It seems like not a day goes by without news of networks being breached and data hacked. One of the most recent, the SolarWinds hack, led to breaches within multiple areas of our government, while individual ransomware attacks on vital parts of our economy, including entire towns and hospitals, are being reported more and more frequently.
Given the chaos that the COVID-19 pandemic has caused through 2020, and with no quick resolution in sight, the last thing you need is for your practice to be hacked or held for ransom. But the plain truth of the matter is that the need to work remotely, fueled by the coronavirus, has made your practice and your clients more vulnerable than they were in the past.
“The rash of lucrative ransomware attacks over the past year pointed to organized hacker groups specifically targeting medical, legal and accounting businesses where they could not only invoke the ransom but also steal a treasure trove of client/business information,” said Roman Kepczyk, director of firm technology strategy at Right Networks. “This allowed the hackers to threaten to release confidential client information or intellectual property if the ransom was not paid. In addition to using the personally identifiable information to fraudulently file tax returns and instigate identity theft, in some instances the hackers contacted clients of the firms for further extortion, threatening to release confidential, compromising or embarrassing information.”
Obviously, protecting your systems and data from outside intrusion is important. But even more important is protecting your clients’ systems and data. And the fact that many of us are working from home, and will likely continue to do so, at least part-time, for the foreseeable future, only increases the risk of exposure.
The steps you can take range from very basic to ultra-sophisticated. Your first lines of defense are great backup procedures and using a good anti-malware application. But these are just the beginning. You need to take active measures to protect your systems, whether they are in your physical office, or your office on the kitchen table.
It takes two
Two of the most common and easiest security measures to implement are two-factor authentication and encryption. While two-factor authentication can be a bit annoying, having to enter both a password and a verification code sent to an email account or messaged to a mobile account significantly reduces the chances of a breach if someone is able to get hold of your password.
Stronger passwords with greater security are also a must. Too many are still using weak passwords such as the names of their spouses, children or dogs, or even “Password123.” Many remote applications are now insisting on stronger passwords containing upper- and lower-case letters, numbers and special symbols. But keeping track of these, especially when they are different for every application, is a major concern for many users. If this is the case with your practice, there are several ways you can use difficult-to-guess passwords and still not have to write them down to remember what they are for each application.
The most common of these is to use a password manager that tracks your passwords and inserts the proper difficult-to-remember password into the appropriate application. Popular password managers include 1Password and LastPass, but there are plenty of similar applications for PCs, Macs, smartphones and tablets.
Another alternative is to use a hardware authentication key that plugs into a USB-A oe USB-C port or provides NFC (near field connectivity — the technology used in tap-and-pay credit cards and some phones) to work with mobile devices that incorporate this feature. One popular key is offered by Yubico, though they are far from the only vendor.
“The YubiKey provides users with a hardware-backed strong multifactor authentication solution that has a proven track record for protecting accounts,” Chad Thunberg, chief information security officer at Yubico, told us. “Not every service provider or application — including some of the popular accounting software suites — have yet adopted the FIDO [Fast IDentity Online] authentication standards that we use for the YubiKey. However, many of these applications support using a single sign-on [SSO] identity provider that does support the use of YubiKeys. To get started, users can enroll their YubiKey with their favorite identity provider (e.g., Google, Apple or Microsoft) and then use that identity provider to log onto their accounting software. I took a brief look at some of the popular offerings, and FreshBooks, QuickBooks Online and Sage Accounting all support SSO.”
Most hardware authentication keys support the major security standards including one-time passwords (OTP), Smart Card, OpenPGP, FIDO U2F (universal second factor), and FIDO2.
Encryption is yet another option that you should be aware of. Richard Kanadjian, encrypted USB business manager at Kingston Technology, pointed out that, “Encryption basically means that if you encrypt the data on that USB drive and you lose it, the probability that somebody can actually retrieve that data is actually infinitesimal. It’s actually almost zero. And the reason is we have password controls. For example, you have a password or a pin for your USB drive and our encrypted drive will only let you enter the password 10 times. So, if you enter it more times and if somebody’s guessing, the drive will literally wipe its contents and erase the data. You will actually not have any data to be exposed to a breach.”
Keeping the data for your applications on an encrypted drive is a usable approach, but keep in mind that the data on an encrypted drive should be backed up to a secure location, be it the cloud or a second encrypted drive, just in case the encrypted drive containing important data is lost or stolen.
You should also be very aware of where you are using your laptop. Too many people go down to the local coffee shop or library, where the internet is freely available, and don’t take reasonable precautions against infections and intrusions. Infecting the routers at these locations with malware is becoming very common, and the compromised internet at these locations can infect hundreds or even thousands of the systems being used there, as well as any networks that the infected systems are then attached to.
