Data security in the age of working from home

Intro:
Hello, and welcome to the CPA Australia Podcast. Your weekly source for accounting, education and career, and leadership discussion.

Alan FitzGerald:
Hello, and thank you for joining CPA Australia and me today in a special podcast where I'll be giving some tips to consider when thinking about data security when your team is working from home. This podcast was recorded in April 2020 to provide an insight into key issues around data security in the age of working from home in response to COVID-19. I will discuss topics such as business continuity plan, security and software upgrades, as well as the security of physical hardware, which are relevant to any business at any time, but more relevant to the accounting fraternity.

I'm Alan FitzGerald, and I've spent nearly 21 years in the Australian tax and accounting software market. Four and a half years ago, such as demand from firms, I was encouraged to set up an advisory practise to provide a technology agnostic advisory service. My daily discussions can see me advising sole practitioners, small businesses, national mid-tiers to big four accounting firms, because often they don't know what they don't know. They're seeking typically options for practise management, improving workflow efficiencies, document management. And I also assist multinational corporations that in areas of audit technology, international tax, sometimes transfer pricing, and often more. I've regularly presented accounting technology conferences, and I'm often invited to share advice in forums, podcasts, such as today, written interviews and more. I'm really looking forward to today.

Now, data security can be simply defined as protecting digital data such as those in your practise management or client management database from unauthorised users, particularly from cyber attacks or data breaches. Today, I'm going to be actually telling some real life stories that I've experienced over the past, certainly over the last 12 months, but definitely over the last couple of weeks. And this is one of the reasons that CPA in Australia, and I want to bring some of this real life information to you in a topical manner.

So business continuity plans, many of the firms that I've spoken to over the last couple of weeks do not have a business continuity plan. To me, that's actually quite scary. What is a business continuity plan? And why is it so important? And realities why do so a few businesses that have them? What COVID-19 has done is rapidly uncovered an unforeseen challenge. The jump from the occasional, I think I'll work from home today has suddenly turned into an all staff, literally no longer being hands on deck. And now they have become a distributed workforce. When you have a distributed workforce, challenges result from that. But the thing is business continuity planning is not limited to virus attacks, particularly of what we have now, the worst kind. It could be a fire in your premises. It could be a blackhead. Your server could blow up. If you're a desktop client server. It could be a flood. It's basically anything that could potentially prevent your business from operating.

A business continuity plan gives you an idea of what to do in the event of some of these events happening. It gives you a framework to work with. Over the last few weeks, I have been sadly inundated with firms looking for assistance, and naturally I've helped as best as I can. But depending on how the firm systems have been configured, it has either resulted into two situations. One is business as usual with some minor tweaking along the way, absolutely. To the extreme, and I've had several of these where the partners are now questioning their decision to engage their mates, brother-in-law's son for IT. Because the biggest question they have right now is, where is he? Because we need them right now.

Over the last five to 10 years, probably more 10 years in the accounting industry, sadly I've seen a lot of complacency. I've been working with firms for a long, long time. And resourcing of those firms has always be grudgingly been undertaken. The reality of these though, is that in the last 10 years or so, the dependence on system has become so high that the constant refrain that I hear of "These systems are costing me a fortune" is often the statement rather than these systems have created for me a business that has given me the lifestyle that I have, so I need to ensure that I'm using the tools that are best suited to me and to my business goals.

Unfortunately, no firm that I've come across embraces continuous improvement. And what I mean by that, generally it's a wholesale jump from one thing to another. And the fact that the cloud offering, moving from the client server to the cloud, which if properly implemented are arguably more secure than a client server networks. It's testimony, but to this. The take-up by firms has unfortunately been very, very slow. In one instance, I know where a firm went from a client server to set up to the cloud and then reversed it because the partner did not like the look of the invoices. Now in the working from home climate, the firms that have contacted me are typically the ones that are not in the cloud. What I foresee happening is that the shift to cloud will be faster from now on that an ever has been before. But there are challenges before we can even get to that point.

