Those working remotely while traveling or on-site with a client may wonder if the data and work on their laptop are as safe and secure as when in the office.
In many cases, the answer is no.
Almost anytime you work outside the office, you're open to invasions from hackers if your device or the Wi-Fi network you're on is not secure, said Jerry Ravi, CPA, a partner specializing in technology solutions for EisnerAmper in Iselin, N.J.
Risks can come from connecting to a compromised internet resource or contracting malware from a client-supplied USB device, said Roman Kepczyk, CPA/CITP, CGMA, director of firm technology strategy for Right Networks. And, of course, the risks go up if your whole device is stolen or lost, he said.
"If these devices are not secured properly, they could give thieves access to confidential data on the device or even allow access to the firm's network," Kepczyk said.
Complacency about security can lead to problems as well, said Michael Dickson, CPA/CITP, director of information technology services at GBQ Partners LLC in Columbus, Ohio.
"A lot of people say, 'Why would they target me? I'm boring,'" he said. "The truth is, every person has attributes that represent money to a hacker."
Hackers can sell lists of names, addresses, and phone numbers, Dickson said. They can capture your login credentials or access directories on your computer as well, he said. And it can mean big trouble from regulators — as, for example, the 2017 Equifax data breach, which led to a hefty fine in the UK, as TechCrunch reported.
There are ways to protect your devices outside the office, however, and following this advice from Dickson, Kepczyk, and Ravi can help:
- Don't trust public or "guest" networks. The best practice while on-site with a client would be to access the internet through a secure guest network connection, Dickson said. "However, unless your client has a top-notch security team, there is really no way for a traveling CPA to know how secure the guest network is," he said. CPAs out in the field should protect their clients' data by connecting to firm servers only through secure virtual private networks (VPNs), he said. (More on VPNs in the tip below.)
- Implement mandatory security measures. An organization can set up a secure VPN through which employees must log in when they work remotely, Ravi said. It's now possible for even the smallest organizations to do this because basic anti-virus software that most organizations purchase comes with a VPN component, he said. If the employer is responsible for configuring, managing, and enforcing the VPN, then employees won't have any choice but to connect to that secure network, Dickson added.
- Use your cellphone as a mobile hotspot. If you suspect that a client's guest network is not secure or you are working in public places such as coffee shops and airport terminals, another option is to use your own cellphone to create a secure connection to the internet, a function known as a mobile hotspot that only requires connectivity to your cellular network. "I know it's a lot harder for someone to get into my personal hotspot because it has a password attached to it," Ravi said.
- Use cloud-based file-sharing services. If you're working in a client's office, it could seem simple to transfer files between computers using a USB device, but this poses a risk, Kepczyk said. If the client's device has malware, that can be transferred through the USB to your computer, he said. Instead, cloud-based file-sharing applications can be used, Ravi said. Citrix ShareFile and Microsoft SharePoint are two examples where files can be stored securely via cloud-based software and accessed by both you and your clients through a secure internet connection, rather than sharing them via USB or sending files via email, he said.
- Be aware of your surroundings. Thieves can pose a physical risk to your laptop, tablet, or phone as well, Kepczyk said. It's important to password-protect your devices and encrypt your hard drives to make them more difficult for thieves to access should they steal your device, he said. Also, simply securing your device is important as well; don't leave devices where a thief could pick them up and walk away with them. And finally, beware of lurkers around you. Someone nearby in a coffee shop, for example, could simply capture the information displayed on your screen. A computer screen privacy filter (like the 3M privacy filter) can prevent that, Kepczyk said.
- Offer ongoing cybersecurity training to your employees. Organizations should offer training that includes an annual review of the firm's security policies, discusses new IT threats, and offers reminders on good security habits, Kepczyk said. "Ongoing education is critical, as I have found that the more people do work remotely, the more lax they get on firm policies and security," he said.
If the client has a guest network with a weak password, a hacker could get into that network to access your files, he said. Be aware, too, that if the client has a guest network that doesn't have a password, it's possible for someone sitting outside the building to infiltrate the system and, by extension, your files, he said.
Essentially, when employees start up computers and initiate the VPN connection, they can securely connect to all of the resources they would in their own office, even if using private or public Wi-Fi networks, Dickson said. "All of the security precautions are in effect as if they were at the office," he said.
Lea Hart is a freelance writer based in North Carolina. To comment on this article or to suggest an idea for another article, contact Chris Baysden, associate director – content development, at Chris.Baysden@aicpa-cima.com.