10 Best Practices to Enhance Cyber Security for Accounting firms
A cybercrime is an intentional illegal act involving the use of computers or other technologies.

www.entigrity.com
INTRODUCTION

ENTIGRITY is an ISO 27001:2013 certified organization, with policies and a framework embedded in its culture and practice for effectively identifying and managing security and information risks and for ensuring fulfillment of its commercial, contractual, and legal obligations. ISO 27001 is the leading standard for Information Security Management Systems, defining a suite of activities for the management of information security risks. We take complete care and all the necessary steps to prevent data security risks. Hence, so far we have not been subject to any security breach.

2017 ACHIEVEMENTS

500+ accounting firms served
96% client retention
100+ online reviews & testimonials
0 security breaches

CYBER SECURITY LANDSCAPE IN THE ACCOUNTING INDUSTRY

Today we all live in a world networked together, so network protection is not an optional implementation but a prime necessity for small and mid-sized accounting firms that deal with sensitive client data. It should be seamless and thorough, regardless of business or organizational standing. We have our set of measures, in terms of practices and policies, which we have listed here and which are essential to having the right level of preparation, vital for optimized security, damage control, and recovery from the consequences of any possible cyber breach incident.
IMPORTANCE OF CYBER SECURITY FOR SMALL AND MID-SIZED ACCOUNTING FIRMS

Cyber security is among the top issues currently on the minds of management and boards in just about every company, large and small, public and private, including small and mid-sized accounting firms. It becomes especially challenging because, when dealing with clients' sensitive data, there is no scope for taking things leniently. Cyber-attacks may expose these firms to regulatory actions, negligence claims, inability to meet contractual obligations, and a damaging loss of trust among clients and every other stakeholder. Consequently, they may bring commercial losses, public relations issues, and disruption of operations.

As we know, even a small breach can lead to insurmountable disasters. Therefore, it is always better to have certain measures in place at the organizational level, so that precedented and unprecedented threats can never surface. During tax season, any downtime or breach of customer data could fundamentally affect your accounting practice. Proactively taking measures to forestall cybercrime is a business need.

As the owner of a small accounting, bookkeeping, or finance firm, you have probably faced questions about your cyber security, and whether your firm might get hacked in the same way that larger financial institutions have been. The short answer is yes!

It is no secret that accountants and accounting firms hold sensitive data about their clients, from Social Security numbers to addresses. Hackers are continually trying to get their hands on such critical, private information. That is a challenge for them, but it can be alarmingly simple if firms do not have appropriate cyber-security measures implemented at the core level. This is the reason accountants need to be motivated now more than ever, and be cautious about protecting their client data like never before.
THE CHALLENGE FOR CPAS & ACCOUNTING FIRMS

Cybercriminals usually target small and medium-sized accounting firms on the grounds that these organizations tend to place relatively less emphasis on data security, controls, and risk evaluation; they are therefore more vulnerable than bigger firms. In many cases, firms do not have enough staff in the IT function, and not all staff have the expertise to spot these issues, which can lead to further risks. Chief accounting officers (CAOs), chief financial officers (CFOs), treasurers, and controllers are especially at risk, since they are both easily identifiable on the web and most likely to conduct online banking transactions for their practices. Any savvy cybercriminal also knows the steps for hijacking access to accounts, as well as the security features associated with online banking.
WHY ACCOUNTING FIRMS ARE AT HIGH RISK FOR CYBER ATTACKS

They Hold Massive Private Data

Cyber attackers understand that accounting firms hold in-depth, privileged information from high-net-worth individual (HNI) clients and organizations. In addition to tax documents, Social Security numbers, and direct-deposit data, accountants may also serve as sources for years of private data. In fact, some accounting firms hold virtually complete individual accounts of their customers, which turns these practices into important targets. Recent increases in fraudulent tax returns suggest that this sort of theft may become more prevalent. Since numerous accounting firms have legal obligations to inform clients of breaches that affect their personal data, accountants must make every attempt to stay aware of the state of their firm's security.

They Hold Valuable Corporate Information

While numerous public accounting firms deal exclusively with tax documents and related personal and business documents, other practices handle high-stakes corporate matters. Accounting firms that frequently deal with mergers, acquisitions, and corporate restructuring hold data that may be of considerably greater interest to cybercriminals. As the Financial Times reported, in late 2016 three traders were accused of using hacked data to commit securities fraud. Though in this case the hackers took data from major American law firms, an equivalent security breach inside an accounting firm could deliver comparable outcomes.

