The hottest topic in the accounting industry today is the threat of being hacked. Because accounting firms hold valuable personal information (addresses, phone numbers, Social Security numbers, and so on), they are increasingly easy targets for attackers who can sell that information. It is extremely important to evaluate the basic minimum procedures any firm should have in place to protect itself from this threat, and there are procedures you can implement to deter some of the more common attacks. The following are recommended minimum practices (RMP):
1. Does your company have a virus protection program and a firewall in place?
RMP: Implement virus controls and filtering on all systems. Minimum controls include:
- Installing antivirus software on all systems.
- Implementing a process to keep antivirus programs up to date, utilizing automatic update of virus signatures if possible.
- Filtering e-mail attachments and downloads to reject files with at least the following extensions: .exe, .vbs, .bat, .pif, .scr. Treat this list as a starting point rather than a complete one, and remember that a filter on the file name does not inspect the file's contents.
- Disabling unneeded services and ports, including File Transfer Protocol (FTP) and Telnet, both of which send user names and passwords across the network unencrypted.
- Training employees not to open e-mail attachments unless they are expected and from a known and trusted source.
- Executing antivirus scans on all e-mail attachments, files and downloads before the file is opened.
- Running a commercially available product specifically designed as anti-spyware software. At a minimum, run a monthly full scan of all computers on your network.
- Disabling any non-essential network file sharing capabilities. If file sharing is necessary, create a dedicated directory for file sharing, password protect these shared files, and restrict use to "read only" if possible.
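The attachment-filtering control above is easy to get subtly wrong. The following is an added example, not code from the original article: a name-based filter using the article's own extension list, with the two cases a practitioner usually forgets (upper-case names such as UPDATE.SCR and double extensions such as invoice.pdf.exe) handled, plus Windows' habit of dropping trailing dots and spaces from a saved file name. The helper functions and the sample attachment names are constructed for illustration.

```python
# Added example (not from the original article): a name-based attachment
# filter implementing the "reject files with the following extensions" control.
# The extension list is the article's; the helper functions and the sample
# filenames are constructed for illustration.

# The article's minimum list. Extend it to match your own written policy.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".bat", ".pif", ".scr"}


def final_extension(filename: str) -> str:
    """Return the lower-cased final extension of a filename, including the dot.

    Handles Windows and POSIX path separators, and strips trailing dots and
    spaces because Windows silently drops them when it saves a file, so
    'setup.exe. ' lands on disk as 'setup.exe'.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def is_blocked_attachment(filename: str) -> bool:
    """True if the attachment should be rejected on its name alone.

    Only the final extension decides, so the common double-extension trick
    'report.pdf.exe' is caught. This is a name check, not a content check: an
    executable renamed to 'report.pdf' passes it, which is why the article also
    requires scanning every attachment before it is opened.
    """
    return final_extension(filename) in BLOCKED_EXTENSIONS


def filter_attachments(filenames):
    """Split a message's attachment names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for name in filenames:
        (rejected if is_blocked_attachment(name) else accepted).append(name)
    return accepted, rejected


# Constructed sample attachment names for a single incoming message.
SAMPLE_ATTACHMENTS = [
    "Q3-ledger.xlsx",
    "engagement-letter.pdf",
    "invoice.pdf.exe",      # double extension
    "UPDATE.SCR",           # upper-case variant
    "setup.exe. ",          # trailing dot and space; saved as setup.exe on Windows
    ".vbs",                 # bare extension
    "archive.tar.gz",       # not on the list; archives need content scanning
]

if __name__ == "__main__":
    ok, bad = filter_attachments(SAMPLE_ATTACHMENTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The last sample line is the point of the exercise: archive.tar.gz passes a name filter, so the scan-before-open control in the same list is what actually stands between a user and a malicious payload inside an archive or a renamed executable.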
2. Does your company check for security software updates in a timely manner?
RMP: Subscribe to vendor patch notification services for all software and systems utilized, review and evaluate at least weekly, preferably daily. Where possible, enable automatic update capabilities. Test and install critical security patches and upgrades within 24 hours of availability, and all other patches within 30 days.
3. Does your company replace factory default settings to ensure that your information security systems are securely configured?
RMP: Implement policies regarding the configuration of all network security devices and systems.
- Change default configurations and default credentials, and implement specific procedures for managing strong administrative passwords for these devices and systems.
- Update policies as new vulnerabilities arise or network configurations change.
- The default policy for a firewall handling inbound traffic should be to block all packets and connections unless the traffic type and connection are specifically permitted (deny by default, allow by exception).
4. Does your company control access to information that resides on company servers and computers?
RMP: In regard to confidential or sensitive information accessible within your company:
- Define access controls based on "need to know" or "least privilege", which refers to granting only the access required by users to perform their duties.
- Centrally administer access controls to limit access to confidential or sensitive information.
- Establish separation of duties to prevent individuals from subverting access controls.
- Implement written procedures to change user access privileges immediately upon changes in employee position or authority.
- Implement written procedures to terminate user access privileges when employment is terminated. If employment is being terminated for cause, revoke privileges concurrent with notifying the employee of termination.
5. Does your company have a policy on the creation and use of passwords?
RMP: Maintain an easily understandable written policy on creating and using passwords, and update the policy yearly to reflect current guidance.
6. Does your company use authentication and encryption to protect remote access to your network?
RMP: Authenticate and encrypt all remote access to your network, requiring user identification and strong passwords (and a second authentication factor where your remote-access product supports one). A Virtual Private Network (VPN) is the most common way to provide this protection, but a VPN protects only the traffic inside the tunnel, not the device at the far end: an unmanaged or infected offsite computer, or traffic that leaves a public Wi-Fi hotspot outside the tunnel, remains exposed, and a compromised remote machine carries that compromise into your network.
As part of your security policy, allow remote access only from devices and networks that meet your organization's security requirements.
7. Does your company monitor user accounts to identify and disable inactive accounts?
RMP: Maintain a written standard on the timeframe after which an inactive user account must be disabled and then removed, and use software that automatically identifies and disables such accounts in accordance with the standard.
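What "software that automatically identifies and disables such accounts" has to get right is shown in the following added example, which is not code from the original article. It applies an assumed 90-day standard to a constructed list of accounts; in a real deployment the records would come from your directory (for example Active Directory's lastLogonTimestamp attribute) and the disable step would call the directory rather than flip a flag. The account names, dates and the 90-day threshold are all assumptions.

```python
# Added example (not from the original article): apply a written
# inactive-account standard to a list of accounts, flagging and disabling the
# ones that exceed it. The accounts below are constructed sample data; in a
# real run you would read them from your directory (for example Active
# Directory's lastLogonTimestamp attribute) and make disable_inactive() call
# the directory to disable the account. The 90-day threshold is assumed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

INACTIVE_DAYS = 90  # assumed threshold; the article says to fix this in writing


@dataclass
class Account:
    username: str
    created: date
    last_logon: Optional[date]   # None means the account has never logged on
    enabled: bool = True
    exempt: bool = False         # documented exceptions only (e.g. break-glass account)


def days_inactive(acct: Account, today: date) -> int:
    """Days since the last logon.

    An account that has never logged on counts from its creation date, so a
    user account provisioned months ago but never used is caught rather than
    skipped for lacking a logon timestamp.
    """
    anchor = acct.last_logon if acct.last_logon is not None else acct.created
    return (today - anchor).days


def find_inactive(accounts: List[Account], today: date,
                  threshold_days: int = INACTIVE_DAYS) -> List[Account]:
    """Enabled, non-exempt accounts idle for at least threshold_days."""
    return [a for a in accounts
            if a.enabled and not a.exempt
            and days_inactive(a, today) >= threshold_days]


def disable_inactive(accounts: List[Account], today: date,
                     threshold_days: int = INACTIVE_DAYS) -> List[str]:
    """Disable (not delete) every account find_inactive() returns.

    Disabling first keeps the account's files and audit history available and
    is reversible if the owner turns out to be on leave; deletion can follow
    after a further retention period set by the same written standard.
    Returns the usernames disabled, for the record the standard requires.
    """
    disabled = []
    for acct in find_inactive(accounts, today, threshold_days):
        acct.enabled = False      # in production: call the directory here
        disabled.append(acct.username)
    return disabled


# Constructed sample data; TODAY is fixed so the results are reproducible.
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith", date(2019, 5, 2), date(2024, 2, 27)),             # active
    Account("former.temp", date(2022, 1, 10), date(2023, 9, 15)),       # 168 days idle
    Account("never.used", date(2023, 10, 1), None),                     # created 152 days ago, never used
    Account("new.hire", date(2024, 2, 20), None),                       # 10 days old, not yet due
    Account("backup.svc", date(2020, 1, 1), date(2021, 1, 1), exempt=True),       # documented exception
    Account("old.disabled", date(2018, 1, 1), date(2019, 1, 1), enabled=False),   # already handled
]

if __name__ == "__main__":
    for acct in find_inactive(SAMPLE_ACCOUNTS, TODAY):
        print(f"{acct.username}: {days_inactive(acct, TODAY)} days inactive")
    print("disabled:", disable_inactive(SAMPLE_ACCOUNTS, TODAY))
```

Two design choices matter more than the threshold itself: never-used accounts are measured from creation rather than silently skipped, and exemptions are an explicit, documented attribute rather than a list hidden in the script, so the written standard and the automation say the same thing.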
8. Does your company have the ability to monitor and control downloading of data to external storage devices such as flash drives, personal and tablet computers, and smartphones?
RMP: Maintain a written policy on storing company data on portable devices, and use technical controls to prevent data leakage, such as disabling or monitoring USB ports, content filtering, and network monitoring software. Any data that is copied to a portable device should be encrypted.
However, at the end of the day, no matter what you do, there is no guarantee of completely securing your data. We recommend insurance as the best safety net for containing this exposure. Cyber liability policies or endorsements can protect you from it. Make sure to find coverage that will respond proactively and quickly, as time is of the essence. If your system is hacked, coverage can provide experts to identify the extent of the breach and remove any malware left behind by the attack. Coverage should also provide notification to all clients whose data was exposed (you have a legal duty to notify affected clients within a set time of discovering a breach; the deadline depends on state law and the federal rules your firm falls under, so confirm it in advance). Notification can also include free credit monitoring for your clients for up to one year from the notification. Should you wish to find out more about this coverage, please contact Paul Morris by e-mail at email@example.com or call him at (800) 562-4272.
By Paul Morris, RPLU
(800) 562-4272 x102