Data security vulnerabilities due to remote or hybrid work

By Jessica Barboza, OSCPA marketing and communications intern     

With remote work reshaping professional norms, firms must remain aware of the data security risks associated with external work environments. 

“When you're outside of your firm’s physical space and its IT environment, data security risk can be higher. You may have weaker home security and home WiFi. You may use personal devices that are outside of the control of your firm's IT security policies,” said Sarah Ference, CPA and risk control director at CNA, the underwriter for the AICPA Accountants Professional Liability Insurance Program. “You may have a bit of a more relaxed attitude towards security than if you were in the office.” 

When using external WiFi, whether that be at home or in a coffee shop, it’s important to always use a VPN to connect to the firm’s network to allow for a secure channel, she said.  

When speaking with Sarah, she advised that some firms prohibit the use of personal devices for business purposes unless they are under the control of the firm and its security policies.  

“Since remote employees are in a less controlled environment, it takes extra diligence to make sure they’re aware of and adhering to the firm’s data security policies and maintain the same mindset that they would have as if they were in the firm’s physical space.”  

“Anytime you have a policy, you need to make sure you're testing compliance with it,” she said. “Unless you actually evaluate compliance with the policy, you’ll never know how effective it is.” 

“Consider regular phishing awareness trainings and constantly remind firm personnel –whether it's through emails, screen savers, training, etc.– about the risk of data security and the importance of everyone's individual role of protecting the firm’s data,” she said. “Phishing is still one of the most common ways that attackers use to infiltrate an organization.” 

Any request for sensitive information or transfer of money, a sense of urgency, minor errors in the email address, and an uncharacteristic tone of voice are classic red flags to look out for when deciphering if an email is legitimate, Ference said.  

“Even if an email looks like it's coming from a client, their email address may have been compromised,” she said. “If it's something that you're not expecting to receive or if something doesn't feel right, the best thing to do is to pick up the phone and call the sender at a number that you know to be right. Always.” 

If the potentially fraudulent email is from a third party, open a browser and go to that company's website to verify that the email is a legitimate email or request, she said. Pausing and taking a breath before you take action on an email is one of the best controls you can employ. 

Oftentimes, the good phishing emails will latch onto a world event to get the reader’s attention, she said. 

“Maybe it's a call to donate funds for hurricane victims,” she said. “They'll use manipulation and topics that you might be drawn to trick you into taking the bait.” 

It’s on every individual, as an employee or partner at a firm, to protect the firm's information and make sure that they are making good choices to help protect the firm, she said. 

“A firm's number one client is the firm,” she said. “When you go about your day-to-day work and make decisions, be sure to keep service to your number one client in mind.”