Posts

cyber hacker breaches the security of thousands of Canadian CPA firms

CPA Canada Breach Exposes Over 300,000 People

Data Breach in CPA Canada

A breach of CPA Canada exposed the personal data of over 300,000 Canadian accountants and stakeholders.

According to existing reports, the information pertained to the distribution of CPA Magazine. CPA Canada said credit card numbers and passwords were encrypted and not among the exposed data. The cyber criminals accessed CPA Canada members’ contact information on the organization’s website.

Approximately 329,000 individuals were notified of the breach and warned of possible attacks in the future.

It warned members to stay vigilant of possible phishing emails, texts or phone calls that may come as a result of the attack.

Taking Secure Steps

Members of CPA Canada will have to check their emails frequently and be careful not to open any attachments from unsolicited messages.

CPA Canada took steps to secure its systems to secure their site, however the breach could have happened months earlier. As is the case with many breaches, it’s difficult to pinpoint when exactly a breach happens.

The association ties the incident to an alert issued in April about a phishing campaign that requested users to change their CPA Canada password due to a website breach. This is a common way cyber attackers gain access to information.

A similar breach occurred after the launch of Disney Plus. Experts say that hackers sent fraudulent emails asking users to “verify” their passwords so they could be saved and sold on the dark web.

They explain that the emails originated from the IT department where the victim was employed. The emails indicates that the IT department suspected a security issue with the domain cpacanada.ca.

This is Nothing New For CPA’s

Unfortunately, this type of event is too common for accounting firms. In April 2020, the IRS issued warnings to taxpayers and firms to be aware of phishing scams involving the stimulus checks from the CARES Act.

Cyber security experts advise accountants to take even greater care of their data especially when working remotely.

Forcing digitalization has left many firms more vulnerable to attacks than ever. The usual types of phishing attacks are all present only now they’re more frequent. Hackers know that firms that had issues shifting to a remote environment left many digital vulnerabilities exposed.

The IRS itself had struggled with enabling employees to work remotely. Changes to internal systems and readjustments made for enabling remote access leaves gaps for attackers firms might not otherwise have.

Some Firms are More Vulnerable Than Others

CPA Canada reports that all activities are normal for now, but things could have turned out much worse. Accounting firms that neglect their cybersecurity can quickly become the victims of hackers. The moment attackers gain access, they encrypt and freeze data until your firm pays their fee.

Larger firms are safer because they perform frequent audits and have security consultants ready in hand. However, smaller firms might not have the resources and cyber security skills necessary to protect themselves.

These firms still deal with sensitive financial information so they become preferred targets by hackers. It’s much easier for a hacker to attack several small firms than one larger one.

Conversely, firms experience attacks caused by spiteful or careless employees. Performing regular backups is better than doing nothing but there is no guarantee the hacker won’t just keep your data hostage. Paying the ransom doesn’t guarantee an end to the attack either.

How Do you Prepare Against Phishing Attacks?

The best way to prepare for an attack is to do incremental backups and consistently testing those backups. Backups are useless if you can’t restore your systems should something happen.

Working Remotely Adds New Risks

Now that CPA firms are working remotely, they might not have the same resources or security measures they would have in an office setting. Firm employees typically access applications through their secured office desktops. Accessing these same applications on a personal device could mean they are easier to breach even with a VPN.

IF a CPA failed to assess the security measures needed to function remotely it can leave the doors open to a cyber attack that breaches systems quickly.

Compliance is Key

A way smaller firms can avoid scenarios like the one mentioned above is by applying best practices when it comes to IT security. Even if you are a smaller firm with limited IT personnel, there are Managed IT services providers that can supply you with the needed boost in security.

How? By doing what the larger firms are doing, applying best practices to all of your systems. A CPA has to follow strict compliance regulations in order to operate. SOX and FINRA regulations, for example, require regular audits that demonstrate sensitive financial data is kept safe.

The added benefit achieving compliance is that it requires a secure IT infrastructure. By auditing and verifying compliance firm are also checking for cyber vulnerabilities.

Cyber criminals have learned that companies are increasingly more difficult to infiltrate by directly breaking through their security systems. That is why they rely on phishing attacks to go around this problem.

Phishing Attacks Still Happen Because They Still Work

In the case of CPA Canada a phishing scam exposed valuable information. Phishing scams are still the most popular form of cyber attack today. That is because it doesn’t target a network, it targets the user.

Phishing is all about manipulating the target into performing an action. It can be downloading an infected attachment or clicking on a malicious link.

