In an era of compliance issues, taking the right steps to secure data could mean more than just meeting standards.
By Teresa Von Fuchs
As an accounting firm to mid-size companies all over the globe, Grant Thornton understands that being a good accountant is about more than just crunching numbers. Part of being one of the top five firms in the United States means understanding what’s behind those numbers.
With the Sarbanes-Oxley Act of 2002 a lot changed in terms of businesses and numbers: Tougher standards were set around accounting practices, and new regulations were imposed to help ensure the independence of auditing firms. All of this was done in the hopes of increasing corporate responsibility and corporate financial disclosure.
And these good ideas, when put into practice, cost many companies more than a pretty penny. The New York Post recently ran a headline “SOX- Feds Choke Wall Street,” making the argument that Sarbanes-Oxley compliance “places an unprecedented burden on public companies.” While much has been written about the hardships of Sarbanes-Oxley compliance, Grant Thornton takes a different view and has published a series of whitepapers explaining Sarbanes-Oxley as an opportunity to improve the bottom line: “While SOX compliance has been costly, there is an upside that gets little press: there are actually a number of companies that have been able to improve the quality and efficiency of not only their financial reporting processes but also their general business operations as a result of their [Sarbanes-Oxley] 404 compliance activities.” Grant Thornton saw a place where it could use this advice at home.
“We’re business consultants, and most of our business is auditing and tax issues,” explains Jim Moore, senior technology manager, “so handling client info is very important to us. We’ve always been way ahead of the game in terms of regulations.”
As more regulations pass, such as the Gramm-Leach-Bliley Act (GLBA) for financial services firms and California’s Information Privacy Act (SB 1386), which requires disclosure of all customer data breaches, Grant Thornton wanted to stay ahead and needed a security and remote access solution that met those demands. “We also didn’t want users to worry about the logistics of one type of access over another,” continues Moore. And to really toughen the challenge, Grant Thornton also does business in 112 countries. “Our workers go all over the world, which already poses a variety of challenges. We needed to make sure that we found a solution that worked the same wherever they went.”
The everything-and-works-internationally Challenge
For years Grant Thornton had been a WorldCom telecommunications customer for its offices and remote access services via dial-up. However, management began to see the benefits of a more flexible remote access strategy as faster technologies and more networking devices became available. Security, however, was always an issue. As some employees began using broadband or wireless connections, IT was spending more and more time making sure these connections were secure and the network remained virus-free. Also, unregulated connection costs began quickly adding up.
Dave Johnson, director of infrastructure technology at Grant Thornton, echoes Moore’s concerns. “Supporting a diverse mobile workforce can create enormous complexities for IT,” he explains. “Trying to keep up with today’s rapidly changing protocols, incompatible access technologies, complex infrastructures and mounting security threats is like running in quicksand.” When WorldCom went bankrupt, Grant Thornton began the search for a new vendor.
Essentially, the company needed an easy-to-use, comprehensive tool to consolidate and simplify connectivity options across the globe, while guaranteeing that any device connecting to the network is compliant with corporate security and usage policies as well as any regulatory policies around client data. No problem, right?
Playing the Field
To find the right solution, Moore oversaw bidding among 12 vendors. After the initial phase, that number dropped to three. One was eliminated because its solution sounded right but was not yet available. Down to two possible vendors, Moore ran a 30-day pilot with 30 heavy users on each solution, and in the end chose Fiberlink’s Extend360.
Extend360 includes a VPN; anytime, anywhere access through a variety of connectivity options; end-to-end encryption of user information; personal firewall and anti-virus software; Persistent Policy Enforcement, which prevents a device from connecting to the Internet until the VPN client is engaged and the firewall and anti-virus solutions are up-to-date; as well as a suite to manage all of these features and user access options.
All of this became available behind one simple user interface (that also provides one-click access to even more useful features and automatically tells users what access options are available). In a report on remote access systems Gartner reported, “Fiberlink has one of the most user-friendly access clients, with good information on connectivity options and performance.”
While Grant Thornton was already using a hardware-based firewall, anti-virus software and a VPN solution, integrating and managing these effectively was a challenge before it rolled out the Fiberlink solution. It now has access to the Extend360 client and, through it, to secure, Web-based administration of policy values; it can also offer user-friendly updating with resumable downloads and bandwidth-sensitive updates. Extend360 also provides a comprehensive set of administrative tools that enable IT to push policy and security software updates to mobile workers, no matter where they are in the world.
Up and Running
Grant Thornton and Fiberlink worked together to tailor and customize the Extend360 client. “We could really leverage [Grant Thornton’s] internal software distribution tool to get the solution built and out to the field quickly,” explains Rick Wentz, Fiberlink VP of global customer services. “Not all customers have such systems in place, and we believe in working on a distribution cycle that makes sense for the customer.” For Grant Thornton that cycle was only a month—within 30 days 3,000 employees were up and running. On Monday employees got an e-mail that said, “Tomorrow you’ll be using a Fiberlink solution.” That night the solution was pushed out and by the next morning the company was completely switched over. Now, almost two years later, over 4,500 employees use the solution daily.
Fiberlink offers Word-based tutorials, but Moore says, “Our users have no patience for tutorials. They just dive right in.” Grant Thornton did create quick-start cards that went out to all employees, listing solution basics, some helpful shortcuts and reminders, but pretty much let the solution speak for itself. Considering the help desk has only received 73 calls in three years, that method seemed to work just fine.
Since going with Fiberlink, Grant Thornton has achieved 100 percent compliance with its network access and protection policies. So far, network security has isolated viruses even before anti-virus vendors sent out alerts. Remote workers—over 60 percent of Grant Thornton employees work away from the office more than 50 percent of the time—have an easier time connecting to the network to check e-mail and input billable hours into the firm’s billing system, ultimately improving cash flow.
Fiberlink’s CostView reporting system has saved Grant Thornton’s IT staff hours each month by generating a summary of each employee’s network access charges so the IT department can accurately track and charge back each user’s costs to their respective office. These reports were previously compiled manually and were prone to error. “We’re a bunch of CPAs,” says Moore, “so we just love being able to do better number crunching like this.”
And with many security concerns at ease, the Fiberlink solution has really opened up a world of mobility for Grant Thornton. “Our tax department now sends tax professionals to client sites the same way we send auditors to client sites. This was inconceivable before, because the tax professionals relied so heavily on the network to access applications and research,” says Moore. “With Fiberlink, we can support them as if they were in the office, without worrying about the security issues associated with working at a client location.”
When the firm recently started working with a major client in a state without a Grant Thornton office, it was no problem for the close to 200 professionals at that site to access the firm’s network. Says Moore, “Having the ability to move hundreds of tax professionals anywhere in the world, at any given time, in order to support the needs of our clients is extremely valuable to us.”
A former staff editor at Mobile Enterprise magazine, Teresa von Fuchs now writes from Austin, TX.