Multi-factor authentication

IT Tips for Today’s Tax Professionals

April 2, 2019 by securewebsite

With tax day just two weeks away, many people may have their minds set on getting their taxes filed fast if they haven’t done so already. Tax professionals always find themselves swamped from February to May with businesses and individuals alike trying to finish up their taxes for the previous year. As a result, information technology (IT) may not be on the top of your mind as a tax professional but it should be.

With all of the personally identifiable information (PII) tax professionals work with on a daily basis from birthdates to social security numbers, IT security is a must to prevent breaches and data loss. Here are some top tips to keep your tax business and your clients safe.

Don’t Get Phished

Phishing emails are one of the most common ways hackers target businesses through email according to the Internet Security Threat Report Volume 24 by Symantec. “Employees of smaller organizations were more likely to be hit by email threats- including spam, phishing, and email malware- than those in large organizations,” according to the report.

Learn how to recognize phishing emails and train your employees to do so as well. Emails from unknown sources, especially those coming from someone pretending to be the Internal Revenue Service (IRS), e-Services, a tax software provider, or cloud storage provider should be deleted. Be sure to never open any link or attachments in suspicious emails as this is how the bad guys access your email and network. Note that the IRS never initiates initial contact through email with tax professionals regarding returns, refunds, requests for PII or other sensitive data.

The Symantec report does offer some good news in that “Phishing levels declined, dropping from 1 in 2,995 emails in 2017, to 1 in 3,207 emails in 2018.” This may be the result of better training and anti-phishing software. Be sure to keep your employees trained so your business isn’t phished.

Draft Your Data Plan

Every business, especially those in industries that are highly regulated or those that are often targeted due to the sensitive information they handle, should create a data security plan. When it comes to tax professionals, your security plan should use IRS Publication 4557, which addresses the proper safeguarding of taxpayer data. You will also want to look at Small Business Information Security- The Fundamentals developed by the National Institute of Standards and Technology, a non-regulatory federal agency charged with promoting U.S. innovation and industrial competitiveness.

These standards outlined in these publications will help you develop a data security plan that meets rigorous standards and the individual needs of your tax business. If you need assistance developing a data security plan, third-party vendors such as ORAM Corporate Advisors can handle this for you through an IT assessment.

Security Software

You’ll need to review the internal controls your business has in place to protect its data. Start with installing anti-malware and anti-virus software if you haven’t already done so, or if you have, you may want to update the software you have in place. This will need to be done on all of the devices used for business from laptops and desktops to routers and tablets. Don’t forget about your phones as well. Be sure to keep your security software set to automatically update as software companies push out updates and patches regularly.

Powerhouse Passwords

Be sure to use passwords that are powerful. Use a mix of at least 8 or more upper and lowercase characters, numerals, and signs in your passwords. Ensure your passwords are strong and unique for each different login you have. While this might seem overwhelming, there are a number of password managers available that can help you keep them all straight.

You will also want to password protect every wireless device in case of loss or theft. Use a phrase or words that are easily remembered and periodically change your passwords. Finally, never use old passwords and use multi-factor authentication wherever possible. Be sure to train your employees on these password best practices as well.

A Prescription for Encryption

In addition to strong password protections, one of the best ways to secure data in your tax business is to encrypt sensitive files and/or emails. In a worldwide survey of businesses by Statista, encryption was “employed extensively” by 63 percent of enterprises in 2018. Another 24 percent of businesses survey by Statista said encryption was partially deployed in their company databases. There are many types of encryption software to choose from. At ORAM, we recommend Mimecast for email encryption. For full-drive encryption, ORAM recommends eSet Endpoint Encryption so you can encrypt your sensitive files when they are in storage.

Back It Up

Be sure to back up all of your sensitive data to protect your business in the event of a disaster scenario. Ransomware is rampant, viruses can infect your network, and natural disasters such as fires and hurricanes can wipe out your data. To ensure that you always have access, have a backup plan in place and know exactly what you are backing up and to where. See ORAM’s blog on “The Biggest Backup Mistakes Businesses Make” to learn what to avoid.

Proper Disposal

Make sure that when you dispose of data, it’s being done so properly. Whether you are super shredding hard copies of data or replacing old computers, be cognizant of how you do it. All of your old computer hard drives should be wiped clean or destroyed before you dispose of them. This is also true of printers which can also store sensitive data.

Limit Access

Limit access to taxpayer data to only those employees who require it to fulfill their job duties. This is meant to protect both your client data as well as your own business. While many breaches happen due to outside sources, internal threats are still an issue in organizations around the world.

