Cybersecurity: Building a Defensive Moat that Keeps the Hackers Out
In the world of cybersecurity, accountants should be aware of the “big four” threats that are the most common ways to breach a company’s IT infrastructure: phishing and whaling; ransomware and worms; Remote Desktop Protocol (RDP) attacks; and WiFi hotspot hacks.
The process of protecting against these threats can be described as creating a moat around your IT castle. Here are dangers and a starting point for defensive measures.
Phishing and Whaling
Phishing and whaling are the same attack aimed at different people: phishing targets individuals, and whaling focuses on executives. (Everyone is a phishing target, while some accountants are whales.) Phishing is the most common. Hackers pretend to be a trustworthy person or company in order to get into the victim’s system and steal valuable data. They “catch” the victim when the victim is complacent about, or ignorant of, security rules.
- Simple first step: Educate staff. They should never click on a link they don’t recognize. And they should never download anything unless they absolutely know the source. If they’re unsure, they should check with their in-house IT person or provider.
Ransomware and Worms
Ransomware is one of the most disruptive and common security threats, and it is especially crippling for small and midsize accounting firms, which often lack the sophistication and expertise to combat it. Ransomware encrypts an accounting practice’s computers, data and networks and locks the firm out of them. The firm pays the ransom or the hacker devastates the firm’s IT infrastructure. A worm is malware that replicates copies of itself from computer to computer without anyone clicking anything.
- Simple first step: See above. It’s always about unverified websites, links and especially downloads. Check the sender’s address and domain on any email; don’t open it or any links in it if you don’t recognize the sender. Be sure to use updated virus protection against worms.
Remote Desktop Protocol (RDP) Attacks
Businesspeople, including clients, use RDP to connect to networks regularly, so it has become a prime target. Hackers often use brute-force password attacks, running through millions of potential passwords until one lets them in.
- Simple first step: Start with a strong password and make your RDP available only through a company VPN (virtual private network). Implement network-level authentication (NLA) and, when possible, use two-factor authentication.
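The brute-force attack described above leaves a trail: every failed password attempt is recorded by Windows as a failed-logon event, and a burst of them from one address is the signal a firm’s IT provider should be watching for. The following added example (not from the article or DFDR Consulting) flags sources that exceed a threshold of failed RDP logons within a sliding time window; the log format and the sample lines are constructed for illustration, and the threshold and window are assumptions to be tuned per firm.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export in a simplified "timestamp,event_id,account,source_ip,logon_type"
# form (not real Windows log output). Event ID 4625 is a failed logon; logon type 10 is
# RemoteInteractive (RDP) and type 3 is how NLA-fronted RDP failures are recorded.
SAMPLE_LOG = """\
2020-11-02T08:00:01,4625,jsmith,203.0.113.7,10
2020-11-02T08:00:02,4625,jsmith,203.0.113.7,10
2020-11-02T08:00:02,4625,admin,203.0.113.7,10
2020-11-02T08:00:03,4625,admin,203.0.113.7,10
2020-11-02T08:00:04,4625,administrator,203.0.113.7,10
2020-11-02T08:00:05,4625,jsmith,203.0.113.7,10
2020-11-02T08:05:00,4625,mlee,198.51.100.4,10
2020-11-02T08:05:30,4624,mlee,198.51.100.4,10
"""

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: details} for every source that produced at least
    `threshold` failed RDP logons inside any sliding `window` (assumed defaults)."""
    recent_failures = defaultdict(deque)   # source_ip -> timestamps inside the window
    accounts_tried = defaultdict(set)      # source_ip -> account names attempted
    alerts = {}
    for line in log_text.splitlines():
        ts, event_id, account, src, logon_type = line.split(",")
        # Only failed logons over RDP (or NLA-fronted RDP) are of interest here.
        if event_id != "4625" or logon_type not in ("10", "3"):
            continue
        t = datetime.fromisoformat(ts)
        q = recent_failures[src]
        q.append(t)
        accounts_tried[src].add(account)
        # Slide the window: drop failures older than `window` relative to this one.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            # Many distinct accounts from one source is a password spray;
            # the same account over and over is classic single-account brute force.
            kind = "spray" if len(accounts_tried[src]) >= 3 else "bruteforce"
            alerts[src] = {
                "failures": len(q),
                "accounts": sorted(accounts_tried[src]),
                "window_start": q[0].isoformat(),
                "kind": kind,
            }
    return alerts

if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info}")
```

A successful logon (event 4624) from an address that was just alerted on is the follow-up worth checking by hand, since it may mean one of the guessed passwords worked.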
WiFi Hotspot Lovefests
While it may be tempting to use the public WiFi at Starbucks to log in to a work network, don’t do it. That smartly dressed woman in the corner might be the hacker, and her hacking job becomes much easier when someone uses the public WiFi for work purposes. Many people use public WiFi systems, either through laziness or just trying to save data time. It’s a mistake (I’ve actually shown how this is done on television).
- Simple first step: Enable WPA2 (Wi-Fi Protected Access) or WPA3 wireless encryption. Both are digital moats that can stop most intrusions. Add a strong password for your network (the SSID is your network name), and now there are two layers of protection.
Building the Moat
We’re all guilty of wanting a single answer that fits all questions. There are none for cybersecurity. Hardware, IT knowledge, discipline (yes, everyone needs to be disciplined when it comes to establishing and maintaining protocols) and expert counsel are the only safeguards.
Here is a reliable two-step solution. First, at least twice a year, companies should have an IT security expert conduct a session on security with all employees. Attendance should be mandatory for all (including partners). An in-house IT person is fine if they are well-versed on the topic; otherwise, search for an expert outside the firm.
Second, run a penetration-testing drill and see what happens. It’s like learning a self-defense move, then using those skills on the street. Did it work? The IT provider should be able to offer this at a modest cost. All firms have insurance, and most are very happy when they don’t have to use it. Think of IT systems in the same fashion, because they are part of the fortifications that protect the company against merciless hackers.
“Not following basic principles almost ensures that the company will be breached,” says Michael M. Nelson, president, DFDR Consulting, an expert in digital forensics, penetration testing and managed security. “Even worse comes the question of negligence in terms of clients, shareholders or insurance. If you survive the breach, will your reputation endure? Will your clients stick around? What is that cost compared to the original time and effort that you spend to protect your IT environment?”
This article appeared in the November/December 2020 issue of New Jersey CPA magazine.