According to Forbes magazine, the global cost of cybercrime will reach $2 trillion by 2019. Warren Buffett considers cyber attacks “a bigger threat to humanity than nuclear weapons,” and Ginni Rometty, IBM President & CEO, describes cybercrime as “the greatest threat to every profession, every industry, every company in the world.” The National Computer Security Survey, conducted by the U.S. Department of Justice’s Bureau of Justice Statistics, found approximately 68% of cyber theft victims will incur losses of $10,000 or more, and victims of cyber attacks will experience downtime of 24 hours or more. During tax season, any downtime or breach of client data could critically affect your accounting practice. Proactively taking measures to prevent cybercrimes is a business necessity.
Cybercrime encompasses many different computer-related events, such as cyber theft of personal information or money from your bank accounts; cyber attacks—such as viruses and ransomware—that impede your ability to work; and malware, adware, email phishing, or password phishing, which attack your business to gather information. The list of attacks is constantly growing. To cybercriminals, your data and information are a valuable commodity—and protecting them vigilantly must be a priority of any business.
There is no single security measure available that will protect your business from all cyber attacks. The variety of attacks and the speed at which cybercriminals adapt their methods make it imperative that you implement several methods in order to maintain a solid plan of defense. A computer consultant with knowledge of your profession can help you identify the basic—as well as specific—items needed to keep your data safe. Be wary, however, of consultants who sell specific products rather than explain all helpful options—there is no one-size-fits-all method to computer security.
Diligence on the part of employees is mandatory. Relying on technology alone to protect your business is probably the biggest error companies make when devising a security plan. While important, technological solutions—antivirus software, daily data backups, a small business firewall, encryption, strong passwords, and secure web browser settings—are only bricks in the wall of cyber defense and can even give a false sense of safety. The education of your employees is paramount to any successful plan to protect your firm, because employees unintentionally become the access point for cybercriminals through email phishing attacks and social engineering. For example, a user checking email is duped into clicking a link or an attachment and infects the office network. A friend tags them in a post, and they click on an ad that infects them with ransomware. “I opened it because I know the person who sent it” was once an understandable excuse, but it is no longer a valid reason for trusting any email—cybercriminals can easily falsify a sender’s name.
This is why security awareness training for yourself and your employees is essential. You can have the most up-to-date software and technology deterrents in place, but in reality, you are always one click away from data loss. I discuss all new methods being used by cybercriminals with my clients to keep them informed of threats. I ask employers to teach their employees to STOP, LOOK, THINK—and avoid clicking links recklessly. Common sense and information are a business owner’s most valuable assets in the war against cybercrime.
EMAIL SECURITY
Email is the biggest security threat for most companies. According to Digital Guardian, 91% of cyber attacks start with a phishing email, making it the number one threat to your business. Phishing is sending an email that looks legitimate, seems to come from a contact, and asks for information. Most people will open an email from a known person and not check the actual email address behind the displayed name. Your email needs to be protected from unauthorized access. One way to do this is to turn on two-part authentication, which major email services—such as Gmail, Microsoft Office 365, AOL, and Yahoo—offer. If your current email provider does not offer two-part authentication, I advise you to change to one that does.
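The check the paragraph describes (look at the real address, not the displayed name) can be automated. The following is an added example, not part of the original article: it parses a From header and flags the two classic spoofing patterns, a trusted contact's name on an unfamiliar address and a display name that is itself formatted as an email address. The contact list and headers are constructed sample data.

```python
from email.utils import parseaddr


def sender_warnings(from_header: str, trusted_contacts: dict) -> list:
    """Return reasons the From header deserves a second look (empty list = nothing odd).

    trusted_contacts maps a display name to the address that person really uses.
    """
    display, addr = parseaddr(from_header)
    display, addr = display.strip(), addr.strip().lower()
    warnings = []

    if "@" not in addr:
        # Nothing usable after the display name: treat as suspicious rather than trusted.
        return ["From header has no parsable email address"]

    # Pattern 1: the display name matches someone we know, but the address does not.
    for name, known_addr in trusted_contacts.items():
        if display.lower() == name.lower() and addr != known_addr.lower():
            warnings.append(
                f"display name matches contact '{name}' but address is {addr}, not {known_addr}"
            )

    # Pattern 2: the display name looks like an address, so mail clients that show only
    # the name hide the real sender entirely.
    if "@" in display and display.lower() != addr:
        warnings.append(f"display name '{display}' looks like an address but the real sender is {addr}")

    return warnings


if __name__ == "__main__":
    # Constructed sample contact list and headers for demonstration only.
    contacts = {"Jane Smith": "jane.smith@bank.example"}
    for header in (
        '"Jane Smith" <jane.smith@bank.example>',
        '"Jane Smith" <jsmith1984@freemail.example>',
        '"jane.smith@bank.example" <attacker@evil.example>',
    ):
        print(header, "->", sender_warnings(header, contacts) or "ok")
```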
Two-part authentication or two-factor authentication requires the user to enter his or her usual username and password and then enter a code that changes for each instance. This code gets texted to a cell phone (or, more securely, is generated by an authentication app on the phone, such as Google Authenticator or Microsoft Authenticator). This is a critical first step to preventing unauthorized persons from getting access to your information and an excellent starting point for avoiding cybercrime. It is imperative that people realize the damage that can be done with access to emails. A cybercriminal can reset your passwords and use your email to access your accounts across the internet. These criminals are clever and resourceful. Business owners and employees must be one step ahead.
For example, a client of mine was once fooled into clicking on a fake invite to a New Year’s Eve party and entered his username and password into a site that looked like Gmail. Again, he “knew” the sender. He did not think much of it at the time, but a few weeks later, his bank called, verifying a wire transfer to Europe in the coming days. These cybercriminals looked through my client’s email history, saw his contact at the bank, and began a stealth exchange of emails to set up an elaborate scenario of a trip to Europe to purchase land. Luckily, the bank called to verify. Had my client used two-factor authentication, the hackers would not have gotten in at all—as they would have needed that additional one-time code. This email could easily have contained ransomware, which would have encrypted all data files on the user’s computer and held the data for ransom: a payment to the hacker to unlock the user’s own data.
Recently, a targeted form of email phishing called “spearphishing” has appeared. These emails contain information specific to the recipient. Last year, a CPA client called regarding an email exchange with someone who had contacted him via the website contact form, asking for help with prior year taxes. The exchange of emails continued until the hacker sent an email with an attachment described as a “Secured PDF Online Document.” The attachment contained a link to infect the user. Fortunately, the client called before opening it, and the attack was averted.
Another common threat is stealing personally identifiable information, such as name, address, or social security number. To prevent hackers from obtaining this in emails, you must send emails with encryption. Microsoft Office 365 offers email encryption for a nominal monthly fee, and it is well worth it for the protection. Please do not think password protecting a PDF is secure. There are utilities available (both free and for a fee) that will crack these passwords. Full email encryption is your only option.
Cybercriminals are now targeting individual companies to attack, taking the time to do whatever it takes to get your data. Be vigilant.
INTERNET SECURITY
Drive-by browser downloads are another leading method of cyber attack. Internet searches can lead you to compromised websites, which can infect your network with viruses and malware. To prevent this type of attack, install all the latest security patches on your computers and servers. Install a firewall router with gateway antivirus, gateway anti-malware, and intrusion prevention to stop the virus before it gets into your private network. Routers provided by your Internet Service Provider do not have this type of security. While these might be adequate for your home, you should not use them for your business.
A common cyber attack seen is a browser popup that falsely claims to be a warning from a legitimate company (such as Microsoft) stating that your PC is infected and you should call the number given. These alerts fool the user into calling—and then the hackers proceed to access your computer remotely, with your permission, under the guise of cleaning up your computer. Instead, they infect your computer. Never call any number in a popup alert.
Another measure available is a subscription to a good antivirus program that provides a browser plug-in rating websites as safe or unsafe. This prevents you from going to sites that are known for infecting the unsuspecting user.
A better utility to protect you is a “sandboxing” application that allows your browser to access the internet, yet prevents any permanent changes to your computer or network. For example, if you accidentally download malware, any changes it attempts to make are contained in a virtual sandbox, which is easily emptied. We use a product called Sandboxie.
REMOTE ACCESS
Remote access to your computers should be done over a secure virtual private network (VPN) connection. Never expose Microsoft Remote Desktop directly to the internet without a VPN; doing so all but guarantees hackers access to your data. If it is not practical to set up a VPN, use one of the handful of remote access services that offer two-factor authentication. LogMeIn is a good choice.
DATA SECURITY
Transporting data using a USB drive is not secure. The USB drive should be one that has encryption built in by requiring a password for access. Most offer automatic destruction if the password is entered incorrectly too many times. Use one with this feature.
I have had accountant clients who transport their clients’ QuickBooks data files on a USB drive back to their office, unencrypted, assuming that because the QuickBooks file is password protected, it is secure. With utilities available on the internet that can wipe out all passwords in a QuickBooks data file, that is simply not true. These utilities allow anyone to have access to the data on the drive. Protect your data and your clients.
Laptops are another security problem. Laptop hard drives should be encrypted. Microsoft has a built-in encryption utility called BitLocker that comes with the Professional versions of Windows 10.
Disposal of computer equipment also needs to be handled properly. Removal and destruction of the drives is a good way to prevent unauthorized access to data. The Federal Trade Commission provides guides on proper disposal of digital data.
WIRELESS SECURITY
Wireless access into your network needs to be protected. Of course, use passwords, but a separate guest network should also be set up for visitors to your office who need internet access. This prevents guest users from reaching the computers and resources on your network, which is especially important if one of the laptops or devices a guest brings in is infected.
BACKUPS
If all these measures are taken but ransomware still infects your system and network, what happens next? Your only recourse for data recovery is a good backup system. I recommend maintaining more than one system, and I often set up at least two methods for my clients: a daily backup to local removable cartridges and some method of backing up to an internet service. By far, the best system of offsite backup includes virtualizing your computer or server offsite. This can be done as often as every 15 minutes with little or no performance hit to your system. This type of protection is invaluable, especially during tax season. Any accounting firm that doesn’t protect itself with this type of backup is setting itself up for a catastrophic disaster.
Virtualization of a computer or server makes a complete software image of your system, which can then be brought back to life quickly in an accompanying virtual host environment. Microsoft Hyper-V and VMware provide virtual hosting environments in both paid and no-cost options, and it is a valuable technology employed by small and large companies alike. This is a key part of any backup and disaster recovery plan and is the best solution for business continuity and minimizing system downtime. A backup is a must for any business.
Cybercrime is with us. Be safe, be vigilant, be smart, and first and foremost, make backups.
Broadband and information technology are powerful factors in small businesses reaching new markets and increasing productivity and efficiency. However, businesses need a cybersecurity strategy to protect their own business, their customers, and their data from growing cybersecurity threats.
Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.
Keep clean machines: having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system's firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don't use the same computer to process payments and surf the Internet.
Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.
To find cybersecurity resources for small businesses, visit:
https://www.fcc.gov/general/cybersecurity-small-business
Source: https://www.fcc.gov/general/cybersecurity-small-business