Don’t Be an Easy Target for Hackers.

As a modern tax professional, you know highly sophisticated cyber attacks make your business a potential target. With your business information digitized, cybersecurity is an essential component of your overall security. It’s the best way to guarantee your data is secure, and protect your clients’ information from unauthorized access.

But here are two pieces of information you may not know about:

Information Security & Cybersecurity

Information Security is defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction to provide confidentiality, integrity, and availability.

Cybersecurity is a critical component of Information Security. It involves the protection of electronic devices and electronically stored information, with the similar goal of ensuring its availability, integrity, authentication, confidentiality, and non-repudiation.

For further information read the U.S. Federal Government’s National Institute of Standards and Technology (NIST) published guidelines entitled: “Small Business Information Security: The Fundamentals” It’s worth reading.

“Verizon’s 2016 Data Breach Investigations Report found a shocking 30% of recipients open phishing messages and 12% click on attachments.”

What’s a Cybercriminal’s Best Weapon? Ignorance!

Small and medium-sized businesses (SMBs) are a prime target for hackers today, says Jim Krantz of Krantz Secure Technologies. They are easier prey than larger enterprises because most don’t have data security policies in place. Not to mention that they don’t believe they are at risk. They won’t take the time or invest the money to protect their business. For these reasons, the Dark Web makes it easier and cheaper for anyone to use ransomware solutions, like Petya and WannaCry, and place a “bull’s eye” on your business.

Don’t Be Fooled – Your Files Have “Theft Value.”

Cybercriminals want your data – your client’s information – and your money. And they won’t stop until they get what they want. But how do they do this?

Attack Vectors – Below is a diagram that shows the most common “attack vectors” being used today, and what hackers don’t want you to know.

But what are Attack Vectors? They are the steps, codes, keystrokes, and software a hacker uses to gain access to your computer or network to deliver malware that can result in:

• Damage to your information or systems.
• Regulatory fines, penalties, and legal fees.
• Decreased productivity.
• Loss of critical business information.
• Loss of trust from your clients.
• Damage to your reputation.
• Damage to your credit so you can’t get loans.
• Loss of business income.
• Financial loss due to ransomware or wire transfer exploits.

The purpose of the theft? Hackers steal your clients’ data, so they can:

• Sell it on the Dark Web.
• Access financial accounts for withdrawals.
• Set up credit card accounts.
• File fraudulent tax returns in victims’ names to collect refunds.

As you can see, the taxpayer information you store is at high risk. That tax information, left unprotected, is a target for data theft.

Hacking is a crime. It remains a top priority for the IRS to end this criminal activity. To help keep you informed and up-to-date, back in 2015, the IRS implemented National Tax Security Awareness Week for the following groups:

• Tax return preparers
• Software providers
• State tax agencies
• Payroll providers
• Financial Institutions

The IRS urges you to take the time between tax seasons to contemplate your cybersecurity measures.

Visit their Protect Your Clients, Protect Yourself Campaign.

And yes, it is your legal obligation to protect taxpayers’ personal information. The good news is, there are easy, affordable steps you can take to protect your organization. Once in place, they balance security with the needs and capabilities of your business. When viewed as part of your business strategy and standard processes, information security makes sense.

Follow These Best Practices.

Protect Your Credit.

• Set up Fraud Alerts with your banks, credit companies, and credit cards.
• Regularly check your credit report from each of the three bureaus.
• Monitor all accounts closely, even small transactions.
• Freeze your credit report with all three services.

90% of U.S. lending decisions look at your FICO Score. Taking these steps won’t impact your credit or ability to use existing credit cards. However, if you’re applying for a loan, you’ll need to “thaw” your account. Allow three days for the reports to become available.

Classify Your Data.

• Identify what information your business stores and uses.
• Determine the value of your information. If you can’t estimate it in dollar amounts, then classify it as low, medium or high.
• Ask yourself–What would happen to my business if:
  • This data be made public?
  • This information be incorrect?
  • My clients or I couldn’t access this information?
• Do I need this info? Don’t collect personal information you don’t need. If you require it for only a short period, make sure you have a process to promptly and correctly discard it.

Security Awareness Training for Your Employees

Remember, hackers will try to gain access to your network any way they can. It’s a lot easier for the bad actors to attack using your employees, than a well-maintained infrastructure.

