Protect yourself: Top tips for firm security

Good security is just not good enough anymore. While it’s impossible to have truly impenetrable security, your (and your clients’) security has to be the best you can possibly implement. That’s never been truer than in today’s work-from-anywhere and hybrid office environments. And the best path to improving your practice’s security is to be aware of where the vulnerabilities lie, and how to address them in a way that’s efficient and effective.

To help in this endeavor, we talked to some of the most security-conscious firms and consultants for their guidance on where to look for vulnerabilities, and how to lock them down when you find them. Below are 14 of their best tips, but remember that when it comes to security, these tips just scratch the surface. In addition to the checklist mentioned in No. 13, and the other suggestions provided here, make sure your firm has a detailed disaster plan, not only for security breaches but for other disasters as well. When it comes to malware, ransomware, phishing, and other attacks, it’s very likely not a question of if they happen, but when. And when they do, you and your clients need a plan for handling them.

No. 1: Physical security

Probably the most overlooked aspect of security is simply preventing physical access to the data being protected, whether that data is on paper, in email and text messages, or on the devices used for office work. When working from home, leaving sensitive paper documents on your desk is not a good idea. It’s easy to forget that the information on those documents might be sensitive. You don’t have to stamp papers “TOP SECRET,” but leaving client documents in the open where anyone coming into your workspace can see them is a habit you don’t want to keep. At a minimum, put these documents into a folder when you’re not actively using them, and when you dispose of client-related papers you no longer need, use a crosscut shredder. Rather than producing long strips, a crosscut shredder chops paper into small pieces that are far harder to reassemble into a readable document.

Physical security also means limiting access to your workspace. That’s not always easy, or even possible, so it’s a good idea to use a privacy screen. Multiple vendors offer a filter that attaches to your monitor or laptop screen and restricts visibility to whoever is sitting directly in front of the display. It’s almost a necessity when you travel: You don’t want a nosy seatmate reading what’s on your screen.

As Mark Burnette, shareholder-in-charge of LBMC Information Security, noted, “If you're going to work from home and you don't have the luxury of a dedicated workspace that's only yours, and you have to share it with a child who's taking remote classes or a spouse or whatever, then you've got to be very intentional about making sure that workspace is well-kept and that you've got the ability to lock away sensitive information in a desk drawer or something."

No. 2: Protect your data

If you don’t have multiple levels of backup, disaster is just waiting to happen. A ransomware or other malware attack is only one reason to back up every PC and laptop you use. Another is that it takes just one hardware or software failure to wipe out irreplaceable company, client, and personal data. And if you work in a hybrid, work-from-anywhere environment, your work laptop can be broken, stolen, or lost. Best practice calls for multiple backups in multiple locations, with at least one copy kept offline or otherwise unreachable from your network: ransomware routinely encrypts or deletes any backup it can reach, so a backup that is permanently connected protects you from hardware failure but not from an attacker. Test restoring from a backup periodically, so that if you have to wipe your working drive you already know the copy you’re bringing in is intact and clean. For another layer of protection, keep work and client files on an external USB hard drive or flash drive with built-in hardware encryption. Vendors such as Apricorn and Kingston sell these in fairly large capacities with 256-bit AES encryption. Keep in mind that the encryption protects the data only while the drive is locked, so lock or unplug it whenever you’re not using it.

There’s also the possibility that you use the same laptop for office and home use. If so, keep in mind that the apps you use at home, such as Spotify, Netflix and, most importantly, online games, are additional ways for malware to reach your PC or laptop. Using one device solely for work and others for everything else reduces the chance of infecting your work machine. It doesn’t eliminate it, so separating work applications from everything else shouldn’t be the only security measure you rely on. Marc Punzirudu, director of cybersecurity at Top 100 Firm Sikich, noted, “There’s an inherent risk with taking something that you would call trusted like a work computer that’s done work functions, and bringing it into an untrusted uncontrolled environment.”

No. 3: Limit access to programs and data

There are a number of defenses that address this. The first is to always use unique and hard to guess passwords. Brad Place, CIO at Top 100 Firm LBMC, said, “A password generally is where things start. We changed our password policy two years ago to a 14-character minimum password. ... Length of password turns out to be the predominant factor when it comes to security. The longer that password is, the far more secure it becomes.”

At first glance, a password of 14 or more characters might seem like overkill, or impossible to remember. But if you come up with a passphrase, something like “!DonaldDuckLivesat456MainStreet!”, you have a password that’s easy to remember, has a long character length, and contains a mix of capital letters, numbers, and special characters. Two cautions: a passphrase built from your own name, address, or a well-known quotation is far easier to guess than one made of unrelated words, and even a strong passphrase must never be reused across sites, because a breach at one site then opens every other account where it was used. You might not enjoy typing it multiple times, but that pain pales beside the possibility of someone stealing or guessing your password.
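To make the length-versus-complexity point concrete, here is an added example in Python (not from the article or from any of the firms quoted): a small policy check that enforces the 14-character minimum, strips the digits and symbols that attackers’ wordlist rules strip, and estimates how much brute-force work each password represents. The common-password list and the 10-billion-guesses-per-second rate are constructed assumptions for illustration, standing in for a real breached-password list and a real GPU cracking rig.

```python
import math
import re

# Constructed stand-in for a breached-password list (e.g. a HaveIBeenPwned
# export). Not part of the article; a real deployment loads millions of entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "summer",
}

MIN_LENGTH = 14  # the minimum quoted in the article


def charset_size(password: str) -> int:
    """Size of the smallest conventional alphabet covering every character used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation plus space
    return size


def keyspace_bits(length: int, alphabet: int) -> float:
    """log2 of the candidates an attacker must try if every character were chosen
    uniformly at random. Length multiplies; a bigger alphabet adds only a little per character."""
    return length * math.log2(alphabet)


def estimate_bits(password: str) -> float:
    """Upper bound on strength; human-chosen words carry far less entropy than this."""
    return keyspace_bits(len(password), charset_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst case for an offline attacker. 1e10/s is an assumed rate for a GPU rig
    against a fast, unsalted hash; slow hashes (bcrypt, Argon2) cut it by orders of magnitude."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def check_password(password: str) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Attackers' wordlist rules strip a leading symbol and trailing digits/symbols,
    # so "Password1!" is as weak as "password". Do the same before checking.
    core = re.sub(r"^[^a-zA-Z0-9]+|[^a-zA-Z]+$", "", lowered)
    if core != lowered and core in COMMON_PASSWORDS:
        problems.append("a common password with digits or symbols bolted on")
    return problems


if __name__ == "__main__":
    for pw in ["Password1!", "!DonaldDuckLivesat456MainStreet!"]:
        print(pw, check_password(pw) or "passes", f"~{estimate_bits(pw):.0f} bits")
    # Why length wins: 8 characters from the full 95-symbol keyboard versus
    # 14 lowercase letters.
    print(f"8 chars, 95 symbols:  {keyspace_bits(8, 95):.1f} bits")
    print(f"14 chars, 26 symbols: {keyspace_bits(14, 26):.1f} bits")
```

The keyspace figures are an upper bound: a passphrase made of dictionary words or personal facts sits in a much smaller space than the character count suggests, which is why the “bolted on” check and a real breached-password list matter more than counting symbol classes.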

According to K2’s executive vice president Randy Johnston, a frequently overlooked vulnerability and access point is Microsoft’s RDS — Remote Desktop Services. “It has been, for three years running, the No. 1 attack vector for networks,” he said. “I think 91% of all ransomware in 2020 came through that mechanism. It was a little higher in 2019. The problem is that we're using RDS to get remote access. The bad actors are hooking directly to that. They're dropping off ransomware and malware, but they're also using that just to compromise the systems in general and extract data for later use.”

“The answer is pretty straightforward, though not very satisfying,” Johnston continued. “For the RDS users, combining VPN with MFA is the best protection we can provide right now.”

No. 4: Implement multifactor authentication on everything

This holds true whether you’re signing in from a PC, laptop, tablet, or phone, and whether the device is yours, a partner’s, a child’s, or a guest’s. While you may want to be hospitable, it’s still reasonable to ask that anyone using your home network has multifactor authentication turned on for their accounts, and it’s more effective still to put guests’ and children’s devices on a separate guest Wi-Fi network, so a compromised guest device can’t reach the machine you work on.

Multifactor authentication is usually enforced at the account or application level for anything you run in the cloud. That includes consumer services such as Spotify and YouTube as well as Microsoft Office 365 or Google’s G Suite. Many online services, your bank and pharmacy among them, let you unlock their apps with your phone’s fingerprint or facial recognition, and many rely on authenticator apps such as Authy, Microsoft Authenticator, and Google Authenticator, which generate a six-digit code that changes every 30 seconds from a secret shared with the site when you enroll. A code sent by text message is better than no second factor at all, but it can be intercepted by someone who takes over your phone number, so prefer an authenticator app or a hardware key wherever the site offers one.

Hardware security keys, such as YubiKey and Google’s Titan key, are stronger still. They use the FIDO2 (WebAuthn) standard, in which the key signs a challenge bound to the genuine site’s domain, so a look-alike phishing page cannot capture and reuse the login. Make sure the sites and online apps you rely on support these devices before you buy them, and register a second key as a backup in case the first is lost.

You might also consider a password manager such as LastPass, which stores your passwords in an encrypted vault protected by a master password and multifactor authentication, and lets you use a different, randomly generated password for every site. And if a site you frequent offers to send a one-time verification code to your phone or another device for you to type into a field, be sure to turn it on and leave it on.

No. 5: Never use ‘Guest’ Wi-Fi

Public and guest Wi-Fi is a real risk. Anyone on the same network, or anyone running a rogue access point with the same name as the venue’s, can watch unencrypted traffic, send you to a fake login or captive-portal page to harvest passwords, or probe your laptop for exposed services such as file sharing. HTTPS, which most sites now use, protects the contents of each connection but not the fact that you’re connecting, and a convincing fake portal can still capture credentials or push a bogus “update” that installs malware able to steal passwords and watch for banking and card activity.

You may not always be able to avoid guest Wi-Fi, but there are alternatives for most situations. One is a mobile router with a SIM card that reaches the Internet over the cellular network. Multiple vendors, such as Netgear, offer these devices, and prepaid SIM cards with a data allowance are sold at pretty much any local store and easy to top up when the data runs out. An alternative is your cell phone’s hotspot. Use one of these rather than guest or free Wi-Fi wherever you need Internet access away from your secure office. Keep in mind that a cellular link only changes who sits between you and the Internet; it does not stop malware you download over it, so keep your firewall, endpoint protection and VPN in use on the laptop, change the hotspot’s default admin password, and keep its firmware updated.

No. 6: Be smart about smart devices

Keep in mind that anything connected to the Internet can be a pathway for malware. That’s true of anything that passes through your router or gateway, including many of today’s smart devices. Yes, possibly even that smart bulb that lets you remotely dim it and change colors. Smart TVs are a prime example, since so many of them sit on your network with their own Internet access. Video doorbells are another hackable object. Even your smart thermostat can be a vulnerability. Don’t fall into the trap of thinking that as long as your PC or laptop is protected, every device in your home is safe. Make sure every PC, laptop and tablet in your home, and any device a guest brings in, is protected, because each one can infect your network and everything else on it. For the devices you can’t run security software on, change the default password, apply firmware updates when the vendor publishes them, and, if your router supports it, put them on a separate guest or IoT network so a compromised gadget can’t see your work machine.

No. 7: Don’t think of security as an expense

“Companies look at security as an expense,” said Stephen Lawton, editorial director for the content studio at SC Media and CyberRisk Alliance. “They don't look at it as protecting their profits.”

Your firm invests in equipment, software, and training. Security is another important investment. Can it be expensive? Sure. But so can losing a client because you lost their data. And if word gets around that you lost client data because your security was second-rate, an exodus of clients could potentially cost you much more than an investment in excellent security would have cost in the first place.

No. 8: Careful what you click on!

Shivaun Albright, chief technologist of print security at HP, pointed out that with any kind of email or link, you just can’t guarantee that your interior perimeter network is secured.

Email is the primary route for both malware and stolen credentials, and phishing is how most of it arrives. There’s a maxim that you never open an email unless you know where it’s actually coming from. It’s not foolproof, but if you get an email telling you there’s a disputed charge, a problem with a credit card or bank account, or something similar, look at the sender’s actual address, not just the display name, which the sender can set to anything. Addresses can be spoofed by someone who knows how, and the link can lead to a very realistic landing page that looks authentic, so also hover over any link to see where it really points before clicking. If the sender’s address reads something like apple@imgonnagetyou.com, that’s a pretty good red flag that something’s not right. And if you’re not sure, rather than clicking the link in the email, call the company on the customer service number on your card or bank statement and ask whether they actually sent it.
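The red flags described above can be checked mechanically. The following is an added example in Python, not the article’s code or HP’s, that parses a constructed phishing message modelled on the apple@imgonnagetyou.com case alongside a constructed legitimate receipt, and reports the mismatch between the claimed brand and the sending domain, between link text and link target, and the urgency language of the lure. The KNOWN_SENDERS table and both messages are constructed for this example.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Brands you expect mail from and the domains they actually send from.
# Constructed for this example; build yours from real correspondence.
KNOWN_SENDERS = {
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
}

# Constructed lure modelled on the article's "apple@imgonnagetyou.com" example.
PHISH = b"""From: "Apple Support" <apple@imgonnagetyou.com>
To: you@example.com
Subject: Disputed charge on your account
Content-Type: text/html

<p>A charge of $499 is in dispute. Review it at
<a href="http://apple.com.imgonnagetyou.com/login">https://appleid.apple.com</a>
within 24 hours or your account will be suspended.</p>
"""

# Constructed legitimate receipt for comparison.
LEGIT = b"""From: "Apple" <no_reply@email.apple.com>
To: you@example.com
Subject: Your receipt
Content-Type: text/html

<p>Thanks for your purchase. Manage it at
<a href="https://appleid.apple.com/">https://appleid.apple.com</a>.</p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels: 'email.apple.com' -> 'apple.com'. Adequate here; production
    code should consult the Public Suffix List so 'example.co.uk' is handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw: bytes) -> list:
    """Return human-readable red flags for one message (empty list = nothing found)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    claimed = f"{sender.display_name} {sender.username}".lower()
    # 1. Display name or mailbox names a brand, but the domain belongs to someone else.
    for brand, domains in KNOWN_SENDERS.items():
        if brand in claimed and sender_domain not in domains:
            flags.append(f"claims to be {brand} but sent from {sender_domain}")
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = urlparse(text.strip()).hostname
        # 2. Visible link text is a URL on a different site than the real destination.
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            flags.append(f"link shows {shown_host} but goes to {href_host}")
        # 3. Brand name buried in a subdomain of an unrelated domain (apple.com.evil.com).
        for brand, domains in KNOWN_SENDERS.items():
            if brand in href_host and registrable_domain(href_host) not in domains:
                flags.append(f"lookalike host {href_host}")
    # 4. The pressure language that every "disputed charge" lure relies on.
    if re.search(r"disputed charge|within \d+ hours|will be suspended",
                 msg["Subject"] + " " + body, re.I):
        flags.append("urgency lure in subject or body")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze(raw) or "no red flags")
```

These are the same checks a careful reader makes by eye. The authoritative evidence about who really sent a message is the Authentication-Results header (SPF, DKIM and DMARC outcomes) that your mail provider adds on receipt; the heuristics here catch the look-alike tricks that pass those checks because the attacker legitimately owns imgonnagetyou.com.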

No. 9: Buy expertise when needed

Many firms are as vigilant as they can be in identifying potential weak points. But the truth of the matter is that unless you have specialized training and the tools that go along with it, there’s a fair chance you will overlook places where your firm and your work-from-anywhere office can be attacked, or miss malware that’s already in place. The tools and techniques that security specialists use are far more effective than what’s available, or even usable, to many of the practices most at risk. The hosted services your firm relies on are part of your attack surface too, and evaluating a provider’s security takes the same expertise.

Randy Johnston suggests that you choose reputable IT providers that understand and implement best practices for security to help and supplement your internal IT staff.

And SC Media’s Lawton pointed out, “For a smaller company, this is one of those times when you want to spend the money and go out and find a security pro that can do the job correctly. Because it's too easy for malware to slide underneath the radar. ... I don't care how big your practice is. A smaller practice has as much responsibility as EY or Deloitte or any of the big firms. You have to protect the data of your customers.”

No. 10: Educate yourself and your staff

“Ignorance is bliss” doesn’t work when it comes to security. While deep security audits should always be done by experienced personnel, everyone who works for the practice should be educated in basic security dos and don’ts. This education can come from vetted online materials, vetted YouTube or other videos, materials prepared and distributed by personnel experienced in security practices, and other available resources. Lynn Baril, CTO of Top 100 Firm KLR, emphasized that, “MFA is just the front line of defense. We know that most of the bad things that happen in a network environment can be avoided with adequate training. Teaching employees about malware and ransomware, and how to avoid them, is just as important as the training given in how to use the software applications.”

Jim Bourke, managing director of advisory services at Top 100 Firm Withum, noted that the American Institute of CPAs, other national organizations, colleges, and state and local CPA societies all offer courses and seminars on security. Taking these, and having relevant staff take them as well, not only raises awareness of vulnerabilities and how to address them, but also earns CPE hours. He also pointed out that his firm requires staff to document that they have watched the required videos and to answer questions about what they watched. Staff who don’t complete this are locked out of the company network.

No. 11: Never trust; always verify

“Zero Trust” is a term that’s gaining recognition in discussions of security and how to implement it. Definitions vary (NIST’s Special Publication 800-207 is the most widely cited), but the core idea is that location earns no trust: being inside the office network, or connected over the VPN, no longer entitles a user or device to reach anything. Every request for data or an application is authenticated, checked against the health of the device making it, and authorized for that one resource, with access brokered through a gateway rather than a direct pipeline from the remote machine into the office network. In practice, a remote worker reaches the specific applications they need, not the whole network behind them.

What’s more, according to SC Media and CyberRisk Alliance’s Lawton, “As you bring workers back into the office, you have to assume that every device that’s been out there has been compromised.” This doesn’t mean a quick sweep with a normal virus scan: “Before you stick it back on the network, you have to do a much deeper forensic cleaning.”

No. 12: When possible, air-gap your data

This goes along with the Zero Trust approach above: don’t leave sensitive data permanently reachable from every machine on the network. If at all possible, store it on an encrypted external drive or NAS (network-attached storage). When it’s not actively in use, power the drive down and unplug both the AC plug and the network cable (most NAS units are wired rather than Wi-Fi, which makes this straightforward). Ransomware can only encrypt what it can reach, so a drive that is powered off and disconnected is out of reach, which is what “air gap” means here, and it adds yet another layer of protection. And if you find out that the network has become infected, don’t reconnect the drive until the infection has been contained and eradicated, and scan the machine you reconnect it to first.

No. 13: Have a list, check it twice

Withum’s Bourke suggested a few things that should be on your checklist: a professional-grade VPN (virtual private network), encrypted hard drives and flash drives, education about phishing attacks and other Internet threats, and locking down home Wi-Fi. Add every other point where you and/or your clients might be vulnerable. Then have several staff members in different roles go over the list and add anything they think you’ve missed. At a minimum, involve your and your clients’ IT people, and bring in anyone else whose position is a place where an intrusion or infection could occur. Once you have the list, expand it to say how each vulnerability will be addressed, and create a checklist of what actions should be taken (and by whom) if an intrusion or attack occurs.

No. 14: Client vulnerabilities are your vulnerabilities

Security doesn’t flow in only one direction. If a client is hit by malware, it can spread to your network through the files and messages they send you. Don’t assume anything you receive electronically from a client is clean. Scan every file and attachment as thoroughly as your firm is able to, preferably before it reaches a user’s machine. And if at all possible, educate your clients on the risks they face, and help them shore up their security as well.