It is no secret that CPAs have faced an increasing level of cyber-security threats, even under normal conditions. Audit Analytics reports in its June 2020 “Trends in Cybersecurity Breach Disclosures” that cyber breaches increased 400% between 2011 and 2019. The most common breaches include malware, and the theft of Social Security numbers, which are likely to be stored by CPA firms, have become an increasing target for data thieves. The IRS warned of tax and financial fraud scams related to the coronavirus (COVID-19) pandemic (IR-2020-15), and it cannot be stated any more succinctly than IRS Commissioner Chuck Rettig, “Criminals seize on every opportunity to exploit bad situations, and this pandemic is no exception”.
Compounding the already existing cybersecurity threats, the physical shift to working from home has the potential to put the protection of client data, software, and hardware under even greater stress. This month’s column focuses on free materials for CPAs, including resources that may be new to readers. The Center for Internet Security and CSO Online, are just a few of many resources to help secure the remote technology environment.
A must-see tool on the CIS website is the “Resource Guide for Cybersecurity During the COVID-19 Pandemic,” which is accessible as a webpage or downloadable four-page PDF (https://bit.ly/3jUAcmY). The guide is a fast read with hyperlinks to more detailed resources. The first page covers COID-19-related cyberattacks, addressing phishing and malspam, credential stuffing, ransomware, remote desktop protocol (RDP) targeting, and distributed denial of service (DDoS) attacks, with connections to a variety of tools, including one CIS newsletter article: “What You Need to Know About COVID-19 Scams.”
On a related note, “Cleaning up ‘Dirty’ Wi-Fi for Secure Work-from-Home Access,” pulled from Cyber Defense Magazine (June 11, 2020), is an eye-opening discussion of the risks of home workplace access. Wi-Fi networks, which cannot be resolved by a virtual private network (VPN). VPNs have grown in popularity for providing a secure Internet connection, particularly in the work-from-home environment. VPNs cannot, however, address on their own the threats created by the “dirty” nature of many home Wi-Fi networks. Internet users may not realize the large number of connected devices in their home, each of which create an entry point for a cyberattack. The article references the CIS Wireless Access Controls, Control 15, which recommends the use of a separate wireless network for personal (or untrusted) devices versus home office equipment (https://bit.ly/3f7O4Hb).
Another CSO Online article, “8 Key Security Considerations for Protecting Remote Workers” (https://bit.ly/30aOE2D) presents links to examples of the types of products addressed in the recommended practices. The discussion begins with determining what protection should be required for employees’ home computers, with specific consideration of Windows and Macintosh products and a link to a five-minute video that identifies good questions to ask. In determining what software remote employees might need, be aware that, on the positive side, some licenses do allow installation on multiple devices; on the negative side, firewalls must be configured properly to prevent ransomware attacks.
Cybersecurity & Infrastructure Security Agency (CISA)
(Cybersecurity & Infrastructure Security Agency, CISA)
Home Network Security Tip
https://www.us-cert.gov/ncas/tips/ST15-002
Global Cyber Alliance
Cybersecurity Toolkit
https://gcatoolkit.org/smallbusiness/
SANS Institute
Tips for a Work-from-Home Environment
https://www.sans.org/blog/tips-to-secure-your-organization-in-a-work-from-home-environment/
SANS Institute
Work from Home Deployment Kit
https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit
