It was Friday, March 14, and it had been an extremely bad week for Mr. Hapless of Hapless CPA. Mr. Unforgiving, the largest client at the firm, was sitting in the lobby waiting to meet with him. Mr. Hapless knew why. The whole week had been about disclosures — the disclosure of personal data from Mr. Hapless’ computers and the theft of personal client information. The FBI and State Police had been in the offices most of the week investigating.
“Fortunately, they are gone,” thought Mr. Hapless as he walked down the hall to the front lobby. The news media had moved on to another story in town. He was thankful for the focus shifting from him to someone else. The news media had been camped out in the parking lot waiting to pounce on any customers or employees coming into or leaving the office for comments about the disclosure of data, so Mr. Hapless had given most of the employees the week off. Not that the media could understand the issues facing the firm this time of year. All they wanted to know was how it happened and why the firm had been so careless with client data. No important work had been done this week; most corporate returns had to be extended even though some could have been completed if this issue hadn’t happened. This, by far, had been the worst tax season, and there was still a month left.
Mr. Hapless escorted Mr. Unforgiving into the conference room and asked him how things were going, but he knew full well the answer would not be good. Mr. Unforgiving hardly ever came into the office as he preferred to have his underlings take care of his dealings with Mr. Hapless.
Mr. Unforgiving began: “Happy (Mr. Hapless’s nickname), we have known each other for a long time, and it is a terrible thing happening to your firm right now. I really feel badly for you. You probably don’t know this, but the data thieves that broke into your computer system have not only obtained credit cards in my name, but they have also used the direct deposit information to liberate my bank account of $500,000. I am not happy about this situation, and as of now you are terminated as my accountant. I am taking my business to Able, Able and Kuntz. Fred Able will be contacting you on Monday to get the status on my business and personal tax matters.”
Mr. Hapless tried very hard to stay positive and keep a smile on his face. Mr. Unforgiving was his largest billing client and represented considerable revenue for his small firm. “Bob,” Mr. Hapless said, “is there anything I can do to change your mind?
I know this is bad, but I really thought I was protected; my outside IT person said the firewall I had was sufficient. I didn’t know that it wasn’t. Would you reconsider? We have known each other for a long time and that has to be worth something.”
“No,” said Mr. Unforgiving, “you have cost me considerable time and money already; and from what I have learned about identity theft, it’s going to take me several months to clean all this mess up. You should have been thinking more about your security instead of relying on your outside IT guy. See you around town.” With that, Mr. Unforgiving got up and walked out of the office.
Is the experience of Mr. Hapless typical in our profession? Fortunately, not yet! As accountants, we need to work diligently to keep it that way. While this story is fictitious, it does give us something to think about. How good our protection is at the Internet perimeter and how much vulnerability we have to an outsider’s intent on stealing computer information is a matter all public accountants have to address. The answer resides in how well we protect our networks from both inside and outside threats.
What is Enough Protection?
Risk is the primary issue related to assessing what is enough. How high is an accountant’s risk to data compromise and theft? Well, the threat is ever changing. As accountants, we need to prepare and continue to monitor our networks to threats both existing and new. We must continue to understand what is happening in the connected world of the Internet and make sure we are implementing state-of-the-art components. We must keep our client data safe and secure. Are we 100 percent protected from the professional hacker? Don’t bet the farm!
However, if we implement sufficient security in our firms, we should be able to make our firms less desirable to the professional hacker. Thieves don’t want to work too hard for their money so if you make it too difficult to get into your network without proper credentials, the professionals move on to easier targets. The non-professional will pass by a well-protected network entirely. The script-kiddies (those just learning to hack) do not have the skills to compromise a well-protected network so they pass by fairly quickly.
To reduce our risk, we need to implement good solid commercial firewalls and intrusion protection devices on our networks. The definition of good is a device that provides blocking of unauthorized Internet traffic, scanning of approved Internet traffic to ensure it complies with the protocols for that type of traffic, and monitoring logs of activity from our protection device to ensure that no unwanted activity is being detected.
What is the Proper Firewall?
