How Your Firm Can Stay Safe
by
When it comes to data security, one of the most dangerous lines of thought is that a small firm (or business) is safer from attacks. IT security expert and gadget guru David Cieslak says that is simply not true; in fact, the security practices of many small firms are riskier than those of larger ones.
Cieslak, CPA, CITP, and co-principal of the Simi Valley, California-based technology consultancy Arxis Technology Inc., often works with other accounting firms, along with businesses, to assess their IT security readiness and help them prepare for or even fix some of the issues they run into.
In his view, the downside to being in a more connected, more data-centric world is the threat of data security breaches and the numerous ways any system can be compromised by even the simplest acts. Cieslak noted that attacks on larger financial institutions and retailers tend to get all of the attention, but they tell only part of the story. The point is that the same activity that hampered these organizations is likely the same activity that could affect a small firm. More often than not, human behavior, lack of training, and failure to enforce internal controls are to blame, rather than a lack of expensive security tools.
"It's the old adage, 'you don't know what you don't know,' and today, more malicious attempts are making it through to the end user without them knowing it; malware is winding up on machines. You have links people click in an email or infected websites and users are successfully exposed to malware," said Cieslak. "You may think you're small and why would anyone go after you, but automated hacking tools and malware do not care. If they scan your system and find a vulnerability, they will get through. It's not always a conscious target; you just have people who want to collect sensitive data to sell or use."
Cieslak stressed that once malware finds its way to a server or machine, it can live there for months undetected, collecting data, such as personal client or financial information, and sending it off to be harvested for sale or malicious use.
But rather than panic or simply shut down all connection to the outside world, Cieslak did offer some best practices on how organizations, including small firms, can better protect their data and keep their firms and their clients comparatively safe. For small firms, first and foremost, he recommended moving more functions to the cloud.
"Small firms are actually better off putting data in the cloud, which has redundancies and security measures more secure than on your desktop or office server," said Cieslak. "That's the first step. Threats are why we are moving more functions to the ether, but what of the effective ways to interact with the platforms better? That's the dialogue to be having and we have with clients."
Several practices he says all firms should instill include:
- Having multifactor authentication
- IP-level restrictions (i.e., individuals unable to download/install anything on their machines without authorization)
- Encrypted endpoints (for data sharing)
- Strict, no-clicking on unfamiliar links or items
- Written and signed IT security policies, shared with staff
- Regular security best practices training
Cieslak admits that some of the above may not go over well with some firms, as it can limit or disrupt the flow of everyday activities. But it is for the greater good.
"I hear the griping all the time that 'I can't install things, it's my computer, I should be able to,' but my job is to help protect your organization and this stuff [malware, etc.] is so effective you can't be taking unnecessary risks," he said. "We all need to take a harder-line approach with privileges and migrate to managed services when it makes sense. There are individuals who have more access to download and use things than they need to. The more dangerous of mindsets is to give access to everything and try to stop [malicious activity] from happening as we go."
Finally, Cieslak is aware that data security, and migrating systems and functions to more secure services such as a cloud vendor, takes time and should be a gradual process. He recognizes that not everything a firm does is ready for the cloud, and that even the vendors themselves need to be well vetted prior to migration.
He will be giving a deeper, more inclusive discussion on the topic of data security at the upcoming SleeterCon Accounting Solutions Conference, hosted Nov. 17-19 by The Sleeter Group at The Bellagio Hotel in Las Vegas. Topics covered will include personal and corporate considerations, security hardware and software, mobile, cloud, identity theft, secure connectivity, encryption, and multifactor authentication.