Skip to main content

Accounting

Security Issues That Stop You in Your Tracks

Someone in your firm needs to be literate on security and managing your risk. The number of security risks are increasing.

risk-management-framework1_10982353

From the August 2013 digital issue.

Someone in your firm needs to be literate on security and managing your risk. The number of security risks are increasing. This article won’t be a comprehensive list of risks, but a good reminder of fundamentals that need to be done by all firms. Being realistic about mitigating security risks will notably reduce your exposure and prevent unnecessary expenses.

You will probably need to get some professional help to implement some of the ideas that we discuss, and others simply will take good procedures, diligence and consistency. Again, the intent is not to name all risks, but to provide a reasonable checklist that you can use to improve your firm’s safety.

When you reflect on your risks, think through the security issues like you might be working a business continuity or disaster (BC/DR) plan. Frankly, many security risks should have responses as part of your BC/DR plan, but we’re betting most of you don’t have an active, updated BC/DR plan.

What are some risks? What can we do about it?

Let’s consider the impact of some risks in your office. Don’t take this table as comprehensive, but as an example of what can happen. This list only contains items that we know happened to CPA firms in the past twelve months. For that matter, update this list to fit your own view of the risks. Add risks that keep you up at night. Note also that this list is focusing primarily on security items, not other elements of a BC/DR plan, such as losing power, weather impacts or having a hard drive crash.

Recall that breach reporting rules are in force in almost all states. Our standard rule to eliminate breach reporting is to encrypt all devices everywhere and have passwords or pin codes on them. However, if you have an incident, you should contact your legal counsel, followed closely by legal authorities and your insurance company. Consider the following:

Risk

Response

Impact

Reportable?

Firewall doesn’t block intruders

Power down

No internet access until repaired

Yes

Wireless access compromised

Reinstall with proper security

Network resources used by unauthorized people

Yes

Cleaning crew uses your network

Change services

Maintenance personnel might have accessed client records

Yes

Partner loses tablet or smartphone

Remotely wipe the entire device

Possible loss of data not copied yet

Yes

Office Break in and computers are stolen

Call legal counsel and insurance provider

Loss of data, productivity, loss of image

Yes, if hard drives not encrypted

PDF sent via email that is not encrypted

Review procedures with team member

Data of that client is compromised.

Yes, if it has SS# or Fed ID involved.

Virus infection

Power off all equipment, disconnect all network cables. Run clean-up software.

Probable extended outage involving a day or more. Strong likelihood that some computers will need to be wiped clean and reinstalled.

No

Key logger malware makes it through your defenses

Network will run slower, and you may not notice it for a while. Clean as soon as found.

High probability that much client and banking information has been stolen.

Yes

Social network site infects a computer

Power off computer, disconnect all network cables. Run clean-up software.

Possible loss of data on computer. Some infections access network data.

Maybe. Discern if the infection had access to your network. If not, no. If you are not sure, yes.

Cloud provider is attacked with a Distributed Denial of Service attack

Data center is shut down

You’ll be unable to use your normal cloud services until service resumes. Have manual process ready.

Maybe, but that’s the data center’s financial responsibility in most cases, not yours.

Email account is compromised

Change password. Consider if this needs reported to legal authorities.

Client information could have been sent, or the email could have been used for illegal or illicit purposes

Maybe. Assess if emails had access to client info. If so, yes.

Your domain name is stolen

Contact domain registrar to resolve.

Web site, email and other internet services won’t be available for up to 72 hours after resolved.

No.

Social Engineering Attack

Contact legal counsel. Instruct team members on how to respond to requests.

Client information is likely breached.

Yes.

Infected PDF file received

Power off computer, disconnect all network cables. Run clean-up software.

May take one computer or your entire network down.

Maybe. Determine the type of virus and discern if client information was accessible.

End user clicks through a link and installs a fake anti-virus

Power off computer, disconnect all network cables. Run clean-up software.

May take one computer or your entire network down.

Maybe. Determine the type of virus and discern if client information was accessible.

The firm’s web site is taken over and offensive content is placed on your site

Shut down the web site. Repair the content. Try to determine how the compromise occurred.

Professional image damage.

No, unless the web site granted access to your portals or other client information. If so, yes.

Bank account of the firm is compromised and a large transfer out is made

Contact bank to resolve. Be prepared to contact legal counsel.

Money may be permanently gone.

No.

Client confidential data is compromised by team member.

Instruct on appropriate procedures, contact legal counsel.

Possible loss of client and/or reputation.

Yes, to client.

Vendor loses control during a breach of debit cards that you use for your payroll service

Request new cards and distribute along with instructions to end-users

Possible loss of client and/or reputation.

Yes, to payroll clients.

Shooting occurs inside your firm

Call emergency personnel and police.

Possible loss of life and reputation.

No.

Patches not installed on Microsoft software

Update patches.

Possible security compromises and infections.

Yes, if client information was compromised.

Anti-virus update keeps applications from running

Try using a prior restore point. Otherwise reload machine.

Loss of productivity.

No.

Client transfers files via the portal that has viruses

Clean infected machines/network. Teach team member the appropriate transfer methodology. Discuss issue with client

Lost time.

No

Again, this table was not intended to be comprehensive, but simply examples. We have to put our firms in a position to protect against common security problems.

So, What Should You Do About This?

First, you can solve some of these issues by better procedures and training. Many security breaches could have been avoided if team members had just not clicked through a link, read a message or copied a file. Consider your policies related to BYOD technologies, using public or client network connections or copying files from USB, hard drive or cloud sources.

Second, you can solve some issues with the appropriate software. Open license Microsoft Windows so you can use BitLocker encryption. Alternatively consider encryption products like PGP or Tru-Crypt. Make sure that your software providers have great security. For example, ShareFile and SmartVault are portal and file transfer products that have strong encryption in motion and at rest. Consider an email encryption product like Zixmail or Secured Accountant.

Third, remember that the best security is physical security. Even though you may be practicing in a safe, small town, consider what physical security makes sense. Many firms have chosen to lock all doors from their lobbies back into the practitioner’s office spaces. Others have implemented automatic lock systems on certain doors. Everyone should have their computer server room locked. Motion sensing, night vision cameras can be installed over all doors and the lobby waiting area.

Finally, recognize that most security issues have at least some level of soft cost and lost productivity. When reportable breaches occur, it costs money to notify and monitor the losses. Some firms have purchased CyberSecurity insurance for this purpose. What can you do to mitigate the risk of a security issue in your firm?

 

 

See inside August 2013

Tremendous Growth Spurs Future-Focused Firm to Up their Technology Ante

How the firm of Knutson CPA, PLLC handled a growth explosion with tech-savvy confidence

Previous

Change Management Doesn’t Work – Change Leadership Does

So the question for you is not about how you manage, but how you lead your firm and your clients to better success. Missing from all the talk about moving to the cloud are two key questions: What is the vision, and what is the roadmap?

Next