Monday, May 11, 2015

Hey CPA: Should I get anti-virus for my home network?

Recently, I was having a conversation with my friend's 12-year-old daughter. She's an avid e-book reader and her Kobo is a close companion. We were discussing the susceptibility of the Kobo (in contrast to her computer) to viruses. I wasn't sure what OS was on the Kobo, but a quick check showed that it runs a Linux operating system. So I explained the economics of malware: most malware is written for Windows or Mac OS, because criminals want to get the most bang for their buck. So the likelihood that hackers would target Kobo tablets would be quite low.

Then it struck me: would a CPA be able to lead this sort of discussion?

The recent merger of the professional accounting bodies prompted the publication of a new competency map. The new competency map, however, greatly reduced the amount of technology competence required by a CPA.

Coincidentally, the WSJ published a review of the Bit Defender BOX around the same time I had this discussion. For what it is, see Amazon's Video Review.

As with the conversation with the 12 year-old, I wondered whether a CPA could keep pace with the issues brought up in the article, which include:
  • If there's an OS, there's a risk of virus infection: The proliferation of "smart" devices is actually a proliferation of operating systems. As they point out, there are no large-scale infections to report yet. But the point is that there is a risk of infection, and consumers need to figure out how to handle that risk.
  • Network controls versus end-point controls: The solution for the virus can either be put on each device (e.g. mobile phone, tablet, smart thermostat, etc.) or at the network level. But which one is better? And that's the point: could a CPA discuss the advantages and disadvantages of each approach?
  • Evaluating intrusion detection systems (IDS): The Box is, in a sense, the IDS for the masses. As the WSJ noted, the Box sent a number of "unhelpful alarms". In other words, the system generated "false positives", which means that users will initially check each alert diligently but then ignore subsequent alerts, assuming they are false alarms.
  • Limitations of scanning devices: The article also notes how the device can't work on encrypted traffic. More generally, it talks about the overall (lack of) reliability and 
  • Best security practices: The article also notes several best practices to make home networking safer, including patching/updating router software and enabling auto-update, use of strong passwords, hardening systems (i.e. changing the default user ID and password on things like routers), use of the WPA2 standard (i.e. not WEP, which can be easily cracked), and use of a guest network instead of sharing passwords.
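To make the home-networking checklist above concrete, here is an added example (not code from the WSJ article, from the BitDefender Box, or from this blog) that audits a router configuration against the practices listed: firmware auto-update, strong passwords, changed default credentials, WPA2 rather than WEP, and a guest network. The configuration format, field names and the list of factory-default credentials are assumptions made for the example; the two sample configurations are constructed, one weak and one hardened.

```python
"""Audit a home router configuration against the best practices listed in
the article. Added example; the key/value config format, the field names
and the default-credential lists below are assumptions, not any vendor's
real export format."""
import re

# Constructed sample: a router that still has its factory settings.
WEAK_CONFIG = {
    "firmware_auto_update": False,
    "admin_user": "admin",            # factory default, never changed
    "admin_password": "password",
    "wifi_security": "WEP",           # easily cracked, per the article
    "wifi_password": "12345678",
    "guest_network_enabled": False,
}

# Constructed sample: the same router after applying the checklist.
HARDENED_CONFIG = {
    "firmware_auto_update": True,
    "admin_user": "house-owner",
    "admin_password": "Tr0ub4dor&3-correct-horse",
    "wifi_security": "WPA2",
    "wifi_password": "quiet-lantern-orbit-42!",
    "guest_network_enabled": True,
}

# Illustrative factory-default credentials (constructed list, not exhaustive).
DEFAULT_USERS = {"admin", "root", "user"}
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", ""}

# WPA2 is what the article recommends; WPA3 is its newer successor.
ACCEPTABLE_WIFI_SECURITY = {"WPA2", "WPA3"}


def is_strong_password(pw: str, min_len: int = 12) -> bool:
    """Assumed policy: minimum length plus three of four character classes."""
    if len(pw) < min_len:
        return False
    classes = [
        re.search(r"[a-z]", pw),
        re.search(r"[A-Z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return sum(1 for c in classes if c) >= 3


def audit(config: dict) -> list:
    """Return (practice, finding) tuples for each listed practice the config misses."""
    findings = []
    if not config.get("firmware_auto_update"):
        findings.append(("patching", "router firmware auto-update is disabled"))
    if (config.get("admin_user") in DEFAULT_USERS
            or config.get("admin_password") in DEFAULT_PASSWORDS):
        findings.append(("hardening",
                         "admin account still uses a factory-default user ID or password"))
    if not is_strong_password(config.get("admin_password", "")):
        findings.append(("strong passwords", "admin password is too weak"))
    if config.get("wifi_security") not in ACCEPTABLE_WIFI_SECURITY:
        findings.append(("wpa2",
                         f"Wi-Fi uses {config.get('wifi_security')} instead of WPA2"))
    if not is_strong_password(config.get("wifi_password", "")):
        findings.append(("strong passwords", "Wi-Fi password is too weak"))
    if not config.get("guest_network_enabled"):
        findings.append(("guest network",
                         "no guest network; visitors would need the main Wi-Fi password"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for practice, detail in findings:
            print(f"  [{practice}] {detail}")
```

Running the script reports six findings for the weak configuration (one for each practice, with "strong passwords" flagged twice, once for the admin account and once for the Wi-Fi key) and none for the hardened one. The point of structuring it as a checklist function rather than a one-off script is that the same practices can be re-checked after every firmware update or settings change, which is also how a reviewer would want to see a control evidenced.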
But that's not all. WSJ also published this article detailing five key corporate security practices, including:
  • Patching, i.e. installing software updates to plug security holes in the software;
  • Limiting connectivity of devices on a "need to do" basis;
  • Encrypting data that is confidential or highly confidential (e.g. credit card data);
  • Use of physical security devices instead of just passwords;
  • Independently assessing vendor compliance with security.
The interesting thing about this article is that it omits the use of SOC audit reports (see Amazon's FAQ on the topic or the AICPA's site) with respect to verifying the level of security compliance with the latter point. 

But, again, does the current competency map train CPAs sufficiently to spot that? 

We should keep in mind a couple of things.

Firstly, the WSJ is a good litmus test of what the business press can expect a business professional to know about IT security, and technology related controls more generally. 

Although not explicitly mentioned in the first article, one of the key trends that has raised the level of knowledge required of the average business professional is consumerization: individuals have access to technology, such as tablets, smartphones, networks, etc., that was once the sole domain of corporate IT. Consequently, the average business professional now needs to increase their knowledge of IT and IT risks to avoid a virus or getting hacked. For example, I heard a couple of guys at the gym discussing the risks of downloading illegal movies: getting targeted by regulators and malware infection.

Secondly, my friend's kid is 12 years old and understands the concepts of viruses, operating systems and risk at a very rudimentary level.

Okay so we all know the kids are tech savvy. 

But we need a competency map that would be relevant to the future generation that will be entering the profession. Furthermore, if the CPA profession wants to achieve its vision of being the "globally respected business and accounting designation", it must not just meet the level of the business press but must go beyond it.