With phishing scams, hackers don’t have to worry about the strength of a firm’s network because no matter how strong the network, it’s only as strong as its most gullible employee.

It can be even worse when added to a remote environment. Having a dedicated team of IT experts available 24/7 improves an employee’s chances of avoiding a phishing attack altogether.

Nerds Support has comprehensive IT solutions that allow our technicians to flag and monitor potential email scams. However, the safest action to take if you have a limited IT team is to send suspicious emails over to your IT department rather than opening them yourself.

CPA Canada has contacted the Canadian Anti-Fraud Center and private authorities to conduct a proper investigation. Only time will tell the ramifications of this breach and how vulnerable those affected really are.

Financial advisor working remotely from home on his computer.

4 Things Financial Firms can do to Succeed Remotely

Financial firms are in the best position to succeed in a remote environment. Engaging with clients is easier than meeting in person and much of the work can be done regardless of location.

Americans are slowly adjusting to working from home. As states begin to ease the quarantine restrictions some companies are declaring permanent remote work environments. Companies like Facebook and Twitter are offering their employees the opportunity to work from home indefinitely.

Many firms have already moved to a fully remote operation and many more will do so in the future. However, moving to remote work can be difficult if handled incorrectly. Creating a successful remote operation is a new challenge CPA’s and financial firms will have to overcome.

When the lock-down started business owners looked to getting operations up as quickly as possible. Those who hadn’t migrated to a cloud based system did so. Others only migrated partly. While others still, struggled to adapt to a fully remote workplace. Video conferencing tools like Zoom and Microsoft teams grew in use and popularity.

Daily downloads of the videoconferencing app Zoom increased by 300 million participants since March. Businesses and employees spent time researching the different videoconferencing application and IT services companies that best fit their standards. But that’s only the beginning.

If you as a financial firm want to succeed in a remote environment you have to navigate cooperation, time management, data security and keeping your business functioning even while everyone may be so distant.

Here are a few ways to achieve success for your firm while working apart.

1) Take Advantage of Your Remote Environment

Maybe you’ve already noticed, but it’s difficult to distract each other with office gossip when there isn’t an office to gossip about. 85 percent of employees are either not engaged or disengaged at work. As a result, there is a 7 trillion dollar loss in productivity. Many offices have an open office layout which create a 32 percent drop in productivity.

However, this is harder to replicate when you’re forced to work remotely. Instead, the productive thing to do is to set virtual office hours or schedule meetings for a specific hour the day. Employees and staff can reserve a meeting however you choose. This might appear obvious to some but even in a remote environment it’s easy to get side tracked. You get one call from one colleague and then anther call 20 minutes later from an employee.  By the time you finish, you might not remember what you were doing in the first place.

Designate a period of time in your weekly and daily schedule for all meetings. The routine will also keep you focused and organized. Keeping a routine can lead to positive mental health. A routine can help manage stress levels and less overall anxiety, according to one study by Northwestern Medicine. College professors and councilors are very familiar with this system. It would be like having virtual office hours where team members can choose a slot and book a meeting.

2) Adapt to Technology

If you stop and think, if something like the Lockdown of 2020 had happened ten years earlier, remote work would not be possible. The emergence of cloud technology and communication apps like Microsoft Teams, Skype, Facetime, and Zoom together is what allows for a successful remote work environment.

Moving forward, many experts expect these changes to persist, bringing in a new era of remote activity. For financial firms, advising, asset valuation, and consulting will be done remotely. Firms should be looking to build on this change and integrate a remote reality to their existing operation.

What can your firm do to remain competitive, updated, and secure. Invest in a cloud service provider. IT services are going to be pivotal in the coming decades. Managed service providers will be in a position to make or break your firm. Look up the different cloud models and their features. Are they FINRA or SOX compliant? Where are their servers located? Are they stored somewhere outside the U.S.?

Nerds Support specializes in working with financial firms. However, there are many options available when hiring a managed IT service provider. Some are better than others, depending on the industry. You have to factor in security, location, knowledge of your industry, and even availability.

The Workplace platform provides a comprehensive solution that combines cyber security, compliance, & remote work needs.

The Workplace platform provides a comprehensive solution that combines cyber security, compliance, & remote work needs.

Is there someone you can talk to when something goes wrong? Do you have a point of contact? Sometimes a support team consists of strangers and other times it’s the CEO.

4) Build a Better Team Remotely

Human beings are social animals.  Although remote work is beneficial to productivity, it might be harmful to be socially isolated from your team. But there is a solution.

