Secure your firm post-COVID-19
by Roman H. Kepczyk, CPA.CITP, CGMA
April 30, 2020
Seemingly overnight, COVID-19 required every CPA firm to operate entirely in a virtual environment. While many firms were already cloud-enabled with functioning remote users, many firms, and an even larger number of firm personnel, were not. Firms rushed to adapt to whatever remote work tools were available without understanding the security risks they were taking on. Of course, hackers took notice and immediately began targeting security weaknesses, raising the question:
Is your firm secure in this post-COVID-19 world where everyone is remote?
With the IRS extending initial tax filing deadlines, now is the time to ensure the firm’s ‘virtual’ IT infrastructure is secure and to educate your personnel on how to function securely in this new environment. Below are security considerations to first discuss and remediate with your IT team, and then to educate all your personnel to protect your firm in this unparalleled time.
When working remotely, your computer is one of the first places to begin protecting your firm.
Authorized equipment: Access to the firm’s applications and client data should only be done on firm-designated computers, smartphones, and tablets. Your computer should not be shared with or utilized by family members. This will minimize the risk of malware infections and hacker access.
Automatic updates: Mandate automatic updating of applications on work devices, including showing your personnel how to verify these settings, particularly for Microsoft Windows and antivirus/malware applications. Personnel should never load non-firm-approved applications or disable installed programs unless specifically directed to do so by a verified IT support person.
Screen locking: Access to devices should be automatically blocked by screen locking after a firm-designated idle period (<5 minutes) to prevent unauthorized access and to enforce confidentiality of client data. Put your computer to sleep if you are taking a lunch or exercise break.
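The three workstation controls above (automatic updates, antivirus, screen locking) can be verified rather than assumed. The script below is an added example, not part of the article and not from Right Networks or the AICPA; it is a read-only audit of a Windows PC using only built-in cmdlets. The two thresholds (a 300-second lock timeout and a 3-day signature age) are assumed firm policy values, not figures from the article, and the Defender checks only apply where Microsoft Defender is the antivirus in use.

```powershell
# Added example, not from the article: read-only audit of the workstation
# controls above (updates, antivirus, screen lock) on a Windows PC.
# Run from an elevated PowerShell prompt. Only built-in cmdlets are used;
# the two thresholds below are assumed policy values, not the article's.

$MaxLockSeconds      = 300   # assumed firm policy: lock after at most 5 minutes idle
$MaxSignatureAgeDays = 3     # assumed firm policy: Defender signatures no older than this

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Automatic updates: the Windows Update service must exist and not be disabled.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu -or $wu.StartType -eq 'Disabled') {
    $findings.Add('Windows Update service (wuauserv) is missing or disabled')
}

# 2. Antivirus: Microsoft Defender on, real-time protection on, signatures fresh.
#    Get-MpComputerStatus throws when Defender has been replaced by third-party AV.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Defender signatures last updated $([int]$sigAge.TotalDays) days ago")
    }
} catch {
    $findings.Add('Could not read Microsoft Defender status; verify the third-party AV manually')
}

# 3. Screen locking. Group Policy writes these values under the Policies key,
#    which overrides the user's own settings, so that key is consulted first.
$keys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)
function Get-DesktopValue([string]$Name) {
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return $v }
    }
    return $null
}
$active  = Get-DesktopValue 'ScreenSaveActive'
$secure  = Get-DesktopValue 'ScreenSaverIsSecure'
$timeout = [int](Get-DesktopValue 'ScreenSaveTimeOut')   # seconds; a missing value becomes 0

if ($active -ne '1') { $findings.Add('Screen saver is not enabled, so the screen never locks on idle') }
if ($secure -ne '1') { $findings.Add('Screen saver does not require a password on resume') }
if ($timeout -le 0 -or $timeout -gt $MaxLockSeconds) {
    $findings.Add("Idle timeout is $timeout seconds; policy requires 1-$MaxLockSeconds")
}

# Report: a PASS line, or one line per finding for the IT team to remediate.
if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME meets the workstation checks"
} else {
    Write-Output "REVIEW: $env:COMPUTERNAME has $($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Because it changes nothing, the script is safe to hand to personnel as the "show them how to verify these settings" step, and the findings list doubles as a checklist for the IT team on any machine that does not PASS.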
Secure connections add the next layer of firm protection.
Identity verification: To connect to the firm’s information applications, you should mandate the use of multi-factor authentication as well as passphrases and/or a password manager to replace antiquated password rules. Passphrases consist of at least three nonsensical words (e.g., lunchgatelight), are unique for each login, and are not to be reused for other applications. Multi-factor or two-factor authentication requires users to verify their identity by typing in a security code that was sent to their “known” phone or email address when they initially attempt to connect to the application.
Home internet: Connecting your computer directly to the internet router with an ethernet cable and using a VPN is the most secure home connection to access firm resources. If you must use a Wi-Fi connection, first update the router’s firmware, change the default password, and set up both ‘work’ and ‘guest’ access, restricting firm devices to the ‘work’ network. If this cannot be confidently secured, use the mobile hot spot within your smartphone for internet connectivity.
Encrypted file transfer with clients: Mandating the use of a portal or secure email solution instead of transmission of client information via email or USB flash drives will help protect client data confidentiality. All firm personnel must be trained to utilize these tools and to assist clients in using them. Many firms include online video instructions or tutorials on their websites.
Once technical components are locked down, human error becomes your firm’s most significant security risk, which can be minimized.
IT policies: Immediately review and update firm IT policies to incorporate the latest remote user and virtual IT security requirements. Review these policies annually to consider the evolution of the firm’s applications to the cloud and adoption of new technologies.
Security education: Mandate annual security training for all firm personnel including the latest threats and be sure to record the session for new hires. This training must incorporate the IRS ‘security six’ requirements including an emphasis on evolving phishing and social engineering schemes, as well as how to respond if you suspect a breach.
Screen potential hires/contractors: Hackers are notorious for using social engineering skills to con their way into the office to compromise firm workstations and networks. In addition to background checks on all potential employees or contractors, if you see someone walking through the office you don’t recognize, introduce yourself and escort them to the person they claim to be visiting. Never leave any unknown contractors unattended as the hack can be as simple as plugging a USB thumb drive into the back of a computer.
The firm’s IT support personnel have additional security components that they must oversee.
Independent security review: Your IT personnel did the best job they could setting up your firm’s security, but how much time do they take to keep up with and protect against emerging threats? Unless they are providing security reviews for other businesses, the answer is “not enough.” Hire an independent third party specializing in security to evaluate and help you protect your firm, particularly for the setup of remote users.
Verified backups: Your firm’s top protection against ransomware and natural/man-made disasters is having all firm data and applications backed up and stored offsite. While cloud providers and application vendors increasingly provide backup capabilities, it is critical that the firm’s IT team regularly verify that all internally managed applications and data are properly backed up, in a format that can be quickly restored and accessed to resume operations.
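"Verified" means more than checking that the backup job reported success: the test is whether the files come back intact. The script below is an added example, not from the article or any backup vendor. It records a SHA-256 manifest of the live data immediately after each backup run, then, on a schedule, restores the backup into a scratch folder and compares every file against that manifest, so the IT team holds evidence the backup restores. The paths, the manifest location and the plain-copy "restore" step are assumptions to replace with the firm's own backup tool and locations.

```powershell
# Added example, not from the article: evidence that a backup can be restored.
# Run Write-BackupManifest right after the backup job finishes, so the manifest
# records what the backup should contain; run Test-BackupRestore on a schedule
# to restore into a scratch folder and compare every file's SHA-256 against
# the manifest. Paths and the restore step are assumptions to adapt.

function Get-TreeHashes {
    # Map of relative path -> SHA-256 for every file under $Root.
    param([string]$Root)
    $base = (Resolve-Path $Root).Path.TrimEnd('\')
    $map = @{}
    Get-ChildItem -Path $base -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($base.Length + 1)
        $map[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

function Write-BackupManifest {
    # Snapshot what the backup is supposed to contain, taken at backup time.
    param([string]$Source, [string]$ManifestPath)
    $hashes = Get-TreeHashes -Root $Source
    [pscustomobject]@{
        Source    = $Source
        TakenAt   = (Get-Date).ToString('o')
        FileCount = $hashes.Count
        Files     = $hashes
    } | ConvertTo-Json -Depth 5 | Set-Content -Path $ManifestPath -Encoding UTF8
    Write-Output "Manifest written: $($hashes.Count) files from $Source"
}

function Test-BackupRestore {
    # Restore to a scratch folder and verify each file against the manifest.
    param([string]$Backup, [string]$ManifestPath)
    $manifest = Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json
    $scratch  = Join-Path $env:TEMP ('restore-test-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        # Restore step: a plain copy stands in for the backup tool's own restore
        # command (assumption); put the vendor's restore command here.
        Copy-Item -Path (Join-Path $Backup '*') -Destination $scratch -Recurse -ErrorAction SilentlyContinue
        $restored = Get-TreeHashes -Root $scratch
        $problems = @()
        foreach ($entry in $manifest.Files.PSObject.Properties) {
            $rel = $entry.Name
            if (-not $restored.ContainsKey($rel))      { $problems += "MISSING  $rel" }
            elseif ($restored[$rel] -ne $entry.Value)  { $problems += "CHANGED  $rel" }
        }
        if ($problems.Count -eq 0) {
            Write-Output "PASS: all $($manifest.FileCount) files restored and verified from $Backup"
        } else {
            Write-Output "FAIL: $($problems.Count) of $($manifest.FileCount) files did not verify:"
            $problems | ForEach-Object { Write-Output "  $_" }
        }
    } finally {
        # The scratch copy holds client data; it must not linger on disk.
        Remove-Item -Path $scratch -Recurse -Force
    }
}

# Usage (assumed paths):
#   Write-BackupManifest -Source 'C:\FirmData' -ManifestPath 'D:\Backups\FirmData.manifest.json'
#   Test-BackupRestore   -Backup 'D:\Backups\FirmData' -ManifestPath 'D:\Backups\FirmData.manifest.json'
```

Keep the manifest with the backup set, not with the live data: if ransomware encrypts the source, the manifest is what proves the restored copy is the pre-incident version. A FAIL line naming specific files is also far more useful to the breach response plan than a backup job log that only says "completed".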
Minimize privileges: Access privileges should be set to the minimum level an employee needs to complete work with “administrator” access being provided only when required. Hackers with administrator access have significantly more power to take control of and compromise a firm’s IT infrastructure, so don’t let them have it!
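The quickest way to find out who actually holds administrator rights on a workstation is to ask the machine. The script below is an added example, not from the article; it lists every member of the local Administrators group on a Windows PC, flags anyone not on an approved list, and warns if the account running it (the user's everyday login) is itself a direct member. The approved list, including the FIRM\IT-Admins group name, is an assumption to replace with the firm's own naming.

```powershell
# Added example, not from the article: audit of local administrator rights on a
# Windows workstation. Lists every member of the local Administrators group,
# flags names not on the approved list, and warns if the everyday login
# running this script is itself an administrator. Read-only.

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; should be disabled or vaulted
    'FIRM\IT-Admins'                     # assumed domain group for IT support staff
)

# Names come back as MACHINE\user, DOMAIN\user or DOMAIN\group.
$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = @()

Write-Output ('{0,-9} {1,-6} {2,-16} {3}' -f 'Status', 'Type', 'Source', 'Member')
foreach ($m in $members) {
    $status = if ($Approved -contains $m.Name) { 'approved' } else { 'REVIEW' }
    if ($status -eq 'REVIEW') { $unexpected += $m.Name }
    Write-Output ('{0,-9} {1,-6} {2,-16} {3}' -f $status, $m.ObjectClass, $m.PrincipalSource, $m.Name)
}

# The everyday login should be a standard user; admin rights only when required.
# This checks direct membership only; membership inherited through a domain
# group would still show on the group's line above.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($members.Name -contains $me) {
    Write-Output "WARNING: $me is a direct member of Administrators; daily work should use a standard account"
}

if ($unexpected.Count -eq 0) {
    Write-Output "PASS: only approved principals hold administrator rights on $env:COMPUTERNAME"
} else {
    Write-Output "REVIEW: $($unexpected.Count) unapproved administrator(s) on $env:COMPUTERNAME"
}
```

Running this across all firm workstations and keeping the output with the annual device inventory turns "minimum privileges" from a policy statement into something the independent security reviewer can check.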
Breach response plan: The worst time to figure out how to respond to a security breach is after it happens. Create a response plan now including who is in charge and the steps the firm will take. This plan should be communicated to firm personnel, including what they must do if they suspect a breach.
Cybersecurity insurance: Even well-protected firms are not immune to being hacked, so it is imperative that they be protected from the prospect of a breach. Firms should review and update their cybersecurity insurance to take into account remote worker considerations.
Data/equipment tracking: In the event of a breach, including a lost or stolen device, the firm must know what data could have been impacted. The firm must document all the locations where data resides within the firm, the cloud, and on remote workstations. All firm devices should also carry tracking tags and be inventoried annually, through to proper disposal, to verify that all client data has been scrubbed.
Non-cloud firms continuing to maintain internal networks and local data have additional security considerations.
System updates: Updating network components with the latest software patches is one of the most effective tools against hackers trying to take advantage of ‘known’ vulnerabilities. In addition to file server operating systems, the firm’s IT support personnel must also review and update all devices connected to the firm’s network, including firewalls, Wi-Fi routers, printers, and IoT peripherals such as alarm systems, video cameras, connected thermostats, etc.
Secure on-premises equipment: For firms with individuals connecting to servers and workstations that are physically located in the firm’s office, the firm should turn off the devices when not being utilized and monitor physical access (enhanced alarm systems). With many offices unattended or minimally staffed, the risk of theft increases, and it is recommended that all on-premises data be encrypted.
Firm internet: An increase in remote users connecting to the firm’s servers may slow down internet performance, particularly when virtual private networking software is being utilized. When increasing internet bandwidth or adding a new provider, be sure to verify security protocols are properly configured.
Local disk storage: Firms downloading, creating or storing any firm or client information on local hard drives must utilize disk encryption. USB flash drives should not be utilized for transferring or storing files as they can easily be lost, stolen or compromised with malware.
Act on security to make your firm more secure.
While there is a cinematic vision of super-sophisticated hackers breaking through multiple layers of security to breach a firm’s cyber defenses, the reality is quite the opposite. Current data breach analysis points to most hackers gaining access through known system vulnerabilities, phishing emails, and social engineering of employees that could be virtually eliminated by following the recommendations listed above.
Roman H. Kepczyk, CPA.CITP, CGMA is Director of Firm Technology Strategy for Right Networks and partners exclusively with accounting firms on production automation, application optimization, and practice transformation.
We are the American Institute of CPAs, the world’s largest member association representing the accounting profession. Our history of serving the public interest stretches back to 1887. Today, you'll find our 431,000+ members in 130 countries and territories, representing many areas of practice, including business and industry, public practice, government, education and consulting.