Heading off hackers

By Lisa K. Dunnigan

CPA firms may be at higher risk from hackers because they store sensitive client data, such as Social Security numbers.

If your client data is compromised, your firm also may be legally required by state law to notify clients or the public about the breach and explain the potential consequences. A security disaster plan and response team should be in place before a problem occurs so that you can respond quickly and professionally in a crisis.

While you can't prevent network and Web site breaches entirely, here are some steps to reduce your chances of hacker attacks, and how to handle a security problem if it happens.

Defend in depth

View your network security in layers. To understand this layering concept, think about your home. You might install deadbolt locks and make sure to lock your home at night and when you are away. You also could install motion detectors. You could buy a large dog, install a simple security system, or invest in a remote security service.

The simplest form of network security is the firewall. This is a basic requirement, yet many companies I've encountered rely on firewalls for all of their security.

If you host your Web site on premises, you also should add a demilitarized zone, or DMZ, which is a separate network segment that sits between the Internet-facing Web site and your internal network. This way, people on the Internet can reach your Web site but cannot reach your data network, which would otherwise likely be physically connected to the Web server.

Prevent proactively

Keep all of your servers patched with the latest operating system patches and updates. Once a new operating system vulnerability is discovered, the hacker community considers it a race to exploit the vulnerability before a patch is applied. Stay current with security updates, particularly ones labeled as critical.

Install and regularly update antivirus and anti-spyware software. Pay attention to alerts on new viruses and download any updates as they become available.

Implement controls

All network users should have complex passwords to log in, such as combinations of upper- and lowercase letters, numerals, and non-alphanumeric characters. As an added precaution, change your passwords every 90 days. Weigh the inconvenience against the security of your data.

Watch for suspicious activity on your server by using intrusion-detection software. Such software monitors logins, builds a baseline profile of normal activity, and alerts you when activity departs from that baseline.
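To show what "baseline and alert" means in practice, here is an added example (written for this article, not code from any product the author mentions): a short Python script that learns each user's normal login addresses and hours of day from earlier log lines, then flags later successful logins that come from a new address, fall outside the usual hours, or follow a burst of failed attempts. The log format, user name, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample login records (not real data): two office-hours logins from the office LAN,
# then two failures and a success from an outside address in the small hours, then a normal login.
SAMPLE_LOG = """\
2014-10-01 08:55:12 LOGIN user=jdoe src=10.0.1.15 result=success
2014-10-02 09:02:41 LOGIN user=jdoe src=10.0.1.15 result=success
2014-10-06 02:14:55 LOGIN user=jdoe src=203.0.113.77 result=failure
2014-10-06 02:15:03 LOGIN user=jdoe src=203.0.113.77 result=failure
2014-10-06 02:15:40 LOGIN user=jdoe src=203.0.113.77 result=success
2014-10-06 09:01:10 LOGIN user=jdoe src=10.0.1.15 result=success
"""
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGIN user=(\S+) src=(\S+) result=(\S+)$")

def parse(log_text):
    """Parse login records into dicts; timestamps stay as text (it sorts correctly), other lines are skipped."""
    return [{"ts": m.group(1), "hour": int(m.group(1)[11:13]), "user": m.group(2),
             "src": m.group(3), "ok": m.group(4) == "success"}
            for m in map(LINE_RE.match, log_text.splitlines()) if m]

def build_baseline(events, cutoff):
    """Per user: source addresses and hours of day seen in successful logins before cutoff."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            base[e["user"]]["srcs"].add(e["src"])
            base[e["user"]]["hours"].add(e["hour"])
    return base

def detect(events, cutoff, max_failures=2):
    """Return (ts, user, reasons) for successful logins at/after cutoff that leave the
    baseline or follow max_failures failed attempts from the same address."""
    base, failures, alerts = build_baseline(events, cutoff), defaultdict(int), []
    for e in (x for x in events if x["ts"] >= cutoff):
        key = (e["user"], e["src"])
        if not e["ok"]:
            failures[key] += 1  # count failed attempts per user and address
            continue
        b = base.get(e["user"], {"srcs": set(), "hours": set()})  # unknown user: everything is new
        reasons = []
        if e["src"] not in b["srcs"]:
            reasons.append("new source address")
        if e["hour"] not in b["hours"]:
            reasons.append("outside usual hours")
        if failures[key] >= max_failures:
            reasons.append("success after %d failed attempts" % failures[key])
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts
```

Running `detect(parse(SAMPLE_LOG), "2014-10-06")` flags only the 02:15:40 login, for all three reasons; the 09:01 login from the usual address matches the baseline and is left alone.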

Train users against mistakes

Never leave computers logged on after hours. Invest in software that automatically logs computers out after a set period of inactivity or launches a screen saver that locks the keyboard.

Train your staff to not write their passwords on sticky notes or share them with anyone. Even if a legitimate IT staffer needs to fix a problem, set a policy that users must be present to type in their own password.

Prepare your response

If data is corrupted or a Web site is taken down, a good backup system will enable you to recover quickly. Backup procedures should limit the consequences of a virus or hacked network.

At least once a year, conduct a data inventory to identify where critical and sensitive data resides. If you experience a cyber attack, this will help identify exactly where the breach occurred and what type of data was compromised.
 
Test your network to find out how vulnerable you are to attack. Penetration-testing tools can simulate an attack, or you can hire someone to try to hack your system. It can cost less than $50 or up to several thousand dollars for a professional service. The resulting reports can help you pinpoint current network vulnerabilities and possibly save you much more in terms of embarrassment, lost time, and productivity.

About the author:
Lisa K. Dunnigan is principal in charge of internal information systems at St. Paul, MN-based CPA and consulting firm Olsen Thielen. She can be reached at (651) 486-4575.
