In the Face of Terrorism and Natural Disasters

How does your firm's business disaster recovery plan hold up?

July 8, 2010
by Sukanya Mitra

Andrew was then. Now we have Katrina, tsunamis and terrorism. You never know when any of these will strike your city or hit a town near you. The last thing you want is a security breach of your clients’ information because of a lack of a good disaster recovery plan (DRP).

Interestingly, according to Hartford Financial Services Group, of those businesses that experience disaster, nearly half (43%) have no emergency plan in place. And of those that do, only one in four (29%) are still in business.

Armando D’Accordo, president of Merrick, NY-based CMIT Solutions of South Nassau, set out to dispel some of the myths about disaster recovery plans at the recent Accounting Technology New York Show. D’Accordo pointed out that data loss can hurt you in more ways than you probably realize:

  • Loss of data can lead to litigation especially when it involves personally identifiable information (PII) and
  • Productivity is affected and can be costly.

Even with extensive safeguards, D’Accordo warned that data loss is inevitable. While CPA firms often protect their servers, they rarely protect the data on employees’ desktops and laptops. D’Accordo pointed out that “six percent to 10 percent of desktops have a yearly issue, while almost 20 percent of laptops suffer data loss within the first three years.”

Do You Dunk Your Cookies?

Like your Oreos®, you ought to also dunk the cookies on your computer … in the trash. Though many apps require using cookies to help identify users, Bourke strongly advised deleting them as they “often contain information specific to the user and past events, including sites visited and a user’s history. Most good anti-spyware products will prevent and/or warn users of a site’s request for a cookie.”

Accounting and finance professionals often save documentation on their local drive, expecting it to be saved if disaster hits including laptop or desktop meltdown. THIS IS A MYTH!!! Unless you save your documents on your firm’s server, there is no backup.

Protect all your files on your firm’s server and use your firm’s anti-virus and anti-spyware programs that update and scan often in an automated fashion. Use encryption technology, limit and secure access to the system on which your files are stored and frequently back up all data contained on your local drive (C).

Automatic Updates

How often do you get those automatic pop-up reminders asking you to update the systems on your computer? Shouldn’t your IT team be liable and responsible for these updates? How do you know whether you should accept all the updates or just a few? Are these updates safe anyway?

While Bourke believes that all updates should be considered “critical” and should be updated immediately, he pointed out that if the update came directly from the vendor, you can consider it safe. “There are higher security risks that a firm would be exposed to by not applying updates,” he added.

Disaster Recovery Plans

Disaster Recovery Plans (DRPs) allow “CPA firms to restore computer and office systems, including all essential software and connections to full functionality under a variety of damaging or catastrophic external conditions,” said D’Accordo. There is no one-size-fits-all plan. Large CPA firms should have a continuity plan in continuous operation, to prevent disasters even during down times, D’Accordo advised.

A comprehensive DRP includes a “host” site that can house your firm’s team[s] and systems at a moment’s notice. D’Accordo noted that while there is no need to create elaborate DRPs, you should “always, always, always [ensure that] your data resides in three places: on the PC or server, on an external media (not tape!) and stored offsite in an encrypted and secured manner.”

Employee Training

Employees need to be as much a part of DRPs as the firm itself.

Employees often make the mistake of saving data on their C drives. While all firms automatically back up files on the server, which includes shared drives, employees don’t realize this does not include anything they save only on their C drives. To ensure that this data is also saved, it is imperative that employees also take the extra step to save data on their shared drives.
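The two rules above (D’Accordo’s “three places” rule for firm data, and the warning that files saved only on a C drive have no backup) can both be checked mechanically. The following is an added example, not code from the article or from any vendor it names: it hashes every file under a set of directories, reports files that exist only on a workstation’s local drive, and counts how many byte-identical copies of each server file exist across the server, external media and an offsite copy. The offsite copy is compared after it has been restored and decrypted into a local directory (the `offsite_restored` name is an assumption), which is the only way to prove an encrypted offsite backup is actually recoverable. All directory names, file names and contents are constructed for the demonstration.

```python
"""Backup-coverage checks for a small firm's documents (added example).

Assumed layout: four directories standing in for a laptop's C: drive, the
firm server share, an external (non-tape) disk, and an offsite backup that
has already been restored and decrypted for verification.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path):
    """Stream a file through SHA-256 so large tax files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def local_only(local_dir, share_dir):
    """Files on the workstation that are missing from, or differ from, the
    copy on the shared drive. These are the files with no backup at all."""
    local_m, share_m = manifest(local_dir), manifest(share_dir)
    return sorted(rel for rel, d in local_m.items() if share_m.get(rel) != d)


def copy_coverage(primary_dir, replica_dirs, required=3):
    """For every file on the primary (server) store, count the locations that
    hold a byte-identical copy (the primary counts as one). A copy that has
    silently rotted or was never taken does not count. Returns the per-file
    counts and the files below the required number of copies."""
    primary_m = manifest(primary_dir)
    replica_ms = [manifest(d) for d in replica_dirs]
    counts = {rel: 1 + sum(1 for m in replica_ms if m.get(rel) == digest)
              for rel, digest in primary_m.items()}
    short = sorted(rel for rel, n in counts.items() if n < required)
    return counts, short


def build_sample():
    """Constructed scenario (not data from the article) in a temp directory."""
    base = Path(tempfile.mkdtemp(prefix="drp-demo-"))
    dirs = {name: base / name
            for name in ("laptop_c", "server", "external", "offsite_restored")}
    for d in dirs.values():
        (d / "clients").mkdir(parents=True)
    # A return saved to the share and replicated everywhere: fully covered.
    for d in dirs.values():
        (d / "clients" / "acme_2009_return.pdf").write_bytes(b"acme return v2")
    # Draft notes kept only on the laptop's C: drive: no backup exists.
    (dirs["laptop_c"] / "clients" / "notes_draft.docx").write_bytes(b"draft notes")
    # A server file whose external copy has a flipped byte and no offsite copy.
    (dirs["server"] / "clients" / "payroll_q2.xlsx").write_bytes(b"payroll q2 figures")
    (dirs["external"] / "clients" / "payroll_q2.xlsx").write_bytes(b"payroll q2 figurez")
    return dirs


def run_checks():
    """Build the sample and return (local-only files, copy counts, under-covered files)."""
    dirs = build_sample()
    unprotected = local_only(dirs["laptop_c"], dirs["server"])
    counts, short = copy_coverage(dirs["server"],
                                  [dirs["external"], dirs["offsite_restored"]])
    return unprotected, counts, short


if __name__ == "__main__":
    unprotected, counts, short = run_checks()
    print("Files with no backup (local drive only):", unprotected)
    for rel, n in sorted(counts.items()):
        print(f"{rel}: {n} identical copies")
    print("Below the three-copies rule:", short)
```

Comparing digests rather than file names is what catches the rotted external copy: a listing of the external disk would show `payroll_q2.xlsx` present and look fine, while the hash comparison counts it as no copy at all.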

“All employees need some base-level training on Disaster Recovery and Business Continuity. The training should be repeated yearly on a grand scale and tips should be sent regularly in newsletters,” said D’Accordo. “I also encourage employers to develop a Systems Use and Policy Guide that explains the dos and don'ts of using business systems and all employees should discuss it at a group session, sign it and re-sign it yearly after training,” he added.

James C. Bourke, CPA.CITP, CFF, partner and director of firm technology at Red Bank, NJ-based WithumSmith+Brown, PC, agreed: “The training should be done in conjunction with new employee orientation and then done on a recurring basis (at least annually) as a reminder to all existing employees.” He also encouraged mandatory training across all ranks because every employee plays a different role in DR and therefore has a different vested interest. He also pointed out that all employees should continuously be updated on DR policy changes “and since a plan is ‘living’ and changes frequently, employees should be made aware of the location of the written plan for continued reference.”

Server Images

Many CPA firms are now using server images in lieu of the traditional methods of file documentation. A server image is a software-generated complete copy of your PC or server, which needs to be saved on an external hard drive. Two of today’s popular solution providers are Acronis and Norton Ghost Server. Since the software does not affect day-to-day processes, it integrates seamlessly into your system.

“If a CPA wants to recover from an issue quickly, then an image is essential,” said D’Accordo. “Think of it this way: If you back up your data but do not have an image of your server your path to recovery includes getting new hardware or parts, re-installing the operating system, setting up user accounts, patching the operating system with the latest security patches, installing anti-virus, anti-spyware and all tax-related applications, re-creating group policy and perhaps routing tables, etc. With an image, all those items are restored when the image is restored to the new equipment or hard drive.”

Safety in the Cloud

There has been much talk about cloud computing and data security in the cloud. Should you raise your DRP to that level? Like most IT experts, Bourke believes the cloud is a lot safer than any internal server you may have in place.

Good to know, but how can CPAs ensure that their data is secure in the cloud? “Since most ‘cloud-based’ systems store data on their servers, inquire as to replication and backups of that data and also request (if possible) frequent backups on media that you can also store internally in the event something tragic happens with the vendor,” advised Bourke.

While there are many cloud-solution providers, Bourke suggested the following cloud-based disaster-recovery sites:

You should also carefully review the contract terms and service-level agreements that the vendor offers. This will help provide some additional assurance that the vendor will try to meet your firm's DR needs appropriately. While prices and solutions vary with vendors, as Bourke noted, “In the event of data loss, one would argue that such service is priceless!”


Sukanya Mitra is Managing Editor of the Insider™ e-newsletter group.