Posts

A businessman holding a laptop secured by the cloud

Top Cybersecurity Risks for CPA Firms in Miami

Cybercriminals are always hunting for identity theft victims. It is becoming increasingly important for you to take proactive measures to protect your clients’ personal and financial information. It doesn’t matter if you work by yourself or for a large accounting firm—digital security risks are a growing concern for everyone in the accounting profession. Those who don’t address these concerns are putting themselves and their businesses at serious professional liability risk.

There has been a rise in cyber attacks since the Coronavirus pandemic set in. 80 percent of firms have seen an increase in cyberattacks. Therefore, it is becoming increasingly important to take proactive measures to protect clients personal and financial information.

The truth is, cybercriminals are always hunting for new victims. Gartner research shows that the cyber security market will be at $170.4 billion by 2022.

We’ve already seen countless instances of hackers targeting businesses and institutions and getting paid millions of dollars in ransom money. Cities like New Orleans and Naples, Fl have suffered severe attacks that compromised their systems and the security of the cities themselves.

Since financial institutions are trusted with much of their client’s personal data, they are high valued targets for hackers.

Here are the Top Cyber Security Risks CPA Firms in Miami are facing:

Ignorance

While the advanced abilities of modern cyber criminals may seem obvious, too many businesses do not grasp the reality of the frequency and the severity of the threat. One study estimates that 97% of companies have already experienced a breach of some sort, meaning at least one hacker has bypassed all layers of security. The threat of cyber security is real, and ignorance offers no protection.

Poor Passwords

Passwords are the most basic defense against unwanted digital access. How secure are your passwords? Are you using them to their fullest potential? For most corporations, poor passwords are a major security risk. About 76% of corporate network breaches are directly related to lost or stolen credentials, like easily hacked passwords. Change your password immediately if it is “123456,” “password,” or something equally unsafe. Be sure to follow best practices for strong passwords like a long chain with varying types of characters.

Internal Threats

Internal threats usually come from individuals who misuse their information access. Unfortunately, no matter how careful your firm is, you may have an unscrupulous employee on your hands. Also, service vendors may find themselves in a building where sensitive information is on display. It’s important to restrict access to information to employees on a need-to-know basis.

The Cloud and Other Technological Vulnerabilities

Unless you have Managed IT experience, finding all the technological vulnerabilities in your software and hardware is nearly impossible. Every application and operating system on your computer, phone, or tablet can have a vulnerability, and it only takes a hacker one moment to exploit it once it has been found. When you use cloud-based storage, you add another layer of vulnerability. Work with an IT professional and be sure to review your cloud-based service providers often.

Phishing, Malware, and Hacking

4,000 firms were analyzed in a 2020 Verizon report and they found that 52 percent were a result of hacking.

Phishing and malware are malicious attempts to access sensitive data. Phishing is the process of sending an email that entices a reader to click on an attachment and enter personal data, which opens the computer to a hack. Malware is malicious software installed without a user’s knowledge with the purpose of hacking the computer or otherwise disrupting its function. Both are a risk for the modern CPA. All it takes is an involuntary click on a seemingly innocent email to infect a computer or release sensitive information.

Of course, you also have the risk of being hacked.

As a data collector and caretaker, a CPA has a legal responsibility to remain compliant with government regulations. Over time, the data that is stored in order to remain compliant becomes a threat in and of itself. If the data is not properly stored, or if it is not able to be found in the event of an audit, your firm could face a large set of legal risks.

How to Defend Against Cyber Security Threats

Work with an IT professional

Work with an IT professional to ensure you have proper security protocols in place. Review any cloud-based service providers to see if they have good security measures as well. Perform a security risk assessment to stop any potential problems before they can grow.

Understand and Protect the Flow of Confidential Data

Make sure you understand the flow of confidential data in your firm and enforce proper security procedures. Review access controls to ensure only those who should see data have access to it. Train, vet, and monitor your employees, and carefully screen any service providers or vendors who come to your facility. Make sure customers are not able to see the data of others when they visit your facility.

Create an Information Security Plan

Have a written information security plan that includes a timely purging of generic data sets. Train your employees to adhere to these rules. Review the plan periodically among leadership staff as well as employees.

