Firms are increasingly transitioning employees from traditional desktops to laptops as their only workstation for connecting to the firm’s information resources and production applications. This has a variety of benefits, including increasing the mobility of staff, providing secured remote access through a firm-managed laptop, and allowing the employee to have a workstation in the event of a disaster (as highlighted by the recent series of hurricanes).
However, with this added mobility also comes additional responsibility to make sure the laptop is protected both physically and digitally. When issuing laptops to employees it is important that the firm and personnel are both cognizant of the increased risks and responsibilities involved, and that the appropriate measures are being taken to protect the firm’s resources.
Laptops are easy targets for thieves, so employees must be reminded that it is their responsibility to:
- Physically secure their laptop by locking the door of the office where it is being utilized or securing it via a physical cable lock if they have to leave.
- Maintain proximity awareness of their laptop when in transit, meaning either keeping it in their line of sight by carrying it on their shoulder, or always keeping physical contact with their computer bag (e.g., with their leg if it is placed on the floor).
- Place laptops in the trunk, or hide them from view within the car, when getting in and not on arrival. Thieves have been known to monitor parking areas, watching specifically for personnel placing their laptops in their trunks after they park.
Encrypted Hard Drives
Unfortunately, data is still being downloaded onto laptops either because the employee wanted the convenience of saving and working locally or they are concerned that they will not have Internet access where they are going and need to work on certain files. Be sure that employees:
- Encrypt all data drives to protect the firm in the event the laptop is lost or stolen.
Any access to a firm workstation and network:
- Must require a complex password that is changed on a schedule, and whenever there is any concern that an employee’s password could have been compromised.
- Should require multi-factor authentication, meaning that in addition to entering their password, the employee’s identity would be verified biometrically (thumbprint, facial recognition) or by inputting a secure code sent to the employee through their smartphone or via a call-back phone number.
Employees must be reminded that client confidentiality rules extend to wherever they may be working. They should:
- Utilize a screen privacy filter when accessing confidential data when in transit or in public places.
- Have automatic screen savers set for a shorter period on laptops, rather than the 30- or 60-minute settings used on desktops.
Secure Operating Systems
Employees should be reminded that:
- Checking social media and non-work email accounts can expose workstations to a broader range of malware and viruses, so it is also important for the IT team to ensure the anti-virus/malware applications and operating systems are automatically updated.
- Regularly shutting down and rebooting their laptops will allow updates and background maintenance to occur.
- Using public WiFi and USB thumbdrives can introduce malware to the laptop. Instead, they could use mobile hotspots for Internet connectivity, and web-based portals and secure email for file transfers.
Updated Policies/Reminder Training
As firms transition to more mobile computing it is important that the firm’s policies on remote usage are updated to reflect how and when laptops are utilized.
- IT and HR personnel should review all technology-related policies together and then provide training to staff.
- Firms should present mandatory annual security training for all personnel that would include the use of laptops.
Digital security has never been more important than it is today. When going through the checklist of threats that firms are dealing with, it is important not to assume that everyone is aware of mobile computing standards, particularly those who are transitioning to a laptop environment.
Roman H. Kepczyk, CPA.CITP, CGMA, LSS BB is the Director of Consulting for Xcentric, LLC and works exclusively with CPA firms to implement today’s leading best practices and technologies incorporating Lean Six Sigma methodologies to optimize firm production workflows. Roman is also the author of the 2017 Edition of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization” which is available to members of the PCPS section.