IMGCAP(1)]By law, we have a duty to protect our client data. Its important that we understand our physical security risks, know what risk points exist for exposure of client data and enforce a plan to keep key systems properly updated and staff up to date on security best practices.
The truth is a hacker can find out everything they need to know about your domain, spam service, Web site and mail server just through passive and publicly available information lookups. And if you happen to be hosting both your Web site and mail server from your office, this tells a hacker exactly which IP range to attack.
So how do you keep your firm protected? Here are some things to consider
Server Security
If your servers are located in your office, new legislation, like the freshly minted (as of March 1, 2010) Massachusetts 201 CMR 17, requires that they be behind a secure locked door with restricted access and locks on the server cases, cabinets, drive chassis and server console screen. Or if your servers are hosted offsite at a data center, its best to ensure that all of the physical security requirements are being met based on your needs.
Confidential Data
In theory, CPA firms securely shred everything. In practice, someone could likely find a wealth of information they shouldnt have access to just by going dumpster diving. Does your firm actively enforce a confidential data policy that addresses paper copies of confidential data?
Password Security
It is important to educate your firm on the importance of using secure passwords and keeping them secure by not writing them down, telling them to anyone or using the remember my password checkbox at the login prompt. Did you know that adding just one capital letter and one asterisk changes the processing time to crack an eight-character password from 35 minutes to 346 days? We recommend enforcing a password policy that includes forced password changes every 90 days with specific complexity requirements (a minimum of eight characters with a combination of lowercase, uppercase, numbers and symbols). Feel free to use
Microsoft Patches
Staying up to date with Microsoft patches is a critical step in ensuring your firms security. We recommend using automated patch management like GFiLANguard or Windows Server Update Services, which is free. All of the Microsoft server vulnerabilities and their related patches (sometimes called fixes) are published on their
Web Site
Another thing to consider is what information you post on your Web site. CPA firms love to publish everyones name, phone number and e-mail address, which is helpful for the general public, but makes it one step easier for someone to get into your network. If you find this concerning, consider including a contact number and generic e-mail address for each department to add one more layer of protection for your firm.
Voice Mail System
Secure passwords are important here too. You dont want someone calling your office after hours, figuring out how to get a password prompt and then gaining access to someones voice mail because they used something like 1111, 1234, or 0000 as their password. This is another reason not to post everyones number online.
ISP Router
The Internet Service Providers managed router is one of the most overlooked pieces of the network. Its a nondescript box in the closet with blinking lights that few people understand. Somehow ignorance makes way for comfort. Most firms assume that because the ISP set it up, it must be configured correctly. Not true. Weve seen default passwords used on ISP routers many times. Many times. Some of these routers have built-in sniffing tools to allow you to watch all traffic going in and out. This information is very helpful to a hacker. Request that your ISP change the default login password on your router.
Firewall
When is the last time your firewall was updated? Firewalls are found both in the server room and as a piece of software on your PC. We recommend using Cisco for network hardware-based firewalls. Other options include SonicWall or WatchGuard. Just as any other component of technology needs management, hardware firewalls also need to be kept up to date. Your PC-based firewalls found on desktops, laptops and home PCs are generally updated whenever the Windows Updates are installed.
We also recommend using intrusion detection and prevention systems to protect your firm in addition to firewalls. Where firewalls passively block known attacks, these solutions are proactive in nature and will provide reporting on the number and types of attacks that are attempted. There are numerous options out there, including free services like Symantec DeepSight and Snort. Other options include McAfee, VeriSign, IBM ISS and Cisco. This provides an extra layer of protection, as a hacker would have to get through your firewall and intrusion system before getting to your client data.
Wireless Access
WPA2 (Wi-Fi Protected Access) is mandatory for all new devices considered Wi-Fi Certified by the Wi-Fi Alliance. Using Wired Equivalent Privacy is unsecure and opens up the risk of key loggers and Wi-Fi piggybacking. If a hacker were able to get onto your wireless network, they would be able to dig deeper by scanning and mapping your network from the inside. You also want to make sure no one brings a computer from home to plug into your network that isnt Wi-Fi certified.
Remote Access
In this day and age, the convenience of anytime, anywhere access to data poses new security threats that firms need to consider and address. Our duty to keep client data secure now extends far beyond the walls of the office and staff in the field to our employees homes and cell phones as well. Its a good idea to develop a written policy for remote access and transit with things like remote wipe, mobile phone lock, Wi-Fi protocol and password complexity enforcement. Centralized management of anti-virus and personal firewalls is also key to making sure your firm is adequately protected on all fronts.
Encryption
Most states have breach notification laws, and nearly all of them waive the requirement for notification where data has been encrypted. Whole disk and USB-stick encryption are the two most common places where encryption can be used. Imagine all of the free press you could get just by having an auditor lose their USB-memory stick.
Another way to avoid data loss without using device or PC encryption is by using remote access technologies such as Citrix/Terminal Services. In the remote computing environments, data is rarely stored on the device; often it is left on the server where it can be controlled and is generally less likely to be left on a train or stolen from the backseat of your car.
We also recommend using remote laptop security tools like Xtool MobileSecurity and Absolute Software Computrace LoJack, which come with a laptop tracker and recovery guarantee to help protect your firm. Xtool MobileSecurity also includes features like encrypted disk and remote delete, which are helpful in such situations as well. We recommend using IronKey or PGP to encrypt your USB sticks, and PGP or Windows Vista BitLocker for whole disk encryption.
We encourage you to consider this list, as well as additional policies like third-party connection, acceptable use, and incident report, to ensure your firm is adequately protected on all fronts. Above all, make sure your firm actively enforces the policies and standards you establish because, no matter what kind of security you have in place, your firm is only as safe as your weakest line of defense.
Trey James is the co-founder and CEO of Xcentric, which specializes in IT solutions and certified networks for CPA firms. He can be reached at
