Checklist: Protect your firm in 10 steps.
By Hitendra R. Patil and Jeffrey Lush
Jeffrey Lush is CEO and Co-founder, BAP Solution, a cybersecurity firm Lush is known widely as a passionate technologist with more than 34 years of IT experience. Before serving as CEO for BAP, he worked as the CTO for both HPE and Dell Federal. Lush’s US federal experience includes serving as the Executive Chief Technology Officer for the US Department of Veterans Affairs. He has served on US Presidential workgroups focused on cyber and has extensive knowledge of cybersecurity standards and policies throughout the globe, with a focus on US Federal policies to include NIST, FISMA, FedRAMP, DFARS, PCI, and HIPAA.
It is no secret that cybersecurity continues to top the list of business concerns for businesses of all sizes. Small independent business, mid-size business and large organizations can all be impacted by a cyber attack.
Why accountants need to recognize cybersecurity as a daily “to-do”
The Ponemon Institute, the well-respected creators of the “Cost of a Data-Breach” annual report, says that the biggest threat is that cyber threats keep evolving. If IT teams don’t know what to expect, how are accounting professionals supposed to help cyber threats? In addition to a possible business impact, many organizations that touch personal identifiable information or other sensitive data are often subject to government regulations. Failure to comply is costly and embarrassing.
It is even more critical for accountants and accounting firms, simply because it is not just your own data and information that you want to protect from cyber threats but because you manage your data and information of your clients – and possibly of their employees, their vendors, their customers, etc. Therefore, for hackers, your firm can be that “master-key” that can open many doors.
The first and fundamental preventive measure you can take to protecting critical data, reducing the risk of a cyber attack, and complying with federal mandates is to start thinking about security and to begin today with tested steps. Many of the steps may feel simple, but the improvement in security is substantial.
What is cybersecurity
First, let’s recap what we mean by cybersecurity. Cybersecurity is a blanket term that encompasses a number of different ways to protect from the attack vectors that a hacker can utilize to access proprietary information. Their typical goal is to acquire sensitive data to sell on the dark web for profit. Your data has big value. Let’s review some of the most common types of attacks.
- Ransomware – as the name implies, ransomware occurs when malware is unleashed on your system to block access to your data until a ransom is paid to get back. This method is often distributed through email that might include an attachment carrying the malware payload. Or the email contains links to websites that contain links to malicious sites. The FBI discourages payment of ransom, because paying your ransom does not mean you get your files back. It also means that the hacker was successful, and will strike again.
- Phishing – Phishing is also done through email. These emails are often doctored to look like they are sent from a trusted contact or company to trick recipients into revealing personal information. A form of phishing focused on executives is called Whaling. The types of data they are “fishing” for is often passwords, banking details, credit card numbers. Spear phishing takes place with the attackers spend the time to research their intended target and personalize their messages. For obvious reasons, these attacks can be very difficult to detect.
- Distributed Denial of Service (DDoS) - DDoS consist of attacks against a system's resources to overwhelm service and shut it down. There may not be a financial benefit to a hacker, aside from the satisfaction of interrupting service. However, competitive companies have been known to launch DDoS attacks to interrupt competitors business for financial gain.
- Spoofing – sometimes called Man-in-the-Middle. Just as both names imply, this happens when your communications between a client and trusted servers are hijacked. Often times the attackers send a packet which mimics the intended host and disperses malware on your system.
- Insider Threats – this is when digital information is stolen from someone or something inside of your environment. Often a trusted insider will make copies of key company details ranging from product specifications, financial details, or other valuable information that may cause financial damage. Insiders could be employees, former employees, contractors, or anyone else that may have access inside of your firewall, antivirus, and endpoint protection.
How you can ensure cybersecurity
There are numerous other kinds of cyber threats. These may feel daunting and make you wonder how you as the accounting professional can make any difference. The answer is that you can make a difference. Making basic adjustments to the way you go about business may thwart countless attacks.
