security setup for cpa

17 Sep

So how safe is your data?

I have a CPA firm that I have done some break/fix for, and they brought up the question of “How secure is our Accounting Data”. They use Lacerte and Quickbooks. They are using SBS 2003 Standard and have a SonicWall firewall as well as SBS in a 2 NIC configuration.

I looked at your earlier blog back in March of ’06 regarding Intuit wanting to increase security. But what can be done for the current (or now previous) versions? The question of encryption came up – encrypting the \Accounting folder on the server – encrypting emails that have quickbooks files attached etc….do you have a best practices for Accounting firms FAQ?

Dear Accounting Industry:

I want you to do me a favor.. I want you to go to your network and open up the Lacerte or CCH tax software program data directory. Are you there yet? Okay now drill down to the client data folder. There? Okay now pick any sample tax client you have and open up the data file in notepad. In that somewhat hard to read raw file that you are looking at do you see the obvious stuff? A name. An Address. And the best one of all? A social security number? And if the client has efiled and placed in the file the bank account deposit info for automatic deposit, you’ll see that too.

Now keep in mind.. you are in NOTEPAD. We’re not talking SSL, Diffie whatevered encrypted version of a notepad mind you …just raw data file open. While the tax software vendors will tell you “oh yes we use encryption” …all they are talking about is the transmission for efiling up to the IRS. Your data files are not encrypted while sitting on the server.

At the present time I am not willing to go on record (nor was I when I was the Technology Chairman for the California CPA Society a few years back) and state that you MUST encrypt those data files because at the present time no tax vendor has gone on record as supporting a network based encryption. I personally don’t feel comfortable taking that position….. yet.

While Intuit has majorly stepped up to the plate by supporting non administrator rights in Quickbooks, none of the Accounting vendors (from last I checked anyway, and I will go back and recheck) provide whitepapers on how to do network encryption.

Now then, that doesn’t mean you are sitting there as a sitting duck. Look at the current risk and take appropriate actions.

1. Emails. NEVER EVER EVER EVER email a tax return in pdf format without taking some ….what I consider…… basic security protection. The easiest way I have found to email sensitive information is to ensure that you have done pdf password/encryption on it. That to me is the lowest bar standard. The industry has yet to embrace digital certs and we won’t be running Exchange 2007 in any quantity that does an auto encryption to another 2007 server to be a viable option as well. The swapping by “Alice and Bob” of digital certs is seemingly beyond the capability of most firms… so encrypt the document at a bare minimum.

2. Employee awareness. Ensuring that the staff… especially those in the support roles understand that when they see a document that has PII (social security number) on it, that they need to stop, and ask the person giving the task to them if the document has been appropriately protected. Ensuring that the person sending the info out the door is the one that stops and thinks “what am I doing? Am I protecting it enough” goes a long way to protect client data.

3. Confidentiality agreement with External consultant. Since the question was brought up by a Var/Vap, I’d hope there is an engagement letter understanding between that client and the var/vap.

4. Acceptable use policy and Admin rights. The biggest risk to my network is not my SBS box. It’s any user running a default setup of XP. That means local admin rights. If they have admin rights and can surf anywhere on the web… they are a risk to that data. Start moving folks to non admin. If you don’t feel comfortable with that yet (Vista will push the vendors more), then ensure you have a/v that updates every hour on the hour, an anti spam, Outlook 2003 that better protects emails, and IE 7 on the desktops. Maybe you aren’t ready to move all of your workstations to nonadmin rights… but start with some. Start with the Secretary that surfs to myspace.com during the lunch hour. Or the one that you’ve had historical problems with as they’ve installed every Outlook signature icons and ended up with malware before. Baby steps. Start with some. I think you’ll find that most folks that do basic computing don’t even know that they don’t have admin rights if you are the ones pushing the updates.

If they remote in from home, you demand that they sign a document that states that they have up to date a/v, anti spyware and you have the right to review their home setup. In my office we buy the a/v for all remote users. Educate folks as to what blind surfing can do. Block Myspace and other non essential, non business web sites if necessary.

This is possibly where I differ from some in my paranoia philosophy…. the data encryption…while it’s your last line of defense… it truly is your last line of defense. If you are relying on that to protect your clients data, I would hope that you would have had a heart attack way before that time as someone got past your layers of defense (and yes, even in SBS networks we have layers). It’s like someone once was commenting about the risk of the Administrator username and password in using it on the desktop when launching “RUNAS” to give elevated rights to an application, that during the elevation, that keyloggers could capture that username/password… and my thoughts are … if a keylogger is there on the desktop capturing that…. I’ve got a bigger problem…. something got through my shields.

5. Mobile data. This is where the manner in which you use your laptops and Smart phones and Pocket PC devices will help you decide the tools you need to protect remote devices. If that remote device has sensitive data on it, remember Law number 3 of computer security… once that device is out of your possession, it’s no longer your device. So have a way to either never store data on there in the first place, encrypt the data on there when it’s on there, and/or wipe it when it’s no longer in your possession….. so for mobile devices it’s:

* Windows Mobile 5 and remote wipe technology
* Laptops that have http://www.pgpdrive.com to store sensitive data
* Consider Vista and bitlocker (in Enterprise and Ultimate versions)
* Remote wipe technology for laptops
* Bottom line, plan on losing that laptop and the necessary steps you’ll take to ensure data on that device is gone.

And think about setting up a security incident plan. If the firm is small enough, it doesn’t have to be a formal plan. I was watching last night on the Discovery channel about how the FAA landed all airlines in a 3 hour period, during the first and only time they’ve ever grounded all air traffic in the USA after 9/11, and upon reviewing what happened that day and to better document the ‘best practices’ learned, they ended up deciding afterwards that formal written policies would only hamper and not help. But having general guidelines and education was a better way to handle the unexpected. Trusting in the FAA controllers to make appropriate decisions, rather than straight jacket them into policies and processes that might not work the next time was the best practice they came up with. Inform your employees that the MINUTE they lose something, they need to inform you. Use the Technology Assessment toolkit time to discuss this with them.

Bottom line… look at the data. Do an inventory of where that sensitive data is. Educate the employees, as they truly are the best security tool you have. Build in technology, layers and tools. Push vendors for better protection. Ask the tough questions. And know that we are on a journey… and what we say today is good enough…. won’t be tomorrow.
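The “open it in Notepad” exercise above and the “do an inventory of where that sensitive data is” advice here are the same check done at two scales. Below is an added example (not code from the original post, and not anything the tax software vendors ship) that walks a directory tree the way a firm’s IT person would walk the tax program’s client data folder, and reports which files hold plaintext SSN-looking values. The two sample files it writes to a temporary directory are constructed for the example; the directory name, file names and the SSN value in them are assumptions, not real client data. It only ever prints the last four digits, so the inventory report is not itself a PII leak.

```python
"""Inventory scanner: find client data files that hold plaintext SSNs.

Added example, not from the original post. It does for every file what the
author asks you to do by hand for one file in Notepad: look for PII sitting
unencrypted on disk. The sample files below are constructed for this example.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample data (assumed names and values): one "client data file"
# that exposes PII in plain text, and one file that should not trigger anything.
SAMPLE_FILES = {
    "clients/smith_2006.dat": (
        "NAME=JANE SMITH\n"
        "ADDR=12 MAIN ST\n"
        "SSN=123-45-6789\n"
    ),
    "clients/notes.txt": "Meeting at 3pm, bring the quarterly summary.\n",
}

# Formatted SSN: AAA-GG-SSSS, excluding areas 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

MAX_BYTES = 10 * 1024 * 1024  # skip very large files; tax data files are small


def mask(ssn: str) -> str:
    """Keep only the last four digits so the report itself is not PII."""
    return "***-**-" + ssn[-4:]


def find_ssns(text: str) -> list[str]:
    """Return masked SSN-looking values found in a block of text, in order."""
    return [mask(m.group(0)) for m in SSN_RE.finditer(text)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each file (relative, POSIX-style path) to the masked SSNs it holds.

    Files are read as bytes and decoded with undecodable bytes dropped, so a
    binary vendor format still gets scanned for the ASCII digits embedded in it.
    Only files with at least one hit appear in the result.
    """
    report: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_bytes().decode("ascii", errors="ignore")
        hits = find_ssns(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree() -> Path:
    """Write the constructed sample files to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="cpa_inventory_"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    # Point scan_tree() at the real client data share instead of the sample
    # tree to build the inventory the post asks for.
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {len(hits)} plaintext SSN value(s): {', '.join(hits)}")
```

Run it against a copy of the data share, or against the share itself with a read-only account; the point is the list of file paths, which is the inventory you then decide how to protect. A pattern match is a starting point, not proof: a nine-digit number in a different layout will be missed, and the area/group/serial filters only remove the obviously impossible values.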

I’m not ready to tell you to set up EFS on your network…… yet. Ask me again next tax season… 😉