Small and mid-sized accounting firms are easy targets for hackers and eavesdroppers to breach sensitive client data and misuse it.
Small Firms Tend to Have Insufficient Security

While one might expect that major accounting firms, having more prominent resources, face the greatest risk of cyber-attacks, small and mid-sized firms are in fact more vulnerable to these cyber threats. Indeed, some criminals particularly target small accounting firms because they have implemented far weaker security systems than necessary. Some hackers use strong, sustained attacks on small, poorly secured firms until they breach the company's limited protections. Once they gain access to an organization's systems, cybercriminals can usually steal virtually any type of document, from financial records to emails.

Small Accounting Firms May Not Recover From Hacks

For small accounting practices, recovery may prove fairly hard to achieve, if not impossible. Clients pay accountants for their skills, but they likewise expect trust and discretion. Once a firm has demonstrated that it cannot provide satisfactory data security or guarantee customers' privacy, the organization may never be able to return to its earlier level of business.

Some of the more obvious results of information security failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance.
TOP 10 THINGS ACCOUNTING FIRMS CAN DO TO PREVENT CYBER THREATS
UPDATE THE OPERATING SYSTEM

Whether you run Microsoft Windows or Apple Mac OS X, the operating system requires frequent, or rather continuous, updates for strengthened security. System updates are especially significant for server operating systems, where all patches and updates need to be reviewed and applied on a recurring schedule. Regular OS updates also upgrade the firewall and anti-spyware components on your workstations and provide more trusted protection against threats.

EMAIL SECURITY

Many accounting firms rely on email to communicate with clients, even to send tax documents or personal data. As email hacks have become increasingly common, it is more necessary than ever to secure professional email accounts, especially when transmitting important documents. This has also raised the requirements for efficient encryption software that is hard for an untrusted third party to decrypt.

More than 90% of cyber-attacks begin with a phishing email. A vast majority of people open an email from an unknown individual's name without checking or verifying the actual sender's email address. Having your email shielded from unauthorized access is of prime importance. One approach is to turn on two-factor authentication; major email services such as Gmail, Microsoft Office, and Yahoo offer such stringent security features.

To competently perform rectifying security service, two critical incident response elements are necessary: information and organization.
ANTIVIRUS UPDATES

Accounting firms need to ensure that anti-malware applications are set to check for updates frequently and to scan devices on a set schedule in an automated fashion, along with any media that is inserted into any user computing terminal. In bigger firms, workstations must be configured to report the status of antivirus updates to a central server, which can push out updates automatically when they are released.

INTERNET SECURITY

Drive-by browser downloads are another leading method of cyber-attack. Internet searches can lead you to compromised websites, which infect your network with viruses and malware. To prevent this type of attack, install all the latest security patches on your computers and servers. Install a hardware firewall router with gateway antivirus, gateway anti-malware, and an intrusion protection system to stop the virus before it gets into your private network. Routers provided by your Internet Service Provider do not have this type of security. While these might be adequate for your home, they are not designed for installation and use in a business organization.

It takes 20 years to build a reputation and a few minutes of a cyber-incident to ruin it.
ENCRYPT BACKUP DATA

Firms should encrypt any backup media that leaves the workplace, and also validate that the backup is complete and usable. Firms should frequently review backup logs for completion, and restore files at random to ensure they will actually work when required. Hiring an IT specialist is advisable to set up your firm's network and ensure your data is encrypted and secured. As an accountant, your responsibility is to ensure that data is secure while it is in your custody. Moreover, a backup is a definite must for any business.

EDUCATE EMPLOYEES

Security education is a must, like professional accounting CPE, and should be required once a year. In addition to reviewing the firm's policies, employees should be regularly instructed on current cyber security attack techniques such as phishing and pharming, dangerous threats including ransomware, and the social engineering used by hackers to gain access to a user's PC. Firms should review IT/computer usage policies, and provide reminder training to employees at least once a year on all new and updated policies.

Note: NEVER share your login, password, or confidential information over the phone with people you do not know.

Ransomware is unique among cybercrimes because, in order for the attack to be successful, it requires the victim to become a willing accomplice to the crime!
WIRELESS SECURITY

Secured remote/wireless access into your network should be planned, tested, and then implemented. Obviously, deploy a strong password policy, along with a guest network set up for visitors to your office who need internet access via your wireless network. This prevents any guest user from accessing the systems and resources on your network. This is particularly required for protection in case one of the workstations or gadgets used by the visitor is infected.

