with a security plan and systems that protect it.
Anthony Mongeluzo is the CEO of PCS, a 150-person IT managed services and support firm that provides technology solutions to a national client base. He can be reached at Anthony@helpmepcs.com, on Twitter at @PCS_AnthonyM or online at helpmepcs.com.