Managing cybersecurity risks

CPA firms and other businesses need to keep cybersecurity top of mind as they look to cash in on opportunities created by the growth of mobile and cloud computing. “It’s all about managing risk,” accounting-technology expert David Cieslak, CPA/CITP, CGMA, told a packed audience during his annual Security Update session at the AICPA Practitioners Symposium and TECH+ Conference (PS/Tech), held in June in Las Vegas.

Mobile and cloud computing were among the most talked-about topics at PS/Tech, with many discussions exploring the ways the two technologies are transforming the accounting profession. Some of the most dramatic changes are taking place on the cybersecurity battlefield. The proliferation of mobile devices connecting to business networks and the increased migration of critical data processing and storage to the cloud have expanded the number of potential targets for cyberattacks. This article outlines cybersecurity threats on the mobile and cloud fronts and lists steps that accounting firms, individual CPAs, and others can take to reduce their risk of suffering a devastating data breach.

THE BATTLE OF BYOD

Smartphone and tablet sales continue to grow at remarkable rates. Worldwide smartphone sales reached 144.4 million units in the first quarter, a 45% increase year over year, research firm Gartner reported. Tablet shipments jumped 120%, to 17.4 million units worldwide, according to a report from research company IDC.

The growth in the market for mobile devices has sparked a surge in malicious software targeting smartphones and tablets (see sidebar “The Malware Offensive”). At the same time, there has been a rapid rise in the number of employees—and, perhaps more important, executives—wanting to use their personal mobile devices for work, a trend called “bring your own device” (BYOD). With BYOD, organizations allow employees to connect to work IT systems with their personal devices. The practice can have several benefits (see the CPA Insider newsletter story “BYOD: A Revolution on the Rise“), but it also poses a number of potential security risks.

“BYOD is quickly becoming a significant threat to organizations,” said Cieslak, principal of Arxis Technology.

One of the biggest BYOD risks involves employees or executives downloading personally identifying or confidential client information to their personal smartphones or tablets. If one of those mobile devices is lost, stolen, or otherwise compromised, the critical data contained on it could fall into the hands of cyberthieves. Such a scenario could expose accounting firms and individual CPAs to liability and regulatory consequences while also causing untold damage to reputation and brand.

Organizations can attempt to block BYOD, but that likely would be a losing fight, especially when it’s CEOs and managing partners who want to access work systems with their iPhones and iPads. Instead, Cieslak recommends several steps organizations can take to mitigate the IT security risks associated with mobile devices and BYOD.

1. Require the use of lock codes on mobile devices. Only users who know the code should be able to access the device.
2. Prohibit the storage of work data on the device unless the data is encrypted.
3. Require all employees to sign agreements authorizing the organization to remotely erase all files on any lost, stolen, or misplaced personal device with access to the organization’s network.
4. Instruct employees to never use public Wi-Fi, such as in a coffee shop or airport, unless they immediately route all traffic through a virtual private network (VPN), which creates an encrypted connection between the mobile device (including laptops) and the host server over the internet. In addition, employees should be encouraged to use secure websites (those with “https” at the start of the address line) whenever possible. Many popular web apps, including Gmail, Twitter, and Facebook, offer such an option.
5. To avoid public Wi-Fi altogether, you can connect each mobile device directly to the internet via a 3G or 4G connection from vendors including Verizon, AT&T, and Sprint. Cieslak suggests the use of a fast, secure mobile hotspot device available from these cellular vendors, such as the Novatel Jetpack MiFi 4620L, or an alternative like the Clear Spot (clear.com). The Jetpack also made the list of recommendations from the presenter of PS/Tech’s Mobile CPA session, Marc Staut, national director of technology for top 20 accounting firm Reznick Group. Staut’s other favorites include the D-Link Mobile Broadband Wireless Router and the XCom Global MiFi. These mobile hotspots allow multiple mobile devices to connect to the internet. This could prove useful for accounting teams in the field.

To lower the risk of employees’ losing their mobile devices—especially smartphones, which easily can slip out of a pocket—Cieslak recommends a technology called Bluetooth leashing. Here are a couple of examples:

• The $89 Zomm Wireless Leash creates a Bluetooth connection between a smartphone and the Zomm device, which often is carried on a keychain. An alarm sounds when the phone and leash are separated. Zomm also offers concierge assistance and one-touch 911 service.
• The $60 Cobra Tag sensor can be attached to keys, purses, computer bags, or any other item you don’t want to lose. The sensor communicates with a free app that you can download to your Android or BlackBerry smartphone (Cobra Tag is not available for Apple devices). Cobra Tag alerts you if you leave your phone or tagged valuable behind. Also, Cobra Tag can act as a two-way finder. Press the button on the Cobra Tag to cause your smartphone to ring, or use the smartphone app to make the Cobra Tag ring. You also can download an application called Phone Halo, which can be set to automatically lock your phone when it is out of range of the Cobra Tag.

