Free Ransomware Webinar This Month
*This webinar is most beneficial for Xcentric Cloud users.
Are you concerned about ransomware and spear-phishing attacks on your firm? Attend this free webinar hosted by our trusted partner, Mimecast.
In this session, you will learn:
- The impact of spear phishing: Just how serious a threat is it?
- How could ransomware get into your organization?
- Why is ransomware happening more now than ever before?
- How can you best defend against an attack?
Considerations for a Data Breach Response Plan
Virtually every day there is another headline of a business security breach; what would you do if your firm’s name was in that headline? Developing a data breach response is a lot like developing a disaster recovery plan in that you hope you never need it, but having one can help tremendously in the event of a breach by minimizing additional losses and damage to the firm’s reputation. Even if your firm outsources your IT and/or applications to external vendors or cloud providers, you should have a basic incident response plan in place in the event firm data is breached via a third party. Below, we outline seven considerations to help you begin to organize your firm’s breach response plan.
Identify Your Response Team
Firms should have a list of internal personnel and external resources readily available, including a designated primary Incident Response Officer (IRO) who is at the senior management level. The IRO will act as liaison between the C-suite and the other incident response team members. The IRO will preferably not be the IT Director, as the IT team will be engaged in the technical aspects of remediation. It is important to also have a backup person designated in the event the lead person is not available. Other team members may include existing internal IT personnel, external vendors that provide cybersecurity services, vendor contacts within cloud-hosted applications, and legal counsel familiar with cybersecurity issues.
Incident Notification Process
Anyone noticing suspicious activity should be regularly reminded of whom to contact (IT/Security personnel) and whether to do so in person, via instant messaging, or by phone (as email may be compromised), so the appropriate person can assess the situation and determine whether there is the possibility of a security or privacy breach. If the initial responder has concerns that a security breach has occurred, they should notify the Incident Response Officer (IRO) to oversee the investigation and remediation efforts.
Your IRO will work with the IT team to investigate the event to determine if it is an actual security incident, which the National Institute of Standards and Technology (NIST*) defines as “a violation of or imminent threat of violation of the firm’s computer security policies, acceptable use policies, or standard security practices.” It is important that the response team also document what has transpired including the dates and times of suspicious events and all communications with outside parties regarding the incident. This information should be captured in a written/digitally recorded format to get other response team members quickly up to speed, and with the understanding that it may be important in any future legal or criminal proceedings.
The IT team should have written policies to monitor suspicious activities, disconnect, contain and block services, confiscate impacted workstations/devices, and physically secure the premises to minimize further damage. Remediation efforts would also include specific external cybersecurity resources and contacts at the firm’s Internet Service Provider (ISP), who can help trace the origin of an attack and/or block it.
Determine External Remediation Resources Needed
An important aspect of incident response is to identify forensic and cybersecurity firms that can assist with remediation, eradication of threats, and any clean-up; the plan should document specific vendor contacts for each. With the rapid evolution of cyberattacks, it is not likely that the firm’s internal IT personnel will be able to remediate every situation, so identifying external resources is critical. Please note that remediation resources should also include the firm’s legal counsel as well as specific Federal and State law enforcement agencies (FBI/U.S. Secret Service) to address any criminal issues.
Internal Communications Plan
If it has been determined that a breach occurred, the incident response team should quietly notify firm management and explain what is being done to remediate the issue. Firms should delay notifying all staff until the breach has been evaluated (and it is confirmed that no internal personnel were involved). Once the response team is convinced they have remediated the issue, a firm-wide communication outlining the facts and the firm’s response should be sent to all staff, including who is authorized to respond to any public inquiries. This communication should explain what happened, what the firm has done to fix the situation, and what the firm will do in the future to minimize the risk of a breach occurring again. The communications plan may also need to cover notifying impacted clients and what the firm will provide them, such as Identity Theft Protection Services.
Public Notification of Breach
The firm should establish a primary (and backup) point of contact to handle all public communications with the media. If the breach is in a very large firm, this could also entail setting up a website/webpage with FAQs and invoking additional resources to deal with large volumes of phone calls, emails, and physical mail. The firm should also identify which incident reporting organizations they want to work with. Verizon and the Identity Theft Resource Center are both organizations that consolidate and report on privacy/data breach incidents for firms.
Should a security/privacy breach occur in your firm, it is not likely to unfold in a neat, organized fashion, so it is important to have resources organized beforehand and to be flexible in responding to the specific situation. Discussing and documenting these considerations will help minimize the negative impact of a breach and speed up the process of getting the firm back to normal operations.
*FIRM RESOURCE: For the development of this article we reviewed the National Institute of Standards and Technology (NIST) Publication 800-61: Computer Security Incident Handling Guide, which we suggest firms refer to for more comprehensive guidance on developing an incident response plan, in particular Table 3-5: Incident Handling Checklist and Appendix A-Incident Handling Scenarios.
