Accounting
Security Issues That Stop You in Your Tracks
Someone in your firm needs to be literate on security and managing your risk. The number of security risks are increasing.
Jul. 31, 2013
From the August 2013 digital issue.
Someone in your firm needs to be literate on security and managing your risk. The number of security risks are increasing. This article won’t be a comprehensive list of risks, but a good reminder of fundamentals that need to be done by all firms. Being realistic about mitigating security risks will notably reduce your exposure and prevent unnecessary expenses.
You will probably need to get some professional help to implement some of the ideas that we discuss, and others simply will take good procedures, diligence and consistency. Again, the intent is not to name all risks, but to provide a reasonable checklist that you can use to improve your firm’s safety.
When you reflect on your risks, think through the security issues like you might be working a business continuity or disaster (BC/DR) plan. Frankly, many security risks should have responses as part of your BC/DR plan, but we’re betting most of you don’t have an active, updated BC/DR plan.
What are some risks? What can we do about it?
Let’s consider the impact of some risks in your office. Don’t take this table as comprehensive, but as an example of what can happen. This list only contains items that we know happened to CPA firms in the past twelve months. For that matter, update this list to fit your own view of the risks. Add risks that keep you up at night. Note also that this list is focusing primarily on security items, not other elements of a BC/DR plan, such as losing power, weather impacts or having a hard drive crash.
Recall that breach reporting rules are in force in almost all states. Our standard rule to eliminate breach reporting is to encrypt all devices everywhere and have passwords or pin codes on them. However, if you have an incident, you should contact your legal counsel, followed closely by legal authorities and your insurance company. Consider the following:
Risk |
Response |
Impact |
Reportable? |
Firewall doesn’t block intruders |
Power down |
No internet access until repaired |
Yes |
Wireless access compromised |
Reinstall with proper security |
Network resources used by unauthorized people |
Yes |
Cleaning crew uses your network |
Change services |
Maintenance personnel might have accessed client records |
Yes |
Partner loses tablet or smartphone |
Remotely wipe the entire device |
Possible loss of data not copied yet |
Yes |
Office Break in and computers are stolen |
Call legal counsel and insurance provider |
Loss of data, productivity, loss of image |
Yes, if hard drives not encrypted |
PDF sent via email that is not encrypted |
Review procedures with team member |
Data of that client is compromised. |
Yes, if it has SS# or Fed ID involved. |
Virus infection |
Power off all equipment, disconnect all network cables. Run clean-up software. |
Probable extended outage involving a day or more. Strong likelihood that some computers will need to be wiped clean and reinstalled. |
No |
Key logger malware makes it through your defenses |
Network will run slower, and you may not notice it for a while. Clean as soon as found. |
High probability that much client and banking information has been stolen. |
Yes |
Social network site infects a computer |
Power off computer, disconnect all network cables. Run clean-up software. |
Possible loss of data on computer. Some infections access network data. |
Maybe. Discern if the infection had access to your network. If not, no. If you are not sure, yes. |
Cloud provider is attacked with a Distributed Denial of Service attack |
Data center is shut down |
You’ll be unable to use your normal cloud services until service resumes. Have manual process ready. |
Maybe, but that’s the data center’s financial responsibility in most cases, not yours. |
Email account is compromised |
Change password. Consider if this needs reported to legal authorities. |
Client information could have been sent, or the email could have been used for illegal or illicit purposes |
Maybe. Assess if emails had access to client info. If so, yes. |
Your domain name is stolen |
Contact domain registrar to resolve. |
Web site, email and other internet services won’t be available for up to 72 hours after resolved. |
No. |
Social Engineering Attack |
Contact legal counsel. Instruct team members on how to respond to requests. |
Client information is likely breached. |
Yes. |
Infected PDF file received |
Power off computer, disconnect all network cables. Run clean-up software. |
May take one computer or your entire network down. |
Maybe. Determine the type of virus and discern if client information was accessible. |
End user clicks through a link and installs a fake anti-virus |
Power off computer, disconnect all network cables. Run clean-up software. |
May take one computer or your entire network down. |
Maybe. Determine the type of virus and discern if client information was accessible. |
The firm’s web site is taken over and offensive content is placed on your site |
Shut down the web site. Repair the content. Try to determine how the compromise occurred. |
Professional image damage. |
No, unless the web site granted access to your portals or other client information. If so, yes. |
Bank account of the firm is compromised and a large transfer out is made |
Contact bank to resolve. Be prepared to contact legal counsel. |
Money may be permanently gone. |
No. |
Client confidential data is compromised by team member. |
Instruct on appropriate procedures, contact legal counsel. |
Possible loss of client and/or reputation. |
Yes, to client. |
Vendor loses control during a breach of debit cards that you use for your payroll service |
Request new cards and distribute along with instructions to end-users |
Possible loss of client and/or reputation. |
Yes, to payroll clients. |
Shooting occurs inside your firm |
Call emergency personnel and police. |
Possible loss of life and reputation. |
No. |
Patches not installed on Microsoft software |
Update patches. |
Possible security compromises and infections. |
Yes, if client information was compromised. |
Anti-virus update keeps applications from running |
Try using a prior restore point. Otherwise reload machine. |
Loss of productivity. |
No. |
Client transfers files via the portal that has viruses |
Clean infected machines/network. Teach team member the appropriate transfer methodology. Discuss issue with client |
Lost time. |
No |
Again, this table was not intended to be comprehensive, but simply examples. We have to put our firms in a position to protect against common security problems.
So, What Should You Do About This?
First, you can solve some of these issues by better procedures and training. Many security breaches could have been avoided if team members had just not clicked through a link, read a message or copied a file. Consider your policies related to BYOD technologies, using public or client network connections or copying files from USB, hard drive or cloud sources.
Second, you can solve some issues with the appropriate software. Open license Microsoft Windows so you can use BitLocker encryption. Alternatively consider encryption products like PGP or Tru-Crypt. Make sure that your software providers have great security. For example, ShareFile and SmartVault are portal and file transfer products that have strong encryption in motion and at rest. Consider an email encryption product like Zixmail or Secured Accountant.
Third, remember that the best security is physical security. Even though you may be practicing in a safe, small town, consider what physical security makes sense. Many firms have chosen to lock all doors from their lobbies back into the practitioner’s office spaces. Others have implemented automatic lock systems on certain doors. Everyone should have their computer server room locked. Motion sensing, night vision cameras can be installed over all doors and the lobby waiting area.
Finally, recognize that most security issues have at least some level of soft cost and lost productivity. When reportable breaches occur, it costs money to notify and monitor the losses. Some firms have purchased CyberSecurity insurance for this purpose. What can you do to mitigate the risk of a security issue in your firm?