How Firms Can Fight Growing Security Threats
As accounting firms of all sizes have become more digital and connected, their exposure to data security threats has grown. Firewalls and on-premises data security methods are simply not enough to keep up with ever-evolving threats, so what is a small firm to do?
Here, Roman addresses a variety of firm concerns and offers a few essential solutions to today’s security challenges.
Q: The security threats that are out there today seem to be changing too rapidly to keep up with. We’re a small practice with limited resources, but want to do our best to protect client data. What are some first steps or best practices you recommend to offer some stability?
Roman: The first step, honestly, is realizing that you are a target whether you’re a sole practitioner or a large regional firm. Realize that hackers have syndicated and become uber-specialized, even down to the different accounting products that they go after. They realize the bigger firms probably have better security processes in place and they’re going to go for the low-hanging fruit, which would be the medium and smaller firms that don’t have IT processes in place.
We find those firms that have an external provider — whether it’s an IT or managed security provider or have their applications in the cloud — tend to do much better from a security perspective than those individuals and small firms that try to do it on their own. We’ve even seen many cases where small and medium-sized firms that have their own IT person basically doing all of their security are actually the ones most at risk.
When I go in to do a security review inside of a firm, I will ask the question: “How much time does your IT person have dedicated to security?” What I often hear [from the IT person] is: “I barely have enough time to keep my end users happy and keep the updates going on the tax applications.” So, what we find, in reality, is that there’s very little time being spent on learning about the current threats as well as making sure all of the updates, the maintenance, and all of the employee training are in place.
What we recommend is that all firms outsource their security management. Going to a cloud provider offers the type of enterprise-level security and capabilities that no small or medium-sized firm could ever afford. Then, make sure you train your personnel. We’re all really good about getting CPE for the tax hours or the auditing hours we need, but the training about phishing, social engineering and remote threats that are out there…very few firms provide training about that for their employees.
Q: What kind of training around data security is out there for my employees? What should we be focused on?
Roman answers this firm’s question in the video below
Q: What would you say are the biggest security threats to my practice right now?
Roman: After phishing attacks and compromised passwords, I believe one of the bigger threats inside of a firm is the use of older versions of software and operating systems that are not automatically updated. We know for a fact that old versions of Windows 7 and XP were compromised as of January of last year. Microsoft no longer does security updates on those applications, so we strongly encourage first that all firms update all of their workstations to Windows 10 and then do the automatic configuration so it updates not only the operating system, but the antivirus and other applications.
For example, Dell just released five security patches going back to 2009 updates in systems. So, if you aren’t aware of that, know that the hackers are aware of it and they are starting to take advantage of it right away. It is very important that you have automatic updates on Windows 10 set for all of your machines. Also, have an independent third party verify that the configuration was done properly so that your people don’t shut it off by accident and then find out that there are no updates being made anymore.
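The independent verification Roman describes (confirming that automatic updates are actually on and have not been switched off) can be scripted. The following is an added example, not code from the interview or from Right Networks. It reads the documented Windows Update policy values (`NoAutoUpdate` and `AUOptions` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU`) with Python's standard `winreg` module, and the decision rules for what counts as compliant (only "auto download and schedule install" passes; Windows 7 and XP are treated as unsupported, as the answer states) are this example's own assumptions, not a vendor benchmark.

```python
import platform
import sys

# Documented Windows Update policy key (Group Policy writes here; absent on an unmanaged PC).
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

# Meaning of the AUOptions policy value (documented by Microsoft).
AU_OPTIONS = {
    2: "notify before download (nothing is installed automatically)",
    3: "auto download, but a person must approve the install",
    4: "auto download and schedule the install",
    5: "local administrator chooses the setting",
    7: "auto download, notify to install and notify to restart",
}

# Operating systems the answer says no longer receive security updates (assumption: matched
# against platform.release(), which returns strings such as "XP", "7", "10", "11").
UNSUPPORTED_RELEASES = {"XP", "7"}


def read_policy_values():
    """Read the update policy values from the local registry.

    Returns a dict of the values that exist ({} when the policy key is absent, which on
    Windows 10 means the built-in automatic defaults apply) or None off Windows.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            values = {}
            for name in ("NoAutoUpdate", "AUOptions"):
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not set under this policy
            return values
    except FileNotFoundError:
        return {}


def evaluate(values, release):
    """Return a list of findings; an empty list means the workstation passes the check."""
    findings = []
    if release in UNSUPPORTED_RELEASES:
        findings.append(f"Windows {release} no longer receives security updates; upgrade it")
    if values is None:
        findings.append("could not read Windows Update policy (not running on Windows)")
        return findings
    if values.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1: Automatic Updates has been switched off")
    option = values.get("AUOptions")
    if option is not None and option != 4:
        desc = AU_OPTIONS.get(option, "unknown value")
        findings.append(f"AUOptions={option}: {desc}; updates are not installed unattended")
    return findings


def is_compliant(values, release):
    return not evaluate(values, release)


if __name__ == "__main__":
    problems = evaluate(read_policy_values(), platform.release())
    for p in problems:
        print("FAIL:", p)
    print("PASS" if not problems else f"{len(problems)} finding(s)")
```

Run it from an elevated prompt on each workstation, or let the reviewer collect the output across the firm; an empty policy key is reported as passing because Windows 10 installs updates automatically unless a policy says otherwise.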
Q: I’d like to know where you think my firm is most exposed [to security threats or breaches] and what is available to prevent it?
Roman: Probably when it comes to the introduction of malware and things like that, which would start a ransomware attack, some kind of damage or capturing of client data, it is usually the phishing emails.
There are solutions out there such as KnowBe4 that provide very specific training and quarterly reminders of the different threats that are out there. A couple of years ago it may have been an attachment that had a Zipped file or something like that. Today, it’s actually a document that looks like a tax file, a resume or a manual update to one of your applications.
You need to know if your data security is being looked at by an enterprise-level professional. The easiest way to prevent being exposed is proper training and moving your systems and applications to cloud providers that have a SOC 2 certification. At Right Networks we go through a very stringent process to make sure we follow all the best practices as outlined by the AICPA SOC 2 program to make sure all of the data is covered for HIPAA compliance and all of those things. We also have multiple layers of protection.
Two things I would encourage even the smallest firm to do: Make sure that you don’t ever reuse a password between different applications, which I know can be a pain, but use a password wallet that will allow you to keep multiple passwords securely in one place. The other thing we stress, and the IRS mandates for any kind of tax data, is the use of multi-factor authentication. So, if someone tries to log into your tax program as you, it sends a code to your smartphone or smartwatch that you personally have to verify.