Compliance

Complianceby Konrad Martin

Enacted to protect both employers and employees, compliance might be one of the most complained about requirements of any industry.  But compliance isn’t optional, and can do a lot of good, including preventing cybercrime.  Rather than grumble about it, CPA firms need to recognize that compliance,  correctly implemented and truly followed, provides needed policies and procedures as well as enhancing cyberprotection for the firm – and the firm’s clients.

Today, every State in the Union has some form of Personal Data Breach Law.  The State of New York places it emphasis on the actual breach of personal information (PI) “The Act requires that State entities and persons or businesses conducting business in New York who own or licenses computerized data which includes private information must disclose any breach of data… whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.”

The implementation of Compliance Laws be The State of New York, was originally met with a lot of resistance.  Most people felt that the new laws were nothing more than an inconvenience.  However, employers are now realizing that to comply with the State compliance laws means that the firm will be implementing Best Business Practices as they relate to Cybersecurity and this is now seen as a win for most companies.

More recently, compliance law was updated to focus on corporate compliance in the aftermath of highly publicized and questionable accounting procedures that brought down companies like Enron and WorldCom, through the Sarbanes Oxley Act (enacted on July 30, 2002).  This act later contributed to the creation of an “Effective Compliance and Ethics Program,” a framework for compliance that is still referred to today.

WISPs,  and business continuity plans are integral components of a compliance framework.  A WISP, or written information security program, is required to be implemented by most, if not all, compliance laws, both Federal and State.  Although the State of New York’s law only identifies what to do if you have a breach, a WISP will help you to also avoid the breach by implementing Good Business Practices such as the use of Portals, Encrypted Email, Encrypted Hard drives and training of Staff.  By implementing Data Breach policies in your business through the WISP you help to: “(a) Ensure the security and confidentiality of personal information; (b) Protect against any anticipated threats or hazards to the security or integrity of such information; (c) Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.”  In short, WISPs can help firms protect against cybersecurity breaches, and help them recognize when they do encounter a breach, and what to do in that situation.

Due to  their own personal experiences, most people are better aware of HIPAA, or the Health Insurance Portability and Accountability Act of 1996, which was created to help protect the privacy and security of certain health information.  According to www.HHS.gov, “Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems….While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.”  HIPAA sets standard that are designed to contain these risks, while still encouraging the acceptance of new technologies that improve overall healthcare outcomes.  Once again, the way that HIPAA is helping to contain these risks is to require some type of WISP.

Finally, although government regulations don’t require every industry to create a Disaster and Business Continuity Plan (CPA firms are only required to have one if they’re subject to SEC rules), just like all the fire drills you participated in as a kid, writing a Disaster and Business Continuity Plan is a great way to prepare your business – and your employees – in the case of an emergency.  Business continuity refers to maintaining business functions or getting those functions back up and running in the event of a major disruption; situations considered can comprise certain weather events (determined based on where the company and employees are located) as well as natural disasters, terrorist disruptions, or some other unexpected situation.  Business Continuity Plans are far more complicated and detailed than their WISP counterpart but they are a good idea for businesses to have.   The Business Continuity Plan details what you and your employees are to do in the case of a disaster or other event that may have an impact on you company.  The plan answers questions such as: who will let our clients know we are still in operation, what should we tell employees, who will answer emails, return faxes and tell delivery services where to forward packages and the Mail.  Since we rarely get a warning when a disaster is ready to strike, having this plan in place ensures that your employees know what they need to do to even if they can’t get into the office.

Of course, while compliance tools like WISPs, and business continuity plans are all important pieces of the cyberprotection puzzle, education remains The Key!  The weakest part of any companies Security are the people.  They need to be educated on how to use the Network and what attachements are ok to click on and what attachments are not ok to click.  This may sound easy, click only on emails that come from people you know, but wait, what if they were hacked and never knew they had sent you an email? –  In fact, most hackers are no longer trying to use brute force to break through a firewall; instead, they’re figuring out sophisticated and subversive ways to trick users into giving them access, either by having the user click on something that opens the network or using the personal information about an employee which they’ve easily gleaned from social media to create imposter accounts.

In one example of what’s referred to as “spear phishing” at a financial company, a hacker broke into the mail account of Heather, an administrator.  So, when someone emailed Heather to say they were going to stop by later to drop off a deposit, the hacker, responding as Heather, instead suggested that “Heather” was going to be on vacation, and asked the person to wire the deposit to a specific bank account instead.  This was all done without Heather’s knowledge – hackers can send emails and then delete the record of them right away or move emails to a mailbox the intended user doesn’t see or can’t access.  By the time the true reality of this situation was realized, it was too late to ask the bank to reverse the transaction, and the money – in this case, $250,000 – was gone for good.

I saw this demonstrated firsthand at a cybercrime seminar I attended, which featured a presentation by the FBI.  The presenter was clicking through his PowerPoint slides when he came to the picture of a house.  He asked if anyone recognized the picture, and one of the attendees declared that it was, in fact, his house.  The presenter then went through a laundry list of additional information he knew about the homeowner, including the names and ages of his children, his job, his spouse, his pets, and where he went to school.  The FBI Agent did not get this information using tools available to him at the FBI, he gathered all that information from the homeowners Social Media Accounts.

All companies and especially CPA firms must be vigilant in their cybersecurity efforts.  Why CPA Firms specifically, because they have what the thieves are looking for.  CPA firms understand that compliance is law, and it’s required.  In addition to avoiding hefty fines per incident, firms that maintain their compliance requirements are takingadvantage of the best practices when it comes to cyberprotection.  Partnering with a provider that can offer both the technical security of something like a Cloud 4 Data Security Center, combined with the ability to offer and/or encourage the type of training and education necessary, will ensure that a CPA firm is best positioned for long, trusted client relationships.  In this effort, embracing compliance, instead of grumbling about it, can go a long way toward keeping information safe and thwarting a hacker attack.

Konrad Martin is co-founder and principal of Tech Advisors (www.tech-adv.com), a leading technology solution provider for small to mid-size businesses.  He can be reached at konradm@tech-adv.com or 508-359-4028.