Bad week for CPA firms
Deloitte and Touche suffered a bit of an image hit when one of their auditors left a CD that held the stock holding information for thousands of McAfee current and former employees. The data was not encrypted. Staffers were offered a two-year membership to a credit monitoring program offered by Experian.
A PriceWaterhouseCoopers employee had a laptop with data from 4000 patients of the University of Texas M.D. Anderson Cancer Center. PWC says that the data was encrypted using 'sophisticated encryption software'. (*Probably an Excel spreadsheet with a password on it -jj)
From personal experience, after having worked for a CPA firm, it's regular practice to have gigabytes of client information on a laptop and not have that data encrypted. This isn't just something that happened at the firm I worked at, but at several firms that I had interaction with during my tenure there. Data was frequently shared between the internal auditors and external auditors, and when I would send it encrypted, I was told on a regular basis by clients and other auditors as well: "Why do you encrypt it? No one else at your firm, outside of your security group, does," or "We don't encrypt stuff we send to you, just send it to me unencrypted" (other firms).
If you look over the news in the last several years, there are a multitude of cases where data has been stolen from CPA firms or lost by them, thanks to their poor security practices. If hackers were smart, they'd start targeting the REAL sources of information storage. You hack one company, you get their data. You hack a CPA firm, you get hundreds or thousands of companies' data. And no amount of compliance with PCAOB will change that. Talk about your inmates running the asylum...
