2014 was a banner year for hackers. Credit card numbers, Social Security numbers, and other personal data points were stolen by the millions. Identity theft was rampant, and Sony Pictures suffered both embarrassment and financial loss from having unreleased films posted on the Internet and many of its internal e-mails, thought to be private, publically displayed.
Sure, it's certainly unlikely that your practice could suffer that kind of attack or intrusion, but could your firm survive if it did? How would your clients react if their privacy was breached? Regardless of the legal implications, could your practice's reputation survive a cyberattack?
As banks, Home Depot, Target, Sony and others have found out, there's no way to make your practice's critical data impenetrable. One unhappy employee with unrestricted access can do unimaginable damage, as the National Security Agency learned with Edward Snowden. The best you can do is make it as difficult as possible for unauthorized individuals to gain access to your and your clients' information.
HALT ... WHO GOES THERE?
Passwords are an obvious security measure. They've been used, not always successfully, for thousands of years to verify identity. Accounting software has been password-protected to one level or another since its inception. Today's accounting and other financial software often contains multiple password capabilities so that individual staff members can be allowed access, or barred from access, to specific operations.
The use of passwords is only a first step, but in order to follow this line of security further, you have to start with actually using them. That means on every device you have that offers password protection. Every staff member should have their phones, tablets and laptops password-protected and locked when they aren't actually using them. Both Windows and OS X offer sign-on passwords and can be set to require a password when returning from a screen saver or sleep mode.
When available for applications and services, use multiple layers of passwords or two-factor authentication. This last method is most often used by banks and other financial institutions such as credit card companies, and requires a password and then an answer to a security question that you've provided when setting up the account, like "What was your first dog's middle name?" Two-factor authentication is not usually something that you can set up on your own applications, but if it's offered by a vendor -- use it.
Current thinking is that you should have individual, different complex passwords consisting of letters, numbers and symbols for every account and application that requires one. Considering how many passwords that would require most of us to generate, it's completely unrealistic unless you have some way of generating them, and then managing them. In reality, you'll need a password manager. There are lots of them available for Windows, Android, Mac OS X and iOS. AgileBits' 1Password 4 can generate a unique complex password for every account you have that requires password protection, keep track of them, and automatically sign you onto an account with the correct password. LastPass Premium 3.0 and Dashlane 3.0 are other good password generators/managers. You'll still have to memorize at least one complex password, but that's better than a dozen.
Obviously, the standard warnings about passwords apply -- don't use birthdays, children's or partner's names, and the like. And as poor as your memory may be, don't write down your password and paste it underneath your keyboard!
SORRY, I CAN'T UNDERSTAND YOU
Encryption is another security approach to consider. This is a large step up from password protection in that the data is not only secured by a key, but the key that you choose is used to encode the data so that if the media falls into the wrong hands, it's highly unlikely that whoever has it will be able to unscramble the files. The same key is used to decode the files so that you and your staff have access to the data when you need to add, delete or edit it.
Encryption comes in two forms -- software and hardware. With software encryption, all of the operations are performed in software in the PC, server or laptop that contains the encrypted material. Hardware encryption requires that the drive or USB flash drive contain a specialized controller that provides encode/decode functionality that is performed on the controller itself. Examples of hardware-encrypted devices are the Aegis Padlock USB 3.0 hard drives, and USB flash drives from Apricorn, and Kingston Technology's Data Traveler Vault Privacy 3.0 USB drive. These require that you enter a PIN or, if the drive is biometric, a fingerprint swipe, to make the drive even visible to the PC it's attached to.
For internal drives, software encryption is more commonly used. In fact, many versions of Windows from Vista onward have the ability to perform data encryption embedded in the operating system using the BitLocker utility. Other open-source and proprietary encryption applications are also available.
While data encryption provides a great deal of security if a drive falls into the wrong hands, or if someone gains physical access to the drives in your offices, it's a two-edged sword. If you misplace the encryption key used with hardware and software encryption, or the hardware encryption controller becomes damaged (if you use hardware encryption), it's very unlikely that the data on the drive will be recoverable. Microsoft's BitLocker, and possibly others, provides a way to get around this if you use the USB Key startup mode, which requires that a coded USB drive be inserted before booting the machine. If this mode is being used, BitLocker can be configured with an optional recovery key that's held in escrow.
Apple has a similar utility included with Mac OS X called FileVault2. And disk encryption software is available commercially from companies such as Symantec (Symantec Endpoint Encryption and PGP Whole Disk Encryption), or with freeware such as AxCrypt. AxCrypt lets you encrypt individual files, right-clicking them in Windows Explorer, or even encrypt files that you e-mail that can self-decrypt at the receiving end (so they are protected in transit).
E-MAIL IS NOT TWITTER
Another area where security is often overlooked, or given only cursory attention, is e-mail. Encrypting e-mail with software such as AxCrypt provides protection if the e-mail is intercepted in transit, but it's more likely that e-mails will be uncovered by a hacker browsing through your or your recipient's computers after entrance has been gained.
There are a number of ways to bolster security in this area. The first is to simply be careful of what you put in an e-mail. While e-mail is a vital part of most accounting practices' operations, it shouldn't be used for making offhand comments. If you want to be clever or profound, do it on social media. If it's not something that you would feel comfortable posting on your Web site, or tweeting, then you might want to rethink the wisdom of "saying" it at all.
Even given that, there are always going to be times when e-mail is the most expedient way to transmit or receive sensitive client data. Authenticating e-mail is a good idea when you have clients with whom you exchange sensitive information. There are a number of techniques used in e-mail authentication, including digital signatures or checking that the e-mail is from an authorized IP address. Authentication is something that should be used on both sides of the communication-you and your clients should both be set up to use it.
