man clutching laptop
tacojim_istock_man with laptop

Best Practices to Keep Your Firm Safe in the Cloud

by
Nov 6th 2015
Share this content

Going to the cloud doesn't mean you can rest regarding your firm's security – in fact it should just make you more diligent.

This was a key theme delivered by Trey James, chief executive of cloud hosting service Xcentric, who set out to dispel some common misconceptions regarding cloud security during his session “Cloud Security Best Practices” at the Thomson Reuters Synergy conference in Orlando, Florida, on Nov. 5.

Not surprisingly, one of the common questions James faces is whether there are more breaches today than in year's prior. His answer is yes, but only because there is now a requirement in most states that if a company gets breached, the incident must be reported. And if it's reported, a data breach at a company is considered newsworthy, which is why there is more visibility around the issue.

Target, eBay, Adobe, JP Morgan Chase – all have suffered from data breaches, and accounting firms are not immune.

“We have the tools and we have the knowledge to be as safe as you can be; you just have to cover some standard bases,” James said.

James discussed why hacking takes place (financial reasons), and that there are market prices for credentials, such as security codes on your debit cards, credit cards, and PayPal accounts.

“Nobody is coming after your credit card or your bank account number; people want [a larger] scale,” James said. “It's not some person in a basement targeting you.”

Perhaps the biggest myth regarding the cloud is that it is inherently less secure than traditional networks. James stressed that having your servers behind closed doors is not safe because anyone who walks into your firm can have access to your clients' information.

And if you must have your servers on-site, make sure you lock the door, secure them to the floor, cover them in a cage, and if a cleaning person needs to go into that room at night, someone must accompany them.

“You are so much more secure if you are using a provider that actually stands behind what they do,” he said.

James discussed the importance of updating your firm's firewall – which he describes as “basically an anti-virus for your network.”

“It's a security blanket and if you don't maintain a firewall, you are only as good as its last update. Most of the good ones will update themselves to come up nightly or set up a schedule. If your firewall is within three years old, it's probably updating itself automatically,” he said, adding that firms that are not using IDS or IPS firewalls should seriously consider moving in that direction.

Firm Threats

The biggest security data risk is when users bypass the firm's plans and procedures that have been put into place for protection.

That said, CryptoLocker is malware that can encrypt not only all your files, but the files your files are connected to â€“ which can be a huge headache to firms. It is often unexpected and there is no real protection other than to be aware.

For those unsuspecting, it is often email that comes in looking official – some tax-related or relevant business content, for example, and even sometimes a zip drive. In these instances, the person on the receiving end should not click open the email and start clicking on links in the body of the email or the attachment. Instead, they should take an extra minute or two to double check if they are expecting an email from someone they don't know. Simply asking around can save hours of heartache around lost workflow and money.

To avoid this type of data breach, James suggests the following:

  • Check the “From” and “To” areas of the email.
  • Double-check the content of the message for obvious discrepancies.
  • Clicking on links in emails should be avoided. Instead hover.
  • Ensure AV software is up-to-date.
  • Backup important data. There is no known tool to decrypt the files encrypted by CryptoLocker.
  • Never open links directly from an email.
  • Create, publish, and train email usage policy.

James said it's important for firms to understand that even though their data might be in the cloud, it is still the firm's responsibility to take safety precautions and train everyone in the firm about protecting data. Partners are not exempt from this because they can be known to often skip training.

To minimize issues with Wi-Fi, James recommends turning off auto-correct, verifying your network Wi-Fi connection, using Virtual Private Network (VPN), and two-factor authentication where possible. Regarding network management, James advises enforcing a strict password policy via an Active Directory-based domain, automate Windows Patch, routinely update firewall, get regular reporting, and schedule penetration testing.

The front door to a security breach, however, is your password.

“It's the credentials,” James said. “Your credentials are the holy grail to everything else. With the right credentials, I can look at tax data, credit card information, government information, and every record.”

James advises against reusing your passwords in multiple locations, using a common dictionary word, and writing your passwords down. He suggests taking a good hard look at how hard your security questions are during the login process. He reminded audience members how easy it is to find someone's maiden name or school mascot – common prompts for a security question. Instead of using real information, make answers up. James also points to LastPass, a plug-in that remembers your passwords and will securely sync across all devices.

James also recommends using a unique email address for password recoveries – because if a hacker knows where your password reset goes, that's a line of attack. Instead create a special email account for these occasions and make sure you choose a username that isn't tied to your real name.

In closing, James provided the following list of questions that should be on a cloud provider security checklist.

  • Does the provider's data center conduct an annual SOC2 audit?
  • Does the provider conduct an annual SOC2 audit on their own operations?
  • How are offsite backups stored?
  • How does a provider's physical security compare to your current IT environment?
  • Is two-factor authentication available?
  • Does the provider offer management services for on-premise infrastructure (firewalls, laptops, desktops, printers, etc.)?

Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.