1. One of the first things that you should do, especially if you are an independent or small business accounting firm, is to ensure that you have an updated antivirus on your computer and that it is activated. If you don’t have one, then get one right away. In terms of cyber protection, antivirus apps are very inexpensive. Antivirus apps are often compared to the fence around a yard. Its job is to create the first barrier to keep the majority of threat out. There a number of organizations that routinely test most of the antivirus options out there, such as PCMag and AV Comparatives are both widely respected as independent reviewers. They compare side by side so you can find the product that best meets your need.
2. Basic cybersecurity-hygiene – There are some simple steps you should be incorporating into your everyday workload. The key is to be vigilant. If something feels off or wrong, it likely is. Implement the steps below to improve your cybersecurity.
3. Lock your computer screen when you are not at your desk. When I first started working for a technology company our IT team would routinely change passwords for anyone not locking their screen. It was an unpleasant reminder that if they can change your password, anyone has access to your files. You would never want to give a burglar the keys to your house. Leaving your computer unlocked and unattended is doing just that.
4. Physical security: Secure physical files. While in the office, do you have a process for locking up any files that have personally identifiable information or sensitive information? Whether this is a clients tax returns, quarterly financial details, or bank information, you are likely touching very sensitive information. The best thing to do is lock it up. In compliance with your company policy, excise proprietary information when you can. In addition, what are your policies for public access to your workspace? If you are in an environment that does not have access control (badge system) to admit people to your office, you may need to implement even stricter procedures.
Are there times you may work remotely? Will you be carrying sensitive data between work and home? The best practice here is to keep that data with you or secure in a safe place at home, this could include a locking safe. A few years ago there was the story of a state government worker who had a laptop stolen out of their car. Or another who had contracts stolen from a briefcase stolen from their car.
In addition, never insert into your computer an unknown device, such as an USB. Social engineers for years have strategically dropped USB drives hoping an unsuspecting person will pick it up and insert into their computer, thus unleashing rogue malware.
5. Email – do not open any links from people you do not know, especially unsolicited. As we saw when describing the types of cyber attacks, email is a popular vehicle for distributing malicious malware. In general, you will not receive an email from the IRS, law enforcement or you cousin who has money for you but needs you to first send money to get them to where they can send you money. If an email feels strange, don’t open or click. Hover over the sender’s address to ensure it is the right email. Or give them a call to ensure they sent you something to open.
6. Social media – similar to email, don’t open something from someone you don’t know. Also, accepting connections requests from someone you do not know, without doing any sort of preliminary due-diligence, can risk you as well as your existing connections - because when you connect with them, inadvertently you are giving the new connection a shield of legitimacy. It is common to hear “I connected with that person because some of my friends/connections were our mutual connections."
7. Internet searches – plain and simple, don’t search where you shouldn’t on a work computer. Avoid celebrity sites, pornographic or other kinds of like searches. These sites often are riddled with malvertising or other types of malware that can infiltrate your system and have an impact well beyond your internet. The right antivirus will have internet security included.
8. Continuously Monitor – in conjunction with your IT team, they should have technology in place to always be watching your system.
9. Back Up, Back Up, Back Up – if you are ever victim to a cyber attack you may not be able to retrieve your files. It is good policy to regularly back up your hard drive to ensure that if something does ever happen you have access to your files. Backing up always gives you an option out if you are hit by an advanced cyber attack, such as with ransomware.
10. Get Trained – If you have an in-house IT team, ask them to train you and your department on best practices. Or if you are independent, choose from resources found from the following non-profits. Check out additional free resources from these groups:
Resources – Stop, Look, Think campaign by ISC2 – https://www.isc2.org/
Center for Internet Security – https://www.cisecurity.org/
Center for Cyber Safety and Education – https://iamcybersafe.org/
11. Cybersecurity is not a one-time thing - It is also important to frequently review your processes and determine what can be improved to secure your environment.
You, truly, can be the difference between a major breach and security. By being aware and vigilant, you may thwart a cyber attack on your environment. Following these steps will give you peace of mind and help to combat.