CPA Practice Advisor

AUG 2013

Today's Technology for Tomorrow's Firm.

Issue link: https://cpapracticeadvisor.epubxp.com/i/146073


FROM THE TRENCHES

By Randy Johnston

Security Issues That Stop You

Mr. Johnston is executive vice president and partner of K2 Enterprises and Network Management Group, Inc. He is a nationally recognized educator, consultant and writer with over 30 years' experience. He can be contacted at randy.johnston@cpapracticeadvisor.com.

Someone in your firm needs to be literate on security and managing your risk, because the number of security risks is increasing. This article won't be a comprehensive list, but a good reminder of fundamentals that need to be done by all firms. Being realistic about mitigating security risks will notably reduce your exposure and prevent unnecessary expenses. You will probably need to get some professional help to implement some of the ideas that we discuss, and others simply will take good procedures, diligence and consistency. Again, the intent is not to name all risks, but to provide a reasonable checklist that you can use to improve your firm's safety.

When you reflect on your risks, think through the security issues like you might be working a business continuity or disaster (BC/DR) plan. Frankly, many security risks should have responses as part of that plan, but we're betting most of you don't have an active, updated BC/DR plan.

What are some risks? What can we do about it?

Let's consider the impact of some risks in your office. Don't take this table as comprehensive, but as an example of what can happen. This list only contains items that we know happened to CPA firms in the past twelve months. For that matter, update this list to fit your own view of the risks. Add risks that keep you up at night. Note also that this list is focusing primarily on security items, not other elements of a BC/DR plan, such as losing power, weather impacts or having a hard drive crash.

Recall that breach reporting rules are in force in almost all states.
Our standard rule to eliminate breach reporting is to encrypt all devices everywhere and have passwords or PIN codes on them. However, if you have an incident, you should contact your legal counsel, followed closely by legal authorities and your insurance company. Consider the following:

| RISK | RESPONSE |
| --- | --- |
| Firewall doesn't block intruders | Power down |
| Wireless access compromised | Reinstall with proper security |
| Cleaning crew uses your network | Change services |
| Partner loses tablet or smartphone | Remotely wipe the entire device |
| Office break-in and computers are stolen | Call legal counsel and insurance provider |
| PDF sent via email that is not encrypted | Review procedures with team member |
| Virus infection | Power off all equipment, disconnect all network cables. Run clean-up software. |
| Key logger malware makes it through your defenses | Network will run slower, and you may not notice it for a while. Clean as soon as found. |
| Social network site infects a computer | Power off computer, disconnect all network cables. Run clean-up software. |
| Cloud provider is attacked with a Distributed Denial of Service attack | Data center is shut down |
| Email account is compromised | Change password. Consider if this needs to be reported to legal authorities. |
| Your domain name is stolen | Contact domain registrar to resolve. |
| Social engineering attack | Contact legal counsel. Instruct team members on how to respond to requests. |
| Infected PDF file received | Power off computer, disconnect all network cables. Run clean-up software. |
| End user clicks through a link and installs a fake anti-virus | Power off computer, disconnect all network cables. Run clean-up software. |
| The firm's web site is taken over and offensive content is placed on your site | Shut down the web site. Repair the content. Try to determine how the compromise occurred. |
| Bank account of the firm is compromised and a large transfer out is made | Contact bank to resolve. Be prepared to contact legal counsel. |
| Client confidential data is compromised by team member | Instruct on appropriate procedures, contact legal counsel. |
| Vendor loses control during a breach of debit cards that you use for your payroll service | Request new cards and distribute along with instructions to end-users |
| Shooting occurs inside your firm | Call emergency personnel and police. |
| Patches not installed on Microsoft software | Update patches. |
| Anti-virus update keeps applications from running | Try using a prior restore point. Otherwise reload machine. |
| Client transfers files via the portal that has viruses | Clean infected machines/network. Teach team member the appropriate transfer methodology. Discuss issue with client |
