A data breach could cost your business everything if you don't have the correct remote cyber security measures in place.

The Cost of a Security Breach: Is it Always Business As Usual?

What is the Cost of a Cyber Breach?

A hacker stealing your information is a bad situation. However, a hacker stealing your business’s information might be worse.

Running a successful business always implies a degree of risk. However, in today’s day and age, companies are finding themselves encountering a form of risk that often goes unnoticed: cyber attacks.

If a cyber criminal launches a cyber attack on your business the damage could be irreparable.

Think about it. A cyber attack leads not only to a huge loss of profit and productivity but also to thousands of dollars in fees. Not to mention the loss of business that follows.

The average cost from damage or theft of IT assets and infrastructure increased from $879,582 in 2016 to $1,027,053 in 2017.  The average cost due to disruption to normal operations increased from $955,429 to $1,207,965.

Even worse than this, according to Inc., 60% of all small businesses fail within 6 months due to cyber attacks.

41 percent of companies have over 1,000 sensitive files open to everyone, according to research by the Varonis Data Labs.

How Do Cyber Attacks Work?

Cyber attackers look for unsecured folders the moment they gain access to a network. Why? Because these folders are open to global access groups. Global access groups include Everyone, Domain Users and Authenticated Users. This gives attackers easy access to business plans, customer and employee data, credit card information and much more.

Overexposed data presents a huge risk to businesses of all sizes regardless of the industry or location. For small and medium size businesses, however, it could mean millions of dollars in losses, reimbursements, and legal fees that end up bankrupting the business.
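As an added example (not part of the original article), this is one way a defender can list the folders that are open to those global access groups before an attacker finds them. The share root `D:\Shares` is an assumed placeholder; the groups are matched by their well-known SIDs (Everyone, Authenticated Users) and by the RID 513 suffix that every Domain Users group carries.

```powershell
# Added example: report folders whose ACL grants access to a global access group.
# The default path is a hypothetical placeholder; point it at the share to audit.
param(
    [string]$Root = 'D:\Shares'
)

# Well-known SIDs are used instead of display names so the check also works
# on localized systems and regardless of the domain's name.
$GlobalSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}
# Domain Users has a per-domain SID that always ends in RID 513.
$DomainUsersPattern = '^S-1-5-21-\d+-\d+-\d+-513$'

function Get-GlobalGroupName {
    param([string]$Sid)
    if ($GlobalSids.ContainsKey($Sid)) { return $GlobalSids[$Sid] }
    if ($Sid -match $DomainUsersPattern) { return 'Domain Users' }
    return $null
}

function Find-OverexposedFolder {
    param([Parameter(Mandatory)][string]$Path)

    # Audit the root itself plus every folder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # Folders the auditing account cannot read are reported, not skipped silently.
            Write-Warning "Cannot read ACL: $($folder.FullName)"
            continue
        }

        # Ask for explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }   # deny entries do not expose data
            $group = Get-GlobalGroupName -Sid $rule.IdentityReference.Value
            if ($null -eq $group) { continue }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Group     = $group
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Find-OverexposedFolder -Path $Root |
    Sort-Object Inherited, Folder |
    Format-Table -AutoSize -Wrap
```

Explicit (non-inherited) entries sort first because those are the ACLs that have to be changed; inherited entries disappear once the parent folder is fixed.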

Small businesses are often targets of cyber crime, yet invest less than $500 in cyber security.

What Are The Most Common Types of Attacks?

 

In the Ponemon study, 48 percent of small and medium sized businesses (SMB’s) report that social engineering/phishing was the most common kind of attack.

54 percent of respondents in the study claimed data breaches occurred due to negligent employees or contractors.

Cyber Attacks in Remote Work

Phishing attacks:

Phishing is considered the top cause of data breaches. Hackers send apparently legitimate emails with dangerous links or attached documents. When a target clicks on the link or opens the attachment, a hacker gains access to their device. The link will contain malware or ransomware that corrupts and freezes important data.

Employees might work on personal devices which might not have the same protections as a company owned computer. As a result, the personal device might be more vulnerable to malware and other viruses. Make sure you use a company issued device whenever possible. Not just for the sake of the company, but for the sake of the remote employee as well. No one benefits when a device is breached.

Insecure Passwords:

53 percent of people rely on memory to keep track of their passwords. Therefore, they choose passwords that are easy to remember. That makes it easy for a hacker to decipher an employee’s password by simply going through social media. It even allows hackers to access various accounts if the employee is using the same password.

Wi-Fi Security in a Remote environment: 

In an office environment, IT departments can protect employees and control network security. In a remote environment, however, employees probably don’t have the same protections. Hackers exploit networks with WEP security protections rather than WPA2, for example. WEP settings are the standard Wi-Fi protection for average users. Even inexperienced hackers can download tools that allow them to break through this type of network.

Remote workers don’t realize how insecure they are until something happens. All remote employees need to consider what type of network they have at home before accessing company data. Using a VPN (virtual private network) also helps in protecting against certain types of attacks on remote workers.

During the lock-down period in 2020, there were record spikes in cyber attacks on remote workers. Hackers leverage remote workers’ devices to gain access to systems that would otherwise be more secure.

The Damage You Don’t See

Even assuming an SMB survives a cyber attack financially, the reputational damage would be just as catastrophic.

Security is everything in a business, both internally and to prospective clients. If a cybercriminal hacks your business, exposing your data, no one will want to take the risk of doing business with your company. The perception that your business is unreliable or even a liability can destroy your credibility and tank your business completely.

In the worst of scenarios, you may not even notice you’ve been breached for weeks or months, at which point recovery will be next to impossible.

One of the reasons so many businesses fail is that they have an inadequate strategy for managing cyber attacks. SMB’s may have firewalls, anti-virus software, malware protection, and encryption, but they don’t plan for the event of an actual breach.

While businesses focus on keeping attackers out, the actual data itself remains accessible and vulnerable to attack.

Businesses are losing more records in a data breach. Companies represented in the Ponemon study lost an average of more than 9,350 individual records as a result of a data breach in 2017, an increase from an average of 5,079 in 2016.

A business needs a fully redundant system to access its applications and data, and regular offline backups stored in multiple onsite and offsite locations.

Nerds Support’s experienced team can guarantee a secure business and keep your data safe. A breach doesn’t have to mean failure.

With a business continuity plan that is tailored to your needs, you can get peace of mind knowing your information is safe.


CPA Canada Breach Exposes Over 300,000 People

Data Breach in CPA Canada

A breach of CPA Canada exposed the personal data of over 300,000 Canadian accountants and stakeholders.

According to existing reports, the information pertained to the distribution of CPA Magazine. CPA Canada said credit card numbers and passwords were encrypted and not among the exposed data. The cyber criminals accessed CPA Canada members’ contact information on the organization’s website.

Approximately 329,000 individuals were notified of the breach and warned of possible attacks in the future.

It warned members to stay vigilant of possible phishing emails, texts or phone calls that may come as a result of the attack.

Taking Secure Steps

Members of CPA Canada will have to check their emails frequently and be careful not to open any attachments from unsolicited messages.

CPA Canada took steps to secure its systems and its site; however, the breach could have happened months earlier. As is the case with many breaches, it’s difficult to pinpoint when exactly a breach happens.

The association ties the incident to an alert issued in April about a phishing campaign that requested users to change their CPA Canada password due to a website breach. This is a common way cyber attackers gain access to information.

A similar breach occurred after the launch of Disney Plus. Experts say that hackers sent fraudulent emails asking users to “verify” their passwords so they could be saved and sold on the dark web.

They explain that the emails originated from the IT department where the victim was employed. The emails indicate that the IT department suspected a security issue with the domain cpacanada.ca.

This is Nothing New For CPA’s

Unfortunately, this type of event is too common for accounting firms. In April 2020, the IRS issued warnings to taxpayers and firms to be aware of phishing scams involving the stimulus checks from the CARES Act.

Cyber security experts advise accountants to take even greater care of their data especially when working remotely.

Forced digitalization has left many firms more vulnerable to attacks than ever. The usual types of phishing attacks are all present, only now they’re more frequent. Hackers know that firms that had issues shifting to a remote environment left many digital vulnerabilities exposed.

The IRS itself had struggled with enabling employees to work remotely. Changes to internal systems and readjustments made for enabling remote access leave gaps for attackers that firms might not otherwise have.

Some Firms are More Vulnerable Than Others

CPA Canada reports that all activities are normal for now, but things could have turned out much worse. Accounting firms that neglect their cybersecurity can quickly become the victims of hackers. The moment attackers gain access, they encrypt and freeze data until your firm pays their fee.

Larger firms are safer because they perform frequent audits and have security consultants ready at hand. However, smaller firms might not have the resources and cyber security skills necessary to protect themselves.

These firms still deal with sensitive financial information so they become preferred targets by hackers. It’s much easier for a hacker to attack several small firms than one larger one.

Conversely, firms experience attacks caused by spiteful or careless employees. Performing regular backups is better than doing nothing but there is no guarantee the hacker won’t just keep your data hostage. Paying the ransom doesn’t guarantee an end to the attack either.

How Do you Prepare Against Phishing Attacks?

The best way to prepare for an attack is to do incremental backups and consistently test those backups. Backups are useless if you can’t restore your systems should something happen.

Working Remotely Adds New Risks

Now that CPA firms are working remotely, they might not have the same resources or security measures they would have in an office setting. Firm employees typically access applications through their secured office desktops. Accessing these same applications on a personal device could mean they are easier to breach even with a VPN.

If a CPA fails to assess the security measures needed to function remotely, it can leave the doors open to a cyber attack that breaches systems quickly.

Compliance is Key

A way smaller firms can avoid scenarios like the one mentioned above is by applying best practices when it comes to IT security. Even if you are a smaller firm with limited IT personnel, there are Managed IT services providers that can supply you with the needed boost in security.

How? By doing what the larger firms are doing, applying best practices to all of your systems. A CPA has to follow strict compliance regulations in order to operate. SOX and FINRA regulations, for example, require regular audits that demonstrate sensitive financial data is kept safe.

The added benefit of achieving compliance is that it requires a secure IT infrastructure. By auditing and verifying compliance, firms are also checking for cyber vulnerabilities.

Cyber criminals have learned that companies are increasingly more difficult to infiltrate by directly breaking through their security systems. That is why they rely on phishing attacks to go around this problem.

Phishing Attacks Still Happen Because They Still Work

In the case of CPA Canada, a phishing scam exposed valuable information. Phishing scams are still the most popular form of cyber attack today. That is because they don’t target a network; they target the user.

Phishing is all about manipulating the target into performing an action. It can be downloading an infected attachment or clicking on a malicious link.

With phishing scams, hackers don’t have to worry about the strength of a firm’s network because no matter how strong the network, it’s only as strong as its most gullible employee.

It can be even worse when added to a remote environment. Having a dedicated team of IT experts available 24/7 improves an employee’s chances of avoiding a phishing attack altogether.

Nerds Support has comprehensive IT solutions that allow our technicians to flag and monitor potential email scams. However, the safest action to take if you have a limited IT team is to send suspicious emails over to your IT department rather than opening them yourself.

CPA Canada has contacted the Canadian Anti-Fraud Center and private authorities to conduct a proper investigation. Only time will tell the ramifications of this breach and how vulnerable those affected really are.

5 Mistakes Companies Make When Choosing a Managed Services Provider

One of the biggest misconceptions about working with a managed IT services company is the idea that you have to replace your IT department.

However, that couldn’t be farther from the truth. Managed Services companies are usually brought in to augment and assist existing IT personnel.

Small and medium sized businesses often hire a managed IT services company to provide the same support they would have with an advanced IT department at a lower cost.

Co-managed IT services are options as well. Co-management services are for businesses that already have an IT department but want to improve upon it while taking advantage of the cost savings and structure of an MSP.

The benefits of a managed services company are numerous. For one thing, they handle application and network security issues while lightening the workload for I.T. departments.

Every business wants to grow, but growing too fast comes with its burdens as well. Rapid, exponential growth could start putting a strain on your resources and time. IT is no exception.

But, should you make the decision of hiring a managed IT services company, you have to know what to look for.

Unfortunately, business owners fail to consider some very important factors when choosing an MSP that is right for them.

Here are 5 BIG mistakes businesses make when hiring an MSP and how to avoid them.

1) Letting MSP’s Handle ALL of your Problems

Outsourcing all of your regular applications and security to an MSP doesn’t rid you of responsibility. It’s still very important that you develop a strategy alongside your IT department and review it with the managed services provider.

Businesses have to stay in the know when it comes to IT solutions and requirements. An MSP might know your industry well, but only you know your company.

As a business owner you need to discuss compliance, security, infrastructure and strategy regularly and frequently. This ensures the MSP is doing its job according to your business goals and complementing them.

2) Relinquishing Control

Some providers gain popularity simply because they are large. But that doesn’t make them right for your business. Especially since they are so large that establishing a point of contact is nearly impossible.

This is a big problem among large public cloud providers. Public cloud providers have so many clients that they don’t have the time to cater to an individual client’s needs. It devolves into a tenant/landlord relationship rather than a partnership.

You are sharing their services with other businesses and they don’t have time to review your concerns. There are even cases where support is sold separately from the cloud service.

At the end of the day an MSP is an extension of your business, not a business unto itself. They are there to consult and contribute but not control. Choose a provider that is transparent and easy to access.

Which leads me to mistake number three.

3) Choosing a provider that is indifferent about response time.

Downtime is a significant issue for all businesses. However, not all MSP’s act accordingly when it comes to downtime.

Choosing a provider that fails to properly respond to downtime is particularly horrible because it can be frustrating, agonizing and terrifying.

Imagine your business goes down and not only is the response time slow, but support is nearly unreachable. The average response time for a large MSP is 5.5 hours. They often market themselves in a way that de-emphasizes their response time in favor of their durable network and security. But, that’s just a trick.

A great MSP has multiple alert systems and responds to downtime in twelve minutes or less. Anything beyond that is negligence. It doesn’t matter how popular, “efficient” or “secure” an MSP is when during an outage or downtime they’re nowhere to be found.

54 percent of companies experienced a downtime event that lasted more than eight hours. That means over half of all companies, regardless of size, experience downtime of over a full work day. Furthermore, that could lead to massive hits in profit and revenue.

According to a Ponemon Institute Study, the average cost of an outage is $9,000 per minute. Let that sink in. Eight hours, sixty minutes an hour, $9,000 per minute. Let that sink in.

4) Thinking all MSP’s are Essentially the same

All MSP’s are different. Managed IT Services companies have resources and tools that suit different companies. Don’t assume that all MSP’s offer the same services or have the same expertise.

For example, Nerds Support works with many financial services companies and CPA’s. As a result, we put a heavy emphasis on cloud compliance and regulations. Financial firms are heavily regulated due to the sensitive information they work with on a regular basis. So whatever MSP a financial firm hires has to closely follow those same regulatory guidelines.

To achieve compliance we had to undergo SOC I and SOC II audits to ensure our clients felt secure relying on us with securing their data and systems.

You have to make sure you ask any potential MSP the right questions. If you want to know exactly what questions to ask a prospective MSP, check out our e-guide “22 Questions for your IT Department”.

5) Misunderstanding Service Level Agreements

The contract between a company and a Managed IT services provider is called a Service Level Agreement, or SLA. Make sure that the contract and the agreement are clear and that all relevant staff know the ins and outs.

That includes where and when these services are available, where their servers are located, how to contact support and what is covered in the terms of billing.

The MSP should provide you with a non-disclosure agreement that needs to be signed before the provider gains access to your company’s confidential data.

There should also be an understanding of how to report and analyze resources and services. If something isn’t working to your expectations, know how to report it and who to report to.

4 Things Financial Firms can do to Succeed Remotely

Financial firms are in the best position to succeed in a remote environment. Engaging with clients is easier than meeting in person and much of the work can be done regardless of location.

Americans are slowly adjusting to working from home. As states begin to ease the quarantine restrictions some companies are declaring permanent remote work environments. Companies like Facebook and Twitter are offering their employees the opportunity to work from home indefinitely.

Many firms have already moved to a fully remote operation and many more will do so in the future. However, moving to remote work can be difficult if handled incorrectly. Creating a successful remote operation is a new challenge CPA’s and financial firms will have to overcome.

When the lock-down started, business owners looked to get operations up as quickly as possible. Those who hadn’t migrated to a cloud-based system did so. Others only migrated partly, while others still struggled to adapt to a fully remote workplace. Video conferencing tools like Zoom and Microsoft Teams grew in use and popularity.

Daily downloads of the videoconferencing app Zoom increased by 300 million participants since March. Businesses and employees spent time researching the different videoconferencing applications and IT services companies that best fit their standards. But that’s only the beginning.

If you as a financial firm want to succeed in a remote environment you have to navigate cooperation, time management, data security and keeping your business functioning even while everyone may be so distant.

Here are a few ways to achieve success for your firm while working apart.

1) Take Advantage of Your Remote Environment

Maybe you’ve already noticed, but it’s difficult to distract each other with office gossip when there isn’t an office to gossip about. 85 percent of employees are either not engaged or disengaged at work. As a result, there is a 7 trillion dollar loss in productivity. Many offices have an open office layout, which creates a 32 percent drop in productivity.

However, this is harder to replicate when you’re forced to work remotely. Instead, the productive thing to do is to set virtual office hours or schedule meetings for a specific hour of the day. Employees and staff can reserve a meeting however you choose. This might appear obvious to some, but even in a remote environment it’s easy to get sidetracked. You get one call from one colleague and then another call 20 minutes later from an employee. By the time you finish, you might not remember what you were doing in the first place.

Designate a period of time in your weekly and daily schedule for all meetings. The routine will also keep you focused and organized. Keeping a routine can lead to positive mental health. A routine can help manage stress levels and lessen overall anxiety, according to one study by Northwestern Medicine. College professors and counselors are very familiar with this system. It would be like having virtual office hours where team members can choose a slot and book a meeting.

2) Adapt to Technology

If you stop and think about it, if something like the Lockdown of 2020 had happened ten years earlier, remote work would not have been possible. The emergence of cloud technology and communication apps like Microsoft Teams, Skype, Facetime, and Zoom together is what allows for a successful remote work environment.

Moving forward, many experts expect these changes to persist, bringing in a new era of remote activity. For financial firms, advising, asset valuation, and consulting will be done remotely. Firms should be looking to build on this change and integrate a remote reality to their existing operation.

What can your firm do to remain competitive, updated, and secure? Invest in a cloud service provider. IT services are going to be pivotal in the coming decades. Managed service providers will be in a position to make or break your firm. Look up the different cloud models and their features. Are they FINRA or SOX compliant? Where are their servers located? Are they stored somewhere outside the U.S.?

Nerds Support specializes in working with financial firms. However, there are many options available when hiring a managed IT service provider. Some are better than others, depending on the industry. You have to factor in security, location, knowledge of your industry, and even availability.

The Workplace platform provides a comprehensive solution that combines cyber security, compliance, & remote work needs.

Is there someone you can talk to when something goes wrong? Do you have a point of contact? Sometimes a support team consists of strangers and other times it’s the CEO.

4) Build a Better Team Remotely

Human beings are social animals.  Although remote work is beneficial to productivity, it might be harmful to be socially isolated from your team. But there is a solution.

Team building is an important tool for social bonding and improving motivation. Setting aside an hour at the end of the week to celebrate that week’s accomplishments is a good example of team-building. There are a ton of other games and exercises you can try over video chat. Many have done virtual hangouts. Virtual happy hours are also popular. Even virtual competitions with certain free online games have brought offices together.   

5) Make Sure to Reconnect with Reality

The biggest issue in a remote work environment is that everything does seem to blend together. When you can’t distinguish your bedroom from your workplace it’s easy to get lost in a work-all-the-time mentality. Having an office has the psychological benefit of creating a barrier between your personal and work life.

A Stanford study showed that after 50 hours a week productivity sharply drops. Even worse, after 55 hours productivity gets so low that working becomes counterproductive.

I bring up the Stanford study because the comforts of working from home can often trick you into working more. Working an extra hour won’t kill you but the added stress of feeling like you’re at work at all hours is a serious problem. Establish clear boundaries for yourself and your team. When it’s time to log off, you log off. Communicate with your team your unavailability after a set time. Go for a walk, listen to music, but most importantly stay away from your computer.

 

Accounting In A Post Pandemic Era

The coronavirus has impacted nearly everyone in the country. Now, accountants might find themselves wondering how to create a secure work environment for themselves and their clients.

The needs of your clients are changing and so is the industry. Furthermore, new regulations created as a consequence of the coronavirus are affecting business practices.

With that in mind, here are a few changes CPA’s will experience in the coming years.

Employees

All businesses including CPA firms are looking to get employees back to work.  These are some guidelines that might help your firm organize itself as the country begins to open up again.

  1.  EEOC sub regulatory guidance is a mouthful, but it is also important when considering how to navigate your firm’s re-opening process. According to EEOC guidance, employers are permitted to test for the presence of the COVID-19 virus before allowing employees to enter the place of work.
  2.  Employers must ensure the right infection controls regarding testing and be cautious of false positives and false negatives. Keep in mind that even the most accurate test only detects the virus if it’s currently present in the body. It does not guarantee the employee will not get the virus later.
  3.  Temperature checks are permissible under EEOC guidelines. However, who should administer the checks and how to administer them are not clear.
  4.  Employees testing positive for COVID-19 should be isolated from others and the workplace. Employers are encouraged to follow CDC and OSHA guidelines, which include closing off areas used by the sick employee, cleaning and disinfecting the environment, and informing other employees of any possible exposure to the virus in the office.
  5. Results from a COVID-19 test or temperature check fall under ADA confidentiality provisions. These tests are considered confidential information that should be kept in a secure location away from other employee information.

 

Industry

We covered employees, but what about changes in the industry itself? The COVID-19 crisis has accelerated certain trends and shifted others. Let’s review what some of those are.

A Shift in Duties For CPA’s

Small-business clients need help accessing relief programs in the CARES Act and the Paycheck Protection Program specifically. This means firms need to quickly transition from consulting to advising as they help businesses get through the lockdown. Financing reviews, a lot of cash flow forecasting and evaluating relief packages will be more important through tax season and the next few months.

Working Remotely

Experts agree that remote work for CPA’s is going to become the new normal, with companies like Twitter, Facebook and more making remote work permanent.

Although remote work was projected by  to increase gradually, the lockdown sped up the process. Firms were forced to quickly adopt remote enabling technologies like Video conferencing apps and the cloud.

Cloud Accounting

Speaking of the cloud, the move to remote operations has been difficult for firms who complain that apps like Zoom are not working well with their Citrix environment. That’s mainly because these firms have only partially moved over to the cloud.

Cloud accounting is an inevitability now that we know a pandemic can force us to work beyond the office at any moment.

A firm that was not prepared likely did not have the time to migrate all of its applications and infrastructure over to the cloud. So as things begin to pick up speed, they’ll do so.

Moving to the cloud is not as easy as choosing to do so. There are steps to cloud migration. Moreover, the quality of the cloud service depends on the quality of the provider. Firms must familiarize themselves with the different types of cloud services: public, private and hybrid clouds.

By choosing a large public cloud like Amazon Web Services, you could be sacrificing personalized care. Choose a cloud that lacks the proper regulatory standards and it might hurt your firm more than it helps.

The chief concern for all CPA’s should be to assist clients, help save businesses and keep jobs.  CPA’s are the financial experts both individuals and main street businesses need right now. Having the right tools in place is going to be essential.

Accountants may have the technology to work remotely but not all of them have everything they require to work efficiently. Although being in the office doesn’t compare with being at home, adjusting is a matter of making the right choices.

Clients

Additionally, accountants can’t meet face-to-face with clients so they’ll resort to remote advising as a way to adjust. However, just like remote work, remote advising is going to outlast the lockdown it seems.

Accountants and clients will adjust to working from the comfort of their homes without having to bear long commutes or wait in an office.

Remote advising will redefine what it means to be an accountant like tax application services are doing now. Firms will realize that remote advising is not just a way of working through a pandemic but perhaps a more efficient way of doing business for both them and their clients.

Firms

Although the long-term consequences of the lockdown are still unknown, accountants need to see themselves as the advisors businesses need to survive. Firms of all sizes are going to be called on by their clients to help them through the economic downturns created by the lockdown.

CPA’s, unlike other professions, are facing an opportunity for growth. Accounting firms should position themselves as the first responders during a financial crisis. Employers, businesses and average citizens are looking for help. They want to apply for loan programs, government assistance, and financial relief programs. All of these examples require knowledge of tax, accounting and payroll.