Reduce Your Risk with Professional Liability Insurance

Protect yourself with proper insurance. While all of these risk reduction strategies are important, the most important way to protect yourself and your business is through professional liability insurance. Purchase a policy that properly addresses all potential cybersecurity exposures.

Protect Your Firm from Cybersecurity Threats

For CPAs, protecting data can quickly become a full-time job. It is your ethical and legal responsibility to do everything in your power to protect your clients and their personal data. Beyond that, you need to protect yourself—Cybersecurity risks are very real in this modern world. By following these strategies and obtaining appropriate liability coverage, you can fight cybersecurity threats head on.

Conclusion

The cyber risks are so great these days that management must get involved to ensure that appropriate mitigation strategies are in place. We all know the first step to treating addiction is admitting there is a problem. Similarly, the first step toward cyber security is acknowledging that you are at risk.

 

Be careful with social engineering scams that install malware

Reduce Malware Infections in 7 Steps

7 IT Solutions To Reduce the Risk Of Malware Infections

Friday, June 26 2020 The University of California at San Francisco School of Medicine paid over $1 million to regain access to data after hackers encrypted it with malware.

Situations like this happen all the time. Unfortunately, businesses and institutions across the world have failed to properly prepare for cyberattacks. In many cases it’s a matter of outdated infrastructure and insufficient funding. In other cases, it’s neglect or improper training.

Because of the fact that if your system is infected, you likely won’t be getting your files back unless you pay the ransom, you likely don’t want this to infect your work systems. One of the ways to limit the possibility of this is to educate your employees on how to minimize the chances their systems will be infected. Here are seven practical IT solutions to reduce the risk of malware infections.

1) Watch out For Vulnerabilities

Cyber attackers are using all kinds of technology to exploit networks and systems. One piece of malicious tech they use are exploit kits. Exploit kit, also exploit packs, are programs used to deliver malware to a vulnerable network.

What do I mean by vulnerable? A vulnerability in software is a mistake, or error, in the code. The hacker manipulates the user into visiting a malicious website and if any errors exist in the code of the system, the exploit can be implemented.

Furthermore, exploit kits function in the background making it difficult to determine when you’re experiencing an attack.

Update your operating system, browsers, and plugins. If there’s an update to your computer waiting on queue, don’t let it linger.  Additionally, updates to operating systems, browsers, and plugins are often released to patch any security vulnerabilities discovered.

You can protect yourself from these types of attacks by avoiding links and remembering to update your software. Many of us have the nasty habit of putting off systems updates. The little icon in the corner that reminds us of a new update is often seen as a bother. However, consider the alternative.

These systems updates fix any security vulnerabilities the developers and programmers uncover. There is actually a type of vulnerability called a Zero-Day vulnerability and it happens when hackers exploit undiscovered or unintended vulnerabilities. The malware is actually called zero-day exploits.

This applies to mobile phones as well. Software updates on your phone are meant to strengthen the software and patch any flaws the programmers missed when releasing the software. Software is constantly improving because code is constantly improving.

This explanation in many ways oversimplifies the process but it works for our purposes.

2) Remove Software and Files From your Systems You aren’t using

We’ve all heard of spring cleaning. We look through all the things we have and toss out what we don’t use. If we let things accumulate they create clutter and can create big problems. Well, the same thing applies to software on your devices.

You have to periodically look through all the software on your devices and determine which ones are outdated and which ones are worth keeping. For example, Microsoft no longer releases software updates for Windows 7 and Windows XP. Furthermore, using these applications without support or patch updates puts you in a position to get hacked.

How old are the applications you use? When did you last update them?

Do your homework and find out or someone else will.

3) Be aware of Social Engineering

Cybercriminals spread malware into your systems through social engineering tactics like phishing. There are older, less commons ways too that are worth going over. In some cases, a hacker will place an unlabeled USB in a public place or an office. The idea is that an unsuspecting victim will pick it up, consider it harmless and claim it as their own. This is also a form of social engineering because it still manipulates users into executing a certain action.

There are anti phishing tools you can use like Retruster that protect against fraudulent emails, phishing and ransomware. There are also many plug ins available for free that help users identify malicious links by creating a “safe to click” marker on them.

