Heading off hackers

By Lisa K. Dunnigan

CPA firms may be at higher risk from hackers because they store sensitive client data, such as Social Security numbers.

If your client data is compromised, your firm also may be legally required by state law to notify clients or the public about the breach and explain the potential consequences. A security disaster plan and response team should be in place before a problem occurs so that you can respond quickly and professionally in a crisis.

While you can't prevent network and Web site breaches entirely, here are some steps to reduce your chances of hacker attacks, and how to handle a security problem if it happens.

Defend in depth

View your network security in layers. To understand this layering concept, think about your home. You might install deadbolt locks and make sure to lock your home at night and when you are away. You also could install motion detectors. You could buy a large dog, install a simple security system, or invest in a remote security service.

The simplest form of network security is the firewall. This is a basic requirement, yet many companies I've encountered rely on firewalls for all of their security.

If you are hosting your Web site on premise, you also should incorporate a demilitarized zone, or DMZ, which is an added layer of separation between your Web site and network. This way, people who have access to the Internet can access your Web site, but can't access your data network, which likely is physically connected to your Web site.

Prevent proactively

Keep all of your servers patched with the latest operating system patches and updates. Once a new operating system vulnerability is discovered, the hacker community considers it a race to exploit the vulnerability before a patch is applied. Stay current with security updates, particularly ones labeled as critical.

Install and regularly update antivirus and anti-spyware software. Pay attention to alerts on new viruses and download any updates as they become available.

Implement controls

All network users should have complex passwords to log in, such as combinations of upper- and lowercase letters, numerals, and non-alphanumeric characters. As an added precaution, change your passwords every 90 days. Weigh the inconvenience against the security of your data.

Watch for suspicious activity on your server by using intrusion-detection software. This product can monitor logins and create a baseline activity profile that will alert you if activity seems odd.
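The baseline-and-alert idea above, as an added example that is not from the article or from any intrusion-detection product: the script learns each user's usual login hours and source hosts from a learning window of constructed sample records (the users, hosts and timestamps are made up), then flags later logins that fall outside that profile or that show repeated failures.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (hypothetical, not from the article): timestamp,user,host,result
LEARNING_LOG = """\
2013-11-04T08:05:00,alice,WS-ALICE,success
2013-11-05T08:12:00,alice,WS-ALICE,success
2013-11-06T07:58:00,alice,WS-ALICE,success
2013-11-04T09:00:00,bob,WS-BOB,success
2013-11-05T09:10:00,bob,WS-BOB,success
2013-11-06T08:55:00,bob,WS-BOB,success
"""
REVIEW_LOG = """\
2013-11-08T08:01:00,alice,WS-ALICE,success
2013-11-08T02:30:00,alice,LAPTOP-UNKNOWN,success
2013-11-08T09:02:00,bob,WS-BOB,failure
2013-11-08T09:02:30,bob,WS-BOB,failure
2013-11-08T09:03:00,bob,WS-BOB,failure
"""

def parse(log):
    # One record per line; yields (datetime, user, host, result).
    for line in log.splitlines():
        ts, user, host, result = line.split(",")
        yield datetime.fromisoformat(ts), user, host, result

def build_baseline(log):
    # Baseline per user: the hours of day and source hosts seen in successful logins.
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host, result in parse(log):
        if result == "success":
            profile[user]["hours"].add(ts.hour)
            profile[user]["hosts"].add(host)
    return profile

def find_anomalies(baseline, log, max_failures=3):
    # Compare new records against the baseline; returns a list of (user, reason) alerts.
    alerts, failures = [], defaultdict(int)
    for ts, user, host, result in parse(log):
        if result == "failure":
            failures[user] += 1
            if failures[user] == max_failures:
                alerts.append((user, "repeated failed logins"))
            continue
        prof = baseline.get(user, {"hours": set(), "hosts": set()})  # unknown user: everything is new
        if host not in prof["hosts"]:
            alerts.append((user, f"new source host {host}"))
        if ts.hour not in prof["hours"]:
            alerts.append((user, f"login at unusual hour {ts.hour:02d}:00"))
    return alerts
```

Running `find_anomalies(build_baseline(LEARNING_LOG), REVIEW_LOG)` on the sample data reports alice's off-hours login from an unfamiliar host and bob's run of failed logins, while alice's normal morning login passes silently.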

Train users against mistakes

Never leave computers logged on after hours. Invest in software that automatically logs out computers after a certain amount of inactivity, or launches a screen saver that locks the keyboard.

Train your staff to not write their passwords on sticky notes or share them with anyone. Even if a legitimate IT staffer needs to fix a problem, set a policy that users must be present to type in their own password.

Prepare your response

If data is corrupted or a Web site is taken down, a good backup system will enable you to recover quickly. Backup procedures should limit the consequences of a virus or hacked network.

At least once a year, conduct a data inventory to identify where critical and sensitive data resides. If you experience a cyber attack, this will help identify exactly where the breach occurred and what type of data was compromised.
 
Test your network to find out how vulnerable you are to attack. Penetration-testing tools can simulate an attack, or you can hire someone to try and hack your system. It can cost less than $50 or up to several thousand dollars for a professional service. The resulting reports can help you pinpoint current network vulnerabilities and possibly save you much more in terms of embarrassment, lost time, and productivity.

About the author:
Lisa K. Dunnigan is principal in charge of internal information systems at St. Paul, MN-based CPA and consulting firm Olsen Thielen. She can be reached at (651) 486-4575.