Team building is an important tool for social bonding and improving motivation. Setting aside an hour at the end of the week to celebrate that week’s accomplishments is a good example of team-building. There are a ton of other games and exercises you can try over video chat. Many have done virtual hangouts. Virtual happy hours are also popular. Even virtual competitions with certain free online games have brought offices together.   

5) Make Sure to Reconnect with Reality

The biggest issue in a remote work environment is that everything does seem to blend together. When you can’t distinguish your bedroom from your workplace it’s easy to get lost in a work-all-the-time mentality. Having an office has the psychological benefit of creating a barrier between your personal and work life.

A Stanford study showed that after 50 hours a week productivity sharply drops. Even worse, after 55 hours productivity gets so low that working becomes counterproductive.

I bring up the Stanford study because the comforts of working from home can often trick you into working more. Working an extra hour won’t kill you but the added stress of feeling like you’re at work at all hours is a serious problem. Establish clear boundaries for yourself and your team. When it’s time to log off, you log off. Communicate with your team your unavailability after a set time. Go for a walk, listen to music, but most importantly stay away from your computer.

 

An accounting firm considering to accept cloud technology.

Why CPA’s Need Cloud Services To Survive

Cloud Services For Accountants is More Important Than Ever

As a CPA firm you’re going to have to adjust to this new remote reality. No one expected the lock-down, however firms that operated on the cloud had an advantage over those who hadn’t yet or only did so partially.

Many accounting firms learned to understand how the right technology could help them access and review financial information, create reports, manage accounts and more.

There is no telling how or when businesses will open up. Moreover, reopening A CPA firm to its full capacity requires much more than opening the doors, turning the lights on and wiping off the dust from your desk.

It is a gradual process that will require much planning and the transition itself will depend on many factors.

That is why cloud technology has become so pivotal in the last few months. The lock-down put many accounting systems to the test, forcing everyone from individual practitioners to larger firms to operate continually outside of the office.

Firms that migrated to the cloud prior to the lock-down are doing well. Their client data secured in a data center and their applications on a cloud network ready to use. The Accounting industry has been discussing the impacts that would occur as a result of the cloud. Now, it’s no longer a theoretical discussion.

Experts predict cloud accounting to be a permanent feature of any CPA firm. Firms that didn’t migrate to the cloud previously might be asking if it’s too late for them. The answer is a definitive no.

Video Conferencing

Firms that use Microsoft 365 might be familiar with Teams. Teams is one of the many video conferencing applications firms are using to communicate while working remotely.  There are also applications like Zoom, Google hang outs, and Skype. These video tools facilitate collaboration and, with the right cloud service provider, can create an effective remote environment.

Financial services experts and CPA’s are discussing the possibly of permanent remote advising. Remote advisory services was always the direction technology was heading in. However, the lock-down that proceeded the COVID-19 pandemic only sped this transition.

These remote services will only be afforded to firms willing to migrate and adopt the virtual tools necessary to perform these roles efficiently.  That means finding a managed services provider with cloud hosting capabilities that are designed to meet your firm’s needs.

Remote Advising Through The Cloud

Remote advising is the future of the financial services industry. Technology was already in the processes of changing the role of CPA’s towards more advisory positions. With software automating much of the compliance work once handled by an accountant or bookkeeper.

James C. Bourke, a CPA an accountancy technology expert, predicts that if CPA’s are not spending on technology solutions that are accessible remotely, they will be revisited.

“Priorities are going to change on technology spending, once we are all back in the office,” he said in a recent podcast.

Adopting a cloud storage system that can handle any project without downtime can help your business succeed with remote work.

Migrating  Your Firm to The Cloud

Can you migrate mission critical applications to the cloud now? Specifically can you migrate Document, tax, engagement, and practice management to the cloud?

According to Bourke, currently, migrating to the cloud will be difficult but CPA’s should do everything they can to prepare themselves for a cloud migration when we return to normalcy.

That requires firms to research the best cloud providers, checking to see if they have the right security and compliance tools to provide your firm with the proper IT support without failing to meet regulation standards.

Technology disruption and the shifting to more advisory services are creating a professional environment where accountants must offer more valued and diverse skill sets.  However, this also means shifting focus to the client’s specific needs and away from other aspects of your practice like software, cyber security and IT services.

Leveraging the Cloud

If you plan on working as a trusted advisor you need to understand the implications of these shifts and what these tools mean for your firm. It’s not only adopting a cloud solution but adopting one that has the services that benefit your firm the most. Migrating to the cloud is like purchasing a car. Just because it has four wheels and an engine doesn’t mean it will be the vehicle you.

