PracticeAccounting FirmsInterlocking security

Interlocking security

Encryption alone is not enough to keep business data safe

If ever a case highlighted the need for a systematic approach to information
security, it was the theft from the car of an Ernst & Young auditor’s laptop
containing the credit card details and addresses of more than a quarter of a
million customers of hotels.com in the US. Sure, he should never have left the
laptop in his car, but even if he had taken it with him there was always a risk
of theft or loss.

The incident demonstrates that encrypting data is important, but encryption
alone is not enough. Users still put passwords like ‘password’ or ‘Dell’ under
the lid of the laptop or on the battery pack.

Data security requires a holistic approach. It’s as much about mindset as
about the need for passwords, secure ID tokens and encryption.

Security should be considered from all angles: physical, personnel,
procedural, technical, policy and regulatory. Most companies rely on the
physical and technical alone.

A good starting point for accountancy firms reviewing security is the ISO/IEC
27001 international standard. For example, checks should always be carried out
on potential new recruits. According to the DTI, a quarter of companies don’t
carry out any background checks when recruiting and one in eight does nothing to
educate staff about their security responsibilities.

It’s not good enough to give a laptop to someone who is always on the road
and tell them never to leave it in their hotel room. This sort of ‘no choice’
edict simply brings a security policy into disrepute. Everyone will have to
ignore it in order to do their jobs. If an auditor regularly has to leave a
laptop in a car for good reason, the company should provide a secure storage
box.

Ignoring security can have expensive consequences. Loss of sensitive personal
information counts as a breach of the Data Protection Act (1998) and can result
in a hefty fine. Quite apart from that, the damage to the reputation of a
company can be enormous.

All aspects of security should be considered together, so controls support
and mitigate each other and a failure of one does not invalidate the others.
That way, if an employee leaves a laptop in their car – against company policy –
its theft will not be disastrous if, say, the computer is protected by a
token-based two-factor authentication and encryption system, with the token
always in the user’s possession.

Kerry Davies is managing director of Echelon Consulting

Related Articles

PwC’s five strategic priorities for becoming ‘the leading professional services firm’

Accounting Firms PwC’s five strategic priorities for becoming ‘the leading professional services firm’

4d Emma Smith, Managing Editor
Mazars appoints new partner to accounting and outsourcing team

Accounting Firms Mazars appoints new partner to accounting and outsourcing team

4d Emma Smith, Managing Editor
FRC closes KPMG HBOS audit investigation, Treasury Committee expects ‘full explanation’

Accounting Firms FRC closes KPMG HBOS audit investigation, Treasury Committee expects ‘full explanation’

6d Emma Smith, Managing Editor
KPMG’s apprenticeship intake jumps to 181 in 2017

Accounting Firms KPMG’s apprenticeship intake jumps to 181 in 2017

2w Emma Smith, Managing Editor
284 new trainees join BDO

Accounting Firms 284 new trainees join BDO

2w Alia Shoaib, Reporter
PwC publishes 12.8% BAME pay gap

Accounting Firms PwC publishes 12.8% BAME pay gap

1w Emma Smith, Managing Editor
RSM recruits 288 trainees

Accounting Firms RSM recruits 288 trainees

1w Emma Smith, Managing Editor
Deloitte global revenues hit record $38.8bn

Accounting Firms Deloitte global revenues hit record $38.8bn

2w Emma Smith, Managing Editor