Security Tips

Virtually every week there is another headline about a major security breach of digital data. What would be the impact to your firm’s reputation if it were the victim of such an attack?
Security today is very serious business, but it is an area that CPA firms tend to downplay or assume is being properly handled by internal IT resources. In most firms, the IT team is understaffed and focused on keeping the network stable, which takes all of their time. Seldom do they have adequate training to be aware of today’s security threats, let alone to ensure that the network is properly protected against them.
For this reason, we recommend that all firms outsource the higher-level security work to an external IT organization with specialists on staff whose sole role is to keep up with security issues and to develop a security routine that keeps the firm protected. Firms should also have an independent third party conduct a security audit whenever they implement new servers or make any significant change to their Internet connectivity.

Please note that we recommend this be a different group from the external network integrator the firm used to install the network, and that it have a person on staff who specializes in security, so you truly get an independent review.
While all “one shot” security installations should be outsourced, there are maintenance items that internal IT personnel should monitor regularly, which we outline below.

According to the 2006 CSI/FBI Computer Crime and Security Survey, viruses caused the greatest financial losses to businesses, so it is imperative that the firm use an anti-virus application that is reliable and updated frequently. Today, we recommend firms stick with one of the major providers such as Symantec/Norton, McAfee, and Trend Micro.
Most firms originally set the default to update their virus definitions (the signature files the scanner matches against) on a daily basis. Today, these settings should be changed so that the product either updates automatically as soon as a new definition set is available or checks for one at least hourly; a daily schedule leaves every workstation blind to a new virus for up to a day after the vendor has a signature for it.

To add another layer of anti-virus protection, many firms are now using email management companies such as Postini, BrightMail, and AppRiver to do enterprise-class anti-virus filtering along with their spam management services before email is delivered to the firm. A message then has to get past both the hosted filter and the desktop scanner, which gives two layers of protection against viruses and other malware.
Spyware is another type of malware that can degrade computer performance and leak firm data, and it is recommended that firms have at least two products at their disposal, since no single scanner catches everything. In addition to the industry favorites WebRoot SpySweeper, AdAwareSE, and SpyBot Search and Destroy, Microsoft has rolled out its own Windows Defender product, which has proven to be effective.

Firms should have a process in place to verify that workstations regularly receive updated virus and spyware definitions and are actually scanned; an installed scanner with stale definitions provides little protection.
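As an added example (not part of the original article), the following Python script implements the kind of verification process described above: it reads a per-workstation status export such as an anti-virus management console can produce, applies the thresholds the article implies (definitions refreshed at least hourly, workstations scanned regularly), and lists every workstation that is out of policy. The CSV layout, the host names, the product names and the dates are constructed for illustration and are not taken from any real console.

```python
"""Flag workstations whose anti-virus definitions or scans are out of date.

Added example: reads a per-workstation status export and reports every
machine that falls outside policy.  The export format, hostnames and dates
below are constructed for illustration; adapt parse_export() to whatever
your anti-virus console actually produces.
"""
import csv
import io
from datetime import datetime, timedelta

# Definitions should refresh at least hourly, so anything more than a day
# old means the update mechanism on that workstation is broken.
MAX_DEFINITION_AGE = timedelta(days=1)
# A workstation that has not completed a scan in a week needs attention.
MAX_SCAN_AGE = timedelta(days=7)

# Constructed sample export (not real data).  Timestamps are ISO 8601;
# an empty last_scan means the console has never recorded a scan.
SAMPLE_EXPORT = """\
hostname,product,definitions_updated,last_scan
WS-TAX01,Symantec,2006-11-13T08:05:00,2006-11-12T22:00:00
WS-TAX02,Symantec,2006-11-10T07:30:00,2006-11-12T22:00:00
WS-AUDIT05,Trend Micro,2006-11-13T07:55:00,2006-10-30T23:00:00
WS-RECEPTION,McAfee,2006-11-13T08:00:00,
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts with datetime fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hostname": row["hostname"],
            "product": row["product"],
            "definitions_updated": datetime.fromisoformat(row["definitions_updated"]),
            "last_scan": (datetime.fromisoformat(row["last_scan"])
                          if row["last_scan"] else None),
        })
    return rows


def find_exceptions(rows, now, max_definition_age=MAX_DEFINITION_AGE,
                    max_scan_age=MAX_SCAN_AGE):
    """Return {hostname: [problem, ...]} for every workstation out of policy.

    `now` is passed in rather than read from the clock so the check is
    reproducible against an export taken earlier.
    """
    exceptions = {}
    for r in rows:
        problems = []
        definition_age = now - r["definitions_updated"]
        if definition_age > max_definition_age:
            problems.append(f"definitions {definition_age.days} days old")
        if r["last_scan"] is None:
            problems.append("never scanned")
        elif now - r["last_scan"] > max_scan_age:
            problems.append(f"last scan {(now - r['last_scan']).days} days ago")
        if problems:
            exceptions[r["hostname"]] = problems
    return exceptions


def check_export(text, checked_at_iso):
    """Parse an export and return its exceptions as of the given ISO timestamp."""
    return find_exceptions(parse_export(text), datetime.fromisoformat(checked_at_iso))


def format_report(exceptions):
    """Render the exceptions as lines for the IT flash report."""
    if not exceptions:
        return ["All workstations within policy."]
    return [f"{host}: {'; '.join(problems)}"
            for host, problems in sorted(exceptions.items())]


if __name__ == "__main__":
    # Fixed "now" matching the constructed export; use datetime.now() live.
    for line in format_report(check_export(SAMPLE_EXPORT, "2006-11-13T09:00:00")):
        print(line)
```

Run it against a real export once a week and paste the output into the flash report; an empty exception list is the evidence that the process in the paragraph above is actually working, and a host that keeps appearing is one whose update agent or scan schedule needs to be repaired rather than re-run.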
Another primary security threat to firms is the ability of unauthorized persons to reach the firm’s data through your Internet connection. While virtually all firms have a firewall in place, the way it was installed and maintained can still leave the firm unknowingly exposed. To see whether your firewall has been certified to today’s standards, ICSA Labs (www.icsalabs.com) maintains a database for this purpose.

It is also important to have your firewall checked regularly to ensure that no changes have been made without the firm’s awareness. One easy-to-use service is ShieldsUP! from Gibson Research Corporation (www.grc.com). This utility probes the first 1,056 Internet ports from outside and reports each one as open (a service answered), closed (the firewall or host replied that nothing is listening, which still confirms the firm is there), or stealth (no reply at all, which is what a properly configured firewall should show for every port the firm does not intentionally publish). Run the test from a workstation inside the office so that the address being probed is the firm’s own Internet connection. The firm’s network administrator can run this test regularly as part of an IT flash report, compare the results to the previous run, and use any port that has newly become open or closed to decide whether to contact the firm’s security support group.

Not keeping your network
operating system current is another security risk to firms. Each year the SANS Top Twenty (www.sans.org) lists the most critical Internet security vulnerabilities, most of which can be protected against by keeping the current operating system patches loaded. To see how well your firm is protected against the Top Twenty vulnerabilities, which account for the vast majority of breaches, Qualys (www.qualys.com) has a utility that you can run against your systems.

In addition, as most CPA firms run Windows networks, firms can download the Microsoft Baseline Security Analyzer (MBSA), an automated tool that checks each machine for missing security updates and common misconfigurations and recommends which patches you should install. Patch deployment can be further automated with Microsoft’s Windows Server Update Services (WSUS), which downloads new updates and patches as soon as Microsoft releases them, lets the firm’s IT personnel review and approve them, and then distributes the approved ones to the firm’s servers and workstations.
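As an added example (not part of the original article), here is a Python script for the ShieldsUP! comparison step described in the firewall section above: the administrator records each run as a short text file of port/state pairs, and the script diffs the latest run against the baseline and flags anything that has become more exposed. ShieldsUP! itself has no export, so the administrator transcribes its results; the snapshot format, the port lists and the set of ports the firm intends to publish are constructed for illustration.

```python
"""Compare two external port-scan snapshots and flag increased exposure.

Added example.  Each snapshot is a text file of "port state" lines as an
administrator would transcribe them from a ShieldsUP! run.  Any port not
listed is assumed to be stealth (no reply), which is what a properly
configured firewall shows for every port it does not publish.  The
snapshots and the expected-open set below are constructed, not real.
"""

# Exposure rank: stealth gives nothing away, closed confirms a host is
# there, open means a service is actually reachable from the Internet.
EXPOSURE = {"stealth": 0, "closed": 1, "open": 2}

# Constructed baseline recorded right after the firewall was installed.
BASELINE = """\
# port  state
21      stealth
25      closed
80      stealth
443     open
1433    stealth
"""

# Constructed current run for this month's IT flash report.
CURRENT = """\
21      stealth
25      stealth
80      open
443     open
1433    open
3389    closed
"""

# Ports the firm intentionally publishes (here: an SSL remote-access portal).
EXPECTED_OPEN = {443}


def parse_snapshot(text):
    """Parse 'port state' lines into {port: state}; '#' starts a comment."""
    ports = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            port_text, state = line.split()
        except ValueError:
            raise ValueError(f"line {lineno}: expected 'port state', got {raw!r}")
        port, state = int(port_text), state.lower()
        if not 0 <= port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        if state not in EXPOSURE:
            raise ValueError(f"line {lineno}: unknown state {state!r}")
        ports[port] = state
    return ports


def compare_snapshots(baseline, current):
    """List every port whose state changed, with before/after and a verdict.

    Verdict is 'escalate' when the port became more exposed and 'improved'
    when it became less exposed.  Ports missing from a snapshot are stealth.
    """
    changes = []
    for port in sorted(set(baseline) | set(current)):
        before = baseline.get(port, "stealth")
        after = current.get(port, "stealth")
        if before == after:
            continue
        verdict = "escalate" if EXPOSURE[after] > EXPOSURE[before] else "improved"
        changes.append({"port": port, "before": before, "after": after,
                        "verdict": verdict})
    return changes


def unexpected_open(current, expected_open):
    """Open ports the firm never meant to publish, whether or not they changed."""
    return sorted(p for p, s in current.items()
                  if s == "open" and p not in expected_open)


def needs_escalation(baseline, current, expected_open):
    """True if the security support group should be called about this run."""
    return (any(c["verdict"] == "escalate" for c in compare_snapshots(baseline, current))
            or bool(unexpected_open(current, expected_open)))


if __name__ == "__main__":
    base, cur = parse_snapshot(BASELINE), parse_snapshot(CURRENT)
    for c in compare_snapshots(base, cur):
        print(f"port {c['port']:>5}: {c['before']:>7} -> {c['after']:<7} {c['verdict']}")
    print("unexpected open ports:", unexpected_open(cur, EXPECTED_OPEN))
    print("contact security support group:", needs_escalation(base, cur, EXPECTED_OPEN))
```

The point of keeping the expected-open set separate from the baseline is that a port which was already open when the baseline was taken still gets reported if nobody can say why it is published; the baseline answers "what changed", the expected set answers "what should be there", and both questions belong in the flash report.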
Access controls are another area where firms are notoriously lax. This begins with the building’s security code. Ideally, each person would have their own access code, which can be terminated when the employee leaves. For firms that have only one security code for all personnel, it is important to change it whenever there is a change of personnel or of maintenance service providers.

Another access code is the individual password of each staff member, which should be changed at least twice per year, with the rules enforced by the network operating system rather than left to the user. Today, it is recommended that passwords have at least eight characters and mix upper- and lower-case letters, numbers, and symbols to make them hard to guess. For a sample password (and other computer usage) policy, SANS (www.sans.org) provides templates on its website.
Finally, it has often been said that people are the weakest link in security, so it is imperative to make them aware of security threats and keep them updated on firm computer policies. It is recommended that firms have a computer/Internet usage policy in place that is reviewed annually to make sure it covers today’s technologies such as wireless and remote access and PDA usage, threats like pharming and phishing, and how to respond to a security incident. Scheduling an hour annually to educate firm personnel will help keep them informed and the firm better protected.

Security of firm information resources is everyone’s responsibility. Optimally protecting the firm will require a combination of internal and external technical resources as well as the education and awareness of all firm personnel. Act today to minimize your firm’s risk in the future.

Roman H. Kepczyk, CPA.CITP is president of InfoTech Partners North America, Inc. and works exclusively with CPA firms to implement today’s leading best practices and technologies. This article was reprinted with permission from the CPA Technology Advisor.
InfoTech Partners North America, Inc., 13656 South 37th Place, Phoenix, AZ 85044-4531. Phone: (480) 706-1728. Fax/Voicemail: (480) 718-8880. Email: roman@itpna.com. Web Site: www.itpna.com