The COVID-19 pandemic required accounting firms to go 100% remote virtually overnight. While a good number of firms were either already in the cloud had implemented cloud-enabled applications, or had a structure to support remote workers, there were many personnel that had never actually worked remotely and were simply not prepared to do so. In the rush to get those users connected, some firms took shortcuts which could expose the firm to security threats. Since protecting client data is a fiduciary responsibility for firm owners, management should regroup virtually to ensure that proper remote work protocols are in place. Below we list ten considerations for working securing during this crisis.
Comprehensive Communications: In times of uncertainty, leaders must lead. This includes transparency in communications with both clients and firm personnel. Firm leaders must provide assurance that work will continue to be produced and that security and confidentiality of client information is paramount as people work remotely. Owners should communicate to clients and staff how client information will be protected through the use of secure email/portal solutions and explain processes for delivery of physical documents either through the mail or secure onsite protocols.
Secure Video Calls: Communicating face to face via video conferencing can help firm personnel deal with imposed isolation by adding familiarity to interactions. If your firm utilizes Office365, Microsoft Teams is an effective tool for video conferencing as well as messaging and on-screen document sharing, (as long as everyone has access to a video camera, microphones and speakers). At the start of the pandemic many firms jumped on the free version of Zoom without training, exposing security concerns. Firms can make Zoom somewhat more secure by requiring a password, mandating that all participants be first sent to a virtual lobby to then be admitted by the administrator/host, and only allowing the administrator/host’s screen to be shown. Personnel should also be reminded not to share screenshots of video calls on social media as the meeting access name can be exposed. It is also important to only run application updates directly from the vendor websites as hackers are sending out fake software update links.
Secure Logins: Many firms continue to utilize antiquated rules on passwords (8 alphanumeric/special characters) which today’s hacker tools can compromise. Firms should transition to very complex passwords of at least 12 characters or “pass phrases” (consisting of at least three random words) and also require multi-factor authentication to connect. Passwords should not be utilized on more than one account so using a password wallet such as LastPass, DashLane or Keeper will help keep them secure.
Secure Workstation: Employees should work only on firm-assigned equipment, but we heard of many personnel using their personal home computers. This should not be allowed if any other family members also utilize that device, and definitely not if it is still running Windows 7. Firms should verify any remote computers have automatic updates configured, particularly for the Windows operating system and antivirus/malware.
Secure Workspace Setup: The home workspace should be setup in a private area where client discussions and onscreen information can be kept confidential. Ideally, all work should be done only onscreen with all data and applications residing in the cloud or remotely accessed on the firm’s servers. If a local printer is used, all printouts containing client information should be shredded.
Secure Connection: Firm personnel should utilize a virtual private network (VPN) when connecting to firm resources through the internet and preferably physically connected by Ethernet cable directly to the router in the house or digital cellular network if the speed is adequate. If WiFi access must be utilized, the firm should verify that the employee’s WiFi router is secure by first updating the firmware on the router and changing the password. It is also advisable to segment business access from family/guest use along with “IoT” devices such as smart speakers, doorbells, video cameras, etc.
Secure File Access: All firm personnel should be trained on educating clients to utilize the firm’s secure email, portal and digital signature solutions for the secure transfer of source documents and firms should disallow the use of USB flash drives for any file transfer (preferably disabling the USB ports on firm-owned devices).
Security Policies: The firm should immediately review internal policies to ensure that they have been updated to address remote work requirements including client confidentiality, proper equipment configuration, secure network accessibility, team and client communications, as well as hours of availability when at home.
Security Awareness/Training: Information security is an ever moving, rapidly evolving threat, particularly in an unfamiliar “remote” environment, so it is imperative that firms keep personnel abreast of current threats by having the IT Team do security briefings. Employees should be educated on social engineering practices that hackers are using to get personnel to compromise the firm’s security as well as to be aware of increasingly sophisticated phishing and ransomware scams. Red flag suspicions should be raised whenever a message seems out of character, “urgently” requests financial or personal information, or asks the recipient to click on a link or go to a website, prompting them to contact the alleged sender to verify first.
COVID Scams: Personnel should also be made aware of hackers utilizing COVID schemes to trick staff members into downloading malware through “FREE” tools and resources for government loans, stimulus payments, and summaries of regulations. Accountants should only go to trusted, verified websites for such information and to not download data through email links.
While no one can predict the long- term impact of the pandemic, accounting firms are finding that remote work capabilities are not only a required, but highly viable solution and may well become the new norm as long as it can be done effectively and securely.
Roman H. Kepczyk, CPA.CITP, CGMA is director of firm technology strategy for Right Networks and partners exclusively with accounting firms on production automation, application optimization, and practice transformation. He has been consistently listed as one of INSIDE Public Accounting’s Most Recommenced Consultants, Accounting Today’s Top 100 Most Influential People, and CPA Practice Advisor’s Top Thought Leader.
This article was originally published for the Thomson Reuters Checkpoint PPC Accounting and Auditing Update newsletter. Copying or distribution without the publisher’s permission is prohibited.