The Statement

Security — an issue that should concern you (Part 1 of 3)

By T. Rose Rovelto, CPA
Boomer Consulting

I grew up in Chicago, so I have a habit of always locking my car door. It is such a habit that I even lock it when it is in my garage. I now live in a small town and have traveled to even smaller towns where people are not so particular about locking their car doors, or even the doors of their homes. I have come to believe that it has to do with the comfort level with the area in which you live. I would guess that an individual's car or home would only have to be broken into once for the habit of locking the door to become a practice. And, I would hope that the price paid for that experience is not too high.

One would be hard pressed to find a business owner that didn't lock up their quarters at the end of a business day — even in a small town. Why do they do this? Because they have high-priced equipment, and more important to CPAs, confidential client information that they need to protect. Client confidentiality and reputation have always been the highest priorities in the CPA profession. However, with the inclusion of the public Internet in practices today, CPAs not only have to lock their physical doors but their virtual doors as well.

According to Internet World (Aug. 1, 2000 issue), the Computer Security Institute estimates business losses of $265.6 million for the first half of 2000, compared to $120 million in ALL of 1999. Ninety percent of the 273 companies or government bodies interviewed by the Institute admitted they had suffered an attack in the previous 12 months. The statistics are a bit deceiving due to the high level of growth of Internet usage, but they are, nevertheless, alarming. CPA firms must learn what it takes to lock all the "doors" to the network before they become yet another statistic.

Security fundamentals

Before you begin your task of securing your network, let's review the basic fundamentals that apply in all networking situations (i.e., LAN, WAN, remote access and the Internet).

  • Identification and authentication: You must be able to identify who the individual is and whether he/she is authorized to use the resources on your network. This will allow only authorized users access to your network.
  • Access control: You must also determine whether the individual has permission to the requested resources that exist on your network. This will allow only authorized users access to certain applications or files based on "need-to-know" criteria.
  • Confidentiality and integrity: When sending and receiving information, you must (1) determine whether the individual is who he/she claims to be, (2) determine whether he/she should be able to read it, and (3) identify whether the information has been changed in any way. The goal here is to ensure a "private line" rather than a "party line" and only those privy to the conversation are allowed to take part.
  • System availability: You must ensure that the system is available to those that are authorized to access it. If you find yourself in the middle of tax season and the network is unavailable for any length of time, would that affect your business?
  • Administration and audit: You must have procedures in place to be able to determine who did what, when and where. There is software available to track access attempts and monitor usage. This is a simple extension to the overall internal control system of your firm. You wouldn't allow your clients to operate without internal controls, would you? Practice what you preach.
  • Review: And finally, you must put procedures in place to review the audit logs, procedures and policies that are established by the management team. You must ensure that attacks or unauthorized user attempts are not only monitored but also reviewed and resolved. What good is a policy that is not followed or an audit log that is not reviewed?
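To make these fundamentals concrete, here is an added example written for this page (it is not code from the article or from Boomer Consulting). The user names, passwords, file paths and the "three strikes" review threshold are all constructed for illustration. It covers authentication (salted password hashes, a constant-time comparison, and a dummy hash so an unknown user name takes the same time to reject as a wrong password), need-to-know access control, an audit log that records every attempt whether it succeeds or not, an integrity tag that detects a changed message, and a review routine that picks out of the log the accounts that need follow-up. Availability is the one fundamental it does not show.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000

# --- Identification and authentication ------------------------------------
# Store a salted PBKDF2 hash of the password, never the password itself.
def make_password_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}

def check_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare

# Constructed sample users and passwords (assumptions, not from the article).
USERS = {
    "alice": make_password_record("correct horse battery staple"),
    "bob": make_password_record("march-14-deadline"),
}
# Hashed for unknown user names so a login attempt takes the same time either way.
DUMMY = make_password_record("unused")

# --- Access control: need-to-know list of user -> readable resources -------
ACL = {
    "alice": {"clients/acme/returns", "clients/acme/workpapers"},
    "bob": {"clients/acme/returns"},
}

# --- Administration and audit: every attempt is recorded, success or not ---
AUDIT_LOG = []

def log_event(user: str, action: str, resource: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user, "action": action, "resource": resource, "outcome": outcome,
    })

def login(user: str, password: str) -> bool:
    record = USERS.get(user, DUMMY)
    ok = check_password(record, password) and user in USERS
    log_event(user, "login", "-", "success" if ok else "failure")
    return ok

def read(user: str, resource: str) -> bool:
    allowed = resource in ACL.get(user, set())
    log_event(user, "read", resource, "allowed" if allowed else "denied")
    return allowed

# --- Integrity: a keyed MAC over the data detects any change in transit ----
def seal(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "sha256").digest()

def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(key, data), tag)

# --- Review: the log is only useful if someone reads it ---------------------
def review(log: list, threshold: int = 3) -> dict:
    """Return {user: count} for users with `threshold` or more failed logins
    or denied reads. These are the entries that need follow-up."""
    counts = {}
    for event in log:
        if event["outcome"] in ("failure", "denied"):
            counts[event["user"]] = counts.get(event["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}

def run_scenario() -> dict:
    """Constructed scenario: a valid session, a wrong password, an unknown
    account, and repeated attempts to reach a file outside the user's ACL."""
    AUDIT_LOG.clear()
    login("alice", "correct horse battery staple")   # success
    read("alice", "clients/acme/workpapers")         # allowed
    login("bob", "wrong guess")                      # failure
    login("mallory", "anything")                     # failure: no such user
    for _ in range(3):
        read("bob", "clients/acme/workpapers")       # denied: not need-to-know
    return review(AUDIT_LOG)

if __name__ == "__main__":
    print(run_scenario())   # {'bob': 4}
```

The point of run_scenario is the last bullet above: bob's one bad password plus three denied reads add up to four suspicious events, and review surfaces him, while mallory's single failed login stays below the threshold and alice, who only did what she was allowed to do, does not appear at all. Tune the threshold to your firm; what matters is that someone looks at the result.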

Identifying your threats and enemies

The complications of securing your network mount with the increasing number of individuals with whom you wish to share information. When we had an individual PC environment, we had to protect the information that was on each PC and the physical PC itself from theft and loss. When we brought individual PCs together to form LANs and WANs, we now had to protect the server and the information and applications on the server. The addition of remote access capabilities provided an interesting mix to security by not only opening up a "back door" to your network, but also providing a host of information at a thief's fingertips just by getting a hold of the machine. Finally, opening your private network to the public forum, the Internet, provides a host of new enemies and potential threats to your system and data.

Your first step, regardless of your network configuration, is to become aware of the potential risks to your network. The following is a list of probable enemies and threats to networking environments:

  • Hardware failure: Inevitably, hardware will fail. Like any electronic device, computer components can cease working — and it usually happens at an inopportune time (March 14th, maybe).
  • The thief: Whether it is your data or your equipment, there is always the potential for untrustworthy individuals to desire your "stuff." Today, you can consider yourself lucky if they only want the hardware.
  • The hacker: The introduction of the outside world into your internal network produces the most challenging enemy — the hacker. The hacker is simply out for the challenge and has little or no connection to you or your company. Whether through a compromised session, a denial-of-service attack on your Web site or a malicious e-mail virus, hackers can bring the largest companies to their knees. I am sure that everyone remembers February 2000, when mass denial-of-service attacks were staged on high-profile Web sites like eBay, eTrade, CNN and Yahoo. Or how about the "ILOVEYOU" virus that put a halt to systems all around the world?
  • The malicious insider: You really have your greatest threat right from inside your company. Malicious or disgruntled employees can strike with a data integrity breach, or by tipping off the software-licensing watchdogs if licensing policies are not followed internally. Many firms concentrate their security efforts on external threats. But after occurrences like that which happened to Elite Web Hosting in Orlando, Fla., in September 2000, some may finally take internal risks seriously.

    As seen in an article on Business Week Online, a disgruntled former employee allegedly hacked into Elite's computer system without authorization. He then allegedly sent e-mails that contained vulgar language and implied that Elite was moving into the Web porn business to every Elite customer. The missives further claimed that the company's majority owner, Augustino Mireles, had been raiding Elite's coffers for personal use. The impact on Elite was immediate: Thirty steady customers jumped ship, each taking $5,000 per month in revenue from Elite's cash flow. The worst of the story was that Elite ended up folding its business and had little recourse against the ex-employee because, as they put it, "you can't get blood out of a stone."
  • Ignorance and complacency: Most firms can eliminate many of their security issues with proper policies and procedures. Unfortunately, most firms either "do nothing" or set policies but don't monitor them. A false sense of security is worse than not being secure. If you trust every employee, vendor, customer, repairman, housekeeper, deliveryman, janitor, general observer and World Wide Web user enough to give them a key to your building, you should be just fine. If not, enhance your awareness and treat it with the importance it deserves.

Summary for now

There are security issues that exist at all levels of networking. Most of the fixes are relatively inexpensive but take training to understand and to change user habits. Regardless, it is the hottest technology issue faced by CPAs today, and cannot be overlooked or minimized. You have to lock your "doors" today. Don't wait for a breach to occur before you take the appropriate steps.