For the most part, e-mail authentication is accomplished using a service that acts as a middleman, authorizing both sides of the communication as legitimate users. Some vendors that offer this service include Penango, Cisco and Barracuda.
Sean Leonard, chief executive officer of Panango Inc., explained: "Authenticated e-mail acts like a virtual driver's license that confirms the identity of a person in the context of the message. Even if someone spoofs your or your client's e-mail address and pretends to be your client (or vice versa), the recipient will know that the e-mail is fraudulent because the original authenticated message does not line up."
DON'T OVERLOOK THE OBVIOUS
The old cliché about not seeing the forest for the trees applies here as well. While this article has concentrated on various technological ways of protecting your practice's and your clients' data, denying physical access to the devices that contain or can easily access this data has an important place in your security planning. Here are several situations to consider.
The first is to never leave client (or sensitive) firm information up on your monitor if you are not working with it. Make a conscious effort to close out the application that's using the information, or at the very least, minimize it to the toolbar or bring up a screen saver.
Putting 3M Privacy Filters on all monitors and laptop screens is another good idea. This limits viewing the screen to being directly in front of the display, blocking visibility from the side.
And while it may seem like a no-brainer, don't leave mobile devices such as smartphones, tablets or even laptops just lying on a table or desktop if you aren't always present. Put them in a drawer where they aren't visible or accessible to people walking into your office. Most laptops also have sockets for cable locks such as those from Kensington. Consider installing a lock on each desk where a laptop usually resides, including conference room tables. It's better if a client considers you overly cautious than lax about securing their information.
Finally, without being totally paranoid about it, limit visitor access to your office. Don't leave service or outside workers alone and make sure that they have adequate identification. It may be inhospitable, but don't permit strangers to use your washrooms or phones. And if you don't have locks on private offices, install them and make sure that offices are locked when not occupied.
A LITTLE PARANOIA ISN'T BAD
Reading the above, it's easy to get the feeling that "they" are out to get you. We don't mean to alarm you with a Chicken Little attitude. The sky isn't falling, and there aren't bad guys lurking around every Web page. But as recent events have shown, there are vulnerabilities that come along with increasing use of technology, especially remote technology.
On top of everything else, you have to protect yourself from viruses, Trojans and other malware. Good anti-virus software is everywhere, and much of it is available in both free and paid versions. Malwarebytes, AVG, Norton (Symantec), and Bitdefender are just a few of the many available offerings. One thing to keep in mind is that viruses can not only infect desktops and laptops: Newer malware can also attack your smartphone and tablet.
Some protection applications, like Symantec Mobil, are targeted towards protecting these devices. Others, such as Bitdefender, have applications that offer protection for your PCs, Macs, and Android devices. Keep in mind that cloud servers that you operate and virtual machines may need malware protection as well.
You might also consider adding a hardware firewall, which can provide antivirus protection, as well as restrict access to your practice's servers to specific registered hardware. There are numerous vendors, such as Endian and Barracuda Networks, who will sell you the hardware and software, or just the software, which you can install and configure on a spare server that will serve as a gateway and router.
Biometrics, such as fingerprint readers, are becoming more common, especially on smartphones and laptops. If they are available, use them, but remember that they are far from infallible and almost always have a back-door password so that you can get into the device or application if the finger swipe doesn't work. And many smartphones now offer a kill-switch feature or application that will wipe the contents of the device if it is lost or stolen. If your portable devices usually contain sensitive information, this is a good idea. Just make sure that you back up the device frequently so you don't lose too much important data if you find you have to nuke the phone, tablet or laptop.
Finally, look at your practice and try to determine where it's most vulnerable. Then take reasonable measures, such as the ones detailed here, to reduce those vulnerabilities to the extent that's reasonable, cost-effective and doable. Candid Wueest, a threat researcher on Symantec's Security Response Team, advised, "Have a layered defense that is information-centric. This starts with proper classification of the data and strict access controls, to network protection."
It's unlikely that you can implement each and every security measure available. And even if you did, Wikileaks and other such Web sites prove that even the most secure organizations can suffer security failures. But if you don't make the effort to protect your practice and your clients, then it's just a matter of time before your exposure takes its toll.
SECURITY TOOLS
1Password 4
Agilebits
www.agilebits.com
3M Privacy Filter
3M Corp.
www.solutions.3m.com
Aegis Padlock USB drives, Aegis Secure Key 3.0 USB drives, Padlock biometric drives
Apricorn
www.apricorn.com
Anti-Malware
Malwarebytes
www.malwarebytes.org
AVG Antivirus 2015
AVG
www.avg.com
AxCrypt
Axamtum Software
www.axamtum.com
Barracuda Spam Firewall
Barracuda Networks Inc.
www.barracuda.com/landing/pages/spamfirewall/e-mail-content-security
Bitdefender Total Security, Bitdefender Small Office Security
Bitdefender
www.bitdefender.com
BitLocker
Microsoft Corp.
www.microsoft.com
Cisco e-mail Security
Cisco Systems Inc.
www.cisco.com/c/en/us/products/security/e-mail-security/index.html
Dashlane 3.0
Dashlane Inc.
www.dashlane.com
Data Traveler Vault Privacy 3.0 USB Drive
Kingston Technology
www.kingston.com
Endian UTM
Endian US
www.endian.com
(Sold through resellers)
FileVault 2
Apple Computer
www.apple.com
Kensington Locks
Kensington (a division of ACCO)
www.kensington.com
LastPass Premium 3.0
LastPass
www.lastpass.com
Penango for Google apps, Gmail and Zimbra
Penango Inc.
www.penango.com
Norton Antivirus, Symantec Mobil, Symantec Endpoint Encryption, Symantec PGP Whole Disk Encryption
Symantec Corp.
www.symantec.com
