Cybersecurity 101: Understanding the threat levels and taking action
As the owner of a small-to-midsized accounting firm, you may think a cybersecurity breach won’t happen to you. Think again. Whether you’re a one- or two-person shop or a thousand-person company, the risk of being hacked is about the same. Accounting firms are prime targets because you deal with critically important data and personal information — your own and your clients.
With the explosion of connected mobile devices, cyber-intruders now have multiple points of access. So it’s essential to know who is accessing your network, lock out any intruders, and restrict access to sensitive company and client information.
Most common threats
For small and midsized businesses, e-mail is the most likely attack route. Phishing e-mails, for example, attempt to obtain sensitive company and client information by masquerading as a trustworthy individual or entity.
Another common threat occurs when employees visit an external website that has been hacked. Even when it’s not obvious, these malicious sites download a payload that compromises your computer. Because the malware now resides on your computer, it can infect the entire network.
Where to start?
First, understand your network. What data is there and where is it located? If your workforce is distributed, do employees have sensitive company or client information on laptops? Inventory all network hardware and software assets and make sure you keep these assets up to date. And when you acquire new assets or update existing ones, always change the default passwords; “admin” or “administrator” are the first user names a hacker tries.
If you haven’t started talking about cybersecurity with your firm’s board and partners, put it on the agenda at your next strategy meeting. Once executive leadership understands and supports the need for cyber protection, cybersecurity training should begin for all staff. Employees should understand that their vigilance ensures the first line of defense.
Cybersecurity 101: A checklist
Security practices should be easy to use but difficult to circumvent for your employees, clients, and partners. Consider this five-point checklist of cybersecurity best practices for small-to-midsized accounting firms.
1. Make your passwords hacker-resistant:
- Choose a string that is eight to 30 characters long. The string should contain at least one number, one symbol (e.g., $, !, &), one lowercase letter, and one uppercase letter.
- Don’t use dictionary words in any language, your license plate number, address, pet name, Social Security number, birth date, phone number, or any word related to family, hobbies, vehicle, or work.
2. Establish multi-factor authentication, which goes deeper than password protection. MFA requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. It combines two or more independent credentials: what the user knows (password), what the user has (security token) and/or who the user is (biometric verification).
3. Use attachment protection for incoming e-mails. An attachment protection tool opens e-mails in a “sandbox” area and examines them behind the scenes to make sure attachments are clean.
4. Implement a spam protection solution with anti-spoofing technology, which identifies and drops data packets with a false source address. In a spoofing attack, the source address of an incoming packet is changed to make it appear it’s coming from a known, trusted source. For example, you receive an e-mail from Sam saying, “Look what I found.” You know and trust Sam, but you don’t know that his e-mail has been spoofed. If you open the attachment you could infect the company’s network with malicious software.
5. Ensure 24x7x365 monitoring and alerting capability, since hackers don’t work business hours. Tech support able to take immediate action should always be available.
Intrusion prevention: Beyond firewalls
Accounting firm executives wouldn’t let a stranger enter the office, walk through the halls, grab a file from a desk, and leave without being asked some questions. Network security requires the same care and attention.
Almost every type of business protects its network with a firewall. Firewalls are good at blocking known traffic, but more sophisticated threats are coming in on data ports not necessarily deemed malicious by firewalls. An intrusion prevention system analyzes data packets and detects harmful bits and bytes hidden within.
How does intrusion detection work? When hackers infiltrate a network, they fish around for what they want. Once located, the desired information is packaged into a payload and sent back to the hacker’s command-and-control computer. An intrusion prevention device ensures that the payload is automatically blocked or alerts the network administrator to take the payload off the network and scan it.
Intrusion prevention systems can also blacklist computers in certain countries or even entire continents by blocking any Internet protocol address located outside the United States. While this protection capability may seem to be unnecessary or too far-reaching, it can be particularly valuable for an accounting firm with no need to talk to computers outside the United States.
If an accounting firm’s computer system goes down, the organization can recover. But compromised client information can put your company out of business. Clients expect the double-barreled protection of a firewall and intrusion prevention.
If you haven’t started talking about cybersecurity in your accounting firm, start now. Make sure every person realizes their vigilance is the first line of defense.
Cybersecurity protection doesn’t have to be expensive or have a negative impact on the bottom line. In many cases, cybersecurity protection can cost as little as a couple of dollars per employee per month. For the most affordable solution, look to cloud-based network services providers — but vet their processes closely and ask questions. Make sure that you understand the level of security available, what providers specifically target, their technical support processes and responsiveness, and who is responsible for each solution.
Accounting firms that make cybersecurity an integral part of their business practices are more likely to avoid harmful IT surprises. Start now!