Geotracking offers another option for finding, locking, and even remotely wiping misplaced mobile devices. Apple, for example, provides a Find My iPad service on the iPad and a Find My iPhone app for the iPhone, which can be used to find, wipe, lock, or make a sound with another iOS device (iOS is the operating system on iPhones and iPads). While the service is free, it must be enabled on the device, and the user has to know the Apple iCloud account and password for the device. Cieslak encourages caution in choosing geotracking technology because it also can enable geo-stalking, which refers to unwanted tracking using GPS apps on mobile devices.

THE CLOUD FRONT

Perhaps no topic at the PS/Tech conference generated more chatter than cloud computing. While numerous speakers asserted that the top-tier cloud providers can offer much better data security and availability than small businesses could afford on their own, conversations with conference attendees uncovered an undercurrent of concerns about cloud security, particularly in the wake of highly publicized data breaches at LinkedIn, eHarmony, the Sony PlayStation Network, and others.

Accounting firms and other organizations should run through a long list of questions and requirements before shifting any services or data, especially confidential client information, to the cloud, Cieslak said. First, these organizations must decide which services and/or data they would like to move to the cloud. They then must determine whether any of that data—including personally identifiable information, personal health information, or corporate finance-related information—falls under compliance-related regulations or requirements. If the answer is yes, the next question is: What controls must be in place to meet the compliance requirements?

Once organizations have established the data parameters of the move, they need to decide whether to set up a private cloud (on-premise servers that can be accessed remotely), go to a public cloud (servers provided and maintained by a third-party provider), or try a hybrid model (see the CPA Insider article “Private, Public or Hybrid Cloud”).

Once those decisions have been made, organizations can begin to assess various cloud providers. This process involves asking detailed questions about the cloud service providers’ security policies and practices (see Exhibit 1, “Security Questions for Cloud Vendors”).

The answers to those questions should form the basis of a service-level agreement (SLA) between the cloud provider and the CPA firm, or another organization outsourcing to the cloud. The SLA plays a vital role in creating a successful relationship between the outsourcing organization and the cloud vendor. Every SLA should include the following, Cieslak said:

• A service summary or description with details on the hardware and software being used.
• Service-availability guarantees. What guarantees does the cloud provider make for data availability (uptime)? Don’t settle for anything less than 99.5% uptime, and make sure that the agreement defines downtime. Is it one minute, one hour, or one day? The downtime definition makes a huge difference.
• Security. Will your data be housed in a Tier 1 data center? What encryption technologies will be used for data transfer, processing, and storage? Does anyone working for the vendor have access to the data? Where is the physical location of the servers that would house, transmit, and process the data? Some laws and regulations prohibit the moving of certain information to overseas locations.
• Disaster-recovery expectations. What happens in the case of a catastrophic failure of the vendor’s infrastructure? Does the vendor have redundant hardware and networking?
• Service-request parameters. Is service available 24/7? Is there a cost? Are there any limits on the number of service requests? Are there different service response standards for emergencies as opposed to routine requests? What constitutes an emergency?

There are many more issues that the SLA should address (see Exhibit 2, “Service-Level Agreement Objectives,” and the April 23 CPA Insider article “How to Avoid Storms in the Cloud”).

CONCLUSION

The goals of IT security haven’t changed, Cieslak said. Everyone—individuals and organizations—should continue to take steps to minimize the risk of computer system and data breaches. Everyone should use passwords with capital and lowercase letters, numerals, and special characters, as opposed to simple passwords, which can be compromised by malware. Everyone should use anti-virus software and apply security patches to their operating systems. Everyone should take great care to avoid clicking on infected links in emails.

In the end, Cieslak recommends following a rule he has long touted: “Security first, convenience second.”

Jeff Drew is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at jdrew@aicpa.org or 919-402-4056.

Exhibit 1: Security questions for cloud vendors

Here is a list of security-related questions CPA firms and other organizations should ask potential cloud service providers:

1. What encryption mechanisms do you use for customers’ data?
2. In how many locations do you store customer data?
3. What safeguards do you employ to ensure that different customers’ data in a multitenant cloud is kept separate?
4. How is your data center physically protected?
5. Which of your employees have access to customers’ data?
6. How do you authenticate users?
7. What tracking, reporting, and auditing capabilities do you offer?
8. Do you comply with all relevant government and industry laws and regulations?
9. Have you undergone a Service Organization Control audit? Can you provide a SOC 3 report? (For more on SOC reports, see the CPA Insider article, “Explaining SOC: Easy as 1-2-3,” tinyurl.com/brgk47p).
10. What happens to data when you “delete” it? Is it completely removed from the system? What about backup copies?
11. Who owns the rights to the data?
12. How many and what types of security breaches have you experienced in the last 12 months? If there has been a breach, what new protections have you put into place?
13. How precisely can you specify the degree of access that individual users have to data?
14. What disaster recovery protections do you have in place?
15. What are your security scenarios? Why should I trust you?
16. What happens if we decide we want to discontinue using your services?