4) Inspect your Inbox Like Your business depended on it: Because it does.

Understand that the biggest vulnerability your business has walks on two feet. It doesn’t matter how many tools, tips and software updates you have if you fall for a social engineering scam. And it doesn’t just happen to small companies either.

Facebook and Google put together were victim to a payment scam of over $100 million. Between 2013 and 2015 a Lithuanian hacker managed to send each company fake invoices while pretending to be an Asian manufacturer they were in business with.

This is an example of Vishing, a.k.a. voice phishing. Leading to the next point:

5) Always Verify credentials with Cold Callers

Vishing is a bit more difficult to pull off on companies. However, when done correctly it can generate a huge amount of profit for the scammer like I mentioned with Facebook and Google.

Depending on the company you might get a call from someone pretending to be Microsoft. In other cases it’ll be a vendor or a bank checking in. It’s difficult to say in what form these scams will come because the scammers tailor them specifically for a business.

In the case of Facebook and Google, for example, the scammers had to know they two companies were working with that specific vendor.

For your company it will be different according to your specific circumstances. If it isn’t believable then the victim won’t fall for it.

6) Make sure You have a Secure Connection

Whether you’re working in the office or remotely, you need to ensure your connection is secure. If you’re working from home, perhaps you’ll need a VPN to protect your Wi-Fi connection. Additionally, when you’re browsing on the web make sure the website is secure.

7) Use strong passwords with Multi-layer authentication

A large percentage of people reuse the same passwords for the personal and professional logins. It’s time to change that habit. Companies like Google and Apple created password generators that create strong, complex passwords. However, don’t leave it up to google.

If your business doesn’t use multi-layer authentication for access to important documents, files or websites, you’re living in the past. Nerds Support uses multi factor password authentication to ensure whoever is logging in can only do so if they are the right person.

Our systems require a mobile phone confirmation, email confirmation and password confirmation in order to provide access to our systems. That way, if a device gets stolen or a hacker gains access to a password, neither will be enough to access files alone.

Conclusion

Malware attacks are growing. Now that businesses are moving towards remote work, protecting against these types of attacks are more important than ever. Cyber security is not just about the technologies that protect your important data. It’s also about what you are doing to protect your business. It is the first and the last line of defense.

Nerds Support Contact Us Leaderboard

Coronavirus Malware Phishing Scams Thumbnail

How Cyber Attackers Use The Coronavirus to Steal Your Data

Coronavirus Email Scams

The recent coronavirus outbreak has motivated cybercriminals to send virus related malware attacks across the world.

Phishing emails claiming to possess information on protecting against the virus have appeared, spreading misinformation and malicious software. These emails encourage victims to open attached documents containing malware that can freeze or completely steal valuable data.

Scammers use fear and uncertainty to manipulate victims into infecting their computer with malware. However, incorporating tragic events, potential pandemics or natural disasters into their attacks is nothing new.

Beware of Phishing After Any Big Event

Attackers customize phishing emails to current or upcoming events like tax season, hurricane season, and holidays. Regardless of the occasion, the goal is the same: to access valuable information. The attacks prey on people’s desperation for answers and suggest that they have can give them to you.

Furthermore, there have been cases of scams emerging in places like Michigan and New York. Officials in these states are warning residents to be vigilant of emails asking for donations or personal payment card information.

Coronavirus scam emails were popping up in early February which prompted Michigan’s Department of Health and Human Services to warn citizens on their dangers.

The Federal Trade Commission even sent out a memorandum advising people on how to spot email scams and stay safe online.

Additionally, the FTC says cyber criminals could be setting up fraudulent websites that sell fake products using illegitimate emails, social media posts and texts to trick people into sending them money or personal information.

An example of a phishing email scam offering fake information about COVID-19.

Common attributes of a fake email are spelling and/or grammar errors.
If you receive a suspicious link, hover your cursor over it to view the destination url.

Protecting Against Coronavirus Phishing Scams

Here are some tips recommended by the FTC to keep safe against scammers:

1) Be suspicious of emails claiming to be from the Center for Disease Control and Prevention (CDC) or anyone purporting to be an “expert” with information on the virus.

