COVID-19 Means CPA Firms Must Create Bring Your Own Device Remote Work Policy

The ongoing coronavirus pandemic has forced companies of all sizes and in all industries to pivot to a telework environment to remain operational while keeping employees healthy and safe. CPA firms large and small have had to enhance their existing remote work setups while firms behind the tech curve have had to make even more drastic changes to how their teams can collaborate, share information and remain productive during COVID-19.

More staff working from home means that more personal devices will be used on home networks for CPA firm business, which increases the risk for security issues, cyberattacks and data breaches. Providing your team the right tools to work remotely is very important during this COVID-19 “New Normal” — it is equally important, however, that CPA firms also develop and communicate a clear, executable policy for Bring Your Own Device (BYOD) security to its remote employees.

As we’ve noted before, cybersecurity is not just about tech; your people must play a proactive role in keeping your CPA firm’s data and IT infrastructure secure. The human influence on cybersecurity is more important than ever before because so many staff are operating on their own devices and networks due to COVID-19.

Cetrom can help you transition to a strong remote work environment while also providing guidance around creating a sound and practical BYOD policy. Here are some tips for keeping your data safe in the age of increased BYOD work activity during the coronavirus pandemic.

Educate Your Staff on the Why Behind the BYOD Policy

To avoid a negative reaction from staff, take time to explain why it is necessary to create a personal device policy during this work from the home period. You can build out the best BYOD policy in the world, but if your staff, which is likely already stressed, feels put-upon by this policy, they will be less likely to follow the rules.

• CPA firms need to help their staff understand that as a company they cannot control home networks or what is on personal devices so protocols and rules need to be established to protect individual staff and the company.
• CPA firms need to deploy a constant educational communication plan around personal device use during COVID-19; this means active, consistent communication about the BYOD policy, accountability and even a summary of the latest threats like COVID-19-themed phishing and email scams.
• CPA firms need to emphasize that the BYOD policy is not punitive; rather, it’s for the protection of the staff, the company and its clients

Under normal circumstances, it would be advisable to recruit department leads and other staff to help build your BYOD policy. This would help create a sense of collective ownership of the BYOD program and prevent any animosity or negative backlash. However, if your CPA firm doesn’t have a BYOD already in place, this is not feasible since you have to act now to mitigate risks as soon as possible.

What Should Go Into Your BYOD Policy

If your CPA firm doesn’t have a current BYOD policy or an IT emergency response protocol in place already, your BYOD program needs to focus on the basics and low-hanging fruit. However, it’s important to think of the future as you build this BYOD set of rules and employee requirements — whatever policies you build out now in response to COVID-19 should serve as the foundation for a more comprehensive IT security and emergency preparedness model to be built out in the near future. 

Here are some BYOD policy actions you can take relatively quickly to better protect your network and data:

• Create a reference list of information types that are sensitive and need to be protected that your team can keep handy. This could include client personal information, intellectual property content and a host of other critical data types.
• Define the acceptable forms of personal devices and remote access methods that can be used for work-related matters
• Use encryption tools whenever sending sensitive information from a personal device
• Provide tips and ongoing staff training on how to identify email scams, phishing emails and other threats that attempt to exploit human error
• Mandate that staff working remotely only access CPA information via the company’s Virtual Desktop (VD) to make sure information is encrypted
• Require that antivirus and malware protections are installed on personal devices and updated to cybersecurity best practice standards
• Execute multi-factor authentication (MFA) immediately
• Prohibit the downloading of company information to any staff personal devices, including laptop computers, tablets or personal cloud storage systems
• Stratify employee remote access to only information necessary to complete their specific job functions
• The National Institute of Standards and Technology (NIST) recommends “considering a tiered approach for remote access that allows the most controlled device types [e.g., organization-owned laptop computers] to have the most access and the least controlled device types [e.g., BYOD personal mobile devices] to have minimal access.”      

It’s important to note that every CPA firm’s BYOD policy will have its own nuances; there is no one-size-fits-all approach that will work. The aforementioned recommendations are intended to provide guidance around what CPA firms can more rapidly deploy to plug any security gaps created by the crisis-driven transition to near 100% work-from-home work ecosystems. 

The key takeaway is that every CPA firm, regardless of size, location or industry focus, has to do one of two things immediately: (1) Reassess and augment its existing IT emergency and BYOD protocols; or (2) Create a BYOD policy that can be implemented quickly and effectively and with the build-out of a future, comprehensive security plan in mind. 

Cetrom is here to help CPA firms navigate COVID-19 and better position their IT networks for the future by enhancing existing security policies and IT infrastructure or via the build-out of an effective, efficient and secure IT environment from the ground up.