Cybersecurity for Accountants

By: Patrick Buono
Published Date: Mar 1, 2018

According to Forbes magazine, the global cost of cybercrime will reach $2 trillion by 2019. Warren Buffett considers cyber attacks “a bigger threat to humanity than nuclear weapons,” and Ginni Rometty, IBM President & CEO, describes cybercrime as “the greatest threat to every profession, every industry, every company in the world.” The National Computer Security Survey, conducted by the U.S. Department of Justice’s Bureau of Justice Statistics, found approximately 68% of cyber theft victims will incur losses of $10,000 or more, and victims of cyber attacks will experience downtime of 24 hours or more. During tax season, any downtime or breach of client data could critically affect your accounting practice. Proactively taking measures to prevent cybercrimes is a business necessity.

Cybercrime encompasses many different computer-related events, such as cyber theft of personal information or money from your bank accounts; cyber attacks—such as viruses and ransomware—that impede your ability to work; and malware, adware, email phishing, or password phishing, which attack your business to gather information. The list of attacks is constantly growing. To cybercriminals, your data and information are a valuable commodity—and protecting them vigilantly must be a priority of any business.

There is no single security measure available that will protect your business from all cyber attacks. The variety of attacks and the speed at which cybercriminals adapt their methods make it imperative that you implement several methods in order to maintain a solid plan of defense. A computer consultant with knowledge of your profession can help you identify the basic—as well as specific—items needed to keep your data safe. Be wary, however, of consultants who sell specific products rather than explain all helpful options—there is no one-size-fits-all method to computer security.

Diligence on the part of employees is mandatory. Relying on technology alone to protect your business is probably the biggest error companies make when devising a security plan. While important, technological solutions—antivirus software, daily data backups, a small-business firewall, encryption methods, strong passwords, and web browser protocols—are only bricks in the wall of cyber defense and can even give a false sense of safety. The education of your employees is paramount to any successful plan to protect your firm, because employees unintentionally become the access point for cybercriminals through email phishing attacks and social engineering. For example, a user checking email is duped into clicking a link or an attachment and infects the office network. A friend tags them in a post, and they click on an ad that infects them with ransomware. “I opened it because I know the person who sent it” was once an understandable excuse, but it is no longer a valid reason for trusting any email—cybercriminals can easily falsify a sender’s name.

This is why security awareness training for yourself and your employees is essential. You can have the most up-to-date software and technology deterrents in place, but in reality, you are always one click away from data loss. I discuss all new methods being used by cybercriminals with my clients to keep them informed of threats. I ask employers to teach their employees to STOP, LOOK, THINK—and avoid clicking links recklessly. Common sense and information are a business owner’s most valuable assets in the war against cybercrime.

EMAIL SECURITY

Email is the biggest security threat for most companies. According to Digital Guardian, 91% of cyber attacks start with a phishing email, making it the number one threat to your business. Phishing is the sending of an email that looks legitimate, appears to come from a known contact, and asks for information. Most people will open an email from a known person and not check the actual email address. Your email needs to be protected from unauthorized access. One way to do this is to turn on two-part authentication, which major email services—such as Gmail, Microsoft Office 365, AOL, and Yahoo—offer. If your current email provider does not offer two-part authentication, I advise you to change to one that does.
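The habit the paragraph warns about, trusting the familiar sender name without checking the address behind it, can be turned into an automated check. The following is an added example, not code from the article: it compares the display name on a message against an address book and flags a name that is on file under a different address, as well as a Reply-To that would route answers elsewhere. The address book and the two sample messages are constructed for illustration.

```python
"""Flag emails whose visible sender name does not match the address on file.
Added example, not from the original article; contacts and samples are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> the address we know.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@examplebank.example",
}


def sender_checks(raw_message: str) -> list:
    """Return warnings about the From / Reply-To headers (empty list if none)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    warnings = []

    # The name a reader sees is familiar, but the real address is not.
    known = KNOWN_CONTACTS.get(display_name.strip().lower())
    if known and address != known:
        warnings.append(
            f"display name '{display_name}' is on file as {known}, "
            f"but this mail came from {address}"
        )

    # Replies silently routed to a mailbox other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address:
        warnings.append(f"replies would go to {reply_to}, not to {address}")

    return warnings


# Constructed samples: same visible name, different real address.
SUSPICIOUS = (
    "From: Jane Doe <jane.doe@mail-examplebank.example>\n"
    "Reply-To: accounts@mail-drop.example\n"
    "Subject: Wire confirmation\n\n"
    "Please confirm the attached transfer details.\n"
)
LEGITIMATE = (
    "From: Jane Doe <jane.doe@examplebank.example>\n"
    "Subject: Meeting next week\n\nSee you Tuesday.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, sender_checks(raw))
```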

Two-part authentication, or two-factor authentication, requires the user to enter his or her usual username and password and then enter a code that changes for each instance. This code gets texted to a cell phone (or, more securely, is generated by an authentication app on the phone, such as Google Authenticator or Microsoft Authenticator). This is a critical first step toward preventing unauthorized persons from getting access to your information and an excellent starting point for avoiding cybercrime. It is imperative that people realize the damage that can be done with access to emails. A cybercriminal can reset your passwords and use your email to access your accounts across the internet. These criminals are clever and resourceful. Business owners and employees must be one step ahead.
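The changing code that an authenticator app shows is, in the common case, a time-based one-time password: the phone and the service share a secret once at enrollment, and each derives the current code from that secret and the current 30-second window. The following added example (not from the article) implements that RFC 6238 algorithm and the verification step, using the RFC's own published test key so the output can be checked; a real enrollment uses a random secret delivered once, typically by QR code.

```python
"""Time-based one-time codes (RFC 6238), as shown by an authenticator app.
Added example, not from the original article; the key is the RFC test key."""
import hmac
import struct
import time
from hashlib import sha1

STEP_SECONDS = 30  # each code is valid for one 30-second window
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """HMAC-based one-time code for a counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """Code for the window containing unix_time (RFC 6238)."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify(secret: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the code for the current window or one window either side.

    The tolerance covers phone clocks that run slightly off; compare_digest
    keeps the comparison constant-time. Without the secret, a stolen password
    alone cannot produce a code that passes this check.
    """
    window = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, window + d), submitted)
        for d in range(-drift, drift + 1)
    )


# RFC 4226 / RFC 6238 test key; a real secret is random and enrolled once.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SECRET, now))
```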

For example, a client of mine was once fooled into clicking on a fake invite to a New Year’s Eve party and entered his username and password into a site that looked like Gmail. Again, he “knew” the sender. He did not think much of it at the time, but a few weeks later, his bank called, verifying a wire transfer to Europe in the coming days. These cybercriminals looked through my client’s email history, saw his contact at the bank, and began a stealth exchange of emails to set up an elaborate scenario of a trip to Europe to purchase land. Luckily, the bank called to verify. Had my client used two-factor authentication, the hackers would not have gotten in at all—as they would have needed that additional one-time code. This email could easily have contained ransomware, which would have encrypted all data files on the user’s computer and held the data for ransom: a payment to the hacker to unlock the user’s own data.

Recently, a form of email phishing called “spearphishing” has appeared. These emails contain targeted information. Last year, a CPA client called regarding an email exchange with someone who contacted him via the website contact form, asking for help with prior year taxes. The exchange of emails continued until the hacker sent an email with an attachment that was described as a “Secured PDF Online Document.” The attachment contained a link to infect the user. Happily, the client called before opening it, and this attack was averted.

Another common threat is stealing personally identifiable information, such as name, address, or social security number. To prevent hackers from obtaining this from emails, you must send emails with encryption. Microsoft Office 365 offers email encryption for a nominal monthly fee, and it is well worth it for the protection. Please do not think password-protecting a PDF is secure. There are utilities available (both free and for a fee) that will crack these passwords. Full email encryption is your only option.

Cybercriminals are now targeting individual companies to attack, taking the time to do whatever it takes to get your data. Be vigilant.

INTERNET SECURITY

Drive-by browser downloads are another leading method of cyber attack. Internet searches can lead you to compromised websites, which can infect your network with viruses and malware. To prevent this type of attack, install all the latest security patches on your computers and servers. Install a firewall router with gateway antivirus, gateway anti-malware, and intrusion protection to stop the virus before it gets into your private network. Routers provided by your Internet Service Provider do not have this type of security. While these might be adequate for your home, you should not rely on them for your business.

A commonly seen cyber attack is a browser popup that falsely claims to be a warning from a legitimate company (such as Microsoft), stating that your PC is infected and you should call the number given. These alerts fool the user into calling—and then the hackers proceed to access your computer remotely, with your permission, under the guise of cleaning up your computer. Instead, they infect your computer. Never call any number in a popup alert.

Another measure available is a subscription to a good antivirus program that provides a plug-in to your browser that qualifies a website as safe. This prevents you from going to sites that are known for infecting the unsuspecting user.

A better utility to protect you is a “sandboxing” application that allows your browser to access the internet, yet prevents any permanent changes to your computer or network. For example, if you accidentally download malware, any changes that it attempts to make will be contained in a virtual sandbox, which is easily emptied. We use a product called Sandboxie.

REMOTE ACCESS

Remote access to your computers should be done over a secure virtual private network, or VPN, connection. Never use Microsoft Remote Desktop without a VPN; doing so will almost guarantee hackers access to your data. If it is not practical to set up a VPN, use one of the handful of remote access services that offer two-factor authentication. LogMeIn is a good choice.

DATA SECURITY

Transporting data using a USB drive is not secure. The USB drive should be one that has encryption built in by requiring a password for access. Most offer automatic destruction if the password is entered incorrectly too many times. Use one with this feature.

I have had accountant clients who transport their clients’ QuickBooks data files on a USB drive back to their office, unencrypted, assuming that because the QuickBooks file is password protected, it is secure. With utilities available on the internet that can wipe out all passwords in a QuickBooks data file, that is simply not true. These utilities allow anyone to have access to the data on the drive. Protect your data and your clients.

Laptops are another security problem. Laptop hard drives should be encrypted. Microsoft has a built-in encryption utility called BitLocker that comes with the Professional versions of Windows 10.

Disposal of computer equipment also needs to be handled properly. Removal and destruction of the drives is a good way to prevent unauthorized access to data. The Federal Trade Commission provides guides on proper disposal of digital data.

WIRELESS SECURITY

Wireless access into your network needs to be protected. Of course, use passwords, but a guest network should also be set up for visitors to your office who need internet access. This prevents guest users from accessing the computers and resources on your network, which is especially important in case one of the laptops or devices used by a guest is infected.

BACKUPS

If all these measures are taken but ransomware still infects your system and network, what happens next? Your only recourse for data recovery is a good backup system. I recommend maintaining more than one system, often setting up at least two methods for my clients: a daily backup to local removable cartridges and some method to back up to an internet service. By far, the best system of offsite backup includes virtualizing your computer or server offsite. This can be done as often as every 15 minutes with little or no performance hit to your system. This type of protection is invaluable, especially during tax season. Any accounting firm that doesn’t protect itself with this type of backup is setting itself up for a catastrophic disaster.

Virtualization of a computer or server makes a virtual software photocopy of your system, which can then be brought back to life rather quickly in an accompanying virtual host environment. Microsoft Hyper-V and VMware provide virtual hosting environments in both paid and no-cost options, and virtualization is a valuable technology employed by small and large companies alike. This is a key part of any Backup Disaster Recovery plan and is the best solution for business continuity and minimizing system downtime. A backup is a must for any business.

Cybercrime is with us. Be safe, be vigilant, be smart, and first and foremost, make backups.


Patrick Buono has over 35 years of experience providing consulting and IT services and support to the business community. He is currently the president of Aurora Computer Technology, Inc., a company he founded in 1987. Mr. Buono focuses on computer consulting, IT support and services, internet security, and data protection for his clients. He has a degree in Public Accounting from Baruch College and was employed as an accountant for CPA firms prior to starting his company. Mr. Buono has given cyber security seminars to clients and organizations, such as the Staten Island Chapter of the NYSSCPA. He can be reached at 718-981-2363 or pbuono@auroracomputer.com.

Views expressed in articles published in Tax Stringer are the authors' only and are not to be attributed to the publication, its editors, the NYSSCPA or FAE, or their directors, officers, or employees, unless expressly so stated. Articles contain information believed by the authors to be accurate, but the publisher, editors and authors are not engaged in rendering legal, accounting or other professional services. If specific professional advice or assistance is required, the services of a competent professional should be sought.