Let’s look at how employees may be your most significant vulnerability:

• Employees share their passwords with other employees.
• Using simple passwords easily cracked and stolen by brute-force hacking tools.
• They get tricked by phishing attempts and CEO fraud.
• Unknowingly divulging confidential information or provide access to funds.

For this reason, it’s essential to have a professional, like Krantz Secure Technologies, conduct Security Awareness Training on a regular basis.

Secure Your IT Infrastructure.

1. Your network must be well managed with patching, virus protection, backup solutions and firewalls that are diligently kept up to date.
2. Use GEO IP Filtering on your Firewall whenever possible. This feature allows you to block connections to or from a geographic location. It should be a next–generation firewall with perimeter malware protection.
3. Be sure you have reliable backups, both onsite and offsite.
4. Use next-generation endpoint protection, which also includes any printers and copiers connected to your network.
5. Use robust and up-to-date spam and content filtering.
6. When using remote access 2 Factor Authentication is essential.
7. Undergo an annual cybersecurity assessment.
8. Deploy a proactive effort with incremental layers of security to meet today’s new security challenges.
9. Conduct ongoing Internal Vulnerability Assessments and Remediation.
10. Provide Cybersecurity End User Training.
11. Get Cybersecurity Insurance. (Your provider should be part of your Incident-Response Team.)
12. Develop a Cybersecurity Policies and Procedures Manual.
13. Make sure you have a written (and tested) Business Continuity Plan.

Let’s Not Forget to Use the SANS 20 Critical Security Controls

The SANS 20 Critical Security Controls was adopted by regulatory and government agencies as the foundation for security strategies. By implementing these controls, you can reduce the potential impact of cyber-attacks. They may seem daunting, but the experts at Krantz Secure Technologies can help you streamline the process and ensure your firm is following the best practices for information security.

Ensure Your Mobile Devices Are Secure.

With the proliferation of mobile device use and BYOD to work, your business needs secure mobile device solutions. Mobile Device Security ensures your workforce uses their devices in a safe and controlled manner. It protects your data, whether it’s deployed across multiple mobile service providers or on a variety of mobile operating systems.

Your Mobile Device Security Solutions should allow:

• Access to remotely locate, wipe or lock a stolen device.
• Permission to wipe only business data from a personal device.
• Dynamic security features that continuously monitor and manage devices.
• Implementation of secure passcode policies.
• Enforced encryption policies.

Your Mobile Device Security should include your employees’ smartphones. They contain valuable contact information and emails that cybercriminals want. Let’s not forget text messages and spoofing. Simple text messages are vulnerable.

Bluetooth is convenient but not secure. Viruses can spread via Bluetooth and hackers can use it to connect and compromise your phones. Always turn off Bluetooth when it’s not needed, and disable automatic pairing. Also, set your devices to “Non-discoverable.”

Wi-Fi Hotspots can put your business information at risk. Anything that you send over an unsecured Wi-Fi is subject to interception. Always turn off Wi-Fi when you’re not using it. Don’t allow your device to auto-join unfamiliar networks. And don’t send sensitive information over Wi-Fi unless you know it’s secure.

Keep an Internet Security Mindset.

Just visiting an unsecured site without clicking any links can compromise your cybersecurity. When browsing online, be sure to check the website’s security status. Make sure it begins with HTTPS before you enter any personal or financial information. You want to see a closed padlock symbol next to the URL (shown below). This way, you know that GeoTrust has confirmed the site’s security is up to date.

Be Careful with The Internet of Things (IoT).

The IoT refers to the connection of devices to the Internet. Cars, appliances, medical and manufacturing tools are coming online through the IoT— With the rapid development of the IoT, and the fact that more small devices are hooking-up to the Internet, security is an increasing concern.

Many IoT devices have weak or no security. There are known vulnerabilities that can’t be patched or upgraded. If you use them in your business, isolate them to a separate network.

Take the Time to Protect Your Business Before It’s Too Late.

As you have learned, there is much to be considered, when it comes to protecting your business from today’s hackers. Off-the-shelf software is no longer the answer. The good news is Krantz Secure Technologies can address potential cybersecurity threats. We’ll train your staff to recognize and defend against them. Security Awareness Training, coupled with our Cybersecurity Solutions, will protect your business against today’s ever-growing forms of cybercrime.

For assistance, contact us at (212) 286-0325 or via the contact form on our website.