Heading off hackers

By Lisa K. Dunnigan

CPA firms may be at a higher risk from hackers because they store sensitive client data, such as Social Security numbers.

If your client data is compromised, your firm may also be required by state law to notify clients or the public about the breach and explain the potential consequences. A security disaster plan and response team should be in place before a problem occurs so that you can respond quickly and professionally in a crisis.

While you can't prevent network and Web site breaches entirely, here are some steps to reduce your chances of hacker attacks, and how to handle a security problem if it happens.

Defend in depth

View your network security in layers. To understand this layering concept, think about your home. You might install deadbolt locks and make sure to lock your home at night and when you are away. You also could install motion detectors. You could buy a large dog, install a simple security system, or invest in a remote security service.

The simplest form of network security is the firewall. This is a basic requirement, yet many companies I've encountered rely on firewalls for all of their security.

If you are hosting your Web site on premise, you also should incorporate a demilitarized zone, or DMZ, which is an added layer of separation between your Web site and network. This way, people who have access to the Internet can access your Web site, but can't access your data network, which likely is physically connected to your Web site.

Prevent proactively

Keep all of your servers patched with the latest operating system patches and updates. Once a new operating system vulnerability is discovered, the hacker community considers it a race to exploit the vulnerability before a patch is applied. Stay current with security updates, particularly ones labeled as critical.

Install and regularly update antivirus and anti-spyware software. Pay attention to alerts on new viruses and download any updates as they become available.

Implement controls

All network users should have complex passwords to log in, such as combinations of upper- and lowercase letters, numerals, and non-alphanumeric characters. As an added precaution, change your passwords every 90 days. Weigh the inconvenience against the security of your data.

Watch for suspicious activity on your server by using intrusion-detection software. This product can monitor logins and create a baseline activity profile that will alert you if activity seems odd.
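The baseline-and-alert idea described above, as an added example that is not part of the original article: it reads constructed login records, builds a per-user profile of the source addresses and hours of day seen in normal logins, and then flags logins outside that profile or bursts of failed logins. The log format, user names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample login records used to build the baseline (not from the article).
BASELINE_LOG = """\
2014-04-01 08:12:03 LOGIN user=jsmith src=10.0.0.12 result=success
2014-04-01 08:40:19 LOGIN user=mjones src=10.0.0.15 result=success
2014-04-02 17:55:10 LOGIN user=mjones src=10.0.0.15 result=success
2014-04-03 08:30:01 LOGIN user=jsmith src=10.0.0.12 result=success
"""
# Constructed records to check against that baseline.
NEW_LOG = """\
2014-04-04 08:05:40 LOGIN user=jsmith src=10.0.0.12 result=success
2014-04-04 02:14:07 LOGIN user=jsmith src=203.0.113.9 result=success
2014-04-04 02:14:30 LOGIN user=mjones src=203.0.113.9 result=failure
2014-04-04 02:14:35 LOGIN user=mjones src=203.0.113.9 result=failure
2014-04-04 02:14:41 LOGIN user=mjones src=203.0.113.9 result=failure
"""
LINE_RE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+) src=(\S+) result=(\S+)$")

def parse(text):
    """Yield (timestamp, user, source, result) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def build_baseline(text):
    """Per user, record the source addresses and hours of day seen in successful logins."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ts, user, src, result in parse(text):
        if result == "success":
            baseline[user]["srcs"].add(src)
            baseline[user]["hours"].add(ts.hour)
    return dict(baseline)

def find_anomalies(baseline, text, max_failures=3):
    """Flag successful logins outside a user's profile and bursts of failures per user/source."""
    alerts, failures = [], defaultdict(int)
    for ts, user, src, result in parse(text):
        if result != "success":
            failures[(user, src)] += 1
            if failures[(user, src)] == max_failures:  # alert once per burst
                alerts.append(f"{ts} {max_failures} failed logins for {user} from {src}")
            continue
        profile = baseline.get(user, {"srcs": set(), "hours": set()})  # unknown user: empty profile
        if src not in profile["srcs"] or ts.hour not in profile["hours"]:
            alerts.append(f"{ts} unusual login for {user}: src={src} hour={ts.hour:02d}")
    return alerts
```

A real deployment would build the baseline from weeks of logs and feed the alerts to whoever is on the response team, but the shape of the logic is the same.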

Train users against mistakes

Never leave computers logged on after hours. Invest in software that automatically logs out computers after a certain amount of inactivity or launches screen savers that lock the keyboard.

Train your staff to not write their passwords on sticky notes or share them with anyone. Even if a legitimate IT staffer needs to fix a problem, set a policy that users must be present to type in their own password.

Prepare your response

If data is corrupted or a Web site is taken down, a good backup system will enable you to recover quickly. Backup procedures should limit the consequences of a virus or hacked network.

At least once a year, conduct a data inventory to identify where critical and sensitive data resides. If you experience a cyber attack, this will help identify exactly where the breach occurred and what type of data was compromised.

Test your network to find out how vulnerable you are to attack. Penetration-testing tools can simulate an attack, or you can hire someone to try to hack your system. It can cost less than $50 or up to several thousand dollars for a professional service. The resulting reports can help you pinpoint current network vulnerabilities and possibly save you much more in terms of embarrassment, lost time, and productivity.

About the author:
Lisa K. Dunnigan is principal in charge of internal information systems at St. Paul, MN-based CPA and consulting firm Olsen Thielen. She can be reached at (651) 486-4575.