MOVE YOUR DATA TO THE CLOUD

Transporting data using a USB drive is not secure. Data stored on the cloud has greater protection than data stored on company servers. The move to such cloud services can change business habits in ways that help ensure a much more secure accounting firm. For example, if all company data is stored on the cloud, there is less need for workers to email attachments to one another. When team members become less reliant on email, it helps minimize the risk of falling victim to phishing emails. Cloud accounting can make your business more efficient. It lets you provide basic accounting services more easily and cost-effectively.

If you have not moved your accounting practice to the cloud, you most likely believe it is a complicated thing to do. But it is not that hard to migrate your practice to the cloud, and it will improve your efficiency, save money, and make your clients feel safer than they feel now!

Fix the basics, protect first what matters for your business, and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.
TEST SECURITY MEASURES

Hire security specialists for proper configuration when implementing firewalls and security-related features such as remote access and wireless routers. Chances are, your internal IT people have not been exposed to ideal security training, or have limited experience setting up a new device. External resources can likewise be called upon to do penetration testing to identify and lock down any system vulnerabilities.

BYOD POLICIES

The bring your own device (BYOD) trend has grown rapidly in offices throughout the nation. Since many accountants do access company and client data on their personal devices, it is essential for accounting firms to have cyber-security policies for such individual devices. Some accounting firms have decided to completely prohibit the use of personal devices for organizational matters, while others have imposed limitations on the data that can be accessed on them. Furthermore, such devices can be easily targeted or exposed to cyber-attacks by hackers seeking confidential client data. Thus, it is in the best interest of accounting firms not to allow BYOD, so that the data never leaves the office.

Cyber-threat is mainly the reflection of our weaknesses. An accurate vision of digital and behavioral gaps is crucial for consistent cyber-resilience.
REMOTE WORKING AND CYBER SECURITY

Large accounting firms deploy resources for the management of threats related to cyber security. They are well equipped with infrastructure as well as manpower to keep such threats at bay. But small and mid-sized accounting firms may not enjoy similar privileges, and could be relatively more vulnerable to cyber threats. Recently, a huge number of accounting firms have turned to remote staffing and have hired remote staff to work for them. This makes their worries about client data even more potent, as they will not be able to monitor all the setup personally. In this case, the role of the remote staffing agency becomes all the more important. Since the staff is working from their remote offices, it needs to be secured in terms of both policies and practices. Entigrity Remote Staffing is one such company, which has stringent measures for quality control and data security, clearly defined and implemented with periodic scrutiny of all security systems.

Exhaustive prevention is an illusion. We can't secure misconfiguration, shadow IT, third parties, human error, former employees... Focus on what matters more, and be ready to react.
FOUR Cs: ENTIGRITY'S 4 PILLARS OF DATA SECURITY AND CONFIDENTIALITY
The 4 pillars of Entigrity's data security and confidentiality are the FOUR Cs: CERTIFICATION, COMPLIANCE, COMMITMENT & CREDIBILITY.

CERTIFICATION

Entigrity is an ISO 27001 certified organization, which enforces that we take all the necessary measures for securing all confidential data. We emphasize providing 100% safety to all client data that is disclosed to us as part of a work assignment.

COMPLIANCE

Our practices are in compliance with the measures and practices which help us do away with cyber threats. Let's have a look at each of them.

BEING PAPERLESS

Entigrity is a completely paperless office. This means that no pen, paper, printer, or any stationery is allowed inside the office, particularly in the work areas. Also, we follow a clean desk policy where every employee is required to keep a minimum of articles. It is not possible to take note of anything or print any information, or even carry it outside the office!

CONTROLLED INTERNET ACCESS

Every computer at Entigrity's office is access-controlled. Firstly, only those software applications are installed which are trusted and are required by the process, keeping the computers free of malware and other viruses. Secondly, social networking websites, e-commerce websites, and other such irrelevant platforms are banned and blocked. Only if a client requires the employee to have such access do we permit it, on a need-to-know basis, and it is supervised by the manager continuously. An added benefit of having controlled internet is that no harmful content or software that is deemed suspicious could be downloaded.
NO PERSONAL EMAILS

Entigrity's policies do not allow its employees to use personal emails. Such email sites are also banned from being accessible on their computers. The only emails they can access are the ones provided on the company domain, all of which are monitored by the dedicated IT Admin team. Therefore, no unwanted data can be transferred, even electronically.

DISABLED USB

Any desktop computer's USB ports are the most convenient means of data transfer, and are also a medium for bringing harmful files, viruses, Trojans, malware, and ransomware into a computer. Hence, we have all the USB ports disabled on all the installed computers. Even if someone tries to connect a portable memory device to our computers, it simply won't be accessible, as the system cannot recognize any such USB storage device plugged into the USB ports! This protects the systems from any offline cyber threats.