Source: David Cieslak, Arxis Technology.

Exhibit 2: Service-level agreement objectives

Here are a few of the goals you should accomplish in any service-level agreement with a cloud vendor. The SLA should clearly establish and ensure that:

• You own your data.
• You can get your data back if you ever decide to leave the vendor.
• The payment terms and conditions are understood and agreed to by both parties. There should be no questions about how pricing is set (by number of users or services, for example) and changed (the addition of users, the passage of a certain period of time).
• The vendor will help you migrate your data back to you or to another vendor if you decide to take your data somewhere else. The SLA should establish the costs, data format, and time frame for this service.
• You can retain your data on the vendor’s servers for a reasonable fee.
• Both sides understand what happens if a privacy breach occurs.
• There are money-back guarantees in the event the vendor fails to live up to its obligations under the SLA. Also, the SLA should spell out whether, in the event of a failure that affects you, the vendor automatically will issue you a credit or you must ask for one.
• You understand whether continual and material violations of the SLA requirements by the vendor will release you from the contract.
• The vendor guarantees transparency and proactive notification of system availability, production issues, scheduled downtime, and pending updates.

Source: David Cieslak, Arxis Technology.

The malware offensive

Hackers have responded to the surging popularity of smartphones and tablets by furiously developing malicious applications (malware) designed to attack those devices. Anti-virus software-maker F-Secure reports that the number of mobile threats more than doubled in 2011, while competitor Kaspersky Lab says that more mobile malware was discovered in December 2011 than in the entire seven-year period from 2004 through 2010.

The criminals’ top target is Google’s Android, the most widely used operating system in the smartphone space. Devices running on Android accounted for 51% of all U.S. smartphones in the first quarter, according to research firm comScore, while McAfee Labs reports that more than 80% of mobile malware that quarter was written for Android. Lookout Mobile Security’s Mobile Threat Report predicts that 30% of Android owners will find a web-based threat on their device this year.

Apple’s iOS, which comScore credits with running nearly 31% of U.S. smartphones, has avoided malware infections for the most part, though Kaspersky Lab and research firm Juniper issued warnings earlier this year that iOS could be at risk.

CPAs and other users of mobile devices can reduce their vulnerability to malware by installing mobile security software, which is available from makers including AVG, BullGuard, Lookout, McAfee, and Webroot, said accounting-technology expert David Cieslak, CPA/CITP, CGMA. Mobile device owners also should be on guard against social engineering schemes designed to trick them into clicking on infected links in emails or texts. Hackers often disguise their malware as apps, so mobile users should verify the veracity of apps before downloading them. It’s also advisable to avoid unfamiliar websites and web networks, where mobile devices can become infected.

AICPA RESOURCES

JofA articles

• “What’s Your Fraud IQ?” May 2012, page 44
• “CPAs Prioritize Tech Security,” May 2012, page 50
• “Technology Q&A,” April 2012, page 68
• “Heads in the Cloud: Part 1,” Feb. 2012, page 20, and “Heads in the Cloud: Part 2,” March 2012, page 34
• “Technology 2012 Preview: Part 1,” Nov. 2011, page 46, and “Technology 2012 Preview: Part 2,” Dec. 2011, page 30

JofA videos

• “Managing Controls, Risk in the Cloud”
• “The Cloud: Security and Opportunities”

Publication

Internet Fraud Casebook: The World Wide Web of Deceit (#WI643631)

CPE self-study

IT: Risks and Controls in Traditional and Emerging Environments (#733520)

Conference

Digital CPA: 2012 CPA2Biz Cloud User Conference, Oct. 28–30, Washington

For more information or to make a purchase or register, go to cpa2biz.com or call the Institute at 888-777-7077.

Websites

• Information Technology Resources, tinyurl.com/c83v8bl
• Fraud Resource Center, aicpa.org/fraudcenter

FVS Section and CFF credential

Membership in the Forensic and Valuation Services (FVS) Section provides access to numerous specialized resources in the forensic and valuation services discipline areas, including practice guides, and exclusive member discounts for products and events. Visit the FVS Center at aicpa.org/FVS. Members with a specialization in financial forensics may be interested in applying for the Certified in Financial Forensics (CFF) credential. Information about the CFF credential is available at aicpa.org/CFF.

IT Division and CITP credential

The AICPA Information Technology (IT) Division serves members of the IT Membership Section (ITMS), CPAs who hold the Certified Information Technology Professional (CITP) credential, other AICPA members, and others who want to maximize information technology to provide risk, fraud, internal control, audit, and/or information management services within their firms or for their employers. The division aims to support members and credential holders who leverage technology to provide assurance or business insight about financial-related information (direct and indirect financial data, processes, or reporting) to support their clients and/or employers. To learn about the IT Division, visit aicpa.org/infotech.