Recast Episode: This episode was originally published on November 17, 2016, but it’s a favorite among our Growing Your Firm Podcast community, so we’re bringing it back. Comment below to tell us if you’ve been listening to the podcast since the original airing of this episode.
Meet Ken Pyle
Ken Pyle, a 15-year veteran of Information Technology (IT) and Partner at CYBIR, formerly known as DFDR Consulting, can show you exactly how to protect your accounting firm from cyber attacks. It is a topic the podcast had not covered before: as IT tools keep developing, the technology isn’t the only thing getting more sophisticated. Cyber attacks are too. Ken works daily to protect accounting firms like yours. In this episode of the Growing Your Firm Podcast, David Cristello and Ken Pyle cyber-chat about:
- The #1 vulnerability in your firm
- The top ways your firm can be attacked
- Steps your team can take to protect your firm
- The power of the right passwords
The #1 Vulnerability in Your Firm
Ken has seen it all when it comes to viruses and attacks on accounting firms. CYBIR, formerly known as DFDR Consulting, is a cyber security and digital forensics IT firm, and many accounting firms hire it as an “outsourced” IT team. Cyber security is critical, yet many firms aren’t nearly as concerned about it as they should be.
CYBIR also offers digital forensics: when a problem occurs or data is compromised, the team dissects what happened and works to fix it. Even with that extra layer, it’s important to remember that “the #1 vulnerability with a firm no matter the size is the user-base.” The actual people working with the firm’s data and your clients’ information are the biggest threat to your firm. Obviously, you can’t hire robots, but you can put in place best practices and strategies to combat cyber attacks.
The Top Ways Your Firm Can be Attacked
The attacks Ken sees most often arrive the same way, through email, but end very differently.
- Phishing: You might’ve seen phishing in the past. Most commonly, it is done through email. You’ll get a message from what looks like a real company, or from a well-known company whose name or domain has been slightly disguised. The message asks you to click a link and enter information. The link leads to a look-alike page that captures whatever you type (usernames, passwords, account numbers), or to a download that installs malware on your machine; either way, the attacker uses what they collect to steal information and money from you.
- Crypto attacks (ransomware): Similar in delivery, these usually start with an email from the attacker asking you to download a file from what looks like a Dropbox or Google Drive share. Once you open it, the malware encrypts the files on your hard drive (and any network shares it can reach). The attacker then demands payment for the key to unlock them. Unless you have backups kept offline, paying may be the only way to get the files back, and even then there is no guarantee the attacker will deliver.
Ken sees doctors’ offices, law offices, and accounting firms getting hit hardest, mainly because with crypto attacks the hackers can demand large sums (Ken once heard of a ransom of $100,000) and these businesses have the money. They are also attractive targets because they typically hold clients’ Social Security numbers, bank information, and more.
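The “slightly disguised” sender is the part of a phishing email that people miss most often. The following script is an added example written for this page; it is not code from the podcast or from CYBIR. It checks a message’s From header and its links against a constructed list of domains the firm trusts (assumed names: dropbox.com, google.com and a hypothetical examplecpa.com), flagging digit-for-letter swaps such as dropb0x, near-misspellings, brand names embedded in unrelated domains, trusted names used as a subdomain of an attacker’s domain, and links whose visible text points somewhere other than their real target. The sample messages at the bottom are constructed, not real mail.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of domains this (hypothetical) firm legitimately deals with.
TRUSTED_DOMAINS = {"dropbox.com", "google.com", "examplecpa.com"}

# Digits commonly swapped in for look-alike letters in typosquat domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a host name. Assumption: ignores multi-part public
    suffixes such as co.uk, which a production check would handle."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` appears to imitate, or None."""
    host = domain.lower().strip(".")
    base = registered_domain(host)
    if base in trusted:
        return None                      # the real thing, or a subdomain of it
    for t in trusted:
        if f".{t}." in f".{host}.":      # dropbox.com.evil.net style
            return t
    name = base.split(".")[0]
    normalized = name.translate(HOMOGLYPHS)
    for t in trusted:
        brand = t.split(".")[0]
        # distance <= 2 catches one or two typos; on short brand names it will
        # also flag some unrelated domains, so tune this for your own list
        if normalized == brand or levenshtein(normalized, brand) <= 2 or brand in normalized:
            return t
    return None


def check_message(from_header, links, trusted=TRUSTED_DOMAINS):
    """Return human-readable warnings for one email.
    `links` is a list of (visible text, href) pairs from the message body."""
    warnings = []
    display_name, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2].lower()

    imitated = lookalike(sender_domain, trusted)
    if imitated:
        warnings.append(f"sender domain {sender_domain} looks like {imitated}")
    for t in trusted:
        brand = t.split(".")[0]
        if brand in display_name.lower() and registered_domain(sender_domain) != t:
            warnings.append(f"display name claims {brand} but mail is from {sender_domain}")
    for text, href in links:
        host = urlparse(href).hostname or ""
        imitated = lookalike(host, trusted)
        if imitated:
            warnings.append(f"link to {host} looks like {imitated}")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registered_domain(shown) != registered_domain(host):
            warnings.append(f"link text shows {shown} but points to {host}")
    return warnings


# Constructed sample messages (not real mail): From header and body links.
SAMPLE_MESSAGES = {
    "share": ('"Dropbox" <no-reply@dropb0x-share.com>',
              [("https://www.dropbox.com/s/q7x/ClientReturns.zip",
                "http://dropb0x-share.com/login")]),
    "legit": ('"Dropbox" <no-reply@dropbox.com>',
              [("https://www.dropbox.com/s/q7x/ClientReturns.zip",
                "https://www.dropbox.com/s/q7x/ClientReturns.zip")]),
    "colleague": ("Alice Example <alice@examplecpa.com>",
                  [("Client portal", "https://portal.examplecpa.com/upload")]),
}

if __name__ == "__main__":
    for label, (sender, links) in SAMPLE_MESSAGES.items():
        print(label, check_message(sender, links) or ["no warnings"])
```

Run it and the “share” message produces four warnings while the other two produce none. A check like this belongs in the mail gateway or a mail-client add-in rather than in people’s heads, but the four warnings are also exactly the four things to train staff to look at before clicking: the sender’s real domain, whether the display name matches it, where the link really goes, and whether that matches the text shown.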
Steps Your Team Can Take to Protect Your Firm
The first step is teaching your team the warning signs to watch for as they go about their work:
- Don’t click on email links EVEN IF YOU KNOW THE PERSON. If you’re even 1% unsure about an email, call the sender on a number you already have, not one listed in the email.
- Use a portal for client documents rather than attaching them to emails. The more you can keep out of email, the better.
- Make sure your emails are encrypted every time. It takes an additional layer of setup, but it is extra protection.
- Don’t send passwords through email. Splitting confidential information across two emails doesn’t stop hackers: if they have access to your mailbox, they will see both.
A major issue Ken sees, again and again, is a lackadaisical attitude toward employees having access to too many areas of the firm’s systems. It’s not uncommon to give a team member elevated access for a quick project, and the access never gets revoked. Remember, your own team is the biggest threat to your security. For you or your CTO, granting and revoking access takes some administrative time, but you can’t allow team members too much free rein. Give elevated access an expiry date when you grant it, and review who still has what on a regular schedule.
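The “quick project” grant that never gets revoked is easy to catch if access is recorded with a reason and an expiry and compared against the HR roster on a schedule. The script below is an added example for this page, not a tool from the podcast or CYBIR. It runs an access review over a constructed roster and access list (all names, resources and dates are made up) and reports three things, most urgent first: accounts belonging to people HR no longer lists as active, temporary grants past their expiry that are still live, and standing privileged access older than an assumed 90-day review cycle.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Roles treated as privileged. Assumption: names are illustrative.
PRIVILEGED_ROLES = {"admin", "domain-admin", "backup-operator"}
# Standing privileged access older than this with no expiry is flagged for
# re-approval (assumption: a quarterly review cycle).
MAX_STANDING_PRIVILEGE_DAYS = 90


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    role: str
    granted_on: date
    expires_on: Optional[date] = None   # None means standing access
    reason: str = ""


def review_access(grants, roster, today):
    """Compare the access list against the HR roster and return findings as
    (code, user, resource, detail) tuples, most urgent first."""
    findings = []
    for g in grants:
        person = roster.get(g.user)
        if person is None or person["status"] != "active":
            detail = "no HR record" if person is None else f"left on {person['left_on']}"
            findings.append(("ORPHANED", g.user, g.resource, detail))
            continue
        if g.expires_on is not None and g.expires_on < today:
            findings.append(("EXPIRED", g.user, g.resource,
                             f"{g.role} expired {g.expires_on}, reason: {g.reason or 'none recorded'}"))
        elif (g.role in PRIVILEGED_ROLES and g.expires_on is None
              and (today - g.granted_on).days > MAX_STANDING_PRIVILEGE_DAYS):
            findings.append(("STALE_PRIVILEGE", g.user, g.resource,
                             f"standing {g.role} since {g.granted_on}, no expiry set"))
    severity = {"ORPHANED": 0, "EXPIRED": 1, "STALE_PRIVILEGE": 2}
    return sorted(findings, key=lambda f: (severity[f[0]], f[1], f[2]))


# Constructed HR roster: who HR says is still employed (not a real firm).
ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "left_on": date(2016, 10, 3)},
    "carol": {"status": "active"},
}

# Constructed access list: what IT actually has provisioned.
GRANTS = [
    Grant("alice", "file-server", "admin", date(2016, 3, 1)),          # standing admin, never reviewed
    Grant("alice", "tax-share", "read", date(2016, 3, 1)),
    Grant("bob", "client-portal", "read", date(2015, 6, 15)),          # bob left; account still live
    Grant("carol", "client-portal", "admin", date(2016, 11, 1),
          date(2016, 11, 8), "portal upgrade"),                          # temporary grant, past its expiry
    Grant("carol", "tax-share", "read", date(2016, 11, 1), date(2016, 12, 31)),
    Grant("dave", "backup-server", "backup-operator", date(2016, 9, 1)), # nobody in HR named dave
]


def run_review(today_iso="2016-11-17"):
    """Review the constructed data as of the given ISO date."""
    return review_access(GRANTS, ROSTER, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for code, user, resource, detail in run_review():
        print(f"{code:16} {user:8} {resource:16} {detail}")
```

Run as of 2016-11-17 it reports bob and dave as orphaned, carol’s portal admin grant as expired, and alice’s file-server admin as stale. In a real firm the roster would come from the HR system and the grants from the directory and each application’s admin export; the point is that the comparison is mechanical once both lists exist, so it can run weekly instead of waiting for someone to remember.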
The Power of the Right Passwords
In the past, you could get away with simple passwords. Now, password-cracking tools can break short passwords in a matter of minutes. Ken says he could crack any 10-character password in a matter of hours; how long it really takes depends heavily on how the system stores the password, and many systems still store it in a form that makes this realistic. Ten characters is already a lengthy password by most people’s standards, and most people don’t even use eight.
Keeping a list of passwords on your work computer can lead to issues. If you don’t want anyone to see something very private, it’s best not to put it on your work computer at all, and that includes your passwords. A plain text file or spreadsheet of passwords is among the first things an intruder looks for.
The best password guide:
Ken recommends getting used to the idea of a 15-character password (yes, 15). At 15 characters, even a fast cracking rig can no longer try every combination in a useful amount of time. A trick to remembering a password this long is to make it a phrase you already know. Rather than trying to remember a string of random letters and numbers, put together a sentence only you would know. The strength comes from the length and the number of words, not from the words themselves: cracking tools do try combinations of dictionary words, so use several words, not a famous quote or a song lyric. For example, “mycarisblackwithfourdoors” sounds like an easy password, but for a hacker it is a lot of work to crack.
Don’t include personal information that is easy to find (especially birthdates or zip codes). Your password is your first line of defense against hackers, so make it strong.
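To put numbers on the advice above, here is an added example written for this page (not the podcast’s or CYBIR’s method) that estimates the work an attacker faces for a given password. It takes the cheaper of two attacks: brute force over every character of the right classes, and the pattern cracking tools actually favor, dictionary words with digits or symbols stuck on the ends. The 32-word mini-dictionary is constructed just so the script can split a passphrase into words; the attacker is assumed to use a 20,000-word list, and the guess rate of ten billion per second is an assumed ballpark for one GPU against a fast hash. Both assumptions are parameters you can change.

```python
import math
import re

# Guess rate assumed for the time estimates: ten billion per second, a rough
# figure for one GPU against a fast, unsalted hash (assumption; tune it).
GUESSES_PER_SECOND = 10_000_000_000

# Constructed 32-word mini-dictionary, used only to split a passphrase into
# words. A real cracking wordlist is vastly larger (assumption).
COMMON_WORDS = {
    "my", "car", "is", "black", "with", "four", "doors", "password",
    "summer", "winter", "spring", "fall", "admin", "welcome", "login", "office",
    "tax", "return", "client", "firm", "red", "blue", "green", "house",
    "dog", "cat", "money", "secret", "letmein", "qwerty", "dragon", "monkey",
}


def charset_size(password):
    """Size of the smallest character set a brute-force attack must cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33          # printable ASCII symbols
    return size


def brute_force_bits(password):
    """Bits of work to try every string of this length over this character set."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def segment_words(text, words):
    """Split text into the fewest dictionary words; None if that is impossible."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[-1]


def pattern_bits(password, words, dictionary_size):
    """Bits of work if the attacker guesses 'dictionary words plus digits or
    symbols on the ends', the shape cracking rules target. None if the
    password does not fit that shape (e.g. letters mixed with digits, which
    this simple model does not cover, so leet-speak passwords are overrated)."""
    m = re.fullmatch(r"([^a-z]*)([a-z]*)([^a-z]*)", password.lower().replace(" ", ""))
    if m is None:
        return None
    prefix, core, suffix = m.groups()
    segments = segment_words(core, words)
    if segments is None:
        return None
    bits = len(segments) * math.log2(dictionary_size)
    for ch in prefix + suffix:
        bits += math.log2(10) if ch.isdigit() else math.log2(33)
    return bits


def effective_bits(password, words=COMMON_WORDS, dictionary_size=20_000):
    """Cheaper of the two attacks. dictionary_size is the wordlist the attacker
    is assumed to use (assumption: 20,000 common English words)."""
    bits = brute_force_bits(password)
    pattern = pattern_bits(password, words, dictionary_size)
    return min(bits, pattern) if pattern is not None else bits


def crack_time(password, rate=GUESSES_PER_SECOND):
    """Expected seconds to find the password: half the search space at `rate`."""
    return 2 ** effective_bits(password) / 2 / rate


def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ("password", "Summer2016!", "Xk9#pL2q", "mycarisblackwithfourdoors"):
        print(f"{pw:28} {effective_bits(pw):6.1f} bits  ~{human_time(crack_time(pw))}")
```

Under these assumptions “Summer2016!” scores around 33 bits and falls in under a second even though it has upper case, digits and a symbol, an eight-character random password scores about 53 bits and lasts a few days, and the 25-character sentence scores about 100 bits and outlasts any realistic attack. That is the page’s point in numbers: length and word count are what matter, and a word with a year and an exclamation mark tacked on is not a strong password.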
Your policies: HR and the IT team need to be in constant communication, especially about hiring and firing. Wells Fargo fired about 5,300 employees in 2016 over fraudulently opened accounts, fraud that weak policies and checkpoints, especially around which employees could be granted access to certain systems, failed to stop. Disgruntled employees are the group most likely to cause security breaches on your team, and many times you won’t know an employee is disgruntled until it is too late. You must monitor sensitive actions and have policies behind them.
Most CPA firms don’t have enough manpower on the IT side, and policies fall through the cracks because the IT team can’t keep up with everything. The IT team should be given full authority over the security of the firm and be able to take action as needed. Ken sees too many firms not giving their IT team enough authority, and then blaming that team when a breach occurs.
In this technological age, you need to bolster your IT side. One bad click could expose your clients’ data publicly, which could lead to a domino effect of massive penalties and repercussions for your firm.
Protect your accounting firm from cyber attacks.
Listen to the full podcast for a more in-depth explanation of why cyber security matters in your firm! You can also find Ken speaking at many tech and accounting conferences, spreading the word about protecting your company.