Security Concerns Every CPA Should Consider
This article was originally going to be titled “10 Surefire Ways to Break into an Accounting Firm’s Data,” but, as you can imagine, we were concerned about making it any easier than it already is to break in and didn’t want to create unnecessary alarm in the marketplace. So here is a toned-down, but hopefully still potent, reminder that data security doesn’t take care of itself and must be managed like any other aspect of your business.
By law, we have a duty to protect our client data. It’s important that we understand our physical security risks, know where client data is exposed, and enforce a plan to keep key systems properly updated and staff current on security best practices.
The truth is that an attacker can find out everything they need to know about your domain, spam-filtering service, website and mail server through passive lookups of publicly available information: DNS records, WHOIS registration data and the like, none of which ever touch your network. And if you happen to host both your website and mail server from your office, those records tell the attacker exactly which IP range to attack.
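To make that concrete, here is an added example (not from the original article) that mimics the lookups an outsider performs. The domain cpa-firm.example and every DNS answer below are constructed for illustration; a real attacker would gather them with dig or nslookup and a WHOIS client, and the firm would never see the queries. The script groups the firm’s public hosts by /24 and flags the case the text warns about, where web and mail sit in one small office range, and it also reads the SPF record to learn who filters the firm’s mail.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS answers for a hypothetical firm, cpa-firm.example (a reserved,
# non-existent domain). In a real assessment these come from dig/nslookup and
# WHOIS queries that never touch the firm's own network.
SELF_HOSTED = {
    ("cpa-firm.example", "A"):       ["203.0.113.10"],
    ("www.cpa-firm.example", "A"):   ["203.0.113.10"],
    ("cpa-firm.example", "MX"):      ["10 mail.cpa-firm.example."],
    ("mail.cpa-firm.example", "A"):  ["203.0.113.12"],
    ("cpa-firm.example", "TXT"):     ["v=spf1 mx include:_spf.filter.example -all"],
}

# Same firm after moving the website to a hosting provider: web and mail now sit
# in different networks, so the records no longer point at a single office range.
HOSTED_WEB = dict(SELF_HOSTED)
HOSTED_WEB[("cpa-firm.example", "A")] = ["198.51.100.20"]
HOSTED_WEB[("www.cpa-firm.example", "A")] = ["198.51.100.20"]


def lookup(records, name, rtype):
    """Stand-in for a DNS query against the constructed answer set."""
    return records.get((name, rtype), [])


def mx_hosts(records, domain):
    """Mail exchanger hostnames, lowest preference first, trailing dots removed."""
    entries = []
    for rr in lookup(records, domain, "MX"):
        pref, host = rr.split()
        entries.append((int(pref), host.rstrip(".")))
    return [host for _, host in sorted(entries)]


def passive_recon(records, domain):
    """Map what an outsider learns from DNS alone: which /24 each public service
    lives in, and which third parties handle the firm's mail (from SPF)."""
    roles_by_ip = defaultdict(set)
    for name in (domain, "www." + domain):
        for ip in lookup(records, name, "A"):
            roles_by_ip[ip].add("web")
    for host in mx_hosts(records, domain):
        for ip in lookup(records, host, "A"):
            roles_by_ip[ip].add("mail")

    # Group by /24: an office connection is usually one small block, so several
    # services landing in the same /24 is a strong hint that they are on-site.
    roles_by_net = defaultdict(set)
    for ip, roles in roles_by_ip.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        roles_by_net[str(net)].update(roles)

    spf = [rr for rr in lookup(records, domain, "TXT") if rr.startswith("v=spf1")]
    mail_filters = [tok.split(":", 1)[1] for rr in spf for tok in rr.split()
                    if tok.startswith("include:")]
    return {"networks": {net: sorted(roles) for net, roles in roles_by_net.items()},
            "mail_filters": mail_filters}


def single_attack_surface(report):
    """True when web and mail share one /24: the self-hosted office the text describes."""
    return any({"web", "mail"} <= set(roles) for roles in report["networks"].values())


if __name__ == "__main__":
    for label, records in (("self-hosted", SELF_HOSTED), ("hosted web", HOSTED_WEB)):
        report = passive_recon(records, "cpa-firm.example")
        print(label, report, "-> one office range exposed:", single_attack_surface(report))
```

Run against the two record sets, the self-hosted firm shows both roles in 203.0.113.0/24 (one range to attack), while the hosted variant splits them across two networks. The SPF include tells the attacker which filtering vendor to impersonate or look for weaknesses in.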
So how do you keep your firm protected? Here are some things to consider:
Server Security
If your servers are located in your office, new legislation like the freshly minted (as of March 1, 2010) Massachusetts 201 CMR 17.00 requires reasonable restrictions on physical access to records containing personal information. In practice that means a secure locked door with restricted access, and locks on the server cases, cabinets, drive chassis and server console screen. If your servers are hosted offsite at a data center, it’s best to confirm that the provider meets all of the physical security requirements your needs dictate, rather than assuming it does.
Confidential Data
In theory, CPA firms securely shred everything. In practice, someone could likely find a wealth of information they shouldn’t have access to just by going dumpster diving. Does your firm actively enforce a confidential data policy that addresses paper copies of confidential data?
Password Security
It is important to educate your firm on the importance of choosing secure passwords and keeping them secure: not writing them down, not telling them to anyone, and not using the “remember my password” checkbox at the login prompt. Did you know that adding just one capital letter and one asterisk changes the time needed to try every possible 8-character password from 35 minutes to 346 days? (The exact figures depend on how fast the attacker can guess, but the arithmetic holds: every extra character class multiplies the number of possibilities at each of the eight positions.) We recommend enforcing a password policy that includes forced password changes every 90 days with specific complexity requirements (a minimum of 8 characters with a combination of lowercase, uppercase, numbers and symbols). Feel free to use Xcentric’s password policy as a starting point for your firm.
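The arithmetic behind those numbers, as an added example that is not part of the original article: the script below computes the alphabet a password draws from, the resulting keyspace, and the worst-case brute-force time at an assumed rate of 100 million guesses per second (an assumption chosen because it reproduces the text’s 35 minutes for eight lowercase letters; a GPU against a fast unsalted hash such as NTLM is far quicker). It also checks the complexity policy the text recommends, and the sample passwords are constructed to show the caveat a practitioner should know: length adds more keyspace than complexity, and a password such as Tax$2010 passes the policy yet falls to a dictionary attack long before any brute force.

```python
import string

# Character classes the text's complexity policy draws from.
CLASSES = {
    "lower":  string.ascii_lowercase,   # 26
    "upper":  string.ascii_uppercase,   # 26
    "digit":  string.digits,            # 10
    "symbol": string.punctuation,       # 32 printable ASCII symbols
}

# Assumed attacker speed (not from the article): 1e8 guesses/second, a rate
# that reproduces the text's "35 minutes" for an 8-character lowercase password.
ASSUMED_GUESSES_PER_SECOND = 1e8


def classes_used(password):
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def charset_size(password):
    """Size of the smallest alphabet covering every character class present."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(alphabet_size, length):
    return alphabet_size ** length


def worst_case_crack_seconds(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Time to exhaust every password of this length over this alphabet. Brute force
    only: a dictionary attack finds 'Tax$2010' instantly however large the keyspace."""
    return keyspace(charset_size(password), len(password)) / guesses_per_second


def meets_policy(password, min_length=8):
    """The policy in the text: at least 8 characters using lower, upper, digits and symbols."""
    return len(password) >= min_length and classes_used(password) == set(CLASSES)


def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords; the last one fails the policy yet has the largest keyspace.
    for pw in ("deadline", "Deadlin*", "Tax$2010", "clientdeadline"):
        print(f"{pw:16} policy={'pass' if meets_policy(pw) else 'fail':4} "
              f"alphabet={charset_size(pw):2} "
              f"brute-force worst case={human_time(worst_case_crack_seconds(pw))}")
```

At the assumed rate, deadline falls in about 35 minutes and Deadlin* in roughly 290 days, while the 14-letter lowercase clientdeadline would take thousands of years even though it fails the complexity policy. A policy that counts length as well as character classes, and that rejects dictionary words with predictable substitutions, closes both gaps.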
Microsoft Patches
Staying current with Microsoft patches is a critical step in ensuring your firm’s security. We recommend automated patch management such as GFI LANguard or Windows Server Update Services (WSUS), which is free. All of the Microsoft server vulnerabilities and their related patches (sometimes called ‘fixes’) are published on Microsoft’s Security Advisories archive. This serves as a great inventory of how to protect your firm, but it simultaneously hands attackers a roadmap for exactly how to break into your unpatched servers, and working exploits for a published bulletin often follow quickly. Server security is only as good as its latest application of patches.
Website
Another thing to consider is what information you post on your website. CPA firms love to publish everyone’s name, phone number and email address. That is helpful for the general public, but it also gives an attacker a ready-made list of usernames to guess passwords against and of people to target with convincing phishing emails or phone calls. If you find this concerning, consider publishing a contact number and a generic email address for each department instead, to add one more layer of protection for your firm.
Voicemail System
Secure passwords are important here too. You don’t want someone calling your office after hours, figuring out how to reach a password prompt and then getting into someone’s voicemail because they used something like 1111, 1234 or 0000 as their PIN. Have the voicemail system lock a mailbox after a few failed attempts, and don’t allow a PIN that is simply the extension number. This is another reason not to post everyone’s number online.
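An audit of the kind a firm could run against an export of its voicemail mailboxes, as an added example that is not part of the original article. The extension-to-PIN table is constructed for illustration, and the common-PIN list is a short assumed blocklist rather than any vendor’s. Beyond the 1111/1234/0000 cases in the text, the check also catches PINs that repeat a block, run up or down the keypad, copy the extension, or look like a birth year.

```python
# Constructed voicemail directory for a hypothetical firm: extension -> PIN.
# Not real data; a real audit would export this table from the voicemail system.
MAILBOXES = {
    "201": "1234",  # on the common-PIN list
    "202": "0000",  # on the common-PIN list
    "203": "202",   # too short
    "204": "2040",  # extension padded with a digit
    "205": "7391",  # acceptable
    "206": "1212",  # common list (also a repeated block)
    "207": "3456",  # ascending digit sequence
    "208": "1975",  # looks like a birth year
    "209": "8295",  # acceptable
    "210": "2580",  # the middle keypad column, top to bottom
}

# Assumed blocklist of PINs that turn up constantly in leaked PIN data sets.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444",
               "2222", "6969", "9999", "3333", "5555", "6666", "1122", "1313",
               "8888", "4321", "2001", "1010", "2580"}


def is_sequence(pin):
    """Ascending or descending run such as 1234, 4321, 0123, 9876."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def is_repeated_pattern(pin):
    """A short block repeated to fill the PIN: 7777, 1212, 123123."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def looks_like_year(pin):
    return len(pin) == 4 and pin[:2] in ("19", "20")


def weakness(extension, pin, min_length=4):
    """Reason a PIN should be rejected, or None if it passes every check."""
    if not pin.isdigit():
        return "non-numeric"
    if len(pin) < min_length:
        return "too short"
    if pin in COMMON_PINS:
        return "on common-PIN list"
    if pin.startswith(extension) or pin.endswith(extension):
        return "derived from extension"
    if is_repeated_pattern(pin):
        return "repeated digits"
    if is_sequence(pin):
        return "digit sequence"
    if looks_like_year(pin):
        return "looks like a year"
    return None


def audit(mailboxes):
    """Extensions whose PIN fails, with the reason, for the administrator to reset."""
    findings = {}
    for extension, pin in mailboxes.items():
        reason = weakness(extension, pin)
        if reason:
            findings[extension] = reason
    return findings


if __name__ == "__main__":
    for extension, reason in sorted(audit(MAILBOXES).items()):
        print(f"ext {extension}: {reason}")
```

Eight of the ten constructed mailboxes fail. The order of the checks matters only for the reason reported: 0000 is caught by the blocklist before the repeated-digit rule ever runs.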
ISP Router
The Internet Service Provider’s (ISP) “managed router” is one of the most overlooked pieces of the network. It’s a nondescript box in the closet with blinking lights that few people understand, and somehow that ignorance makes way for comfort. Most firms assume that because the ISP set it up, it must be configured correctly. Not true. We’ve seen default passwords used on ISP routers many times. MANY times. Some of these routers have built-in packet capture tools that let whoever logs in watch all traffic going in and out of your office, which is enormously helpful to an attacker. Ask your ISP to change the default login password on your router, and to confirm that its management interface cannot be reached from the Internet side.
Firewall
When is the last time your firewall was updated? Firewalls are found both in the server room, as a hardware appliance, and as a piece of software on each PC. We recommend Cisco for network hardware firewalls; other options include SonicWall or WatchGuard. Just as any other component of technology needs management, hardware firewalls need their firmware and rule sets kept up to date. The PC-based firewalls on desktops, laptops and home PCs are generally updated whenever Windows Updates are installed.

We also recommend Intrusion Detection/Prevention (IDS/IPS) in addition to firewalls. A firewall decides by address and port: if you allow web traffic to your server, every web request gets through, malicious or not. An IDS inspects the content of that allowed traffic against signatures of known attacks and reports on the number and types of attacks attempted; an IPS goes one step further and blocks the matching traffic. There are numerous options out there, including Snort, which is free and open source, and Symantec DeepSight. Other options include McAfee, VeriSign, IBM ISS and Cisco. This provides an extra layer of protection, as an attacker would have to get past both your firewall and your IDS/IPS before reaching your client data.
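To show the division of labour between the two layers, here is an added example (not from the original article, and not any vendor’s code) that runs constructed inbound traffic through a port-based firewall policy and then through a handful of content signatures. The flows, ports and the three signatures are assumptions for illustration; a real rule set such as Snort’s runs to thousands of rules. The point it demonstrates is the one in the text: the firewall lets every request to the open web port through, and only content inspection notices that three of them are attacks.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One inbound connection as the firewall and IDS would see it (constructed sample)."""
    src: str
    dst_port: int
    payload: str


# Edge firewall policy for the office: only these inbound ports are open.
ALLOWED_INBOUND_PORTS = {25, 80, 443}

# IDS signatures as (name, pattern over the payload). Deliberately few and simple.
SIGNATURES = [
    ("web-dir-traversal", re.compile(r"\.\./")),
    ("web-sql-injection", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1)")),
    ("web-scanner-ua",    re.compile(r"(?i)user-agent:\s*(nikto|sqlmap|nmap)")),
]

# Constructed traffic: two ordinary requests, three attacks over the permitted
# web port, and one probe of a port the firewall does not expose.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 80,   "GET /index.html HTTP/1.1\r\nHost: www.cpa-firm.example\r\n"),
    Flow("198.51.100.7", 443,  "<TLS client hello>"),
    Flow("203.0.113.99", 80,   "GET /clients.php?id=1' OR '1'='1 HTTP/1.1\r\nHost: www.cpa-firm.example\r\n"),
    Flow("203.0.113.99", 80,   "GET /../../windows/win.ini HTTP/1.1\r\n"),
    Flow("203.0.113.99", 80,   "GET / HTTP/1.1\r\nUser-Agent: Nikto/2.1.5\r\n"),
    Flow("203.0.113.99", 3389, "<RDP connection request>"),
]


def firewall_verdict(flow, allowed=ALLOWED_INBOUND_PORTS):
    """Address/port decision only: the payload is never examined."""
    return "allow" if flow.dst_port in allowed else "deny"


def ids_alerts(flow, signatures=SIGNATURES):
    """Signature matches over the payload of traffic the firewall let through."""
    return [name for name, pattern in signatures if pattern.search(flow.payload)]


def process(flows, ips_mode=False):
    """Run each flow through the firewall, then the IDS/IPS. In IDS mode alerts are
    only reported and the flow proceeds; in IPS mode a matching flow is dropped."""
    results = []
    for flow in flows:
        verdict = firewall_verdict(flow)
        alerts = ids_alerts(flow) if verdict == "allow" else []
        final = "drop" if (alerts and ips_mode) else verdict
        results.append({"src": flow.src, "port": flow.dst_port, "firewall": verdict,
                        "alerts": alerts, "final": final})
    return results


def summarize(results):
    """The 'number and types of attacks attempted' report the text describes."""
    counts = {}
    for r in results:
        for name in r["alerts"]:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for r in process(SAMPLE_FLOWS, ips_mode=True):
        print(f"{r['src']:14} :{r['port']:<5} firewall={r['firewall']:5} "
              f"alerts={r['alerts'] or '-'} final={r['final']}")
    print("attack summary:", summarize(process(SAMPLE_FLOWS)))
```

The firewall denies only the RDP probe; the SQL injection, directory traversal and scanner requests all arrive on port 80 and are allowed. In IDS mode they still reach the web server and merely generate the report; in IPS mode the same signatures drop them.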
Wireless Access
WPA2 (Wi-Fi Protected Access 2) has been mandatory for every new device certified “Wi-Fi Certified” by the Wi-Fi Alliance since 2006. WEP (Wired Equivalent Privacy), by contrast, is insecure: anyone within radio range who captures enough traffic can recover the key in minutes, which opens you up to eavesdropping on everything sent over the air and to Wi-Fi piggybacking. If an attacker gets onto your wireless network, they can dig deeper by scanning and mapping your network from the inside. You also want to make sure no one brings a computer or a consumer wireless router from home and plugs it into your network, since that bypasses whatever controls you have put on the firm’s own access points.
Remote Access
In this day and age the convenience of anytime, anywhere access to data poses new security threats that firms need to consider and address. Our duty to keep client data secure now extends far beyond the walls of the office and staff in the field to our employees’ homes and cell phones as well. It’s a good idea to develop a written policy for remote access and data in transit that covers things like remote wipe, mobile phone lock, the permitted Wi-Fi security protocol and password complexity enforcement. Centralized management of anti-virus and personal firewalls is also key to making sure your firm is adequately protected on all fronts.
Encryption
Most states have breach notification laws, and nearly all of them waive the notification requirement where the lost data was encrypted (provided the encryption key was not lost along with it). Whole-disk and USB-stick encryption are the two most common places where encryption can be used. Imagine all of the free press you could get just by having an auditor lose their USB memory stick.

Another way to avoid data loss without using device or PC encryption is to use remote access technologies such as Citrix or Terminal Services. In those environments data is rarely stored on the device; it stays on the server, where it can be controlled and is far less likely to be left on a train or stolen from your back seat.

We also recommend remote laptop security tools such as Xtool MobileSecurity and Absolute Software Computrace LoJack, which come with a laptop tracker and recovery guarantee to help protect your firm. Xtool MobileSecurity also includes features like an encrypted disk and remote delete, which are helpful in such situations as well.

We recommend IronKey or PGP to encrypt your USB sticks, and PGP or Windows Vista BitLocker (included in the Ultimate and Enterprise editions) for whole-disk encryption.
We encourage you to consider this list, as well as additional policies such as third-party connection, acceptable use and incident response, to ensure your firm is adequately protected on all fronts. Above all, make sure your firm actively enforces the policies and standards you establish because, no matter what kind of security you have in place, your firm is only as safe as your weakest line of defense.
Special thanks to our internal security experts for explaining the deep and dark hacker tricks in terms that even I can understand.
Trey James is the co-founder and CEO of Xcentric, which specializes in Cloud Computing and IT consulting for CPA firms. Trey brings 19 years of experience to the profession, a blend of executive, strategic, technical and operational roles, including successful roles with regional firms, local firms and leading IT consultancies. Trey was selected as one of the “Top 100 Most Influential People” in the accounting industry for 2009 by Accounting Today and as a “Top 40 under 40” honoree by The CPA Technology Advisor in 2006, 2007, and 2008. Trey graduated from Texas Wesleyan University in Fort Worth, TX with a degree in Information Systems.

Trey can be reached at 678.297.0066 ext. 517 or at tjames@xcentric.com. For more about Xcentric, go to www.xcentric.com or follow them at blog.xcentric.com and www.twitter.com/xcentric.
InfoTech Partners North America, Inc., 13656 South 37th Place, Phoenix, AZ 85044-4531. Phone: (480) 706-1728. Fax/Voicemail: (480) 718-8880. Email: roman@itpna.com. Web site: www.itpna.com
We are in business to service and act on behalf of our clients. Please review our Privacy Statement and Declaration of Integrity. For comments regarding this website, please email ITPartner@itpna.com or call (480) 706-1728. All information presented here is the opinion of InfoTech Partners North America Inc. or the respective authors of the various articles and is not to be construed as legal or technical advice. Please consult your lawyer or technical person for specific utilization.