Heading off hackers
By Lisa K. Dunnigan
CPA firms may be at a higher risk for hackers because they store sensitive client data, such as social security numbers.
If your client data is compromised, your firm also may be legally required by state law to notify clients or the public about the breach and explain the potential consequences. A security disaster plan and response team should be in place before a problem occurs so that you can respond quickly and professionally in a crisis.
While you can't prevent network and Web site breaches entirely, here are some steps to reduce your chances of hacker attacks, and how to handle a security problem if it happens.
Defend in depth
View your network security in layers. To understand this layering concept, think about your home. You might install deadbolt locks and make sure to lock your home at night and when you are away. You also could install motion detectors. You could buy a large dog, install a simple security system, or invest in a remote security service.
The simplest form of network security is the firewall. This is a basic requirement, yet many companies I've encountered rely on firewalls for all of their security.
If you are hosting your Web site on premise, you also should incorporate a demilitarized zone, or DMZ, which is an added layer of separation between your Web site and network. This way, people who have access to the Internet can access your Web site, but can't access your data network, which likely is physically connected to your Web site.
Keep all of your servers patched with the latest operating system patches and updates. Once a new operating system vulnerability is discovered, the hacker community considers it a race to exploit the vulnerability before a patch is applied. Stay current with security updates, particularly ones labeled as critical.
Install and regularly update antivirus and anti-spyware software. Pay attention to alerts on new viruses and download any updates as they become available.
All network users should have complex passwords to log in, such as combinations of upper- and lowercase letters, numerals, and non-alphanumeric characters. As an added precaution, change your passwords every 90 days. Weigh the inconvenience against the security of your data.
Watch for suspicious activity on your server by using intrusion-detection software. This product can monitor logins and create a baseline activity profile that will alert you if activity seems odd.
Train users against mistakes
Never leave computers logged on after hours. Invest in software that automatically logs out computers after a certain amount of inactivity or launched screen savers that lock the keyboard.
Train your staff to not write their passwords on sticky notes or share them with anyone. Even if a legitimate IT staffer needs to fix a problem, set a policy that users must be present to type in their own password.
Prepare your response
If data is corrupted or a Web site is taken down, a good backup system will enable you to recover quickly. Backup procedures should limit the consequences of a virus or hacked network.
At least once a year, conduct a data inventory to identify where critical and sensitive data resides. If you experience a cyber attack, this will help identify exactly where the breach occurred and what type of data was compromised.
Test your network to find out how vulnerable you are to attack. Penetration-testing tools can simulate an attack, or you can hire someone to try and hack your system. It can cost less than $50 or up to several thousand dollars for a professional service. The resulting reports can help you pinpoint current network vulnerabilities and possibly save you much more in terms of embarrassment, lost time, and productivity.