Overlaying today's discussion will be basically the Notifiable Data Breache Act or the equivalent such as GDPR in Europe, fundamentally the protection of client data. Now I'm not going to go into the ins and outs, but it's about not taking appropriate measures opens up your business and everything that you've worked for to severe penalties. Common things that I get to find is, the questions that I get asked is, what is the problem with not having a plan in place? We've all heard the, "Failing to plan is planning to fail." Benjamin Franklin was one of the first to espouse that. That were the impacts of this crisis predictable? Of course they weren't. But as I mentioned earlier, if your office went up in smoke or there was a fire and all, everything was flooded, your staff would still need to work. So are some firms managing better than now than others? Yes they are.

So you have to then question, well, why are some firms managing better than other firms? Why are some firms able to rapidly allocate work to distributed workforce with minimal impacts where everyone is affected? Compared to those that are reliant on, say the older style legacy client server setups, the cloud-based environments, they will generally be better off. Now, before you can fix the problem, you have to actually understand what the problem is or what the challenges are.

How should you determine your level of risk and develop a plan? Now is probably the wrong time to do it. You're obviously helping your clients, which is great, but you need to think about this from a future planning perspective. And the best way to approach it is to think about how you would like another organisation to manage your data. We think about organisations such as the bank, and the old joke is we trust banks with our money, but they don't trust us with their pens. It's about what level of trust can you have in an organisation when you give them your information? A very simple way to do this across all facets of your business is to use a simple weighted scoring system. If you have for argument's sake, no plan, give yourself a zero.

If it's ad hoc, give yourself a one. If processes can be repeated, but they're not necessarily repeated, give yourself a two. If you've got a bit of a plan and it's reasonably defined, give yourself a three. If it's managed by someone, give yourself a four. And if it's well defined, and if it's well-managed and even better, if it's automated, give yourself a five. Now the opportunity here is to try and aim for three or better. But you have to not be too hard on yourself because you will not meet every score at every time. But aim again to think about an organisation with your data, how would you want them to manage it?

Now, the important thing is if you are using a legacy system, when I refer to legacy systems, I obviously think about where you've got a server on premise. Think about it as well from a whole of business perspective. A good example is, I lock my bicycle. I do a lot of cycling. I lock my bicycle with two locks. I've got one on F on my front wheel. And I got, I have one on the rear wheel as well, because I want to make my bicycle less of a target compared to the bicycle that's only got one lock. If you look around the city, the number of bicycles that don't have front wheels, because people have made it easy for someone to take the front wheel. You need to think about making your business less of a target. We're going to take a short break. Once we're back, I'll discuss the importance of security and software updates. Speaker 3: The Public Practise Conference will be going virtual this year on Thursday the 8th of October. This one day flexible programme is designed to provide you with the tools and knowledge to navigate today's challenges and build your firm for the future. Confirmed speakers include Alan FitzGerald. Registrations are now open. Go to cpaaustralia.com.au/apc, or look for the link in the show notes.

Thanks for joining us again. We're now going to head off into the exciting topic of security and software updates. why can employees working from home lead to an increased risk of viruses and securities issues? Well, in my view the current rush to working from home has left many businesses, unaware that they're increasing the risks of exposing their data. We've all heard of the incredibly popular Zoom platform, but that platform has in turn been criticised for security holes in its product. Now, once these are being addressed, the risks still exist. Depending on your office set off, staff may also be using home computers. I'm dealing with a number of firms where they have the big boxes in the office rather than laptops, so that if the staff haven't taken those boxes home, because they need to connect to the network, they're actually using the home PC.

Now, many home PC's don't necessarily have the appropriate software that are compliant with safe office practises. Most home PC's, or certainly a large percentage don't necessarily have antivirus software, and at best are not overly secure. Connecting these back to your office network can run the risk of opening up your network to attack. I've just mentioned the antivirus software, so there's a lot of phrases going around at the moment. Let's delve into some of them. What is the difference between topics like malware or ransomware and antivirus? Antivirus virus should be considered your first offence. Now, the name is a bit of a misnomer because originally it was to capture and eliminate viruses, but most suites have now evolved to include capabilities of capturing a wide range of nasties. The key thing about antivirus is that it must be updated regularly and it must be a comprehensive solution to capture as many areas of risk as possible.

This leads into the next one, which is malware. That's M-A-L ware. It's a collective term, basically for any software that intentionally is designed to cause damage to a computer, or a server, or a computer network. You might've heard of phrases such as viruses, worms, Trojan horses, ransomware, spyware, et cetera. Ransomware is particularly nasty, and can I say conniving? There are several ways that this can get into your computer's network. And it a heightened risk right now and has been well-documented in the media that in the COVID-19 and in working from home, there are people out there, like them or not, they are going to try and get into your systems. And the most common avenue for this is through spam email. Obviously we're all familiar with spam, I get thousands of emails a week from various spam thing. It's an unsolicited email that looks authentic, but is used to deliver a bad piece of code or a nasty piece of code.

