By Roman H. Kepczyk | Aug 14, 2020
Seemingly overnight, COVID-19 required every CPA firm to operate entirely in a virtual environment. While many firms were already cloud-enabled with functioning remote users, many firms, and an even larger number of firm personnel, were not. Firms rushed to adapt to whatever remote work tools were available without understanding the security risks they were taking on. Of course, hackers took notice and immediately began targeting security weaknesses, begging the question: Is your firm secure in this post-COVID-19 world where everyone is remote?

Now is the time to ensure the firm's "virtual" IT infrastructure is secure and to educate your personnel on how to function securely in this new environment. Below are security considerations to first discuss and remediate with your IT team, and then to educate all your personnel on, to protect your firm in this unparalleled time.
When working remotely, your computer is one of the first places to begin protecting your firm.

- Authorized equipment: Access to the firm's applications and client data should only take place on firm-designated computers, smartphones, and tablets. Your computer should not be shared with or used by family members. This minimizes the risk of malware infections and hacker access.
- Automatic updates: Mandate automatic updating of applications on work devices, and show your personnel how to verify these settings, particularly for Microsoft Windows and antivirus/anti-malware applications. Personnel should never install applications the firm has not approved, or disable installed programs, unless specifically directed to do so by a verified IT support person.
- Screen locking: Devices should lock the screen automatically after a firm-designated period of inactivity (<5 minutes) to prevent unauthorized access and to enforce confidentiality of client data. Put your computer to sleep if you are taking a lunch or exercise break.
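The three workstation controls above are the kind of thing IT staff can verify rather than take on faith. The script below is an added example for this article, not the author's or any vendor's code: a read-only PowerShell check of a Windows 10/11 workstation for the screen-lock timeout, the automatic-update policy, and antivirus status. It assumes Microsoft Defender with its built-in PowerShell module, uses 300 seconds as the article's "under 5 minutes", and must run in the signed-in user's own session because screen-lock settings live under HKCU.

```powershell
# Added example (not from the article): read-only workstation baseline check.
# Assumptions: Windows 10/11, Microsoft Defender, run as the signed-in user.

function Get-ScreenLockStatus {
    $d = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $active  = [int]$d.ScreenSaveActive      # 1 = screen saver enabled
    $timeout = [int]$d.ScreenSaveTimeOut     # seconds of inactivity before it starts
    $secure  = [int]$d.ScreenSaverIsSecure   # 1 = password required on resume
    [pscustomobject]@{
        Control        = 'Screen lock'
        TimeoutSeconds = $timeout
        Compliant      = ($active -eq 1 -and $secure -eq 1 -and $timeout -gt 0 -and $timeout -le 300)
    }
}

function Get-AutoUpdateStatus {
    # Policy key written by Group Policy or Intune. NoAutoUpdate = 1 switches automatic
    # updating off; when the key is absent, Windows 10/11 defaults to automatic updates.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $disabled = ($null -ne $au -and [int]$au.NoAutoUpdate -eq 1)
    [pscustomobject]@{
        Control       = 'Automatic updates'
        PolicyPresent = ($null -ne $au)
        Compliant     = (-not $disabled)
    }
}

function Get-AntivirusStatus {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        return [pscustomobject]@{ Control = 'Antivirus'; SignatureAgeDays = $null; Compliant = $false }
    }
    $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        Control          = 'Antivirus'
        SignatureAgeDays = [math]::Round($age.TotalDays, 1)
        # Enabled, real-time protection on, and definitions no older than a week.
        Compliant        = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $age.TotalDays -le 7)
    }
}

function Get-WorkstationBaseline {
    @(Get-ScreenLockStatus; Get-AutoUpdateStatus; Get-AntivirusStatus)
}

# One line per control; exit code 1 if anything fails, so the check can be run
# from a login script or a remote-management tool and the result collected.
$results = Get-WorkstationBaseline
foreach ($r in $results) {
    $flag = if ($r.Compliant) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0} {1}' -f $flag, $r.Control)
}
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

The check only reads settings; remediation (setting the timeout, re-enabling updates) belongs in Group Policy or the firm's management tool so that a user cannot simply change it back.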
Secure connections add the next layer of firm protection.

- Identity verification: To connect to the firm's applications, mandate the use of multi-factor authentication as well as passphrases and/or a password manager to replace antiquated password rules. Passphrases consist of at least three nonsensical words (e.g., lunchgatelight), are unique for each login, and are not reused for other applications. Multi-factor or two-factor authentication requires users to verify their identity by typing in a security code that was sent to their "known" phone or email address when they initially attempt to connect to the application.
- Home internet: Connecting your computer directly to the internet router with an ethernet cable and using a VPN is the most secure home connection for accessing firm resources. If you must use a Wi-Fi connection, first update the router's firmware, change the default password, and set up both 'work' and 'guest' networks, limiting access to the 'work' network. If this cannot be confidently secured, use the mobile hotspot in your smartphone for internet connectivity.
- Encrypted file transfer with clients: Mandating the use of a portal or secure email solution instead of transmitting client information via email or USB flash drives will help protect client data confidentiality. All firm personnel must be trained to use these tools and to assist clients in using them. Many firms include online video instructions or tutorials on their websites.
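The passphrase rule above ("at least three nonsensical words") is easy to state and easy to get wrong in practice: the words must be chosen at random, not by the user, and the strength depends on how large the word list is. The function below is an added example for this article, not the author's code; it builds a passphrase from a word list using the operating system's cryptographic random number generator and reports the resulting guessing resistance in bits. The ten-word list is a constructed sample for demonstration, and the wordlist.txt file in the last line is an assumed input (one word per line).

```powershell
# Added example (not from the article): random passphrase generation from a word list.
# Works on Windows PowerShell 5.1 and PowerShell 7.

function New-Passphrase {
    param(
        [Parameter(Mandatory)] [string[]] $WordList,
        [int] $Words = 3,
        [string] $Separator = ''
    )
    if ($Words -lt 3) { throw 'Firm policy: a passphrase needs at least three words.' }
    $count = [int64]$WordList.Count
    # Largest multiple of $count that fits in a uint32. Draws at or above it are
    # rejected so that every word is equally likely (no modulo bias).
    $limit = [int64][uint32]::MaxValue - ([int64][uint32]::MaxValue % $count)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $picked = for ($i = 0; $i -lt $Words; $i++) {
        do {
            $rng.GetBytes($bytes)
            $n = [int64][BitConverter]::ToUInt32($bytes, 0)
        } while ($n -ge $limit)
        $WordList[$n % $count]
    }
    $rng.Dispose()
    [pscustomobject]@{
        Passphrase  = ($picked -join $Separator)
        # Guessing resistance in bits, assuming the attacker knows the word list.
        EntropyBits = [math]::Round($Words * [math]::Log($count, 2), 1)
    }
}

# Constructed ten-word sample, for demonstration only. Ten words give just
# 3 * log2(10), about 10 bits; a 7,776-word list gives about 38.8 bits for three
# words and 51.7 bits for four, which is why real word lists are large.
$sampleWords = 'lunch','gate','light','river','pencil','orbit','maple','copper','velvet','anchor'
New-Passphrase -WordList $sampleWords -Words 3

# Assumed file: a published word list, one word per line.
New-Passphrase -WordList (Get-Content '.\wordlist.txt') -Words 4 -Separator '-'
```

The EntropyBits figure is the number to watch: the article's advice holds when the list is large and the words are picked for the user, and a password manager that stores the result is what makes "unique for each login" realistic.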
Once technical components are locked down, human error becomes your firm's most significant security risk, and it can be minimized.

- IT policies: Immediately review and update firm IT policies to incorporate the latest remote user and virtual IT security requirements. Review these policies annually to account for the evolution of the firm's applications to the cloud and the adoption of new technologies.
- Security education: Mandate annual security training for all firm personnel that covers the latest threats, and be sure to record the session for new hires. This training must incorporate the IRS "security six" requirements, including an emphasis on evolving phishing and social engineering schemes, as well as how to respond if you suspect a breach.
- Screen potential hires/contractors: Hackers are notorious for using social engineering skills to con their way into the office to compromise firm workstations and networks. Run background checks on all potential employees and contractors. If you see someone walking through the office you don't recognize, introduce yourself and escort them to the person they claim to be visiting. Never leave unknown contractors unattended, as the hack can be as simple as plugging a USB thumb drive into the back of a computer.
The firm's IT support personnel have additional security components that they must oversee.

- Independent security review: Your IT personnel did the best job they could setting up your firm's security, but how much time do they take to keep up with and protect against emerging threats? Unless they are providing security reviews for other businesses, the answer is: not enough. Hire an independent third party specializing in security to evaluate and help you protect your firm, particularly the setup of remote users.
- Verified backups: Your firm's top protection against ransomware and natural/man-made disasters is having all firm data and applications backed up and offsite. While cloud providers and application vendors increasingly provide backup capabilities, it is critical that the firm's IT team regularly verify that all internally managed applications and data are properly backed up, in a format that can be quickly restored and made accessible to resume operations.
- Minimize privileges: Access privileges should be set to the minimum level an employee needs to complete their work, with "administrator" access provided only when required. Hackers with administrator access have significantly more power to take control of and compromise a firm's IT infrastructure, so don't let them have it!
- Breach response plan: The worst time to figure out how to respond to a security breach is after it happens. Create a response plan now, including who is in charge and the steps the firm will take. This plan should be communicated to firm personnel, including what they must do if they suspect a breach.
- Cybersecurity insurance: Even well-protected firms are not immune to being hacked, so it is imperative that they be protected against the consequences of a breach. Firms should review and update their cybersecurity insurance to take remote worker considerations into account.
- Data/equipment tracking: In the event of a breach, including a lost or stolen device, the firm must know what data could have been impacted. The firm must document all the locations where data resides: within the firm, in the cloud, and on remote workstations. All firm devices should also have tracking tags, be inventoried annually, and be tracked through proper disposal to verify that all client data has been scrubbed.
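"Minimize privileges" is the item in the list above that most often drifts: accounts get added to the local Administrators group for a one-off task and never come out. The script below is an added example for this article, not the author's code. It lists members of a workstation's local Administrators group that are not on an approved list, and reports whether the session running the check is itself elevated, which is the sign that everyday work is being done with administrator rights. The approved names ('Administrator' and 'FirmITAdmin') are assumed placeholders for the firm's own allowlist.

```powershell
# Added example (not from the article): local administrator audit for one workstation.
# Assumption: $Approved holds the firm's sanctioned admin account names.

function Get-UnapprovedLocalAdmins {
    param([string[]] $Approved = @('Administrator'))   # placeholder allowlist
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object {
            # Name is COMPUTER\account or DOMAIN\account; compare on the account part.
            $account = ($_.Name -split '\\')[-1]
            $Approved -notcontains $account
        }
}

function Test-CurrentUserIsAdmin {
    # Under UAC this is true only for an elevated session, which is exactly the
    # condition a standard day-to-day account should never be in.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

$extra = @(Get-UnapprovedLocalAdmins -Approved @('Administrator', 'FirmITAdmin'))  # assumed names
if ($extra.Count -gt 0) {
    Write-Output 'Accounts with local administrator rights that are not on the approved list:'
    $extra | ForEach-Object { Write-Output ('  {0} ({1})' -f $_.Name, $_.PrincipalSource) }
} else {
    Write-Output 'Local Administrators group matches the approved list.'
}
if (Test-CurrentUserIsAdmin) {
    Write-Output 'WARNING: this session has administrator rights; use a standard account for daily work.'
}
```

Run across the fleet, the output doubles as the inventory the "Data/equipment tracking" item asks for: a record of who can do what on each device, reviewed on the same annual cycle.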
Non-cloud firms continuing to maintain internal networks and local data have additional security considerations.

- System updates: Updating network components with the latest software patches is one of the most effective tools against hackers trying to take advantage of "known" vulnerabilities. In addition to file server operating systems, the firm's IT support personnel must also review and update all devices connected to the firm's network, including firewalls, Wi-Fi routers, printers, and IoT peripherals such as alarm systems, video cameras, and connected thermostats.
- Secure on-premises equipment: For firms with individuals connecting to servers and workstations physically located in the firm's office, the firm should turn off the devices when they are not being used and monitor physical access (enhanced alarm systems). With many offices unattended or minimally staffed, the risk of theft increases, and it is recommended that all on-premises data be encrypted.
- Firm internet: An increase in remote users connecting to the firm's servers may slow down internet performance, particularly when virtual private networking software is being used. When increasing internet bandwidth or adding a new provider, be sure to verify that security protocols are properly configured.
- Local disk storage: Firms downloading, creating, or storing any firm or client information on local hard drives must use disk encryption. USB flash drives should not be used for transferring or storing files, as they can easily be lost, stolen, or compromised with malware.
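The "Local disk storage" item gives two rules, disk encryption on and USB flash drives off, both of which can be verified on a Windows machine. The script below is an added example for this article, not the author's code. It reports the BitLocker state of every volume and whether the USB mass-storage driver has been disabled. It needs the BitLocker module (Windows Pro or Enterprise) and an elevated session. Setting the USBSTOR service's Start value to 4 (disabled) is one way to keep flash drives from mounting; the same setting can be pushed fleet-wide through Group Policy.

```powershell
# Added example (not from the article): disk encryption and USB storage check.
# Assumptions: BitLocker module present, run from an elevated session.

function Get-DiskEncryptionStatus {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.MountPoint
            Status     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            Protection = $_.ProtectionStatus    # On means the key protectors are active
            Compliant  = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        }
    }
}

function Test-UsbStorageDisabled {
    # Start = 4 disables the USB mass-storage driver, so flash drives do not mount.
    $usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
    return ($null -ne $usb -and [int]$usb.Start -eq 4)
}

Get-DiskEncryptionStatus | Format-Table -AutoSize
if (Test-UsbStorageDisabled) {
    Write-Output 'USB mass storage: disabled'
} else {
    Write-Output 'USB mass storage: ENABLED - flash drives will mount on this machine'
}
```

A volume that shows FullyEncrypted with protection Off is the case to watch for: the data is encrypted, but the key is exposed until protection is turned back on, which is what happens when BitLocker is suspended for a firmware update and never resumed.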
Act on security to make your firm more secure.

While there is a cinematic vision of super-sophisticated hackers breaking through multiple layers of security to breach a firm's cyber defenses, the reality is quite the opposite. Current data breach analysis points to most hackers gaining access through known system vulnerabilities, phishing emails, and social engineering of employees, all of which could be virtually eliminated by following the recommendations listed above.
Roman H. Kepczyk, CPA.CITP, CGMA is Director of Firm Technology Strategy for Right Networks and partners exclusively with accounting firms on production automation, application optimization, and practice transformation.
This tool is an example of the turnkey practice management tools and resources PCPS delivers. PCPS is an add-on firm membership section within the AICPA. A PCPS firm membership, at only $35 per CPA, up to a max of $700 per firm, is a great investment for a broad range of practice management resources. Find out if you are already a PCPS member or register for a virtual tour to learn more at aicpa.org/pcps.
This article appears in the summer 2020 issue of the Washington CPA Magazine.