There are many types of cloud providers and every cloud provider has different assets, strengths and weaknesses. There are public, private and hybrid cloud. Different cloud companies like Azure have cloud services but require you to pay an extra fee for support services. Nerds Support’s accounting cloud services utilizes software that complies with SOX and FINRA standards for example.

Other cloud providers like AWS are public clouds with thousands of clients. Their service would be less personal and contacting support is difficult.

Cloud Accounting is The Future

A Survey in The New Jersey Society of CPA’s, revealed that 40 percent of participants expected a decrease in revenue as a result of the COVID-19 pandemic. The development of cloud technology and remote services will work to mitigate revenue loss once properly implemented.

The abrupt switch from in-person accounting services to remote focused work was jarring. Firms were unprepared for the demands of a remote work environment. However, now that industries, not just Accounting, have seen the results of a shut-in, firms will work to eliminate this vulnerability by revisiting cloud technologies and focusing on remote tools.

Managed Service Providers expect an increase in demand for public cloud services. Specifically, a an increase in SaaS, industry- focused apps. These include collaboration and other productivity and business continuity tools.

The social shift towards online platforms (VOD, social media platform, and cloud gaming) shift focus towards cloud infrastructure automation/management software.

In other words, cloud environment reliability, optimizing online platforms and the performance of your infrastructure determine the success of your firm in the future. Clients now and in the future will require and request online services.

Make sure your firm stays protected and ready for this new shift.

Cyber criminal breaching federal emergency loan site for access to money.

8,000 Emergency Loan Applicants Affected by Data Breach

The SBA Was Breached

8,000 small business owners who applied for loans from the Small Business Administration potentially had their personal information exposed last month, admits the agency.

The Economic Injury Disaster Loan program (EIDL) offers up to $10,000 to owners currently struggling with their businesses due to the COVID-19 pandemic.

Who Is Affected?

The breach affects people who applied for the EIDL. Traditionally, it was used to aid owner whose businesses were impacted by tornadoes, hurricanes and other natural disasters. Congress expanded it in the $2.2 trillion CARES Act.

Notification letters were sent to 7,913 applicants possibly impacted by the breach and then the letters were posted online. The letters revealed that personal data could have been exposed to other applicants. This data included phone numbers, addresses, dates of birth, income and financial information, and social security numbers.

What’s In the Loan Program?

The Economic Injury Disaster Loan program (EIDL) offers up to $10,000 to owners currently struggling with their businesses due to the novel coronavirus pandemic.

A Trump administration official described the issue to CNBC saying that an error occurred when some owners would hit the back button on a page they would see the information of someone else’s businesses rather than their own.

How Did The SBA Find Out?

According to reports by the Washington Post, the SBA was initially silent on the duration of the breach or about details of its discovery. Businesses that may have been affected were notified by the SBA and offered one free year of credit monitoring.

The Agency said it discovered the vulnerability on March 25 and notified those affected with letters. A copy of the letter was posted by a victim after the breach. The letter itself mentioned that there is no sign of data misuse as of last week.

What’s The SBA’s Track Record?

Business owners have had issues with the disaster loan website before. The site was taken down for maintenance for several hours on March 16, and owners could not apply during that time. On March 29, the SBA revised its application process for the disaster loans and owners had to reapply. Many learned days or weeks later that they needed to reapply.

Business owners experienced issues with the loan website previously. In fact, the site was taken down for maintenance for hours on March 16. This meant owners couldn’t apply for a loan in that time. About two weeks later on March 29, the SBA updated the application process for the loans and owners were required to reapply.

How Much Money Was Allocated?

As of April 19, SBA had approved almost 27,000 EIDL loans valued at $5.6 billion. Another 755,000 businesses received EIDL grants worth a total of $3.3 billion. The Trump administration official told CNBC that 4 million business owners had applied for assistance worth $383 billion—far more than the $17 billion allocated for the program.

Even before the breach the agency website was strained by a flood of applications for the loan that overburdened funding, keeping businesses waiting for weeks to receive money.

Before the COVID-19 crisis small businesses should have been eligible for up to $2 million in disaster loans. Unfortunately, because millions of companies are now seeking assistance,  the SBA had to limit the loans to the previously mentioned $10,000

What are the Risks Now That There Was a Breach?

