Mandatory Firm Security Briefings
Earlier this year, we met with two members of the IRS Criminal Investigation unit who shared that between three and five accounting practitioners are getting hacked every single day. With all the awareness of data breaches, security threats, and ransomware, one would think accountants would make security a priority, but many believe either that their firm is not interesting enough to be a target or that they are not at risk because their IT personnel are “taking care of it.”
The latest Verizon Data Breach Investigations Report (DBIR) and Identity Theft Resource Center findings show that both of those assumptions are wrong. Accounting firms are being targeted specifically because of their access to tax applications and client data, which can be converted to cash quickly (for example, by filing fraudulent returns or redirecting refunds), and because many accountants take a somewhat lackadaisical attitude toward data security, which makes them easier targets. We have found that firms can hire IT resources to successfully secure their networks, maintain system/workstation patches, and provide antivirus updates, but most neglect their greatest exposure: untrained firm personnel.
Most firms will introduce a new hire to the firm’s security policies outlined in the employee handbook, but more often than not, those policies have not been updated in many years and staff have not been reminded about security since their initial onboarding. For this reason, we feel it’s important that firms mandate annual IT security briefings for all personnel to educate them on the latest cyber security threats, the warning signs of being hacked, and how to respond if they suspect a breach.
The 2017 DBIR found that 81% of hacking-related breaches leveraged stolen or weak passwords, which underscores the importance of requiring passwords that are long and hard to guess. Many providers still require a change every 90 days; note, however, that NIST’s SP 800-63B guidance (2017) no longer recommends forced periodic changes, preferring long, unique passwords that are screened against lists of known-breached passwords and changed promptly whenever compromise is suspected. It’s also important to educate users not to use the same password, or a close variation of it, for multiple accounts. Attackers routinely break into one website or vendor system and then try each stolen email/password pair against other services (credential stuffing) to take over accounts. The best defense against a single compromised password is multi-factor authentication (MFA), which requires anyone logging in to prove they are the intended user with a second factor: a one-time passcode sent by text message to their phone, a prompt or code from an authenticator app, a hardware token, or a biometric such as a fingerprint, face, or iris scan. Text-message codes are the weakest of these (phone numbers can be ported or intercepted) but are still far better than a password alone. Biometric verification has been slow to roll out on a firmwide level, so two-factor tools such as Duo, RSA Security, and Symantec VIP currently tend to be more viable and cost-effective solutions for accounting firms.
Employees also should be trained to be skeptical of unexpected emails that carry a malicious attachment or link. These phishing emails are the most common entry point into the majority of firms that have been compromised. They can appear to come from a client, a vendor, or even someone inside the firm, and they make an “unexpected and urgent” request to open an attachment, click a link, send information, or wire funds. Cyber criminals have been known to compromise travel websites and personal calendars, and to watch social media, so that they can time a request to send information or wire funds for when the person being impersonated is traveling and cannot easily be reached. Employees should be reminded of these threats regularly. Services such as KnowBe4, PhishMe, and Wombat Security run simulated phishing campaigns to test personnel and train them to be skeptical and respond appropriately. Firms would do well to reinforce the message around the holidays, when fake package-delivery notices, gift-card requests, and unrealistic discount scams peak, and during tax season, when tax-themed scams take off.
Personnel should also be made aware of how attackers use social engineering to get firm members to divulge information that can be used to compromise the network or to craft more convincing phishing emails. Staff need to be reminded that Microsoft and the IRS will never call or email personnel asking them to log in to or update their accounts, download a file, make a payment, send W-2 information, and so on, and that any unfamiliar person making such a request should be treated with suspicion and the request verified through a known phone number or contact. Firm members should also be trained to greet unknown people roaming the office and to accompany them to their intended destination so that it can be verified they are authorized to be there.
Unfortunately, employees are human and will inadvertently click on links without realizing they have caused a breach. Some warning signs, such as a ransomware note that locks the user out, are obvious; others are subtle, so users also need to be taught the signs that their workstation may have been compromised. Because tax applications are a primary financial target, firms should review the status of filed returns daily to see whether any were processed without their knowledge or whether any bank account details changed just before electronic filing. Other warning signs come from changes in workstation behavior. If personnel notice their computer slowing down or see that it is connecting to the Internet while idle, they should ask IT to investigate. The same goes for new toolbars appearing in the browser, being redirected to unexpected websites, or the cursor moving on its own. Other signs include passwords that stop working, security or virus warnings, and peers reporting odd emails coming from the user’s account. Public websites such as StaySafeOnline.org maintain listings of current threats and can be used by the firm to build an annual security briefing.
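The cues described in the two paragraphs above (lookalike sender, mismatched Reply-To, failed sender authentication, “urgent” money or W-2 requests, links whose visible text does not match their destination, and risky attachments) can be checked mechanically before a message reaches a user. The following is an added example written for this page, not code from the original article or from any of the vendors it names: a small Python triage script that scores a raw email against those cues. The message it builds is constructed for illustration; every address, domain, and file name in it is made up.

```python
"""Phishing triage: score a raw email for the warning signs in the briefing.

Added example, not code from the original article. The message built in
build_sample() is constructed for illustration; every address, domain and
file name in it is made up.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser

# Phrases that signal the "unexpected and urgent" request the article warns about.
URGENCY_WORDS = ("urgent", "immediately", "wire", "w-2", "verify your", "suspended", "gift card")
# Attachment types that commonly carry malware (scripts, archives, macro documents).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".zip", ".docm", ".xlsm")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _addr_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _url_host(text):
    """Host of the first http(s) URL in text, or '' if there is none."""
    m = re.search(r"https?://([^/\s:?#]+)", text, re.I)
    return m.group(1).lower() if m else ""


def analyze(raw):
    """Return a list of warning signs found in a raw RFC 5322 message; [] means nothing flagged."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _addr_domain(from_addr)

    # 1. Display name advertises an address whose domain differs from the real sender.
    m = re.search(r"@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name claims {m.group(1).lower()} but sender is {from_domain}")

    # 2. Replies are silently routed to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _addr_domain(reply_to) != from_domain:
        findings.append(f"Reply-To {_addr_domain(reply_to)} differs from sender {from_domain}")

    # 3. The receiving mail server recorded an SPF/DKIM/DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror|temperror)\b", auth):
            findings.append(f"{mech} check failed at receiving server")

    # 4. Urgency or money language in subject or body (whole-word match).
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = sorted(w for w in URGENCY_WORDS if re.search(rf"\b{re.escape(w)}\b", text))
    if hits:
        findings.append("urgency/financial language: " + ", ".join(hits))

    # 5. Link text shows one site while the href points at another.
    if body_part is not None and body_part.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(body)
        for href, shown in extractor.links:
            shown_host, real_host = _url_host(shown), _url_host(href)
            if shown_host and real_host and shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")

    # 6. Attachments of a type that commonly carries malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    return findings


def build_sample():
    """Constructed lookalike-sender wire-fraud message that trips every check above."""
    m = EmailMessage()
    m["From"] = '"Pat Lee (pat@firm.example)" <pat.lee@firm-example.co>'
    m["To"] = "staff@firm.example"
    m["Reply-To"] = "pat.lee@mail-drop.example"
    m["Subject"] = "URGENT: wire transfer needed before noon"
    m["Authentication-Results"] = ("mx.firm.example; spf=fail smtp.mailfrom=firm-example.co; "
                                   "dkim=none; dmarc=fail header.from=firm-example.co")
    m.set_content(
        "<html><body><p>I am travelling and need this wired immediately. Approve it here: "
        '<a href="http://firm-example-login.co/approve">https://portal.firm.example/approve</a>'
        "</p></body></html>",
        subtype="html",
    )
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="wire-details.zip")
    return m.as_string()


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print("-", finding)
```

Running the script prints seven findings for the constructed message, one per cue. A clean internal message with passing SPF/DKIM/DMARC and no money language produces none. The checks are deliberately simple heuristics for a training context; a mail gateway would add reputation and sandboxing, but these six cues are exactly what the briefing asks employees to notice by eye.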
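When a user reports the “connecting to the Internet while idle” sign, the IT person’s first question is which process owns the connection and whether that process looks legitimate. The following is an added example for this page, not code from the original article: a Python script that joins a `netstat -ano` snapshot with a PID-to-path table (as `Get-Process | Select-Object Id,Path | ConvertTo-Csv -NoTypeInformation` produces on Windows) and flags established connections to non-internal hosts, rating higher any whose owning binary runs from a user-writable folder, borrows a Windows system-process name outside C:\Windows, or uses an unusual port. Both snapshots are constructed; the PIDs, paths, and “Acme Tax” program are made up, and 203.0.113.x / 198.51.100.x are documentation addresses standing in for Internet hosts.

```python
"""Workstation triage: flag suspicious outbound connections from collected snapshots.

Added example, not from the original article. NETSTAT_SAMPLE and PROCESS_SAMPLE
are constructed stand-ins for `netstat -ano` and `Get-Process` output; no real
machine was captured.
"""
import csv
import io
import ipaddress
import re

# Constructed `netstat -ano` output in Windows format (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     4212
  TCP    192.168.1.20:49812     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49901     203.0.113.7:443        ESTABLISHED     5320
  TCP    192.168.1.20:49933     198.51.100.23:8080     ESTABLISHED     7788
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    1504
"""

# Constructed PID -> image path table, as
# `Get-Process | Select-Object Id,Path | ConvertTo-Csv -NoTypeInformation` emits it.
PROCESS_SAMPLE = """\
"Id","Path"
"4",""
"912","C:\\Windows\\System32\\svchost.exe"
"4212","C:\\Program Files\\Acme Tax\\acmetax.exe"
"5320","C:\\Program Files\\Mozilla Firefox\\firefox.exe"
"7788","C:\\Users\\jdoe\\AppData\\Roaming\\Upd\\svchost.exe"
"""

# Address ranges that are expected for intranet, loopback and link-local traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Folders an ordinary user can write to; legitimate firm software rarely runs from them.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
# Names malware borrows to blend in; genuine copies live under C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
EXPECTED_PORTS = {80, 443}


def parse_netstat(text):
    """Return the TCP rows of `netstat -ano` output as dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, UDP rows and blank lines have a different shape
        _, _local, remote, state, pid = parts
        host, port = remote.rsplit(":", 1)
        rows.append({"pid": int(pid), "remote_ip": host.strip("[]"),
                     "remote_port": int(port), "state": state})
    return rows


def parse_processes(csv_text):
    """Map PID -> executable path from the two-column CSV."""
    return {int(r["Id"]): r["Path"] for r in csv.DictReader(io.StringIO(csv_text))}


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def flag_connections(netstat_text, process_csv):
    """Flag established connections to non-internal hosts and say why each looks suspicious."""
    procs = parse_processes(process_csv)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED" or is_internal(c["remote_ip"]):
            continue
        path = procs.get(c["pid"], "")
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        reasons = []
        if not path:
            reasons.append("owning process no longer running or path unavailable")
        if USER_WRITABLE.search(path):
            reasons.append("binary runs from a user-writable folder")
        if name in SYSTEM_NAMES and not lower.startswith("c:\\windows\\"):
            reasons.append("Windows system process name outside C:\\Windows")
        if c["remote_port"] not in EXPECTED_PORTS:
            reasons.append(f"unusual outbound port {c['remote_port']}")
        findings.append({"pid": c["pid"], "path": path or "<unknown>",
                         "remote": f"{c['remote_ip']}:{c['remote_port']}",
                         "severity": "high" if reasons else "review",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_connections(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(f"[{f['severity']}] pid {f['pid']} {f['path']} -> {f['remote']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed snapshots the browser’s connection on port 443 is listed as “review” (an analyst still confirms the user was browsing), while the `svchost.exe` running out of the user’s AppData folder on port 8080 is rated “high” on three counts. The snapshots should be collected before the machine is isolated or rebooted, which is why the incident steps later on this page insist the workstation be left powered on.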
Get Into Action
The final component of an employee security briefing is to make sure firm personnel know what to do if they suspect a breach. The first step is to disconnect the workstation from the network by unplugging the Ethernet patch cable from the computer; users on wireless should be shown how to turn Wi-Fi and Bluetooth off. Isolating the machine stops ransomware from reaching network shares and cuts off an attacker’s remote control. The user should then contact their IT person and write down the sequence of events that caused concern, including any email or link involved. It is also important that users leave the workstation powered on and do not try to clean it up themselves (no antivirus scans, uninstalling programs, or deleting files), so that IT can run diagnostics, capture the running processes and network connections that are lost on reboot, and back up any files that may be needed later.
While there is no 100% effective way to protect a firm from a cyber-breach, having a proactive IT team managing system security updates and requiring that all personnel be trained on current cyber security threats will go a long way in reducing the odds of that firm becoming an unfortunate statistic.
This article was originally published in Thomson Reuters Checkpoint: The PPC Accounting and Auditing Update. Copying or distribution without the publisher’s permission is prohibited.
Xcentric Security Stack (Part 2)
*Read Part 1 here.
The next layer of security that protects the Xcentric Cloud exists at the data center and in the data center firewall. Enterprise-level firewall devices regulate the flow of data in and out of the network. Advanced physical security measures are also employed to ensure that only verified personnel have access to the servers. These include a single point of entry, around-the-clock security guards, biometric scanners, and closed-circuit cameras. High levels of physical security make it virtually impossible for a criminal to steal a physical copy of a firm’s data from the data center. You can read more about the Xcentric data center here.
Xcentric Security Stack (Part 1)
Enterprise Multilayered Defense
In the threat-filled environment that CPA firms operate in, what is the best way for a firm to protect its network? It would be great if there was a single easy answer or a single software solution to ensure that firms never have to worry about data security again. Unfortunately, it’s not usually that simple.
Secure data in a secure network is the single desired outcome that everyone can agree on, but the best way to arrive there is not often clear. This can be a complicated question to answer because there are many different ways that networks can be compromised. If every attack was carried out in exactly the same way, cyber defense would be easy. Unfortunately, criminals are both motivated and smart, and they are constantly looking for new and innovative ways to break in and take what is not theirs.
New Resource: CPA Cyber Security Video
Earlier this month, our Director of Consulting, Roman Kepczyk, presented a webinar on CPA Cyber Security. We know that there are several resources right now around this topic, but this resource is specific to CPA firms within the U.S. Roman works with major accounting associations and has consulted for hundreds of CPA firms for decades, so he really knows the industry and has seen it all.
CryptoLocker 101: What You Should Know About Ransomware
*Note: CryptoLocker is the name of a specific ransomware family, first seen in 2013 and still the best known. The name is now commonly used for file-encrypting ransomware in general, and that is how it is used in this article.
Although you may have antivirus software on your workstation (by “workstation” I mean your local machine), this doesn’t always protect you from CryptoLocker: new variants are released faster than antivirus signatures are updated. In this article, you’ll find what you need to know to help keep your machine, data, and firm secure.
How do firms get CryptoLocker on their workstations?
CryptoLocker is malware that users are tricked into installing on their machines. Typically it arrives through an email attachment or a website link. For example, an attacker might send a mass email to “Bank of America customers” (since so many people have accounts there) prompting them to click on a link to update some information. In the worst cases, all it takes is opening an email attachment or clicking on a link within an email to install the malware. In other cases, the user is prompted to do something, e.g. install an update for a familiar program, when in fact the user is installing the malware. Once installed, CryptoLocker encrypts files on the local hard drive as well as files on any network share the user’s account can write to, which is why a single infected workstation can take down a firm’s shared documents.
CPA Technology Disrupters
The rate of technological change within accounting firms over the past three decades has been astounding. Each new wave of hardware and applications was initially met with skepticism until pioneering firms proved those tools were more effective and made their firms more profitable, raising the bar to new standards in optimizing CPA firm production. While many firms are still transitioning to today’s standard of integrated tax and audit suites running securely in the cloud, the next waves of technology disruption are already in play. Along with the influx of foreign applications, new methods of data ingestion and big data analytics, the concepts of artificial intelligence, cognitive computing and blockchain/distributed ledgers are already proving successful in commercial business, meaning that CPAs need to explore them not only to service clients, but to understand how they can be used to improve their own productivity. Below we discuss a handful of technology disrupters that accountants should be aware of today.
Are you doing background checks on your vendors and/or their owners?
Many of us are stringent when it comes to hiring people. We all want good people! We all make certain assumptions on what “good people” equals, but we use a background check to make sure our gut about these people matches what their records show. As a firm dealing with sensitive data, it’s important to look at credit reports and run background checks on employees. This is not a hot take, and I am sure you agree with me. Yes, in some cases people definitely have learned lessons and deserve a second chance; this is your firm’s call.
Your Firm’s Weak Link – You and Your Co-workers
The greatest security threat to your firm is not on the outside but on the inside. You know this by now – it’s been preached ad nauseam over the last few years, but what are you doing about it?!
You have technology in place to help you curb threats from the outside world (firewalls, two-factor authentication, etc.) but ultimately, the people of the firm are the last line of defense for anything that gets through.
Are you training? Are you running background checks? Do you have a process for hiring/firing employees when it comes to technology?
New Security Webinar Available for Cloud Clients
Hey Xcentric Cloud clients, check out this new training video in our knowledge base and learning platform (Xcentric Learn), exclusively for our clients. Watch this thirty-minute video as our Director of Consulting, Roman Kepczyk, walks through security threats to your firm and how to prevent a breach/attack.