Effective Ways for Accounting Professionals to Respond to a Data Breach: Part 1
by Danny Severns
Security is always a big concern when working remotely, and it is important to know how to recognize when a breach occurs and know what to do. Expert Danny Severns reviews precautions you should take and other crucial information in the first of a two-part series on protecting yourself against hackers.
Precautions You Should Be Taking
Before we get into what to do if your system is breached, make sure you are starting remote work from a clean PC that has not already been compromised. Run a full scan with a reputable anti-malware product before you connect to your firm's systems for the first time; installing an antivirus application will typically run such a scan and remove anything it finds. System-cleaner utilities are a separate category: CleanMyPC, CCleaner, Advanced System Optimizer, Wise Care 365 Pro, and Norton Utilities Premium remove junk files and leftover temporary web browsing files, and some check that system drivers are up to date, but they are not malware scanners and should not be relied on to find an intruder. Install them only from the vendor's own site: trojanized copies of popular cleaners have circulated, and CCleaner's own installer was tampered with in a 2017 supply-chain compromise. Some have stripped-down, free versions, but I think it is worth the investment to purchase the licensed version for their additional features and run the software at least once per quarter to keep your system clean.
Windows 10 includes a Ransomware Protection feature that is turned off by default. It has two components: Controlled Folder Access and Ransomware Data Recovery (the latter is OneDrive file recovery). You turn them on in the Windows Security app (formerly Windows Defender Security Center) under Virus & threat protection > Ransomware protection. Controlled Folder Access depends on Microsoft Defender Antivirus real-time protection; if you have installed another antivirus product, Defender turns its real-time protection off and Controlled Folder Access cannot be enabled. Controlled Folder Access protects selected folders against ransomware by refusing writes from applications that are not recognized as trusted, so the malware cannot encrypt, or change in any other manner, the files in the designated folder(s). The flip side is that your own applications can be blocked too: an accounting package that writes to a protected folder has to be added to the allowed-applications list, so expect a short tuning period after turning the feature on.
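As an added example (not from the article, and not Microsoft's own documentation), here is the same configuration done from an elevated PowerShell prompt with the built-in Defender cmdlets, which is the practical route when several PCs have to be set up the same way. The folder and application paths are hypothetical placeholders; substitute your own.

```powershell
# Added example: enable Controlled Folder Access with the Defender cmdlets.
# Run as Administrator. Folder and application paths below are hypothetical.

# The feature depends on Microsoft Defender Antivirus real-time protection, which
# Defender switches off when another antivirus product is registered. Check first.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw "Defender real-time protection is off (running mode: $($status.AMRunningMode)); Controlled Folder Access needs it."
}

# Start in audit mode: nothing is blocked, but every write that would have been
# denied is logged as event 1124, which tells you which of your own programs
# need an exception before you switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect the folders that hold client data, in addition to the profile folders
# (Documents, Pictures, ...) that Windows protects by default.
$protectedFolders = @(
    'D:\ClientFiles',      # hypothetical: workpapers and returns
    'D:\Backups\Local'     # hypothetical: local backup target
)
foreach ($folder in $protectedFolders) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
}

# Allow your own applications through. Anything listed here may write to the
# protected folders unchallenged, so list only executables you have verified.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleTax\ExampleTax.exe'   # hypothetical

# Review what audit mode recorded (1124 = would have been blocked; 1123 = blocked,
# once enforcement is on). Each message names the program and the folder it touched.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# When the audit log shows only programs you expect (and they are on the allowed
# list), enforce.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the result (EnableControlledFolderAccess reports 1 when enforced).
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Leave the PC in audit mode for a normal working week before running the final Set-MpPreference: the 1124 events collected in that time are the list of programs that will break the day you enforce, and it is cheaper to read that list than to discover it during month-end close.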
Typically, a top-of-the-line virus protection application will protect against viruses, malware, spyware, and adware; some include ransomware protection as well. My definition of top-of-the-line virus software includes Norton, Symantec, PCmatic, McAfee, Bitdefender, Webroot, Trend Micro and Malwarebytes (not necessarily in that order). Personally, I have used PCmatic for six years on all my devices, and I have not experienced a single problem of any kind.
How to Know a Breach Has Occurred
Now, let’s say you’re taking precautions, but you still experience a breach. What should you do? Well first, you need to know you’ve been hacked.
The following is a partial list of events that may indicate a breach. Each of them also has innocent explanations (a failing disk, a bad driver update, a forgotten password), and a careful intruder produces none of them, so treat the list as a prompt to investigate rather than as proof either way:
- Your passwords suddenly stop working
- Suspicious programs show up when you run Control Panel > Programs and Features
- Your virus protection software has been deleted or disabled
- When browsing, you start seeing many unusual pop-ups, URLs you enter are redirected to different webpages, or your browser's home page is changed to another website without your doing it
- You are suddenly missing files
- You experience constant or regular crashes because the system has become unstable
- Applications suddenly will not run or are missing
- Your computer is running terribly slowly, and even though you have plenty of memory and disk space, it keeps churning away for no apparent reason
- You get locked out of your PC altogether because your password is rejected as invalid
- You get the blue screen of death repeatedly, or the computer will not boot up at all
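Several of these indicators can be checked in a minute from PowerShell rather than by eye. The following triage script is an added example, not part of the article: it is read-only, so it does not disturb evidence, and it reports antivirus state, recently installed programs, the hosts file and proxy settings that commonly sit behind browser redirection, autostart entries and scheduled tasks, the busiest processes, and failed-logon and password-change events. `$since` (the last date you trust the machine) is an assumption to set yourself; run it from an elevated prompt.

```powershell
# Added example: read-only triage of the breach indicators listed above. Run as
# Administrator on the suspect PC and keep the output (pipe to Tee-Object or > file).
# $since is the last date you trust the machine; set it for your situation.
$since = (Get-Date).AddDays(-14)

"== 1. Antivirus deleted or disabled? =="
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureLastUpdated, QuickScanEndTime
# Third-party products register with Security Center; productState encodes
# whether they are running and up to date.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    Select-Object displayName, productState, timestamp

"== 2. Programs installed since $since (same data as Programs and Features) =="
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate is usually yyyyMMdd, but not every installer writes it.
        $d = [datetime]::MinValue
        if ([datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                [System.Globalization.CultureInfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$d) -and $d -ge $since) { $_ }
    } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
    Sort-Object InstallDate -Descending

"== 3. Redirected URLs: hosts file entries and proxy settings =="
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

"== 4. Autostart entries and scheduled tasks created since $since =="
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue } |
    Format-List
Get-ScheduledTask |
    Where-Object { ($_.Date -as [datetime]) -ge $since } |
    Select-Object TaskName, TaskPath, Author, Date, State

"== 5. Busiest processes, where they run from, and whether they are signed =="
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 |
    ForEach-Object {
        $sig = if ($_.Path) { (Get-AuthenticodeSignature -FilePath $_.Path).Status } else { 'n/a' }
        [pscustomobject]@{ Name = $_.ProcessName; CPU = [int]$_.CPU; Path = $_.Path; Signature = $sig }
    } | Format-Table -AutoSize

"== 6. Failed logons (4625), new accounts (4720), password resets (4724) since $since =="
# On a standalone PC these appear only if logon auditing is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4720, 4724; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
```

Read the output with the caveat above in mind: an unsigned process in a temp folder, a program you did not install, or a hosts-file line pointing your bank's name at a strange address is worth a call to an expert; a clean report is not a clean bill of health.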
How to Respond to a Breach
If you are knowledgeable enough and feel comfortable moving around directories and files on a PC, you can try to fix the issue yourself. If you are not confident with the DIY approach, or if the computer won't turn on at all, call in an expert. In either case, the first move is the same: disconnect the machine from the network (unplug the cable, turn off Wi-Fi) so that an intruder loses access and malware cannot spread to the host server or other devices, and do not wipe or reinstall anything until you or the expert have worked out what happened, because the evidence lives on that disk.
If you proceed on your own, your first action depends on the symptoms you are noticing. If the problem turns out to be ransomware, your options will be extremely limited: the computer may still run, but nothing useful will work because your data files have been encrypted. You typically will know the problem is ransomware because the attacker's ransom note displays as a message, or appears as a text file in every affected folder. It tells you how to pay the ransom and promises a key to decrypt the files in return; there is no guarantee the key arrives, or that it works.
Have a PC tech confirm the problem is ransomware and whether anything can be done to defeat it. Techs and security experts have tools that try to identify the ransomware family and decrypt the files; free decryptors for families whose keys have been recovered are published by the No More Ransom project (nomoreransom.org). Sometimes that works on less sophisticated or older ransomware, but if the malware is the work of a professional criminal group, it probably will not help at all. If possible, and if time permits, refrain from a panic knee-jerk reaction to pay the ransom until a tech has said you have no other option, and keep a copy of the encrypted files either way: decryptors for a family are sometimes released months later.
After a breach has occurred, the best defense against it shutting you down or causing major disruptions is a solid plan B and good, current backups. But even that can be problematic, depending on the amount of time between when your system was breached and when the malware executes. Some malware runs as soon as it lands or the next time the system boots; some waits weeks or months, precisely so that it is present on every backup and a simple restore brings it right back. A backup strategy that survives this keeps several older generations rather than one rolling copy, keeps at least one copy offline or otherwise unreachable from the PC (ransomware encrypts any drive or share it can write to), and separates data from the operating system: restore your files from backup, but rebuild the operating system and applications from clean installation media rather than from a disk image that may carry the dormant malware. Test a restore before you need it.
Conversely, if your PC or device is not dead or infected with ransomware and still runs well, the first thing you may want to do is change all your passwords on all accounts. Do this from a device you trust, not from the suspect PC: if a keylogger is installed, the new passwords go straight to the intruder. Pick a different, strong password for each account, user, and application (a password manager makes this practical), and turn on two-factor authentication wherever it is offered. This stops the hacker from re-entering your system or network with the old passwords, and two-factor authentication also blunts a password that is stolen later.
Next, try to determine whether anything was stolen or tampered with. Examine sensitive data files to figure out if any are missing, moved or changed: bank account, employee, customer and vendor master files and any others that contain important and sensitive data, such as HR, order entry, transaction and history files related to the mission-critical applications or modules. Bear in mind that theft usually means copying, which leaves the original file in place with its timestamps untouched, so intact files are no evidence that nothing was taken; where the host server keeps access or audit logs, those are the better source. If you are a remote user, these are typically the application files and data that reside on the host server. On your remote device (PC, tablet, or notebook), check whether the connection client and its configuration files are missing or have changed since you last used them. A recent modification date on a configuration file you have not touched means something altered it, for example to point the connection elsewhere or to save credentials, and is a strong sign that an intruder has set up access to the host server under your identity; the file may also have been copied, but copying alone does not change its dates.
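To make that last check reliable rather than a matter of eyeballing dates, take a baseline now. The following is an added example, not the author's procedure: it records the SHA-256 hash and last-write time of the remote-access configuration files while the PC is in a known-good state and, after a suspected breach, reports what is new, missing, modified or merely re-timestamped. The paths are hypothetical; point `$configPaths` at your own client's profile folders (.rdp files, VPN client configuration, saved connection profiles). It detects changes, not reads: a file that was only copied will compare clean.

```powershell
# Added example: integrity baseline for remote-access configuration files.
# Paths are hypothetical placeholders; replace them with your client's real ones.
$configPaths = @(
    "$env:USERPROFILE\Documents\*.rdp",
    "$env:APPDATA\ExampleVPN",          # hypothetical VPN client profile folder
    "$env:LOCALAPPDATA\ExampleRemote"   # hypothetical remote-desktop client settings
)
$baselineFile = "$env:USERPROFILE\config-baseline.csv"

function Get-ConfigSnapshot {
    # One record per file: path, last-write time, size and content hash.
    Get-ChildItem -Path $configPaths -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime.ToString('o')
                Length        = $_.Length
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Save-ConfigBaseline {
    # Take the baseline while you trust the machine, then keep a copy off the PC:
    # a baseline an intruder can edit is no baseline.
    Get-ConfigSnapshot | Export-Csv -Path $baselineFile -NoTypeInformation
}

function Compare-ConfigBaseline {
    $old = Import-Csv -Path $baselineFile
    $new = Get-ConfigSnapshot
    $oldByPath = @{}; foreach ($f in $old) { $oldByPath[$f.Path] = $f }
    $newByPath = @{}; foreach ($f in $new) { $newByPath[$f.Path] = $f }

    foreach ($path in $oldByPath.Keys) {
        if (-not $newByPath.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Missing';  Path = $path; Detail = 'in baseline, gone now' }
        } elseif ($newByPath[$path].Sha256 -ne $oldByPath[$path].Sha256) {
            [pscustomobject]@{ Change = 'Modified'; Path = $path; Detail = "content changed; last write $($newByPath[$path].LastWriteTime)" }
        } elseif ($newByPath[$path].LastWriteTime -ne $oldByPath[$path].LastWriteTime) {
            # Same bytes, new timestamp: rewritten or restored. Worth a look, not proof of anything.
            [pscustomobject]@{ Change = 'Touched';  Path = $path; Detail = 'timestamp changed, content identical' }
        }
    }
    foreach ($path in $newByPath.Keys) {
        if (-not $oldByPath.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'New'; Path = $path; Detail = 'not in baseline' }
        }
    }
}

# Usage: run Save-ConfigBaseline on a clean machine; after a suspected breach run
#   Compare-ConfigBaseline | Format-Table -AutoSize
# An empty result means no file changed, not that nothing was read or copied.
```

A "Modified" line on a connection profile you have not edited is exactly the situation the paragraph above describes, and the hash tells you it is a real content change rather than a timestamp quirk; open the file and compare it with the baseline copy you kept off the PC to see what was altered.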
In the next installment, I'll cover how to dig deeper into a breach on your own and discuss some effective ways to recover from being hacked.
Danny is a professional with a unique blend of skills and expertise combining Financial management, Software development, and Digital transformation and modernization. As a CPA, he has extensive experience in Auditing, Tax, and Consulting with clients of all sizes in a variety of industries. In private industry, he gained deep experience in...