“One of the biggest concerns that we are seeing is so many employees were forced to work from home and all of a sudden they’re sitting on networks that are outside of the control of corporate IT,” Stephen Lawton, special projects editorial director at SC Media, pointed out. “If you let the employee simply use their home systems and their home networks without any IP control, quite frankly what you’re going to get is BYOD — not ‘Bring your own device,’ but ‘Bring your own disaster.’ The lack of security controls on most home networks is really quite astounding. Many people have never updated the firmware and their routers. They’ve never put any kind of security controls or software on their systems. If you’re going to have your workers working from home, the practice really needs to invest in laptops specifically for that purpose, that have security controls built into them. At the minimum you need some enterprise-class antivirus, anti-malware anti-ransomware software. You should also have the systems going over a virtual private network back to a home base. VPNs are certainly not foolproof, but they’re better than not having anything at all, or just going through the employee’s personal network.”
Your face and your printer
Biometrics as a password substitute are also becoming increasingly common. No, you don’t have to have a retina scanner mounted on your PC or laptop, though it would hardly be surprising to see something along those lines using the almost-ubiquitous webcam in the near future. But while retinal scanners have been around for years, along with the handprint readers often seen in movies, they are pretty much relegated to very high security installations with equally high security budgets and resources.
But real, usable, biometric roadblocks to unauthorized network and device penetration have been available for years. Fingerprint readers, especially in laptops, are common these days. And both the iOS and Windows operating systems have facial recognition capabilities that can not only serve as an alternative to system passwords, but in many cases can also be used as passwords to sensitive applications such as bank and credit card accounts.
This is a handy inroad to your sensitive systems and applications, but is somewhat blunted by the fact that most of the facial recognition capabilities at the entry level, such as those included in the operating system, require that the entire face be visible to provide authentication. Wearing a mask, a necessity out in public or in your office these days, often defeats this handy sign-in method.
One area of vulnerability that’s been getting more attention recently are devices connected to the Internet of Things — components, such as printers and multifunction printers, that are connected to your network and also have their own pathways into the internet. Most of us are familiar with threats such as phishing and embedded malware, but there is another route into your network that you may have not considered.
“A lot of times the network perimeter has, in the past, been used as a way to secure devices.” Shivaun Albright, chief technologist of print security at HP, pointed out. “And in this day and age, with email, phishing attacks, clicking on something, any type of email or link, you cannot guarantee that your interior perimeter network is secured. You just can’t. And one of the things that we’ve seen, in fact last year, was an article from Microsoft in August of 2019. They had highlighted that they had caught Russian state hackers using IoT’s breached networks. And, by the way, they found that devices that had been hacked were Voice over IP phones and office printers.”
Clients are targets, too
There’s obviously a lot more to look at security-wise than what is covered here. And, as with many aspects of technology, IT security is a moving target — what’s true and secure today might be vulnerable tomorrow. Developing the expertise and knowledge to deal with the new threats that emerge every day is not only an ongoing process, but one that can be difficult to maintain and expand, which is yet another good reason to examine the practices and protocols in place in your practice and at your clients’.
Protecting your and your clients’ data is not only a fiduciary responsibility, it’s also good business practice. “Firms that have been breached will not only have to deal with a damaged reputation, but can expect to see client churn and having to deal with ongoing litigation from clients that were impacted,” warned Kepczyk.
It takes time and money to build expertise in this area. And even after an extensive immersion in security, it’s likely that you still might not have the experience to know just how to determine where your practice’s vulnerabilities are and how to address them when you do discover them.
One approach suggested by Randy Johnston, executive vice president of K2 Enterprises, that is especially applicable if you outsource some or all of your IT support, is to “choose reputable IT providers that understand and implement best practices for security to help your internal IT staff. While security risks morph over time, the provider must actively respond to new threats and continuously adjust their security protocols and technical setup to protect your firm.”
And Kepczyk added, “Employee training is critical, particularly in regards to phishing threats, which account for the entry of the vast majority of breaches, so we suggest you outsource that to third parties such as KnowBe4, PhishMe, Wombat Security, etc., that will do phishing testing and employee training.”
If you’re thinking of expanding your practice into this growing area of concern, or just want to better educate yourself, Jim Bourke, a partner and managing director of advisory services at Top 100 Firm WithumSmith+Brown, has a few suggestions on getting started. To start, “I would highly recommend getting your hands on the AICPA cybersecurity risk management reporting framework.”
Bourke added, “I would discuss the AICPA’s ‘SOC for Cybersecurity’ engagement with your clients. At Withum, we are all over that space. As CPAs, only we can issue a ‘SOC for Cybersecurity’ report! There is huge demand for this type of deliverable today. The AICPA has classes and workshops in this space, allowing any CPA to gain the knowledge and expertise that they need to perform these services.”
But whether or not you decide to add security consulting to your practice or partner with a company that has expertise and reputation in that area, keep in mind that the very last thing you want to tell a client is that you had a data breach, were hacked, or that your system is locked due to ransomware. A good backup strategy is a necessary first step, but where you go from there is going to determine just how secure your ongoing livelihood is going to be. And while there is no such thing as perfect security, you need to be aware of where you are vulnerable, and take steps to strengthen those areas of your procedures and practices.