Commercial firewalls are not the devices you find in the local Best Buy or Circuit City; those devices are designed for the consumer market and aim to minimize user support calls. This means that such devices are configured at the factory with settings that allow for more openings than what is desirable for a business. As a practitioner, it is unwise to use such consumer devices in your business because consumers have less risk of attack to their home computers. The consumer items are great for consumers, but not great for businesses.
Leading commercial firewall makers include Cisco, SonicWall and Microsoft. Cisco (excluding Linksys) and SonicWall make physical devices that act as a gate between the Internet and the internal corporate network by placing their device between the two network connections (WAN for the Internet and LAN for the internal network).
Microsoft’s firewall product, ISA Server 20xx (where xx is the year of issue), is a software firewall that will run on a standard Windows Server operating system. The last release was 2006, and a new release is expected this year. ISA server works in much the same way as a physical hardware firewall, but instead of a device you use a server purchased from a server manufacturer and install ISA on top of the Windows Server operating system. ISA Server is called a software firewall because it is independent of a physical piece of hardware. ISA server, when set up properly, separates the Internet (WAN) from the internal network (LAN) in the same way as a hardware firewall; it uses two network cards — one connected directly to the Internet provider’s link and the other connected to the Internal Network. This provides the same separation as the physical hardware firewall.
Why are these firewalls better than Linksys, D-Link, NetGear and all the other consumer-based firewalls on the market? While the consumer firewalls are more open, the SonicWall, Cisco and Microsoft ISA Server require specific configuration to allow the internal network to communicate with the Internet. This difference is the exact reason that commercial firewalls are better; they require the user to specifically allow the types of communication needed. Consumer firewalls are inexpensive and designed to be very much plug-and-play. Many of the more common communications protocols from the Internet are pre-configured to allow the communication whether the user has a need for that particular communication protocol or not.
This pre-configuring, while easy for the consumer, does little to provide significant protection for the business user. And finding and using an open communication protocol is an easy task for hackers. It’s even easier to do this on a computer infected with some type of malware such as a Trojan or spyware because most consumer firewalls allow an outgoing connection to create a reciprocal incoming connection. The commercial firewalls will not allow an incoming connection to be created unless it is specifically allowed in the firewall policies. This difference in allowing incoming connections is what separates the commercial firewalls from consumer firewalls.
What Should You Do?
If you are running a consumer-based firewall, you should seriously consider upgrading this device to a commercial firewall because you are barely protected. With the valuable data you hold, you are a sitting duck for someone to pluck out the information and sell it. If you are running a commercial firewall that happens to be several years old, you might consider an upgrade this year. If you are running a commercial firewall and it is less than 18 months old, you are right where you should be in terms of security.
Not sure where you are? Armed with this article, you need to talk with your IT person and ask them some pointed questions about the type of firewall installed, how old it is and when it was last checked for updates. It you find a consumer-grade firewall, you need to have a discussion with your IT person about why they are using a consumer device in a business that needs a commercial device to protect its data.
Deep-Penetration was never caught for compromising the systems of Hapless CPA and selling the information to other hackers. She made over $400,000 selling all of Hapless CPA’s client data to ID-Me. As for Hapless CPA, after his largest client left, several others followed. Mr. Hapless ended up selling his firm to Abel, Able and Kuntz for one-third the price he would have received had his data not been stolen.
While the events described in the hacking incident have fortunately not yet happened to a public accounting firm, the scenario is something that could happen if firms do not take proper precautions to protect their data. Every day, criminals use the Internet to obtain stolen credit cards, social security numbers, ACH information, and other personal information that they, in turn, sell to other criminals via the Internet or use for their own benefit to obtain money from the unsuspecting.
Protect yourself with a commercial firewall, and don’t let what happened to Mr. Hapless happen to your firm. If you are using a consumer-grade firewall, work with the technical people who help your firm to implement a commercial-grade firewall. It is important to lock and deadbolt the door to your house, so make sure you do the same for the data stored on your network. Not securing your data is an invitation to identify thieves and hackers to break into your network and steal information. Don’t become a victim.