Interlocking security

Encryption alone is not enough to keep business data safe

If ever a case highlighted the need for a systematic approach to information
security, it was the theft from the car of an Ernst & Young auditor’s laptop
containing the credit card details and addresses of more than a quarter of a
million customers of hotels.com in the US. Sure, he should never have left the
laptop in his car, but even if he had taken it with him there was always a risk
of theft or loss.

The incident demonstrates that encrypting data is important, but encryption
alone is not enough. Users still put passwords like ‘password’ or ‘Dell’ under
the lid of the laptop or on the battery pack.

Data security requires a holistic approach. It’s as much about mindset as
about the need for passwords, secure ID tokens and encryption.

Security should be considered from all angles: physical, personnel,
procedural, technical, policy and regulatory. Most companies rely on the
physical and technical alone.

A good starting point for accountancy firms reviewing security is the ISO/IEC
27001 international standard. For example, checks should always be carried out
on potential new recruits. According to the DTI, a quarter of companies don’t
carry out any background checks when recruiting and one in eight does nothing to
educate staff about their security responsibilities.

It’s not good enough to give a laptop to someone who is always on the road
and tell them never to leave it in their hotel room. This sort of ‘no choice’
edict simply brings a security policy into disrepute. Everyone will have to
ignore it in order to do their jobs. If an auditor regularly has to leave a
laptop in a car for good reason, the company should provide a secure storage
box.

Ignoring security can have expensive consequences. Loss of sensitive personal
information counts as a breach of the Data Protection Act (1998) and can result
in a hefty fine. Quite apart from that, the damage to the reputation of a
company can be enormous.

All aspects of security should be considered together, so controls support
and mitigate each other and a failure of one does not invalidate the others.
That way, if an employee leaves a laptop in their car – against company policy –
its theft will not be disastrous if, say, the computer is protected by a
token-based two-factor authentication and encryption system, with the token
always in the user’s possession.

Kerry Davies is managing director of Echelon Consulting
