’Tis the Season to Strengthen Security

Ten steps to protect your network, data and identity amid the holiday rush.

December 19, 2011
by James Bourke, CPA.CITP

TechByte

The holiday season traditionally brings an increase in online activity. It also raises concerns regarding the security of confidential information. Activities such as online shopping, social networking and cloud computing potentially heighten the risk of exposure to security breaches and identity theft.

No single solution can protect confidential information that may be transmitted or accessed online. Instead, your firm should seek to deploy multiple products and strategies. Options and obstacles you should evaluate for your business include:

  • Implementation of an anti-virus application on every device attached to your network. Beyond installing anti-virus protection, ensure that each device also has access to currently updated data patches and files. Quite often, this process can be automated.
  • The use of “strong” passwords and/or passphrases, backed by a policy that requires users to revise or change their passwords continually and to use alpha, numeric and special characters.
  • Regular updates of operating-system and data-file patches. Vendors such as Microsoft frequently become aware of weaknesses and holes in recently released versions of applications and systems. These vendors do their best to post updates, or patches, as soon as they are developed. From a best practices perspective, ensure that your “automatic updates” feature is turned on. Note: Windows 7 is five times more secure against malware than a machine running Windows XP Service Pack 3 (SP3) and twice as effective as a machine running Windows Vista.
  • Wireless security controls. Today, the end user can access many levels of wireless encryption. These solutions range in quality and price, but using any of them is better than using none at all.
  • The elimination of unprotected shares. Ensure that all available network drives are protected and secured and that only authorized users have access to drives and data contained on those drives.
  • Firewalls. These are an absolute must. Today, most machines come packaged with some form of firewall out of the box. All Internet access should take place exclusively through a firewall. Ideally, a firewall monitors all activity passing through it and helps to make sure malware, viruses and other online scourges are kept out of your network.
  • Web-based e-mail/file sharing. Try to stay away from using freely distributed e-mail addresses, which are more prone to viruses and malware. Also, be wary of e-mails from such addresses, which are popular with fraudsters. Do your homework before picking an e-mail provider. Ask if the provider has a firewall, checks for viruses and malware and filters them out of the system. One option to consider: Many vendor solutions have appeared over the past few months that allow for the Web hosting of traditional e-mail products such as Outlook.  
  • Router/IP addressing. Know who is attaching to your network and control such attachments. Don't settle for the default addressing sequences that are assigned to most wireless routers out of the box. When deploying a new wireless router, access the system/setup files via the administrator password and assign a unique address to your device.
  • Physical access. Think about the area surrounding the machines that have access to your network, applications and data. Make sure that when those machines are not being used, they are secured and accessible only by the appropriate users.
  • Encryption. Although a select number of states, such as Massachusetts, mandate encryption, most states still don’t require it. From a best practices perspective, look to encrypt every mobile device under your purview that has the potential to house confidential and private client information.

Protect Your Personal Privacy

Here are some tips to help protect your personal privacy:

  1. Use unique “Forgot your password?” questions. In other words, stay away from “Your Mother's Maiden Name.”
  2. Protect your friends (don’t let social networking sites scan your address book).
  3. Check privacy policies and ensure that you are aware of what they entail.
  4. Always, always check the privacy settings on social networking sites you use.
  5. Don’t post your location. In other words, don't let Twitter and other social networking applications tag your physical location to your tweets.
  6. Monitor your own online presence to confirm that no one has stolen your e-mail or social media identities.
  7. Approach all hyperlinks with caution. Even in cases where you know the sender, take extra steps to verify that links contained within their tweets and postings are valid. You never know when a sender’s account may have been hacked. Also, be wary of shortened URL links. If you don’t know whether a shortened URL will take you to a malicious site, there is a definite way to find out:
    1. If navigating to a bit.ly link, add a “+” to the end (http://bitly.com/10Sjt+). Doing this will take you to a bit.ly site that will give you specific details about the target site.
    2. If navigating to a TinyURL link, add the word “preview” in front (http://preview.tinyurl.com/6u5ba).
  8. Do your banking and credit card transactions at home, connected to a secured network.
  9. Shop only on encrypted sites designated with the "https:" characters in the URL, with "s" representing "secure."
  10. Most importantly, keep your computer safe by applying data file updates, system patches and an appropriate level of encryption.
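
The two preview rules in tip 7 can be applied automatically before anyone clicks a shortened link. The sketch below is an added example, not part of the original article; the function name preview_url and the choice to drop query strings and fragments are assumptions, and the hosts and sample links are the ones the article quotes.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts and rewrite rules come from tip 7; the names below are hypothetical.
BITLY_HOSTS = {"bit.ly", "bitly.com"}
TINYURL_HOSTS = {"tinyurl.com", "www.tinyurl.com"}
PREVIEW_HOST = "preview.tinyurl.com"


def preview_url(link):
    """Return the preview form of a bit.ly or TinyURL link.

    Returns None when the link is malformed, carries no short code, or
    does not point at one of the two shorteners the article covers.
    """
    link = link.strip()
    if "://" not in link:
        link = "http://" + link  # links pasted without a scheme
    try:
        parts = urlsplit(link)
        # .hostname ignores any "user@" prefix, so a link such as
        # http://bit.ly@other.example/x is judged by its real host.
        host = (parts.hostname or "").lower()
    except ValueError:
        return None
    path = parts.path
    if path in ("", "/"):
        return None  # shortener home page, nothing to preview
    if host in BITLY_HOSTS:
        # Rule 1: add "+" to the end (query and fragment are dropped
        # so the "+" really is the last character; an assumption).
        if not path.endswith("+"):
            path += "+"
        return urlunsplit((parts.scheme, host, path, "", ""))
    if host in TINYURL_HOSTS or host == PREVIEW_HOST:
        # Rule 2: put "preview" in front of the host name.
        return urlunsplit((parts.scheme, PREVIEW_HOST, path, "", ""))
    return None


if __name__ == "__main__":
    # Sample links: the two quoted in the article plus constructed ones.
    for sample in ("http://bitly.com/10Sjt", "http://tinyurl.com/6u5ba",
                   "http://bit.ly@other.example/x", "https://example.com/a"):
        print(sample, "->", preview_url(sample))
```

A None result means the link is not a bit.ly or TinyURL address, so neither preview rule applies to it.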

Conclusion

You’re not alone in the war against ID theft. The Internal Revenue Service (IRS) has been victimized as well. According to a 2010 IRS report, 245,000 identity theft incidents occurred in 2010. Since 2008, the IRS has identified over 470,000 incidents of identity theft affecting more than 390,000 taxpayers. Many of these cases involve scammers using stolen Social Security numbers to file fraudulent returns in hopes of getting a quick refund check.

Identity thefts occur on a daily basis around the country. Some high-profile security breaches have included Certegy Check Services, where an employee was caught stealing customer records and selling them to a broker; Bank of New York Mellon, which lost a back-up tape containing Social Security numbers and confidential bank account information; and the U.S. Department of Veterans Affairs, which sent out a hard drive with unencrypted data in a database RAID array for repair.

Be wary and cautious and use the above tips to ensure a safer holiday season.

James C. Bourke, CPA.CITP.CFF, is director of Firm Technology at WithumSmith+Brown. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and is the Chair of the AICPA CITP Credential Committee. Accounting Today has continually named him as one of the Top 100 Most Influential People in the Profession.