Protecting Your BYOD Exposure

Published October 20, 2014

Bring your own device (BYOD) is becoming the standard in accounting firms as we not only allow our personnel to connect to firm data from their home computers, but also access email and other firm applications on personal tablets and smartphones. When one of these devices gets lost or stolen, or if an employee is terminated, it is the responsibility of the firm to remove all firm and client data. Not all firms have implemented a BYOD policy and their plan to deal with errant devices is to remotely wipe them in their entirety. Unfortunately, this can lead to erasing the employee’s personal data, music, and pictures which can have unintended consequences if those files are not backed up. In a recent INSIDE Public Accounting article, a scenario was shared where an employee could have Bitcoin “digital currency” on their smartphone that would disappear with all their other personal data if the smartphone were remotely wiped (which again is the most common resolution firms have in place). This has led larger businesses to implement COPE policies (corporate owned, personally enabled) which allows the company to control the device but at significant expense in equipment and data plans, which we have not seen trending as a standard within accounting firms, where BYOD is more prevalent. So in addition to educating employees about the firm’s BYOD policy, reminding them to back up their personal data, and sharing the possible consequences, firms are starting to implement Mobile Device Management (MDM) applications which will further minimize BYOD exposure by just erasing firm data.

Today there are more than 30 MDM vendors, but the key is to select from those that support the various platforms of devices you have. Gone are the days when the BlackBerry Enterprise server was the only supported device and today firms must not only support Android and iOS, but also Microsoft as our accounting vendors are so Microsoft-centric, which could have a growing impact in the future. MDM tools should inventory the equipment attached to the infrastructure so the firm is aware of everyone connecting to it and to turn those devices off at employee termination or device loss. Remarkably, even today when we inventory firms we find active logins for previous employees that have long ago left the firm so this is a change in culture that needs to be prioritized! MDM tools should also have features to allow employees to locate their devices if misplaced and make it easy for the device to be updated, reported, and secured through self-maintenance with the MDM. MDM tools should include local encryption and mandating strong passwords that are changed according to the firm’s password schedule and requirements. Most MDM tools also have the option to automatically erase a device after a set number of incorrect attempts and will automatically lock the screen after a certain period of inactivity (1-5 minutes). For managing the MDM application the firm will want to consider if they want to be responsible for managing the application and upgrades locally themselves on their own servers or using an external cloud provider that will provide the infrastructure and experience to manage (which we think will be the most likely scenario). A final consideration for implementing an MDM tool is its ability to also manage content access and log access to files to ensure that any unusual activity is tagged and file access is logged to ensure compliance with regulations (HIPAA and other privacy considerations).

As mentioned above, there are a fairly long list of MDM vendors so firms will want to partner with an experienced integrator or cloud provider that has successfully implemented MDM within CPA firms and other professional services environments. The top mentioned products within accounting firms in the past year have been AirWatch, MaaS360, Good Technology, MobileIron, Citrix XenMobile, and Google Divide to provide you with a starting point. Getting references from other Association for Accounting Administration member firms that have already done the due diligence will dramatically reduce the research time and help build confidence in the solution selection.

Roman H. Kepczyk, CPA.CITP and Lean Six Sigma Black Belt is Director of Consulting for Xcentric, LLC and works exclusively with accounting firms to optimize their internal production workflows within their tax, audit, client services and administrative areas. His Quantum of Paperless Guide (Amazon.com) has been updated for 2014 and outlines 32 digital best practices all accounting firm partners need to understand today as well as the latest AAA paperless benchmarks.