CPA Practice Advisor

OCT 2014

Today's Technology for Tomorrow's Firm.

Issue link: https://cpapracticeadvisor.epubxp.com/i/399112


FROM THE TRENCHES
By Randy Johnston

CYBER INSURANCE – consider if protection is needed beyond your firm's base professional liability coverage. Options include: AON, Lloyd's of London, Rhodes Risk Advisors and others.

POLICIES – the firm should have a variety of acceptable use, security and breach response policies. We can provide samples of these on request.

BUSINESS CONTINUITY DISASTER RECOVERY PLAN – all firms should have a plan, but few do. A BC/DR plan seems to be something that is particularly easy to put off.

CURRENCY OF APPLICATIONS – older software, for example Windows XP and before and Office 2003 and before, is no longer maintained by Microsoft. These products allow bad guys easier access to our systems.

REMOTE WORKERS – in the world of Bring Your Own Device (BYOD) and working from client sites or homes, how do we protect the systems from attacks started from authorized users' infected computers?

SECURITY BREACH PREPARATION – what do you do to prepare? Is encryption sufficient?

The main concern for accounting firms is that if data is compromised, you would have a security breach reporting incident. Today, all but three states have security breach reporting laws. The chances are pretty good that you are doing business with clients in more than one state. While I'm not an attorney and am unable to render legal advice, if all workstations are protected with disk encryption, and the server drives are by default encrypted with your virtualization software, under most security breach statutes, your firm should be exempt from reporting. In other words, since you have encryption active at the desktop and a level of protection at the server, you don't have a reportable incident.

What To Do

You may want to give management teams some background on the aggressiveness and risks of attacks.
For additional information, you may want to review my blog post on security: http://tinyurl.com/Johnston-Security-Patriot. Some attacks or infections are particularly aggressive. For example, the only way we know to protect against CryptoWall right now is to block all attachments at the firewall, and require clients to transfer files in and out of the firm via a portal such as ShareFile. From a practical viewpoint, this is not likely to happen.

If you are a system administrator or IT manager, we suggest that you: 1) review your anti-virus signature and set up weekly, 2) hold extra training for employees, 3) make a plan for what to do if infected. This includes warning your users to plan on outages of 24-72 hours and that if they attempt to work again too soon, they are likely to re-infect their systems.

Consider what you believe to be the risks for your firm. Build a response plan. Remediate any shortfalls in your security, policies and procedures. Train your users to minimize the risks. And be safe out there!

For more information, please visit CPAPracticeAdvisor.com/10028044