2) Avoid emails that allude to any “investment opportunities.” Social scams will promote products claiming they can cure, detect, treat or prevent the disease are fake.

3) If you’re going to donate, do the proper research into the organization and payment method. Don’t be pressured to donate and especially if it’s through an email link.

4) Ignore offers for vaccinations. Ads that say they have the cure or treatment for coronavirus are probably scams. Any medical breakthrough will be announced on mainstream media networks.

5) For up-to-date information on the virus visit the Center for Disease Control and Prevention (CDC) and the World Health Organization (WHO)

Don’t Be Misled

These scams will continue to spread and they won’t go away any time in the near future. In fact, scammers will certainly take greater advantage of the misinformation and fear from media coverage.

Moreover, cyber scammers in China were reported sending malicious emails containing malware. It’s difficult to protect yourself from these types of attacks but

Threat actors also targeted users in Japan with a campaign that spread malicious documents with supposed information on the virus.

Unsurprisingly, these social engineers even sent emails impersonating the CDC to lure unsuspecting users into malware traps.

The Coronavirus is a real threat but it’s important to keep a level head and not expose yourself to even greater harm online.

Ultimately, even Facebook has begun planning to ward off misinformation on the virus. Other social media platforms have voiced concern about the spread of false claims on their platforms as well.

The virus has attracted the attention of a global audience but that doesn’t mean you have to fall victim to those looking to profit off of that attention.

Coronavirus Malware Phishing Scams Leaderboard

New York Ransomware Payment Ban Thumbnail

New York Proposes Bills Banning Ransomware Payments

Two New York state senators proposed bills to ban local governments from paying ransomware with taxpayer money.

The bills, S7246 and S7289, are virtually the same except S7246 proposes to create a state fund to help municipalities strengthen their cyber-security. This is the first time states have proposed such a law.

Why is this happening?

In 2019 alone, there have been over 100 reported ransomware attacks across the U.S. in government entities and municipalities.

Texas suffered from 9 separate attacks. Florida had 8 and New York, Connecticut, and North Carolina each had 6 reported attacks.

Moreover, 37 of the 104 ransomware attacks, or 35.5%, were committed against schools. This isn’t surprising considering the fact that schools are particularly easy targets.
The reasons for this are simple: schools lack security. They lack security because they have limited budgets.

Neglecting cyber security has been a practice for both businesses and governments alike and now the consequences are being felt. In fact, school ransomware attacks are  so problematic, the United States Senate also introduced a bill in December that would mandate bolstering they cyber security and infrastructure of schools.

Local Governments

The problems aren’t just the schools, however. Six figure payments have been made to hackers freezing stolen data from other government facilities in cities like Riviera Beach, Fla., New Orleans and 22 separate municipalities in Texas.

In New York specifically, Albany County Airport authority chose to pay out a ransom demand and two school districts within a two month period were infected by ransomware.

Last July, the US Conference of Mayors adopted a resolution declaring they would not pay ransom demands after an attack and presented their cyber security plans, but the resolution was informal and toothless.

The bill indicates something Cyber security experts have been saying for years: If our society doesn’t prepare itself for the digital age it will cost everyone. Luckily for governments, they were able to rely on tax money to pay a ransom. The question is, what about a small, private business with no cyber security plan in place?

Who Really Pays?

The main point is, this type of negligence always costs.  An article  released by the New York Times stated in 2019, 205,280 organizations turned in files that were eventually hacked in a ransomware attack.

Furthermore, the average payment to went up to $84,116 towards the end of 2019.

Ransomware attacks have led to the shutdown of numerous businesses as well. The Heritage Company was forced to send more than 300 employees home after their IT department failed to recover last October.

The Heritage Company is by no means an isolated case. In fact, one in five businesses are forced to shut down after a ransomware attack according to a report by the security firm Malwarebytes.
All of the experts warn that cyber-attacks are becoming more sophisticated, targeted and costly.

Ransomware is the most damaging from of cyberattack because both businesses and governments haven’t kept up with security.

It’s as if someone invented a buzz saw and banks kept all of their money behind a wooden door.

They’re Getting Away With IT

As for the robbers, tracking them down has proven difficult because they ask for ransom in the form of bitcoin. Bitcoin is untraceable and can be encrypted to ensure anonymity.

