
PIPFA Journal                                                                  IFAC Article


USB sticks? With the Cloud there’s so much more security and much more process.” Drew Fenton agrees: “At the end of the day if you are not in the Cloud you are not protected.”

So what are the risks of this so-called more secure digital data storage? They boil down to the same old issue: keeping track of your data. IT security expert Dr Michael Axelsen says, “Losing USB sticks used to be the greatest risk, but today the risk occurs when you go from one Cloud provider to another.” Using numerous Cloud providers may increase your security risk. Why? Because cloud providers have the right to edit and modify your inputted information. Cloud providers don’t agree on or maintain the same security agreements and – due to tough competition, potential cost issues, and outsourcing overseas – your sensitive data can potentially become compromised.

“Practitioners need to make sure when they change Cloud providers that their data is taken off the backup systems - otherwise they could end up with a patchwork quilt of different service providers,” notes Axelsen, who argues that the Cloud is still far better than the alternative.

But what is the easiest way to get hacked? “It’s not the Cloud,” Fenton says, “the easiest way to get hacked is by opening the wrong email. ‘Innocent emails’ asking you to click on attachments is an open door for hackers to access your system.”

Axelsen says firms can counter these events by initiating a “data respect culture” which involves making staff hyper-aware of data security. “That’s probably your best line of defense. Your data might be encrypted and relatively secure, but hackers can get something from your firm by social engineering methods or phishing.” He recommends having a strict risk policy and email protocols in place. Businesses are increasingly testing their staff through “phishing tests”, which are test emails sent to staff emails asking them to click on a variety of requests. People need to change their mindset to constantly be on guard and suspicious of all emails that are asking for an action or personal information.

Here are factors to consider in order to keep your data, and your clients, safe.

Tips on Keeping Data Safe:

•  Technology Risk Management Framework
   The first step firms should take is to build and maintain a technology risk management framework. This includes policies and procedures on how a firm assesses and identifies risks associated with the use, ownership, operation, and adoption of IT.

•  The Cloud
   Today’s cloud is safer than in-house servers, but data management is key. Know who your providers are and where they are storing your data. Consider security solutions such as two-factor authentication.

•  Disaster Recovery and Business Continuity Plans
   It is too late to build a disaster recovery plan after an attack. Failure to build and maintain an effective business disaster recovery system can be catastrophic. Firms need a proactive risk management plan that covers system and software back-ups; off-site storage; and trial restores.

•  Cybersecurity
   It is important to have system utilities to protect the firm from malicious attacks. Systems that can proactively combat cybersecurity attacks include firewalls, virus protection, malware/spyware programs, and anti-spam and phishing software.

•  Policies and Procedures
   Installing good IT governance procedures within a firm is critical. Policies should include guidelines that ensure that systems are not misused, with practices to ensure that applicable policies are continually reviewed and updated to reflect current risks. Ongoing education to all employees of the firm on technology risks should be part of the firm’s risk management framework.

•  Hardware
   Keep a log of hardware (including laptops and phones). Maintenance contracts should be sustained with hardware suppliers so that hardware failures can be quickly rectified. Ban staff from using free Wi-Fi -- on company or personal hardware -- to access sensitive data.

•  Software
   Keep an updated tracking system of current, past, and potentially future software subscriptions. Regularly upgrade software to current levels and allow time for system patching before shutting down your devices.

•  Insurance
   Adequate insurance for the firm must be maintained and cover the cost of replacing infrastructure, and labor costs to rebuild systems and restore data. Also, consider insurance for the loss of productivity resulting from a major system failure or catastrophic event.

IFAC has recently launched an updated Guide to Practice Management for Small- and Medium-Sized Practices, which includes a new chapter on Leveraging Technology and covers Developing a Technology Strategy, Hardware and Software Options, Technology Risks and New & Emerging Technologies.

Peter Docherty is the General Manager of Public Practice at CPA Australia, responsible for strategic oversight of issues impacting public practice members globally, developing member services and advocacy. Peter is a regular speaker in Australia and overseas on regulatory oversight and practice management. He facilitated the development of the IFAC Guide to Practice Management for Small to Medium Practices, CPA Australia’s Firm of the Future Report and Practice Management Portal.

Copyright: This article originally appeared on the IFAC Global Knowledge Gateway: www.ifac.org/Gateway. Visit the Gateway to find additional content on a variety of topics related to the accountancy profession.
January-June, 2018