Secure communication between accountants and their clients: The role of the client portal

Transcription

1 Secure communication between accountants and their clients: The role of the client portal

2 The importance of security An audience poll conducted at a recent ICAEW event revealed that, when it came to cloud software, security was the number one concern for almost a quarter of respondents (24%). 1 How seriously do you take security? The Information Commissioner s Office advises organisations that they should Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen. 2 Much of the information that accountants hold on their clients would fall into this category, for example details of income received and tax paid; pension arrangements; business turnover, profits and future plans. A lot of this sensitive financial information is not merely held in static systems; it s also continually being transferred and transmitted, whether as a spreadsheet on a laptop, data on a memory stick or a set of accounts ed to a client for approval. When it comes to , the Information Commissioner s Office urges organisations to Consider whether the content of the should be encrypted or password protected. 3 How many accounting practices actually do this? How would clients react to the change? Public document exchange As an alternative to , many organisations and individuals are now using public file sharing and document exchange websites, such as Dropbox, Google Drive, Sugarsync and Cubby. At their most basic, these services allow you to back up files from a local PC (or Mac) to your personal online storage area. Most of these sites also allow you to share stored files with others, in a private, one to one arrangement. Although some practices use these public websites to share files with their clients, many accountants have raised concerns over security and other matters. 4 These concerns centre around five main issues: The propensity of high-profile, public systems to attract the attention of hackers (the socalled hacker magnet effect). The security of these public systems, bearing in mind that some have already been compromised. 5 The fact that uploaded files are not automatically encrypted. The confidentiality of information, given that some file sharing websites allow their staff to have access to unencrypted data. 6 The US location of the servers hosting the majority of these services. 7

3 Secure client portals Secure client portals offer an alternative to public file sharing and document exchange websites. Their main point of difference is that, while the likes of Dropbox were designed for file backup and storage and have had file sharing features added as an afterthought, 8 client portals have been designed from the outset to provide an online platform for file sharing and collaboration. A properly designed client portal can therefore offer a lot more than a traditional document exchange system. CCH Portal, for example, allows you to send and receive messages within a totally secure environment a bit like a closed, private system. Personalised communication In a typical accounting practice, there are a multitude of different relationships between partners, staff and clients. One individual may be a personal tax payer, a director of a company and also a partner in another business. For each kind of work that the practice performs on their behalf, a single client may have multiple contacts within the practice; they may also have a variety of relationships to other clients, for example as a spouse, co-director or business partner. By using the contact and relationship information held in the CCH Central client database, CCH Portal allows you to build on these existing relationships. So, for example, you can send a secure, personal message to all the directors of a company and, when a reply is sent, the recipient will be alerted personally while the remaining members of the designated client team will see the message on the client file in CCH Central. Because CCH Portal also uses existing team security settings, any client files published on the Portal will remain confidential within the appropriate practice team. Keeping your client communication secure Client portals certainly have the potential to be more secure than . However, in order to fulfil this potential, the portal provider must take steps to ensure data security on a number of levels. Security is vitally important to all parties. In order to feel comfortable using the system, clients need to feel confident that sensitive, private information is safe; practices are acutely aware that data breaches could have a catastrophic impact on their reputation as a trusted adviser. So in the rest of this paper we ll be looking at the ways in which security is addressed in the CCH Portal.

4 Security in the CCH portal A number of interlocking levels of protection are required to make a system truly secure. On the CCH Portal we ensure security by the following measures: Password complexity Before you even start to invite clients to join, the CCH Portal allows you to set the required level of password complexity, including the overall length of the password, plus: The number of uppercase letters required The number of lowercase letters required The number of numbers required The number (and type) of special characters required, such as %,? and * These can all be set to zero, in which case they will not be required (but are permissible). Password security Importantly, neither the practice nor CCH hold a record of any client s password. If a user forgets their password they can click a forgotten password link to get a new temporary password and trigger a request for them to re-set their permanent password. By allowing clients to self-manage their own access, CCH Portal frees the practice from ongoing admin. Login security When clients have been set up to use the Portal, they are sent an with a link to the activation page. In order to complete the activation process and create their personal password, clients will need to enter their activation ID which, for security purposes should be sent separately, either by or post. Physical security of the hosting servers A system cannot be more secure than the physical platform on which it runs. The data centres which run the CCH Portal servers (on which your own individual client portals run) employ a number of measures to protect them from power failure, physical intrusion and network outages. The hosting site has been awarded ISO/IEC certification, an international information security standard covering policies, controls and processes. 9

5 In 2012 it also achieved SSAE16/ISAE3402 attestation. This required an audit conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) 16, laid out by the Auditing Standards Board of the American Institute of Certified Public Accountants, and the International Standard on Assurance Engagements (ISAE) 3402, laid out by the International Auditing and Assurance Standards Board. 10 Encryption CCH Portal uses 256-bit Advanced Encryption Standard, the highest available military grade encryption. Asymmetric key encryption is undertaken using two encryption keys held in separate locations to maximise security. Certification The site is then secured with an independent Secure Sockets Layer (SSL) certificate provided by security specialists, Symantec. SSL provides your clients with the visible reassurance of the familiar closed padlock and https website address, and is the same kind of security used by banks and other financial institutions. Independent security testing The security measures used to protect the CCH Portal servers have been penetration tested by a third-party specialist to probe for security vulnerabilities and ensure robustness and resistance to malicious attack. While no serious vulnerabilities were discovered during this process, further security enhancements were added following the testing to ensure we meet the highest standards of security. Audit trail A full audit trail is retained in CCH Central showing every transaction on the Portal, including date and time and the IP address of anyone accessing the Portal or reviewing and approving documents. To prevent the risk of compromise, some security details have been omitted from this document. If you have specific questions about security, in the first instance please contact Christa Spencer at christa.spencer@wolterkluwer.co.uk.

6 Conclusion A properly designed client portal offers a viable alternative to insecure and public file sharing websites for the exchange of sensitive financial information. The CCH Portal was designed specifically for accounting practices and offers secure two-way communication between members of a practice and their clients. Because it uses existing information about clients and the teams that support them, CCH Portal helps to support good client relationships. CCH Portal ensures the security of data and documents through a series of interlocking measures, from the physical security of servers and the encryption of data to private passwords and full audit trails.

7 References 1. ICAEW IT Faculty Cloud Event, 17 April 2013 Results reported on the ICAEW website at 2. See the ICO website at 3. As above 4 See, for example, the discussion at 5. As reported in and See also the official Dropbox account of this incident at 6. Reported in 7. For a discussion of the USA PATRIOT Act, see 8. See, for example 9. See See

8 Keep informed CCH Insight CCH Insight provides free, topical information about the challenges and opportunities facing accountants, tax practitioners and finance professionals. It brings together research, commentary and news collected by technical specialists who work across the CCH business on our books, magazines, online reference, software, training and fee protection services. Articles, white papers, surveys and business tools are available in the following topic areas: Tax Insight Our tax specialists write on a wide range of topics such as changes to tax regulations, dealing with HMRC enquiries and plans for tax simplification. Accounting Insight Recent topics have included IFRS and mandatory online ixbrl filing. Audit Insight Our specialists provide information and commentary on matters of topical interest to auditors such as Clarified ISAs. Practice Development Insight Experts from across CCH use their knowledge and experience of accountancy, business and marketing to identify emerging opportunities for practice efficiency, business development and new services. Bookmark CCH Insight at