Mobile information security concerns.

Author: Holub, Steven F.

CPAs operate in an increasingly connected environment, carrying with them numerous devices that constantly interact with the internet over various connections. These devices also contain more data than most CPAs would have been able to store on all of their firms' servers just a few years ago.

These devices allow CPAs to serve their clients more effectively and efficiently, and they are designed to be easy to use. However, because they communicate constantly over the internet and hold large amounts of sensitive data, they also pose significant security risks that some CPAs may not have fully considered.

It is simply not practical to stop using these devices, so CPAs must instead understand the security issues involved and some of the steps they can take to control and minimize these risks. This item highlights some of the issues that should be considered.

Loss of Device

A portable device's small size and ease of transport are what give a CPA efficient and convenient access to information, and they are what make such devices invaluable in practice. But the small size carries the inherent risk of losing the device, either accidentally or through theft.

CPAs should ensure that all portable devices, including laptops and USB thumb drives as well as smartphones and tablets, have their data encrypted, with a strong password or comparable authentication required to decrypt it. Similarly, the devices should be set to lock themselves (Auto-Lock) after a relatively short period of inactivity, so that authentication (a password) is required to regain access to the device.

Smartphones and, to a lesser degree, tablets present a particular security problem, since entering a long password on a small touchscreen is tedious, and users may be tempted to turn the security off altogether. A "secure" password is a balancing act. Requiring a 12-character password with digits, upper- and lowercase letters, and special characters may be secure on paper, but users faced with such stringent requirements will almost certainly compromise security in other ways.

Devices that run on Apple's iOS offer a useful compromise. Originally, iOS's security was limited to a four-digit numeric code (see screenshot at top right). This was rightly criticized as far too short and drawn from far too small a character set to be secure: there are at most 10,000 possibilities, not many for an automated system to work through. But the code is easy to enter and not terribly obtrusive.

Eventually, Apple implemented two options. First, the devices now allow a "complex" password to be set. However, such passwords remain difficult to enter, and firms requiring them will almost certainly find users creatively working around the difficulty in ways that compromise security.

[ILLUSTRATION OMITTED]

Second, the device can be set to wipe all of its data after 10 failed attempts to enter either the password or the four-digit code (see screenshot below). When an attacker has only 10 attempts to get the code right, 10,000 possible codes suddenly present a much bigger problem.
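The effect of the attempt limit on a four-digit code can be checked with a small simulation. The following Python is an added example, not code from the article or from Apple: the PinLock class, the sequential attacker, the constructed sample codes and the attempt limit are assumptions made for illustration, and the simulated device is not a real iOS implementation.

```python
"""Simulate a four-digit device code with and without a wipe-after-N-failures
policy. Constructed example; the classes and numbers below are assumptions,
not a description of any real device's implementation."""
import hmac
import secrets
from typing import Optional


class PinLock:
    """Models a device unlock check with a failed-attempt limit.

    After `max_attempts` wrong guesses the device wipes itself: the secret is
    discarded and every later attempt, right or wrong, is refused.
    """

    def __init__(self, pin: str, max_attempts: int = 10):
        self._pin = pin
        self.max_attempts = max_attempts
        self.failed = 0
        self.wiped = False

    def unlock(self, guess: str) -> bool:
        if self.wiped:
            return False
        # Constant-time comparison so response timing does not reveal how
        # many leading digits of the guess were correct.
        if hmac.compare_digest(self._pin.encode(), guess.encode()):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.wiped = True
            self._pin = ""  # data gone: nothing left to guess
        return False


def brute_force(lock: PinLock, digits: int = 4) -> Optional[int]:
    """Try every code in ascending order until the lock opens or wipes.

    Returns the number of attempts used on success, or None if the device
    wiped first.
    """
    attempts = 0
    for code in range(10 ** digits):
        attempts += 1
        if lock.unlock(f"{code:0{digits}d}"):
            return attempts
        if lock.wiped:
            return None
    return None


def success_rate(trials: int, digits: int = 4, max_attempts: int = 10) -> float:
    """Fraction of uniformly random codes the sequential attacker recovers
    before the wipe. The expected value is max_attempts / 10**digits, i.e.
    0.001 for the article's 10 attempts against 10,000 codes."""
    wins = 0
    for _ in range(trials):
        pin = f"{secrets.randbelow(10 ** digits):0{digits}d}"  # constructed sample
        if brute_force(PinLock(pin, max_attempts), digits) is not None:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    # With no effective limit the sequential attacker always wins, here on
    # the 7,392nd guess for the constructed code "7391".
    print("no lockout:", brute_force(PinLock("7391", max_attempts=10 ** 9)))
    # With the 10-attempt wipe the same code is never reached.
    print("with lockout:", brute_force(PinLock("7391")))
    # Over many random codes the attacker wins roughly one time in a thousand.
    print("success rate:", success_rate(20000))
```

The limit only constrains an attacker who has to guess through the device's own unlock prompt; an attacker who copies the encrypted storage and guesses offline is not counting attempts, and it is the encryption, not the counter, that has to resist that. Both measures from the article, encryption and the wipe, therefore belong together.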

All...
