octobernovember2022 - 32

FEATURE
Wi-Fi network name. So change your SSID, make it
generic. It will be less likely to be hacked," he said.
3. Install antivirus and internet security
software at home: One of the most common, and
effective, security strategies for working
from home is to invest in a comprehensive antivirus
suite for your company and your employees.
Antivirus suites offer automatic remote work
security against a host of threats, including:
* Zero-day attacks (viruses taking advantage of security
gaps before they are patched);
* Malware, spyware, and viruses;
* Trojans and worms; and
* Phishing schemes, including those sent via email.
Nowadays, comprehensive antivirus and internet
security software automatically updates itself to
stay on top of new and emerging threats.
4. Use a VPN: Virtual private networks (VPNs)
add an extra layer of protection to internet
use from home. They cannot on their own be relied
upon to prevent cyberattacks, but they can be a
useful barrier against one.
According to antivirus provider Kaspersky, VPN
security can be enhanced by using the most robust
possible authentication method. Many VPNs use a
username and password, but firms might want to
think about upgrading to the use of smart cards.
Companies can also enhance their encryption
method for VPN access, for example, by upgrading
from a Point-to-Point Tunneling Protocol to a Layer
Two Tunneling Protocol.
But no matter how strong your VPN is, if an
employee's password is compromised, it will give
hackers an easy way in. So Kaspersky recommends
that employees update their passwords regularly.
Employees should also be reminded to only use the
VPN when they need it, switching it off if they are on
their work devices for personal use in the evenings
or on weekends.
5. Define clear procedures for reporting and
responding to security incidents: "This
is so important because if everyone is remote
and there's an anomaly or an incident with
somebody's email system or somebody in your
organization believes that there's been a breach,
you want to make sure that they have a well-defined
incident response plan so that they can
identify, mitigate, and reduce the cost of the
cyberattack," Guccione said. "Most importantly,
we want to make sure that every person in the
organization knows what to do if they think
there's been a breach. They need to know who
to report it to, how to report it, and what to do.
So making sure that you have this plan in place
is of paramount importance."
6. Set up two-factor or multifactor authentication:
By now, we've all used two-factor
or multifactor authentication when logging into
something, whether on work computers or mobile
devices. Cybersecurity experts say it is an effective
and fairly easy-to-understand extra layer of security.
When used with single sign-on solutions,
multifactor authentication makes logging in easier
because it allows users to pass through many security
measures at once.
"When you sit in front of a system that's protected
with multifactor authentication, you present a username
and password, something you know, and then
you provide a PIN from a security token, something
you have. This can be a hard token, a soft token, or a
smart card," Steve Tcherchian, chief product officer
and chief information security officer at XYPRO
Technology, said during a webinar. "If you don't have
that token, you won't have that PIN. And that PIN, in
most cases, will rotate every 30 seconds. So even if
your username and password were stolen, unless the
attacker has that token along with your username and
password, what your PIN was at that moment in time,
your username and password is useless to them."
7. Make sure critical applications utilize zero
knowledge, zero trust, and end-to-end
encryption: Zero knowledge is "the premise that
only the user of your application has full knowledge
of your master password and complete control over
and domain of, in terms of ownership, your encryption
key that's used to encrypt and decrypt your
information," Guccione said.
"When you buy these products, you want to
make sure that any encryption or decryption is
done client-side, meaning it is done at the client
device level. It is not done at the vendor level," he
added. "The vendor should never be generating
those keys for you, and they should never have the
ability to decrypt and view your information. This
is really important."
The premise of zero trust is "the idea around
privileged access that you want to make sure in
a very simple world you can trust, but you always
must verify," Guccione said.
"At the end of the day, you should know through
event logging and reporting what every single user
on your system on every device is doing, what
they're accessing, and who they are transacting
with," he continued. "And you should have those
internal controls, those role policies, those enforcement
policies, the reporting, and the logging, and
the auditing capability in that ecosystem to make
sure you can lock everything down if there is an
incident, whether by a rogue employee or an external
adverse third party or bad actor. You can lock
down that device and make sure that you maintain
the integrity of your organization."
End-to-end encryption is really important to
have for sensitive information, such as personal
identifiable information, business assets like a
business plan or a financial model, tax returns, or
wiring instructions to a bank account, he said.
"If you're transacting over any type of ... application,
you want to make sure all of that information
is completely encrypted from point A to point B, and
that means from one user device to and through the
internet, down into that device and into their screen
from A to Z. You want to make sure that you practice
full end-to-end encryption," Guccione said. "These
three things are so critical because they're intrinsic
and existential elements of any great productivity
and security application."
8. Provide cybersecurity awareness training
that includes threats and best practices:
Guccione said it is extremely important that every
single person in the organization who uses a computing
device is trained on things like phishing
scams, cybersecurity awareness, the dark web, and
credential stuffing attacks. He added that phishing
simulations "are one of the best tools that you can
utilize in a company to prevent against a password-related
data breach."
9. Keep family members away from work
devices: Kaspersky recommends reminding
your staff to not allow other household members to
access their work laptops, mobile devices, and other
forms of hardware. They should also be reminded
of the importance of password protecting their
devices to prevent third parties from accessing
sensitive files.
Bourke recommends setting up a separate
network in your home for guests. "Do your work
under your secure Wi-Fi network that you have
in your house, and if you bring guests over, set up
a guest network. Guests should use that network
and have that password. It keeps things totally
separate," he said. ■
Jason Bramwell is senior staff writer for CPA Practice
Advisor. He has nearly 25 years of professional writing
experience, the last nine covering the accounting profession.
He most recently was a staff writer and editor at Going
Concern, and he previously spent five years as a staff writer
and editor at AccountingWEB. He can be reached by email
at jbramwell@cpapracticeadvisor.com.
http://www.CPAPracticeAdvisor.com
