Cyber Security Do’s & Don’ts

Presentation transcript:

Cyber Security Do’s & Don’ts - 2019
IMTIAZ MUNSHI, CPA – Co-founder & CEO, Aztec Technologies; Vice President, myCPE LLC; President, Munshi CPA, PC
LinkedIn - https://www.linkedin.com/in/imtiaz-munshi-57725a
Email - imunshi@munshicpa.com

LEARNING OBJECTIVES
- Introduction to Cyber Security
- Identifying characteristics of best security practices
- Choosing the appropriate security tools / techniques
- Identifying Cyber Security do’s and don’ts

CYBERSECURITY – AN INTRODUCTION
- Meaning and understanding
- Concept
- Importance
- Financial Consequences
- Business Perspective – for the market and business owners
- Approach towards Cybersecurity

FRAMING THE QUESTION AT HAND
- Security – a complicated necessity
- Need to be simple
- Passwords are important
- Assurance of security – systems approach
- People make policies work
- Right tools – Effective Results
- Verification is necessary to ensure trust

DATA PROTECTION & ITS RELEVANCE For Small Accounting Firms

CPAs AS TARGETS FOR ATTACKS
- CPAs hold confidential and sensitive client information
- Lack of knowledge regarding good cybersecurity practices
- Weak passwords
- Lack of proper IT controls; outdated hardware

DATA PROTECTION – WHY???
- A Healthy Business Practice
- Protecting the Firm’s Reputation
- Assistance in Risk Management
- Industry Requirements
- Regulatory Essentials
- Complying with Patriot Act / GDPR / AICPA’s GAPP
- Safeguards Intellectual Property

TECHNOLOGY FOR SMALL ACCOUNTING FIRMS
- Personal Computer Centric Approach
- Operations Based on - Windows and MS-Office
- Email and Data Servers
- Networking Infrastructure
- Remote Access
- Public Cloud
- Website and Private Client Portal
- Data Backups

POLLING QUESTION 1
Why are CPAs an easy target for hackers?
- Confidential and sensitive data of clients
- Lack of knowledge and weak passwords
- Lack of proper IT security measures
- All of the above

DATA LOCATION
Storage
- Obvious locations – Servers, Backup Storage, PCs
- Not-Obvious: Email, Smartphone, Cloud, Printer etc.
While Communicating
- E-mails
- Uploads/Downloads
- LAN & Wi-Fi Transmission
- Online Meetings

DATA BREACHES
Unintentional – Human errors
- Transmitting to the wrong email address
- Poor passwords
- Device malfunction, or lost/stolen devices
Intentional
- Internal (rogue employees)
- External
  - Malware attack
  - Direct external breach – less likely, as small firms are not attractive targets

CONSEQUENCES OF DATA BREACH - 1
Cost to client
- Identity theft, IP leakage
- Compromised biometrics
- Financial damage
Cost to business
- Confidential details leaked
- Revenue loss
- Damage to trust and reputation of brand

CONSEQUENCES OF DATA BREACH - 2
What would follow -
- Ransom Demand
- Financial costs of data recovery, and notifications to protect the interests of the clients
- Litigation
- Fines and Penalties

AN ENTERPRISE APPROACH TO CYBERSECURITY
KEY FACETS -
- Prevention
- Detection
- Remedy
- Reporting

HOW TO MITIGATE RISK?
- Prioritizing security when setting up systems
- Framework of tech policies and procedures
- Assuring physical security of data – staff, maintenance personnel, vendors, ex-employees
- Implementing hardware and software solutions – organizational buy-in
- Cyber Insurance

NETWORK SECURITY
- Strong firewall settings
- Strong password policies
- Using ‘PRO’ versions of software + regular updates
- Anti-malware software
- Managed access to network & storage
- Broadband and Wi-Fi access
- Application access control
- Data encryption in transit – email
- Restrictions on data access in software applications

POLLING QUESTION 2
How is data breached?
- Wrong Email Address
- Poor Passwords
- Malware Attacks
- All of the above

HARDWARE SECURITY
- Ensuring server protection
- Secured Desktops
- Phase out obsolete hardware
- IT infrastructure management
- Security measures for Internet of Things devices

SECURITY PERSPECTIVE OF MOBILE DEVICES
- Mobile Devices - Smartphones, tablets, laptops, USB drives
- Setting up the right IT infrastructure - Company owned or BYOD
- Data stored in Mobile Devices (e.g. email)
- Mobile device management systems
- Rights policies and effective enforcement

REMOTE ACCESS AND CYBERSECURITY
- Desktop devices at homes and offices
- Hosted virtual desktops
- No DIY fixes
- No Starbucks
- Beware home Wi-Fi

CLOUD TECHNOLOGY
Utilizing the cloud technology
- Public
- Private
- Hybrid
Key points while using cloud technology
- Encrypt sensitive files stored in cloud
- Strict company policies
- Considerations for the Patriot Act Section 125 / European GDPR

EMAIL SECURITY
Email Security Facts
- Security is assured only before the email is sent; beyond that it is uncertain
- Highly vulnerable to human errors
- Need for encrypting message body and attachments
- Modest adoption of encryption on account of complexity
- 38% who do encrypt use manual encryption
- Study: 30% of business email needs encryption
Email Security Recommendations
- Must not interfere with workflow
- Must maintain file format of encrypted attachments

CYBERSECURITY STARTS WITH PASSWORD SECURITY

PASSWORD STRATEGIES
Multiple Authentication
- Something you know – Password
- Something you possess – A token or a specific Smart Card
- Something you are – Biometrics such as thumb prints, retina verification
- An identification Password Screen Image
Alternative authentication methods
- No Password Required
- Device access restricted within premises or Geo-Location
- Company policy for passwords and passphrases
- Password Management Tools
- Randomly generated passwords
- Add a layer of authentication – Dual or multi-level security for highly sensitive data
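As an added example (not part of the presenter's slides), the Python below shows two of the strategies above in working form: the "something you possess" factor as a time-based one-time code (RFC 6238 TOTP, the scheme authenticator apps and hardware tokens use), and a randomly generated password that satisfies a company policy. The policy values are assumptions, and the sample key is the RFC's published test key, not a real secret.

```python
import hashlib
import hmac
import secrets
import string
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamically truncated)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_seconds: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at_seconds // step, digits)


def verify_totp(secret: bytes, code: str, at_seconds: int, window: int = 1) -> bool:
    """Accept the current step plus +/- `window` neighbouring steps (clock drift),
    comparing in constant time so the check does not leak which digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_seconds + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Assumed company policy: minimum length and one character from each class.
POLICY_MIN_LENGTH = 16
POLICY_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*()-_=+")


def meets_policy(password: str) -> bool:
    return len(password) >= POLICY_MIN_LENGTH and all(
        any(c in cls for c in password) for cls in POLICY_CLASSES)


def generate_password(length: int = POLICY_MIN_LENGTH) -> str:
    """Random password from the OS CSPRNG that always satisfies meets_policy()."""
    chars = [secrets.choice(cls) for cls in POLICY_CLASSES]      # one of each class
    chars += [secrets.choice("".join(POLICY_CLASSES)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                        # hide the class order
    return "".join(chars)


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 test key; at t=59 s the code is 287082
    print(totp(key, 59), verify_totp(key, "287082", 59))
    pw = generate_password()
    print(pw, meets_policy(pw))
```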

POLLING QUESTION 3
Which password strategy is best?
- No Multiple Authentication
- Easy to remember passwords
- Biometrics

PRACTICAL TIPS FOR SMALL FIRMS
- QuickBooks data file transfers – “Qbox” is one solution
- Recover lost QuickBooks admin password - https://passwordreset.quickbooks.com/app/qbdt/passwordreset
- Password Managers – LastPass; Dashlane
- Remote access software – LogMeIn; PCAnywhere; GoToMyPC
- Remote desktop connection – set up a dedicated IP address
- Sample Staff Technology Policy – email imunshi@azstec.com
- Starbucks – use your phone hotspot instead of free Starbucks WiFi
- Email encryption - docNCRYPT

CYBER SECURITY - MUST DOs

CYBERSECURITY FOR SMALL FIRMS – THE MUST DOs
- Educate yourself and your staff about Cybersecurity
- Company Tech Policy signed by all staff members
- Use strong logins and passwords
- Multiple authentication where possible
- Change passwords regularly
- Encrypt sensitive information
  - Disk drives and folders
  - Individual files
  - Email
- Protect all devices against malware (even admin computers)
- Update your systems and software regularly
- Hire an expert
- Backup data daily; archive 4 weekly backups
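The last item above, daily backups with four weekly archives, is a retention rule; the Python below is an added illustration (not the presenter's script) of which backup dates that rule keeps and which can be pruned. It assumes a daily backup is retained for seven days and that each week's archive is the last backup taken in that ISO week; the backup dates are constructed sample data.

```python
from datetime import date, timedelta

DAILY_KEEP_DAYS = 7    # assumption: each daily backup is kept for one week
WEEKLY_ARCHIVES = 4    # the slide's rule: archive 4 weekly backups


def retained_backups(backups, today, daily_days=DAILY_KEEP_DAYS, weekly=WEEKLY_ARCHIVES):
    """Return the set of backup dates the retention policy keeps."""
    # Daily tier: anything taken within the last `daily_days` days.
    dailies = {d for d in backups if 0 <= (today - d).days < daily_days}
    # Weekly tier: one archive per ISO week, namely the latest backup in that week,
    # keeping only the most recent `weekly` weeks that have a backup at all.
    latest_in_week = {}
    for d in backups:
        week = d.isocalendar()[:2]            # (ISO year, ISO week number)
        if week not in latest_in_week or d > latest_in_week[week]:
            latest_in_week[week] = d
    archives = sorted(latest_in_week.values(), reverse=True)[:weekly]
    return dailies | set(archives)


def prunable_backups(backups, today):
    """Backup dates that fall outside both tiers and can be deleted."""
    return sorted(set(backups) - retained_backups(backups, today))


def sample_backups(today, days=40):
    """Constructed sample: one backup per day for `days` days ending today."""
    return [today - timedelta(days=i) for i in range(days)]


def demo():
    """Run the policy on the constructed sample: kept dates (newest first) and prune count."""
    today = date(2019, 6, 30)                 # constructed: a Sunday
    backups = sample_backups(today)
    kept = sorted(retained_backups(backups, today), reverse=True)
    return [d.isoformat() for d in kept], len(prunable_backups(backups, today))


if __name__ == "__main__":
    kept, pruned = demo()
    print("keep:", ", ".join(kept))
    print("prunable:", pruned)
```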

CYBER SECURITY DON’TS

CYBERSECURITY FOR SMALL FIRMS – THE MUST-NOT-DOs
- Don’t leave your device unattended in public places
- Don’t forget to lock your device when not at your desk
- Don’t trust – verify and ensure
  - Links
  - Software Programs
- Don’t write down passwords
- Don’t open email and attachments from unknown sources
- Don’t plug unauthorized devices into a work or personal computer
- Don’t use public WiFi; use your mobile phone hotspot if you have to
- Don’t provide your normal WiFi password to guests; set up a guest password instead

‘Do It Yourself’ VS ‘IT EXPERT’ – A COMPARISON
- Cost
- Assurance
- Failure Risks
- Success ratio – Statistics for small firms
- Compliance
- Need of the changing times

PREPARING TEAM FOR THE CHALLENGE
- Training
- Testing
- Implementing policies
- Email encryption
- Strict policies and enforcement regarding mobile devices on premises
- Telephonic confirmation required for wire transfers
- Confirmation Text

SESSION OVERVIEW
- Cybersecurity – understanding and importance
- Data Security and relevance for Small Accounting Firms
- CPAs as targets
- Tech for small CPAs
- Data breach – Types and Consequences
- Enterprise Approach Towards Cybersecurity
- Framing the questions at hand
- Do’s and Don’ts
- DIY Vs. IT Expert – a Comparison
- How to prepare your team for good cybersecurity

THANKS! DO YOU HAVE ANY QUESTIONS??? REACH ME - imunshi@munshicpa.com