This article was originally published for the American Institute of Certified Public Accountants (AICPA). Copying or distribution without the publisher’s permission is prohibited.
New Resource: The Essential Guide to Securing Remote Access
We have recently partnered with Duo Security, because we truly believe they are the best as it relates to security for our clients. Our Cloud users now benefit from a newer process every time they log into the Xcentric Cloud, which makes it next to impossible to hack into someone else’s account. That being said, the people at Duo Security know what they’re doing.
Take a look at this free resource to understand what threats exist for cloud users, such as phishing, brute-force attacks and password-stealing malware, and learn how to mitigate these risks. This guide is most helpful to IT administrators and other professionals concerned with information security as it relates to remote access within your firm.
Xcentric Partners with Duo for Heightened Security
We are always trying to find new and improved ways to make our Cloud more secure. With advancing technology, there are increasingly more options for security as well as more threats. After doing some research and looking at our options, partnering with Duo Security was a no-brainer. Duo combines modern two-factor authentication with advanced endpoint security solutions to protect your users from account takeovers and data breaches.
What does this mean for Xcentric Cloud users? There won’t be much noticeable difference to users except when logging into the Cloud. Duo adds one more step to the login process, but these extra few seconds a day add a second form of confirmation before users log into their Cloud accounts, making it highly improbable for someone to hack into the Cloud.
IT Partner Security Webinar Next Week
This is a reminder that the second installment of Xcentric’s IT Partner webinar series is happening next week. It’s not too late to sign up! Our Director of Consulting and a well-respected industry consultant, Roman Kepczyk, will thoroughly explain how firms are mitigating their risk and educating their people to be more savvy and safer users of technology.
This 3-part series focuses on helping IT Partners be better IT Partners to their firms. We have found in our years of serving accounting firms that oftentimes the partner in charge of technology didn’t necessarily volunteer for the role and/or is distracted by their ‘day job.’ This series will better position people for success in their role and, in relatively short order, will catch them up to speed on the trending and important topics in the industry.
Five Auditor Security Tips
Verizon’s 2016 Data Breach Investigations Report was recently released and the findings point to security risks and data breaches once again increasing in the year ahead. While this is bad news for those firms choosing to ignore or trivialize security, the report identified the key threats that account for the majority of breaches. Accountants can drastically reduce the risk of their firm becoming a breach statistic by following five guidelines:
Knowing specifically where client data resides allows firms to put data protection in place. When data is on local C: drives, USB flash drives, and data backup drives, security is dependent on the auditor complying with the guidelines, including using data encryption, an IT department requirement that accountants notoriously find painful to adhere to. In addition, most accountants are not good about physically locking their computer screens or securing their machines when they need to leave the working area to ask the client a question. So what is the solution? While automatic screensavers will block out peering eyes and cable locks will physically secure the laptop, not having any data on the local machine is the optimum protection. This means having all client data and applications stored centrally and accessing them remotely. This can be done either by the firm building or outsourcing to a private cloud (Citrix, Microsoft RDS), or by using the audit vendor’s cloud servers (Thomson Reuters AdvanceFlow, Virtual Office), so that no data resides on the local workstation. The added benefit is that all audit staff can access the secured data regardless of their location, which improves collaboration on assurance engagements while protecting the client’s data.
Xcentric Partners with Netwrix to Pass SOC 2 Audit
In preparation for our SOC 2 audit, we decided to partner with Netwrix (the first to introduce a visibility and governance platform that supports both on-premises and hybrid cloud IT environments) not only to pass the audit but also to better secure our clients’ data.
Netwrix Auditor is a visibility and governance platform that enables control over changes, configurations and access in hybrid cloud IT environments to protect data at rest regardless of its location.
Phishing and Hacked Passwords: Top Causes for Last Year’s Security Breaches
Verizon released their ninth annual Data Breach Investigations Report (2016 DBIR) last month, which reports on the major security breaches and the methods used by hackers to compromise businesses and governmental organizations. When it comes to hacking, organized crime syndicates lead the way with phishing email schemes, which were responsible for 89% of security breaches, followed by “state-affiliated actors,” which accounted for another 9% of attacks.
Phishing has moved on from the “good ole” days when clicking on the link would take you to an obviously fake bank site built to capture your login credentials. The 2016 DBIR study found that 70% to 90% of malware hitting an organization is “unique” to that organization, meaning that the hackers slightly modified the malware so that its signature hash would look like a NEW virus, even though the malware’s impact was the same (loading ransomware, capturing login credentials, etc.). This means that today’s stealthier version is usually customized to each company and tricks more victims into downloading a legitimate-looking invoice or RFP request.
New Resources: Mimecast Whitepapers!
Our Infrastructure team has been working hard on integrating Mimecast into our Xcentric Cloud offerings. Mimecast tremendously increases email security, making it extremely difficult to attack. We’ve gathered a few resources to help clients and prospects better understand what Mimecast does and how it works.
These whitepapers are all free and ready to download. Check them out!