The Insecurities of Email

What you need to know about maintaining the privacy and security of your clients’ data.

Email has been around a long time and has evolved into a mission-critical resource to deliver documents and communicate with clients. It’s the default for most businesses — convenient, easy and mature — and has all but replaced time-consuming faxing and manual delivery of documents. However, while email has been a trusted delivery tool for years, you should ask yourself, “Is it safe?”

Security v. Privacy

Security and privacy have significant importance in the accounting profession. Unlike recent trending topics, such as paperless and workflow, the measures by which firms assure data security and privacy have been a focus for accountants for decades. And now, with new state and federal mandates hitting the profession at warp speed, ensuring the security of data and the privacy of client information has renewed significance and has been elevated to Job 1.

First, it’s important to understand the difference between security and privacy if firms are to comply with mandates geared toward client data protection. Consider each separately:

Security comprises three primary elements: authentication, authorization and audit.

Authentication refers to the ability to verify the identity of the person signing on. In other words, making sure an individual is who she says she is, typically via a unique user name and password.

Authorization determines a user’s access to various resources, based on the user’s identity. This has to do with setting permissions — what an individual can and cannot access. In a document management system, a user would be granted ‘rights’ to access certain documents.

Audit refers to the mechanism for tracking access and activity of a system or service — in short, who did what and when. In a document management system, an audit log would allow you to generate security and compliance reports of which users uploaded, accessed or changed the properties of a document, and when.

Privacy is really a subset of Authorization. It centers on ensuring that an individual’s privacy is protected during the course of sharing data with others, whether that data is shared online or stored in file cabinets in the office (who has access to those files?). When we are talking about sharing and collaborating over the Internet, it’s easiest to think of security as the padlock — no one gets in without the right combination. Privacy is the shield that protects a person’s identity while actively sharing information via the Web.

Second, it’s critical that firms understand why they should care about security and privacy.

The Internet is the foundation of communication in most businesses, including accounting firms. Accountants send hundreds of emails every week. Without worry, financial statements, tax returns, and other common reports and forms are attached and sent. A few may instead email links to documents; the links themselves may be secure, but they don’t require the user to enter an email address and password to access the document. And without user authentication, there is no way to verify that the person accessing the document is the intended recipient.
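The three elements defined above (authentication, authorization, audit) and the unauthenticated-link problem just described can be seen side by side in a small document store. The following Python is an added illustration, not code from the article or from any particular document management product; the user names, passwords, document id and PDF bytes are constructed sample values, and the class and method names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so that a leaked user table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class DocumentStore:
    """Toy document management system showing authentication, authorization and audit."""

    def __init__(self):
        self.users = {}     # user name -> User
        self.sessions = {}  # session token -> user name (issued only after authentication)
        self.docs = {}      # document id -> content
        self.acl = {}       # document id -> set of user names permitted to read it
        self.audit = []     # one entry per attempted action: who, what, which doc, when, outcome

    def _log(self, actor, action, doc_id, outcome):
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "doc": doc_id, "outcome": outcome,
        })

    # --- authentication: is this person who she says she is? ---
    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name, password):
        """Return a session token on success, None on failure (both are audited)."""
        user = self.users.get(name)
        # Hash even for unknown names so response time does not reveal which names exist.
        candidate = _hash_password(password, user.salt if user else b"\x00" * 16)
        if user is None or not hmac.compare_digest(candidate, user.pw_hash):
            self._log(name, "login", None, "denied")
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        self._log(name, "login", None, "ok")
        return token

    # --- authorization: may this identity touch this document? ---
    def upload(self, token, doc_id, content, readers):
        owner = self.sessions.get(token)
        if owner is None:
            self._log("anonymous", "upload", doc_id, "denied")
            return False
        self.docs[doc_id] = content
        self.acl[doc_id] = {owner, *readers}
        self._log(owner, "upload", doc_id, "ok")
        return True

    def read(self, token, doc_id):
        actor = self.sessions.get(token)
        if actor is None:
            # A bare link with no sign-in lands here: nobody is identified, so it is refused.
            self._log("anonymous", "read", doc_id, "denied")
            return None
        if actor not in self.acl.get(doc_id, set()):
            self._log(actor, "read", doc_id, "denied")
            return None
        self._log(actor, "read", doc_id, "ok")
        return self.docs[doc_id]

    # --- audit: who did what, and when, to a given document ---
    def access_report(self, doc_id):
        return [(e["actor"], e["action"], e["outcome"]) for e in self.audit if e["doc"] == doc_id]


def demo():
    store = DocumentStore()
    store.add_user("preparer", "correct horse battery staple")  # constructed credentials
    store.add_user("client", "hunter2")                          # constructed credentials
    store.add_user("other-client", "letmein")                    # constructed credentials

    preparer = store.login("preparer", "correct horse battery staple")
    store.upload(preparer, "return-2023.pdf", b"%PDF constructed sample", readers={"client"})

    client = store.login("client", "hunter2")
    other = store.login("other-client", "letmein")
    return {
        "client_can_read": store.read(client, "return-2023.pdf") is not None,
        "other_client_can_read": store.read(other, "return-2023.pdf") is not None,
        "anonymous_can_read": store.read("not-a-session", "return-2023.pdf") is not None,
        "bad_password_rejected": store.login("client", "wrong") is None,
        "report": store.access_report("return-2023.pdf"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The access report for the document lists the preparer's upload, the client's successful read, and the two refused attempts (a signed-in user who is not on the document's access list, and an unauthenticated request such as a bare link would produce), which is exactly the kind of evidence a compliance report needs.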

Some firms have advanced to using encryption as a means to protect documents, but managing hundreds of passwords for the encrypted documents adds a lot of complexity. You also have to think about how you are getting the password to the recipient. If you are emailing it, that could be a security risk. And if the password is lost or expires, the document is effectively “dead” and cannot be opened by the sender or the recipient. The result is that you end up duplicating your efforts in order to recreate and send the information again.

The bottom line: Most firms are riding on the hope that email is safe.