PROHIBITED MOBILES

All the work areas are "no mobile phone" zones. No employees are allowed to carry their mobile devices into the work areas. The mobile phones are deposited in secured lockers outside the work areas, and can be used only outside the office premises. The clients can communicate with their remote staff over secured VOIP lines if and when they need to make a call using their phones. All communication is secure, and is again monitored on a regular basis by the IT Admin team.

Digital services increasingly rely on external factors. Security must broaden its scope, and imagine how to ensure a 'known and consistent' risk level with in-house and outsourced means.
KEY CARD ACCESS

All the work areas in Entigrity's office are electronically locked and need access cards to unlock. Only those employees who have their workstation in a work area are allowed to enter it. Apart from that, every other access is prohibited. At times, access is granted to subject experts upon permission from supervisors or managers, but that is limited to a certain time, when the need arises or when required by clients. These activities are monitored by the Admin team with the help of internal electronic surveillance.

24X7 SURVEILLANCE

The whole premises of Entigrity are under 24x7 CCTV surveillance, both the exterior and the interiors. Every work area has at least 2 security cameras installed so that we can keep an eye on every activity taking place at the office. The Admin team tirelessly keeps monitoring daily activities to keep any unwanted activity from taking place, and to maintain the integrity of the cyber security intact.

SECURED SERVERS

Entigrity has consistent 99% uptime and secure servers to keep the data safe and backed up at all times. They are encrypted so that eavesdropping attempts fail miserably. They are accessible to employees only on a need-to-know basis.

If you want to build security, avoid straining people to respect complex security tasks, but rather teach them to be vigilant and how to long for convenient and safe solutions.
COMMITMENT

Entigrity believes in providing transparency to the claims we put forth to our clients. While working for CPAs and accounting firms, protecting their data is as important as protecting our own. Hence, we sign a Non-Disclosure Agreement with every client. This binds us ethically, professionally, and legally to protect the confidentiality of the data that is shared with us. The agreement which binds us to protect the data is explicitly applicable to all our employees as well. Every recruited staff member goes through a rigorous background check and signs a non-disclosure agreement for the information he accesses on the premises, according to work requirements. All our policies and practices undergo regular updates and evolution, and we maintain a very high level of security commitment.

We would be very happy to have our clients visit our office to inspect the infrastructure personally. If travelling so far is not viable, we could arrange a virtual/video tour, so as to see the operations and security arrangements online. Clients have visited our office before and seen the arrangements themselves to their satisfaction. We can also proudly say that we have never had any cyber security breach in all these years of our business.

As cybercrime is a step ahead of the regular IT security market, each business should implement innovative counter-measures, and this approach has to leverage the start-ups' offer.
CREDIBILITY

After having worked with hundreds of clients from across the nation, we have a tremendous record of ZERO security breaches into confidential client data. We take pride in sharing numerous client success stories, testimonials, and reviews from our clients, which are consequently our stories of outstanding achievement in data security and quality of service. Several clients have taken the time to visit our operations centre in India, and have found the offices to be very stringently safeguarding critical, sensitive client data and information. We have often heard from our clients that our office is more secure than their own!

Security must shift from supply chain to value chain. Shape a customer-centric security approach, and look beyond your own production means to see the true picture of cyber-risks.
CONCLUSION

All professionals owe a duty to their clients, managers, and other employees to address digital security. Being aware of breaches at other companies is not enough, nor is crisis-mode response to security problems at your own organization. Active contribution is key to addressing the risks of illegal cyber activities: understand your data and focus efforts on the most critical information, implement encryption, become compliant with cybersecurity regulations, educate employees about mobile devices, and devise a basic set of desktop security policies. These steps are a good first start, but they do not completely cover the gamut of standards and protocols seen in a high-security Cyber Security Risk Management System.

Accounting firms that also have teams working from remote locations need to select their vendors after due research and assurance that the data shared would be as secure as their clients would want. Hence, Entigrity can proudly boast of the fact that there have been no security breaches at our office to date.

Much of America's most sensitive data is stored on computers. We are losing data, money, and ideas through cyber intrusions. This threatens innovation and, as citizens, we are also increasingly vulnerable to losing our personal information.
Watch Webinar: CYBER SECURITY FOR ACCOUNTING FIRMS
By MIKE GOOSSEN, CPA
+1-646-827-4348
www.entigrity.com
info@entigrity.com