check your own system first, then help others.
by penny breslin
it’s not just the numbers
in 2020, like many businesses, we went remote. my remote team of excellent ladies in chennai, india, had to go even more remote than they already were. when india shut down, i figured i was out of business. we promise our cybersecurity is job number one to our accounting and financial firms. we have a highly controlled work environment, except for the day care and under 3’s occasionally looking for mum. i did not think sending our employees home would work.
but thank the universe, many of our clients had no problem as long as we could figure out the security. they had been working with the same team of ladies. they saw them on zoom and communicated daily on slack. so, in 48 hours we went through an internal change to allow that to happen.
but what of our security? did i do it correctly? was everyone going to be as safe from the standpoint of data as we were making them safe from covid-19? i had faith in my long-term relationship with our hosting company, coaxis, but this was something i needed to have checked from one end to another and coaxis was just part of the whole.
we hired rush tech for a third-party test of our systems, process and procedures for keeping client data safe. whew, we passed, and coaxis got an aaa rating from rush tech. getting our office opened back up has been nice, but those months in the late winter, spring and summer of 2020, well, we made it. thank you rush tech, coaxis and our clients.
i wondered how many of the clients – whose data we made sure was secure – were secure themselves. that led to many conversations with our own firm clients. and in turn they with their clients. another service offering that was helpful and timely for the small business owner.
here are some of the salient points my friend andrew lassise at tech 4 accountants has graciously offered. he and tech 4 accountants have been named one of the top 100 value-added resellers by accounting today, and he is a member of the aicpa.
cybersecurity
by andrew lassise, chief dorkestrator at tech 4 accountants
“hacking” started out as a sport among nerds: a badge of honor and a way to show who could get into things they weren’t supposed to. it wasn’t done for nefarious reasons; it was just nerds being nerds. fast forward to today, and cybercrime is projected to cause $6 trillion in damages by 2021.
the main targets of cybercrime are those who handle financial information: accountants, banks and people in the financial industry. once an attacker is inside the system, it is open season for whatever information they want from whomever they want. the information on a 1040 alone (names, addresses, the social security numbers of the filer, spouse and dependents, income, and the bank account used for direct deposit) is enough to open bank accounts and credit cards and commit identity theft, and that is what they are after.
so often when rush tech does its audits for accountants, we see people with far more access than their job requires and too few barriers around financial data. there have been times when we typed “passwords” into the file search box and immediately got a word document, with no password protection, listing the logins for every system in the company and for their clients’ data. there are plenty of free password managers, like lastpass, that keep the data for you in one central, secured spot. you can then put fort knox-level security on that single spot (a long master passphrase used nowhere else, plus two-factor authentication on the manager itself) to make sure everything is protected, instead of trying to remember where everything is.
another way around this, for the less tech-savvy, is simply using a cryptic name for your passwords document. changing the name to any non-identifying word makes the sensitive information that much harder to find in a casual search. so instead of “passwords” or “pws” or some variation, use something bland that you’ll remember, like “articles from 2015,” where nobody would guess that the contents of the document is something of interest. be sure to password-protect that document regardless of the naming convention: in current versions of word, setting an open password encrypts the file, whereas a renamed plain document is still readable by anyone who opens it, and a search that indexes file contents rather than names will still find it. security by obscurity is not a silver bullet.
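a small audit script for the finding above, written for this article (it is not rush tech’s or tech 4 accountants’ tooling): it walks a directory the way an auditor’s search box would, flags files whose names look like a password list, greps text and .docx files for “password: …” lines, and reports a .docx that is actually password-protected as such rather than reading it. the sample share it creates, and every credential in it, is constructed for the demo. note that the “bland name” document is still caught by the content check, which is exactly why the password protection matters:

```python
"""Audit a file share for loose credential documents.

Added example for this article; it is not Rush Tech's or Tech 4 Accountants'
tooling. It flags files whose name suggests a password list and text or .docx
files whose content contains "password: ..." style lines. A .docx saved with an
open password is an encrypted OLE container rather than a zip, so it is
reported as protected instead of being read. The sample share it builds is
constructed for the demo.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# file names an auditor would search for first ("passwords", "pwds", "logins", ...)
NAME_RE = re.compile(r"pass ?w(?:or)?ds?|pwds?|credentials?|creds|logins?", re.IGNORECASE)
# content lines such as "password: hunter2" or "pw = letmein"
CRED_RE = re.compile(r"\b(?:password|passwd|pass|pwd|pw)\s*[:=]\s*\S+", re.IGNORECASE)
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".ini", ".cfg", ".conf", ".env", ".json", ".xml"}
PROTECTED = "docx is password-protected (not a zip container) or not a real docx"


def docx_text(path):
    """Return the plain text of a .docx, or None if the file is not a zip container."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as z:
        try:
            xml = z.read("word/document.xml").decode("utf-8", "ignore")
        except KeyError:
            return ""
    return re.sub(r"<[^>]+>", " ", xml)  # crude tag strip; good enough for a grep


def classify(path):
    """Return the reasons a file deserves a look, or [] if nothing stands out."""
    reasons = []
    if NAME_RE.search(path.stem):
        reasons.append("name suggests a credential list")
    suffix = path.suffix.lower()
    text = None
    if suffix == ".docx":
        text = docx_text(path)
        if text is None:
            reasons.append(PROTECTED)
    elif suffix in TEXT_SUFFIXES:
        text = path.read_text(errors="ignore")
    if text:
        hits = len(CRED_RE.findall(text))
        if hits:
            reasons.append(f"{hits} credential-looking line(s) in content")
    return reasons


def scan_tree(root):
    """Walk root and return {posix relative path: reasons} for every flagged file."""
    root = Path(root)
    findings = {}
    for p in root.rglob("*"):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_demo_share(root):
    """Constructed sample share; every file and credential here is made up."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "passwords.txt").write_text(
        "bank portal\nuser: ap@firm.example\npassword: Spring2020!\n")
    # the "bland name" trick from the article: the name hides nothing from a content search
    (root / "finance" / "articles from 2015.txt").write_text(
        "vendor vpn\npw = letmein\nquickbooks pwd: hunter2\n")
    (root / "finance" / "q3 report.txt").write_text("revenue up 4% quarter over quarter\n")
    with zipfile.ZipFile(root / "clients.docx", "w") as z:  # minimal unprotected docx
        z.writestr("word/document.xml",
                   "<w:document><w:p><w:t>client admin password: Welcome1</w:t></w:p></w:document>")
    # an encrypted .docx starts with the OLE compound-file magic, not a zip header
    (root / "locked.docx").write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)


def demo():
    """Build the constructed share in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_share(d)
        return scan_tree(d)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {'; '.join(reasons)}")
```

to run it against a real share, call scan_tree() on the share path instead of demo(). the name check is only the first pass; the content check is what catches the renamed file, and the only file it cannot read is the one that was actually encrypted with a document password.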
we also see a lot of network equipment still using default passwords. anyone can google “netgear default login,” and the search snippet hands over the factory username and password; if the device’s admin page is reachable, that is access to the company’s router. from there an attacker can change passwords, open ports and put the company in a really bad spot. they could also simply turn off the internet, and very few companies can operate without it. most troubleshooting steps would miss this too, because nobody expects an outage to have been switched on deliberately from the router’s own admin page.
one of the easiest things to do is to change the password on the networking equipment and stop using the default logins wherever possible. so instead of user “admin” with password “password,” you use a user such as alassise (the name of your network administrator) with a strong password, and you disable the original admin/password login so nobody can get access with it. a password like getout0fhere12#@ is shown here only to illustrate length and mixed characters; anything that has appeared in print ends up in attackers’ wordlists, so generate a long, unique one in your password manager instead. while you are in the admin page, also turn off remote (wan-side) management unless you actually need it, so the login page isn’t exposed to the whole internet.
covid-19 and the work-from-home movement have made the mobile workforce a normal part of most businesses’ infrastructure. in the past, a company could get away with an on-premises server and locked-down computers in the office; we are in a new era. with an ever-increasing number of saas products, many people think a strong password and a personal computer are adequate protection because <saas vendor> handles all the security and we just use the platform. that is not accurate: the vendor secures its platform, but your accounts, your employees’ devices and who is allowed to log in from where remain your responsibility.
security awareness training is paramount these days. the best defense is knowing how not to get tricked by the bad guys and what methods are used to get your passwords. if an employee opens a phishing email and gets their password stolen, or reuses at work a password that has already leaked in some other site’s breach and is circulating on the dark web, the entire client database is now in jeopardy. with the simple policy of “trust nobody unless i asked for it,” accounting firms can avoid many of the incidents that have happened in the past few years.
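one concrete piece of the “reused password on the dark web” problem can be automated: checking a password against the have i been pwned pwned passwords corpus without ever sending the password. this is an added example, not code from the article or from tech 4 accountants. it uses the service’s k-anonymity range api (only the first five hex characters of the sha-1 hash go over the wire, and the match is decided locally); the range reply embedded in the block is constructed for offline use, and the breach counts in it are illustrative, not live:

```python
"""Check a password against the Pwned Passwords breach corpus with k-anonymity.

Added example for this article, not from its authors. Only the first five hex
characters of the password's SHA-1 hash are sent to api.pwnedpasswords.com;
the server returns every known hash suffix in that range and the match is
decided locally, so the password itself never leaves the machine. The sample
range body below is constructed for offline use.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Fetch the live range file for a prefix (network required)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix, body):
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix, 0 if absent.
    Padding entries (sent when a client asks for them) carry count 0 and so read as absent."""
    for line in body.splitlines():
        seen, sep, count = line.strip().partition(":")
        if sep and seen.upper() == suffix.upper():
            return int(count)
    return 0


def breach_count(password, fetch=fetch_range):
    """Return how many times the password has been seen in breaches (0 = not found).
    `fetch` is injectable so the check can be exercised offline."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# constructed stand-in for the server's reply to prefix 5BAA6: the real suffix of
# SHA-1("password") plus two made-up suffixes; the counts are illustrative, not live
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
])


def offline_fetch(prefix):
    """Stand-in for fetch_range that only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ["password", "Spring2020!", "correct horse battery staple 2020 xq"]:
        n = breach_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n} times, reject it" if n else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
    # drop the fetch= argument to query the live service with fetch_range instead
```

a non-zero count means the password has already been in a breach and should be rejected outright, even if it satisfies every complexity rule. the check only catches passwords that have already leaked, which is why it belongs alongside two-factor authentication rather than in place of it.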
set up a virtual office instead of individual logins to saas products
this raises the question of company-owned or employee-owned computers: which is better? the answer is, it depends. if your workforce already has computers that are powerful enough, it may make sense to let them use a personal computer that remotes into a virtual office. this way your company doesn’t depend on the employee taking care of your equipment, client data stays inside the virtual office rather than on the personal machine, and you can make sure they have the proper access and restrictions. this is very different from letting them log into saas products directly from their own computers, which is a disaster waiting to happen. setting up cloud offices and virtual environments is common practice these days and a great way to avoid hunting down employee devices, shipping them out and reconfiguring them, while still maintaining an effective mobile workforce.
this strategy also scales very well because you can effectively “copy / paste” a standard configuration to each new employee’s virtual computer instead of reinventing the wheel every time you hire. the new employee simply logs into the computer you want them to have and you’re good to go. this saves hours of administrative and tech time and ensures that the proper protection and protocol is on every single computer, without an endless checklist or trying to remember what each computer needs.
this strategy also works in the reverse, as many firms are seasonal, so owning 20 computers when only 10 get used for most of the year isn’t necessary anymore. with cloud infrastructure, an organization can change computers from capital expenditures to operational expenditures and get billed similar to electricity, so you pay for what you use. then when you need to downsize after busy season, you don’t have wasted expenses on computers that were only used for a few months; your usage goes down, and so does your bill.
this also makes offboarding an employee and removing their access literally the click of a button. if they have to log in to the cloud server to reach any client data, and you suspend that account, that’s the end of it. there isn’t the lingering fear of “what if they do <insert malicious thing>,” because they can’t. gone are the days of removing every single account and having to remember who has access to what; it’s one spot to turn off, and access is gone. the one caveat is that this only holds if every path to the data really goes through that door: any saas login or shared password handed out outside the virtual office still has to be revoked separately.
a holistic approach is best
when it comes to cybersecurity products, there isn’t a “buy this and you’re safe forever” solution; it needs to be a holistic approach. at a minimum, you need employee awareness training, permissions restricted on an as-needed basis, antivirus, a vpn for remote access, long unique passwords, two-factor authentication and encryption. that is just scratching the surface.
working with a company that understands and puts cybersecurity into a whole package is always going to be the best route for small business owners. with the data breaches happening every single day and the millions of dollars in lawsuits, fines and penalties being dished out, now it is more important than ever to make sure that your company has the proper protection. just because you haven’t been hacked or had a data breach yet doesn’t mean you are immune; it just means you are lucky.
besides the obvious threats of viruses, malware and the like, many do not know how to tell whether they have had a data breach because they aren’t involved in technology. it’s like asking a plumber to audit his own tax return for discrepancies: while he may be familiar with what is happening, he will not know the nuances an expert would recognize, and that lack of understanding may end up costing him his entire business if the taxes are done incorrectly. the same goes for cybersecurity: if it is done incorrectly, you will only find out after it is too late.
data breaches can set off a chain reaction
a cpa firm in ny had a data breach. one of its clients, a medical center, was hacked as well, through the cpa firm, which resulted in the exposure of confidential patient information. the patients of the medical center filed a class action lawsuit against the cpa firm that had the initial data breach, not against the medical center. what people miss in this story is that the cpa firm was itself a victim. that firm lost a great deal of revenue and reputation as a result of being the victim of a cybercrime.
bundle cybersecurity with your services
firms can add to their portfolio products that ensure cybersecurity for their clients as well. they can use products like shared encrypted portals instead of using regular email. they can use multifactor authentication to make sure that even if a reused password appears on the dark web, the hacker can’t get into someone’s financials because it has an extra layer of protection. having extra security like this can be bundled in as part of your package. this lets your clients know that you take cybersecurity seriously and that it isn’t just smoke and mirrors.
one bad email is all it takes
you never want to be in a position where it is convenient for someone to hack you. many cybercriminals are looking for low-hanging fruit, and a phishing email, as the name implies, works like fishing in a lake: the fisherman puts bait on the line, drops it in the water and waits for a bite. the phishing campaign is likewise sent to the masses and waits for a bite. it can appear to come from a fortune 500 company or from a solopreneur. clicking a bad link and then doing what the page asks (typing in a password, enabling a macro, running an attachment) is enough for the bad guys to do serious damage, damage that antivirus, firewalls and other software can only partly blunt, because the human is the one electing to perform these actions. once they are in, there can be a ransom put on your information; municipalities have ended up paying hundreds of thousands of dollars to get their data decrypted.