That being said, the SBA approved nearly 27,000 EIDL loans since April 19. However, the breach raises a problem for anyone looking to exploit personal information on the website for social engineering scams. IBM Securities published research revealing it had seen a 6000% increase in email campaigns impersonating the SMB.

For more information on cyber security, cloud, remote work and more, visit Nerds Support’s blog.

 

Os33 Workplace cloud complies with FINRA, SOX, SOX11

Compliance on the Cloud 101

What is Compliance?

Compliance when dealing with cloud computing can be an issue for those using cloud storage or backup services. When you transfer data from your internal storage to a cloud provider’s you must examine how that data is stored so that you stay in compliance with laws and regulations. Financial cloud computing, for example, requires IT sox compliance to ensure quality of service.

In 2002 the Sarbanes-Oxley Act (SOX) was implemented as a response to huge accounting scandals. Companies like Enron, Global Crossing and others misled investors and cost shareholders billions of dollars. This, in turn, changed the IT world forever. What does this have to do with IT? It changed how we approach things like storage, data, security and other functions. 

Cloud compliance is, simply put, a principle that states a cloud based system must be compliant with standards that the cloud customer faces.

Compliance departments ensure that businesses conform to established rules and it’s important to understand, when switching over to a cloud service, how and in what ways the cloud meets compliance standards. Luckily, there are cloud providers that ensure compliance with regulations like SOX. 

If you’re in the financial services industry there are a few things to think about when considering an IT solutions cloud provider. 

How Compliance Works 

A global survey conducted by Veritas Technologies, a data management company, revealed that of the 13 countries and 1,200 businesses surveyed, 69 percent of organizations or 828, wrongfully believed that data protection, data privacy and compliance are the responsibility of the cloud service provider.

It isn’t.

When it comes to cloud compliance you need to be aware of the data you should move to the cloud and the data that should remain in house, the questions you need to ask of your cloud provider and what be written in a service-level agreement (SLA) to maintain industry compliance.

When SOX was first written, it explicitly left out how regulations should be met. This ensured that industries could adopt the most recent technology instead of having to wait for lawmakers to catch up to technology. Because of this, the cloud is a viable infrastructure for financial companies that forced to adhere to compliance rules. 

 The way IT departments store records changed due to the implementation of SOX. Regulations state what kind of information needs to be stored that relate to SOX compliance. Things like electronic records and messages, spreadsheets and emails are considered valuable and fall under the regulation.  

It’s important that you not take this for granted, and evaluate your SLA’s with the provider.

The first thing that organizations need to do is be aware of the type of services they use. There may be certain information that’s regarded as highly confidential and a company may decide to keep it on an internal network. Or if it is moved to the cloud, it’ll be a private cloud that will be hosted on the premises.

Nerds Support has a hybrid cloud in a secure location that has military grade security.

Ensuring Cloud Compliance 

Once your company has decided what information is to be transferred over to the cloud look at the contracts you have between with your cloud provider. Depending on whether the cloud is internal or external the approach will be slightly different. If it’s external, you have to make sure both you and the provider are clear about what type of data should reside on their cloud services and how they’ll protect said data. If it’s an internal cloud, are you going to have internal compliance checklist to make sure you’re within the regulatory standards?

With cloud financial services, customers and cloud providers share the responsibility to maintain compliance. It’s the duty of the organization to investigate the security policies of the vendor. 

Important questions to ask include: 

  • Where is data stored?
  • Who has access to the storage areas or data centers?
  • How is my data protected?

Compliance 101 SOX FINRA Cost Statistics

Service Organization Controls 

In some cases, companies can look at providers that certify compliance and chose their services without any further research. There are times, however, where a company will have to be more thorough and get involved in the cloud providers security to make sure it complies with industry standards. When it comes to SOX compliance, however, you should look for a vendor that provides you with Service Organization Controls.

This report enables user auditor to evaluate audit risks associated with the use of a financial cloud provider.   

It’s also important to establish and verify benchmarks that help check the effectiveness of the security around your data on the cloud.  Make sure your provider uses federal government guidelines for cloud security if it’s based in the US.

In order to avoid miscommunications between your cloud provider and your organization, make sure you take the time to classify the data in level of importance, delegating carefully what is suitable for the cloud and what needs to remain internally stored. Have the right contracts and go through them, establishing what will be covered under their services and how they’ll protect and back up your data. A business continuity plan is also imperative, just in case of any hiccups.

Nerds Support has cloud services that comply with financial regulations.

Contact us today to schedule a free IT assessment that can identify gaps in your IT infrastructure.