Cyber Security Do’s & Don’ts - 2019

IMTIAZ MUNSHI, CPA –

Co-founder & CEO, Aztec Technologies

Vice President, myCPE LLC

President, Munshi CPA, PC

LINKEDIN - https://www.linkedin.com/in/imtiaz-munshi-57725aEmail - imunshi@munshicpa.com

LEARNING OBJECTIVES

• Introduction to Cyber Security

• Identifying characteristics of best security practices

•Choosing the appropriate security tools / techniques

• Identifying Cyber Security do’s and don’t’s

CYBERSECURITY – AN INTRODUCTION

• Meaning and understanding

• Concept

• Importance

• Financial Consequences

• Business Perspective – for the market and business owners

• Approach towards Cybersecurity

FRAMING THE QUESTION AT HAND

• Security – a complicated necessity

• Need to be simple

• Passwords are important

• Assurance of security – systems approach

• People make policies work

• Right tools – Effective Results

• Verification is necessary to ensure trust

DATA PROTECTION&

For Small Accounting Firms

ITS RELEVANCE

CPA’s AS TARGETS FOR ATTACKS

•CPA’s have Confidential and Sensitive client Information.

• Lack of knowledge regarding good cybersecurity practices

•Weak Passwords

• Lack of proper IT controls; outdated hardware

DATA PROTECTION – WHY???

• A Healthy Business Practice

• Protecting the Firm’s Reputation

• Assistance in Risk Management

• Industry Requirements

• Regulatory Essentials

• Complying with Patriot Act / GDPR / AICPA’s GAPP

• Safeguards Intellectual Property

TECHNOLOGY FOR SMALL ACCOUNTING FIRMS

• Personal Computer Centric Approach

• Operations Based on - Windows and MS-Office

• Email and Data Servers

• Networking Infrastructure

• Remote Access

• Public Cloud

• Website and Private Client Portal

• Data Backups

Why CPA’s are easy target for Hackers ?

• Confidential and sensitive data of Clients.

• Lack of Knowledge and Weak Passwords

• Lack of Proper IT Security Measures.

• All of the above.

Polling Question 1

DATA LOCATION

•Storage• Obvious locations – Servers, Backup Storage, PCs• Not-Obvious: Email, Smartphone, Cloud, Printer etc.

•While Communicating• E-mails• Uploads/Downloads• LAN & Wi-Fi Transmission• Online Meetings

DATA BREACHES

• Unintentional – Human errors • Transmitting to the wrong email-address

• Poor passwords

• Device mal-function, or lost/stolen devices

• Intentional• Internal (rogue employees)

• External • Malware attack

• Direct external breach – Less chances as not attractive targets

CONSEQUENCES OF DATA BREACH - 1• Cost to client

• Identity theft, IP leakage

• Compromised bio metrics

• Financial damage

• Cost to business• Confidential details leaked

• Revenue loss

• Damage to trust and reputation of brand

CONSEQUENCES OF DATA BREACH - 2

• What would follow -• Ransom Demand• Financial costs of data recovery, and notifications

to protect interest of the clients• Litigation• Fines and Penalties

AN ENTERPRISE APPROACH TO CYBERSECURITY

KEY FACETS -•Prevention•Detection•Remedy•Reporting

HOW TO MITIGATE RISK?

• Prioritizing security when setting up systems

• Framework of tech policies and procedures

• Assuring physical security of data –staff, maintenance personnel, vendors, ex-employees

• Implementing hardware and software solutions –organizational buy-in

• Cyber Insurance

NETWORK SECURITY

• Strong firewall settings

• Strong password policies

• Using ‘PRO’ versions of software + regular updates

• Anti-malware software

• Managed access to network & storage • Broadband and Wi-Fi access

• Application access control

• Data encryption in transit – email

• Restrictions on data access in software applications

How Data is breached ?