Now, a good example of this was about a year or so ago where people were sent information from the website, ato.com.eu. Now ato.com.eu doesn't exist because we all know it's ato.gov.eu. But the emails were designed in such a way that they looked almost exactly like an ATO official email and had links within there as well. This type of attack is called email spam. And it's basically to trick people into opening attachments or clicking on links that appear to be legitimate. It's based around social programming. If you get 15 emails from the ATO on any one given day, and another email comes in the 16th email, and instead of ato.gov, it comes from ato.com.au, you're used to, and you're familiar to clicking on the emails. So when an email seems to be from a trusted institution or even a friend, that's the opportunity for the hacker and that's when they get into your system.

Now, the challenge with these is that these may include what they're called booby-trapped attachments. So PDF's or word documents, or even links through to malicious websites. But if downloaded, it basically locks up your computer or your network with the goal of forcing you to pay a ransom to have it freed up. Now, the ransom, because there aren't, I'm going to tell an example of this, but the ransom is demanded in cryptocurrencies. Think of things like Bitcoin. It basically makes the hostage taker untraceable. There are only a few options to be able to use in this type of scenario. One is not paying and that's fair enough. And I think it's probably the best way because it dissuades future attacks. The challenge is that if you restore from your backup, you have to ensure that your backup has been done properly.

Now, I am actually working with a firm here in Melbourne that last about six weeks of whip, because they were held to ransom by a ransomware attack. This is a legacy system, but 25 staff, they lost six weeks of whips. They were actually getting invoices payments coming through, but they had no way of actually reconciling those accounts, because the best backup that they had was from six weeks prior to the infection. They had lost all of that information. Now that costs them several hundreds of thousands of dollars. I do also know of other firms that have, and this is anecdotally that have just paid the ransom to the hostage taker.

That challenge then is, do you hope that you go back to your old backup and fingers crossed that it's a good backup and you don't lose too much time, or do you talk to the government or talk to the insurance companies who then say, "Look, pay the ransom, or we'll try some other processes within there." To avoid getting hacked or getting attacked by some of these viruses or ransomware, what are some of the things that public practitioners should put in place? I've talked a little bit about antivirus software, again ensure that your antivirus software is the best that you can buy, basically and that will definitely minimise your exposure.

You should also consider VPNs or virtual private networks when the staff are connecting back to your network. We hear about VPNs all the time, but really simply what it is, is that because you're using the public network, so when you think about all of your staff being in the office, you're on your own isolated network. When you're using or working from home, you're using the public network, be the Telstra, or Optus or iiNet, or whomever to connect the home office back to the central office, a VPN creates a private network within the public network. It allows users and everybody within that firm to share data through a public network by encrypting that information. They're obviously very popular with businesses who want to secure private data while also making it accessible to be able to work remotely. If you have a legacy software that runs on servers in your office, it is imperative that your IT teams patch those servers with the latest software's on those servers and then in any laptops that are taken home, but also any desktops that are managed within the office.

Now for clients that are not using cloud software and again, using on the server that you must ensure particularly for the areas such as Microsoft, and Microsoft I have to say to their credit has become more and more secure over in the past couple of years, but you must ensure that the latest updates are on there. You also have to control within your practise who can download what pieces of software and when? A properly set up network will have centralised management over who can download the software. Now I've been around the traps long enough where I've seen the staff have been given carte-blanche to download software wherever they want. And frankly, that's not good enough. A system needs to be put into play and maybe go back to that weighted measure, the zero to five checklist and think about, do we give the staff the freedom to download software? Because it might not necessarily be business related software. It could be software that they're looking to use themselves.