Riviera Beach Fla., another victim of ransomware, agreed to pay over $600,000 to criminals and they still haven’t been identified. With payouts like those ransomware attacks are not going away.

The F.B.I. said it received nearly 1,500 ransomware reports in 2018 and the agency acknowledges all report numbers are under-reported. In other words, the problem is even bigger than anyone knows.

What New York is doing only begins to scratch the surface of this epidemic.

Cities, like Lake City,Fla., are rushing to improve and strengthen their back up systems and infrastructure. It’s even adopted a cloud-based back up system that cost $60,000 a year.

Then again, what would you pay to protect your business?

For more on cyber security, cloud and tech, follow us on social media to stay updated.

New York Ransomware Payment Ban Leaderboard

What Should Concern Businesses About the New Orleans Cyberattack

The city of New Orleans experienced a cyberattack so severe Mayor Latoya Cantrell declared a state of emergency.

The attack occurred on Friday, Dec. 13 and caused the city to shutdown government computers. Officials announced the shutdown via social media posts.

City Shutdown Government Computers

The attack started at 5 in the morning, according to the city of New Orleans. At around 11 a.m., employees noticed what they considered suspicious activity. As a result, the city’s IT department ordered employees disconnect from Wi-Fi and close down their computers.

Fortunately, an investigations into the attack is currently underway as Federal and State agencies gather more information. As of now, nothing is known about the malware used during the attack and the Mayor said no ransom demands had been made yet.

Louisiana’s Third Cyberattack

This ransomware attack is the third to affect Louisiana in five months. In November, another attack prompted Louisiana’s Office of Technological Services to shut down multiple state agencies. And in July, cyber criminals attacked several Louisiana school districts, shutting down their networks for ransom.

As a result of the schools attacks, Governor John Bel Edwards declare a state of emergency that allowed state agencies to help local governments recover from the attack.

What’s the Damage?

Unfortunately, it’s always difficult to tell the extent of the damage. It could take months and, in some cases, years to truly understand what information was stolen.  Furthermore, hackers could have stolen government employee information, financial information and more from New Orleans.

Moreover, they will have to contact financial institutions and implement new procedures to address cyberattacks like this as well as increase security on their networks.

This begs the question, if State governments have to shut down entire systems and declare a state of emergency to deal with a cyberattack, what will it cost a small business?

Since the attack in November, The National Governors Association (NGA) has urged states to develop a formal continuity plan for responding to cyber threats. Additionally, cyber forensic experts will need to be brought in to investigate the breach.

New Orleans Government Cyber Attack Statistics

 

Cyber Response Plan

The NGA released a State Cyber Response plan in July, that governments are developing and 15 states have made their plans public.

Without a doubt, the impact of ransomware attack is nothing to scoff at and governments are learning the hard way. Ultimately, having a continuity plans in place ensures recovery from a breach runs as smoothly as possible.

Cybercriminals Declare Hunting Season

The FBI issued a warning in October declaring an increase of cyberattacks on “big game” targets. These are targets with money and sensitive information, willing to pay ransoms to restore their systems.

That doesn’t just mean local and state governments, municipalities and agencies. For instance, hackers often target businesses, hospitals, accounting firms and financial advisers for their data.

Additionally, businesses have to adapt and invest in security if they expect to succeed. The first of several security lessons: no one is too big or to small to get hacked.  Sensitive data is always in high demand. More importantly, dark web marketplaces, like Joker’s Stash, are always willing to sell it.

The Future of Cybercrime

Researchers warn that ransomware attacks will intensity in 2020. What’s worse, attacks are getting more sophisticated.

On the other hand,with the year coming to a close and a new one beginning, now is the perfect time to audit your IT infrastructure and verify it’s competency against these types of threats. Fortunately, 2020 will also see the rise of things like cyber insurance, AI and cloud-based security solutions.

Transitioning to a cloud-based solution, like a hybrid cloud,  might help industries across the board avoid scenarios like the ones in Louisiana.

You can read our article on how businesses can protect themselves from a cyberattack.

If you want to know more on cybersecurity news, the cloud, managed IT services and more contact us or visit our blog.