CPA Practice Advisor

OCT 2014

Today's Technology for Tomorrow's Firm.

Issue link: https://cpapracticeadvisor.epubxp.com/i/399112


26 October 2014 • www.CPAPracticeAdvisor.com

FROM THE TRENCHES

By Randy Johnston

Get Hacked, Get Sacked!

What can we do to minimize the possibility of identity theft, malware, viruses, and attack? By the way, whether you run a private cloud or use public cloud facilities, you have a risk of attack and theft. As you might surmise, the public cloud data centers have more sophisticated tools to watch for attacks, but their tools are marginally better at preventing attacks in the first place than properly maintained in-house IT equipment.

Attacks come from a number of sources: PDF files, email links, direct attacks from software and more. Although the amount of spam is dropping and the protection from spam filters is increasing, the effectiveness of firewalls and anti-virus is decreasing. Further, the aggressiveness of the attackers is becoming much greater. In addition, with the United States being the second largest source of attacks according to an eWeek article, the threat is just as much from people around us as it is from overseas. My conclusion is fairly simple in this area, though: the bad guys are following the money.

With identification theft and security breaches reported almost daily, we are becoming desensitized to the risk and impact of a theft. With massive identity thefts like those reported in August 2014 of the Russian hackers accumulating 1.2 billion stolen user names and passwords and half a billion email addresses garnered from 420,000 sites, it is hard for us to imagine the size and scale of the theft.

Many of you probably have trouble recalling the October 2013 report of 153 million credentials being stolen from Adobe. These large scale thefts remind us of the importance of routinely changing our passwords and maintaining these credentials with some sort of password management tool.

Consider the Solutions

There are a number of strategies that must be followed by public cloud providers or on your own in-house network and private cloud. Even though it is our belief that all firewalls and anti-virus products are becoming less effective as the hacker's tools become more sophisticated, you should be following current best practices for security to establish that your firm is making reasonable efforts to protect client data. The responsibility of protecting client data can't be transferred to another entity who is doing your hosting or your IT work.

Minimum Protection Includes:

FIREWALL WITH INTRUSION PROTECTION SERVICES – options include Cisco, SonicWall, WatchGuard and others.

ANTI-VIRUS THAT IS UPDATED REGULARLY – options include GFI Vipre, eSet, McAfee and others.

PASSWORD MANAGERS – options include Citrix Password manager, LastPass, RoboForms, Password Depot and others.

ENCRYPTION OF ALL DRIVES AND REMOVABLE MEDIA – options include Microsoft Bitlocker, PGP and the built-in encryption in the Mac OS, which unfortunately is off by default.

SOFTWARE PATCHING POLICIES – patching software can be done manually or automated through products like Continuum, SolarWinds, Kaseya, Level Platforms, N-Able and others. Just as important is when you don't patch, for example servers and firmware during tax season.

OTHER CONSIDERATIONS – Besides the technical products used above, you should consider additional protection for the firm.

SECURITY TRAINING – we have covered this in prior articles. If you'd like an outline for an in-house lunch and learn, consider the topics here: www.nmgi.com/tag/security/Randy

Randy Johnston is executive vice president and partner of K2 Enterprises and Network Management Group, Inc. He is a nationally recognized educator, consultant and writer with over 30 years' experience. He can be contacted at randy.johnston@cpapracticeadvisor.com.

Risk mitigation when your practice is attacked is an economic consideration. What will breach reporting cost? What will recovery cost and time lost be? Although we are not likely to be terminated by our clients or our firm, even this type of loss is possible.