Switch off your laptops. Ensure that they're password locked. Some amazing things can happen when people leave their software opened. Review your passwords. You will be amazed at how quickly the passwords can be broken. You can use a centralised password locker for password generation, and they can also capture all of those passwords. I'd actually suggest, and basically impossible to crack software codes. You need to think about accessibility errors, which can also be controlled with software. There's a product called practise protect, which is very popular in the accounting industry in Australia. They lower the chances of hackers in different times zones to hacking your network. Two-factor authentication, you would all be familiar with that. Any application that you can use that has two-factor authentication, please use that system. Physical access to your office. Who has got physical access to the office? Who's got access to the login protocols? Offshoring teams, they should only have access to limited files, preferably in a secure location and you can tie this in with the accessibility softwares that are available within there.

You can also consider at a future stage probably now is not the right time, but to think about what's known as ethical hacking or penetration testing. And this is where you contract a third party and basically say to them, "Look, we think we've got it right. Can you please try and break into our systems?" These are some of the simple things that you can do within there. Having employees working from home also presents some hardware considerations. As I mentioned before, sometimes employees will be using their own computers or devices, so what considerations do you need to be aware of to manage these risks? Now there's a difference between supplied company equipment versus what's known as the industry as BYOD or bring your own device. The challenge is when you think about this is you have to understand or question who implemented either the piece of hardware or the software? And frankly, whose credit card is being used to pay for the subscription?

And is the software approved for use, or is it just being used as a quick fix? If you travel overseas? Not that many of us are travelling overseas these days. You need to also be cognizant of travelling to certain jurisdictions because many jurisdictions overseas, particularly if you consider China, as soon as you land in that country, they softwares will pretty much automatically be put onto your software. Even connecting your telephone, as soon as you connect to the Chinese network, a software is downloaded onto your telephone. But also simple day-to-day things. What is the plan if something gets lost? If you leave your laptop in a cab, or if you've dropped your phone, or if it's broken or you lose it, can you erase the data from that machine so that it doesn't necessarily fall into the wrong hands.

Are things like antivirus, the anti-malware, are these scans happening on a regular basis on your laptops that are connected into your network? When we move from our around particularly laptops, we're often connecting into WiFi networks that are not part of the firm's infrastructure. Consider free WiFi networks, for example. Free WiFi's as fantastic as they are, can actually be a risk when travelling. If you do have people out in the field, you need to understand what network that they're actually connecting to. Now, some firms supply dongles, laptops these days often have a SIM card built-in, and in a worst case scenario connect through a mobile phone. They are generally more secure than connecting through to a free WiFi network.

Now, this next one is a bit of a controversial one, which is about letting parents, kids use the company laptops. Unfortunately, that is a really bad idea because kids games tend to have very, very lax security, and they can really open up your business to risks within there. Because it's basically a gateway or a hole that that can be used. My favourite one is really, if no one is in your office and you have a client server set up, who's actually looking after the backups? So when was the lack of last backup on restore? Now, I had a situation a number of years ago, where the firm regularly did test backups and restores, but the IT guy, unfortunately only backed up a small section of the data to test. When their server collapsed, they thought comfortably, "Oh, well, we've got everything backed up." But they actually had only backed up a small file and they had lost all of their information.

I've seen many, many instances of data losses where the incorrect backup routines have been set. Double-check, triple-check every time, often if you have the opportunity, take a complete backup routine and just make sure that your data is there when you need it. I'm going to wrap up now with a couple of points. The key consideration from this podcast that I'd like you to take account of is to ensure that your antivirus is up-to-date and comprehensive. This is probably your number one defence against data breaches. Make sure your passwords are robust. They contain symbols numbers, uppercase, lowercase. Do not under any circumstances, and I know it's a joke, but I've actually seen it happen in an accounting firm who got hacked. The partner had the password, password one. That has happened. Thirdly, accountants are anxiety transfer specialists, especially now. Whilst the challenge of managing your client's affairs that naturally takes the priority, don't let your guard down with the systems that contain your client's data.

Thank you so much for joining me in CPA Australia today, please feel free to connect with me via LinkedIn or my website, which is practiceconnections.com.au. You'll find the links in the show notes. Later this year, CPA Australia, and I will be curating and facilitating an event on the topic of cybersecurity, where we will have guest speakers from a variety of vendors, and also hopefully the ATO to discuss all things cyber and public practise. Thank you again. Good bye.

Outro:
Thanks for listening to the CPA Australia Podcast. For more information on today's episode, please visit the show notes at www.cpaaustralia.com.au/podcast. Never miss an episode by subscribing to our podcast on Apple Podcasts, Spotify, or Stitcher.