• Wrong Email Address

• Poor Passwords

• Malware Attacks

• All of the above

POLLING QUESTION 2

HARDWARE SECURITY

• Ensuring server protection

• Secured Desktops

• Phase out obsolete hardware

• IT infrastructure management

• Ensured security measures from Internet of Things

SECURITY PERSPECTIVE OF MOBILE DEVICES

• Mobile Devices - Smartphones, tablets, laptops, USB drives

• Setting up Right IT infrastructure - Company owned or BYOD

• Data stored in Mobile Devices (e.g. email)

• Mobile device management systems

• Rights policies and effective enforcement

REMOTE ACCESS AND CYBERSECURITY

• Desktop devices at homes and offices

• Hosted virtual desktops

• No DIY fixes

• No Starbucks

• Beware home Wi-Fi

CLOUD TECHNOLOGY

• Utilizing the cloud technology• Public

• Private

• Hybrid

• Key points while using cloud technology• Encrypt sensitive files stored in cloud

• Strict company policies

• Considerations for the Patriot Act Section 125 / European GDPR

EMAIL SECURITY

• Email Security Facts• Security is assured only before the email is sent, beyond that it is uncertain

• Highly vulnerability to human errors

• Need for encrypting message body and attachments

• Modest adoption of encryption on account of complexity

• 38% who do encrypt use manual encryption

• Study: 30% of business email needs encryption

• Email Security Recommendations• Must not interfere with workflow

• Must maintain file format of encrypted attachments

CYBERSECURITY

STARTS WITH

PASSWORD SECURITY

PASSWORD STRATEGIES

• Multiple Authentication• Something you know – Password• Something you possess – A token or a specific Smart Card• Something you are – Biometrics such as thumb prints, Retina Eye verification

• An identification Password Screen Image• Alternative authentication methods

• No Password Required• Device access restricted within premises or Geo-Location

• Company policy for passwords and passphrases• Password Management Tools

• Randomly generated passwords• Add layer of authentication – Dual or multi-level security for higher sensitive data

Which Password Strategy is best ?

• No Multiple Authentication

• Easy to remember passwords

• Biometrics

POLLING QUESTION 3

PRACTICAL TIPS FOR SMALL FIRMS

• QuickBooks data file transfers – “Qbox” is one solution

• Recover lost QuickBooks admin password -https://passwordreset.quickbooks.com/app/qbdt/passwordreset

• Password Managers – LastPass; Dashlane

• Remote access software – Logmein; PCAnywhere; GoToMyPC

• Remote desktop connection – set up a dedicated IP address

• Sample Staff Technology Policy – email imunshi@azstec.com

• Starbucks – use your phone hotspot instead of free Starbucks WiFi

• Email encryption - docNCRYPT

CYBER SECURITY- MUST DOs

• Educate yourself and your staff about Cybersecurity• Company Tech Policy signed by all staff members

• Use strong logins and passwords • Multiple authentication where possible• Change passwords regularly

• Encrypt sensitive information• Disk drives and folders• Individual files• Email

• Protect all devices against malware (even admin computers)

• Update your systems and software regularly

• Hire an expert

• Backup data daily; archive 4 weekly backups

CYBERSECURITY FOR SMALL FIRMS THE MUST DOs

CYBER SECURITYDON’TS

CYBERSECURITY FOR SMALL FIRMSTHE MUST-NOT-DOs

• Don’t leave your device unattended in public places• Don’t forget to lock your device when not at your desk• Don’t trust – verify and ensure

• Links• Software• Programs

• Don’t write down passwords • Don’t open email and attachments from unknown sources• Don’t plugin unauthorized devices to a work or personal computer• Don’t use public WiFi; use your mobile phone hotspot if you have to• Don’t provide your normal WiFi PW to guests; setup a guest PW instead

‘Do It Yourself’ VS ‘IT EXPERT’ –A COMPARISON

• Cost

• Assurance

• Failure Risks

• Success ratio – Statistics for small firms

• Compliance

• Need of the changing times

PREPARING TEAM FOR THE CHALLENGE

• Training

• Testing

• Implementing policies• Email encryption

• Strict policies and enforcement regarding mobile devices on premises

• Telephonic confirmation required for wire transfers

• Confirmation Text

SESSION OVERVIEW

• Cybersecurity – understanding and importance

• Data Security and relevance for Small Accounting Firms• CPAs as targets• Tech for small CPAs• Data breach – Types and Consequences

• Enterprise Approach Towards Cybersecurity

• Framing the questions at hand

• Do’s and Do not’s

• DIY Vs. IT Expert a Comparison

• How to prepare your team for good cybersecurity

THANKS!DO YOU HAVE ANY QUESTIONS???

REACH ME - imunshi@munshicpa.com