Posted by & filed under Growing Your Firm Podcast, Team Management.

If your firm does anything in the cloud, then cybersecurity needs to be a topic of discussion. Many firms push it aside because the problem isn’t in their face. But once it becomes a problem, it can destroy a company.

Our guest today is Jamie Beresford, the CEO of Practice Protect. Practice Protect is an app that helps accountants and their clients stay safe in the cloud. They also offer policies and education to help firms keep data safe without sacrificing convenience. If you use any cloud application, including Jetpack Workflow, you need to listen to this podcast!

Podcast

Summary

  • About Practice Protect
  • Why Hackers Are Sneakier Than You Think
  • Avoiding Daisy Chained Credentials
  • Learning About Phishing
  • Why Two-factor Authentication Is Crucial
  • Location Control

Resources

Securing the Cloud Starts With People

The popular image of the hacker is someone who forcefully breaches into a secure computer to steal valuable data. Jamie says that this image is false. Hackers aren’t trying to figure out how to break into QuickBooks Online. They are trying to figure out how they can steal passwords from your company so they can gain access.

Put another way, hackers aren’t interested in breaking your doors or windows. Instead, they want a copy of your keys so they can move around undetected. This means that application security is the first thing you should look at, and that’s what Practice Protect does.

Here are three tips that Jamie shared with us that you can use to make your practice more secure.

1. Don’t Daisy Chain Credentials

In computer-speak, credentials are a username and password combination used to access a system. A daisy chain, in this context, is using the same password across multiple systems. Many people do this because it’s much easier to remember one password.

The cloud ecosystem has also made this much more prevalent. We used to only log into a single system and have everything we need in the office. Now we could use 10 or 20 cloud-based systems, each with their own credentials, for both personal and business use. That’s a lot of passwords to remember. We’re more inclined to use stronger passwords on our personal applications (bank information, dating profile) than on work applications.

The way to get around this is to use a firm-wide access management tool. This gives users a single way to access all the applications they need to do their job, so they only need a single password. The management tool takes care of logging people in and out of cloud apps with strong passwords, and handling who can access which apps. They can even sandbox your access so you never download the cloud applications onto your personal machine.

2. Learn About Phishing

Phishing (pronounced “fishing”), is the classic way for hackers to get credentials they can use to sneak into your system. It is the practice of posing as a trusted individual to get someone to do something. This could be clicking a link to allow a piece of malware into your network, posing as a manager asking for sensitive information, or even another corporation like a bank asking for your password.

Often, the emails with a link to click are loaded with ransomware, which locks down your files until you pay money to the hacker. But this isn’t the only thing that can load onto your system from an accidental click. Another payload is a keystroke logger, which reports what you type on the keyboard. This is a straightforward way to get passwords.

Once a hacker finds their way into a system, it may be trivial to get other information that will further compromise your network. For instance, if you save your passwords in your browser then they are easy to get if someone can get access to your system. The problem compounds if you share credentials across devices, which is an enormous problem now that most of us are working from home and regularly using multiple devices.

The most damaging credentials a hacker can get is your email credentials. Most people have years of emails sitting in their inboxes. That’s a motherlode of information that could be used for many things, like impersonating people.

3. Enable Two-Factor Authentication, If Possible

Finally, two-factor authentication makes it much harder for hackers to use any credentials they get. Two-factor authentication uses two passwords to access a system. One is a standard password. The other is a rotating set of digits that is connected to your identity. To log in, both need to be entered.

The digits change usually once every 30 seconds, so this is a much more secure way to access a system. These days, our smartphones can also create the digits necessary for the second password, so we need not carry around a ton of key fobs like we used to.

If you use an access management system, you may be able to use a single two-factor authentication system. If not, you may have to juggle several apps to use it. While it may add an extra step in the morning, two-factor authentication is a much stronger level of protection than a normal password.

One last piece of advice is to use location control on your network. This is like how banks restrict access to your account if they see you logging on from another country. You can limit the locations that a computer can use to access a network. This makes it much harder for people in other countries to breach your system.

If you want to know more, Practice Protect has an accounting security guide on their site. You can get to it by looking at the resources link above. Jamie offers more insight and advice about cybersecurity in his interview, so listen or watch the full episode, and take notes!

Accountants are targets for hackers because we hold such valuable information about our clients. All it would take is one breach to bring your firm down and potentially put it out of business. Don’t ignore cybersecurity issues. Just a few changes in habits can put your business on a much more secure footing.

Leave a Reply