As a matter of fact, an online article from Security Intelligence reported that insider threats account for nearly 75 percent of security breaches. Disgruntled employees, those recently let go, and others may be ready to turn on your business to make a buck or out of spite. In the IT world, this limited access is known as the practice of least privilege. Be sure to employ it to protect your business from insider threats.

Check Your IRS e-Service Account

Be sure to check in on your businesses IRS e-Service account on a weekly basis. This allows you to ensure that the number of returns your business has filed with its EFIN is correct. If there are any discrepancies with the number of returns filed, contact the IRS immediately. Additionally, you will want to report any data theft or loss immediately. You will need to determine the appropriate IRS Stakeholder Liaison with whom to report the loss.

Keep In Contact

Stay in contact with the IRS and keep abreast of new developments though a subscription to the e-News for Tax Professionals, the latest national and local IRS news. QuickAlerts sends important messages, within seconds, to keep you up to date on the events that affect authorized IRS e-file providers like you. You can also keep in contact with the IRS through various social media as an authorized IRS e-file provider.

The IRS also has a Data Security Resource Guide for Tax Professionals that details the signs of data theft, teaches you how to report data theft to the IRS, and provides a number of data theft links. We recommend all tax professionals download the guide and read through it so you are prepared for a worst case scenario. This way you won’t be struggling for resources when you’re already under stress.

If you need more assistance securing the data of your tax business, please contact ORAM today at (617) 933-5060 or visit us online. We are happy to schedule a free initial consultation to get your tax business on the road to better security fast.

Major components of a solid cybersecurity plan for businesses

January 15, 2019 by securewebsite

It happens every day. Businesses of all sizes experience data breaches which can lead to the loss of proprietary or private client data, damage a company’s reputation, or even unleash lawsuits. The consequences can be so damaging, in fact, that an organization may face closure as a result.

In addition to the aforementioned concerns, small to medium-sized businesses face additional challenges that larger businesses often don’t; a lack of IT personnel, funding for strong IT, and knowledge for developing a cybersecurity plan, for example. With that said, there are several major components every business owner and leader should consider when creating a solid cybersecurity plan that will serve to best protect their organization.

IT Audit
The first step in creating a cybersecurity plan for your business is to conduct an IT audit. An IT audit is when your company’s information technology (IT) infrastructure, policies, and operations are examined and evaluated for security purposes and to see if they measure up to best practices. This will help determine where your security is strong and where it needs improvement.

Information technology audits allow businesses of all sizes to determine if the controls (hardware, software, practices, and policies) they have in place protect the company’s assets, ensure the integrity of data, and align with the organization’s overall goals. These audits are typically conducted by IT auditors who examine the physical security of your business in addition to the security of your information systems ranging from financial controls to your company’s overall business policies.

Some IT organizations such as Oram Corporate Advisors offer free technology assessments to get you started. These free technology assessments can assist in strategically evaluating whether your IT infrastructure is ready to grow, identify areas of opportunity for improvement, and can “red flag” areas that require deeper analysis and adjustments. Just remember that all technology assessments are not created equal and you often get what you pay for.

When it comes to IT audits, they can be expensive, but businesses need to have them to secure their organizational data, assure clients that their information is safe, and to protect their reputation. Additionally, many industries are now required by their state and/or federal government to participate in regular audits among other IT regulations. Be sure to check with your state and federal government to determine if your business is affected by such IT regulations. Your IT auditor should be able to answer these questions for you as well and assist your business with regulatory compliance requirements.

The cost of an IT audit can be prohibitive for many small to medium businesses. As a matter of fact, they can run into the thousands depending on how much work has to be completed to conduct the audit. Fees are typically charged on an hourly basis and can range from IT company to IT company. Most IT auditors should be willing to give you a free estimate, however, so you know what your investment will be.

Employee Training
The next step in developing a solid cybersecurity plan for your business is to train your employees. After all, your employees can be your strongest line of defense or your weakest link. Information technology best practices require regular IT training for all employees.

Every employee should know certain IT rules such as not opening emails or attachments from unknown or untrusted sources. Phishing scams are one of the most common ways hackers attempt to infiltrate business networks using email. Other items employees should be trained on include spear-phishing, executive whaling, and malware. Training should also include specific company IT policies and procedures that support better data security. Employees should also be trained in a myriad of other topics such as the proper disposal of confidential data (both digital and hard copy), how to handle requests for information, and how to report a suspected breach.

A blog by Forbes magazine online offers small and medium businesses five tips on how to train employees. While these are general training guidelines for any type of employee education, they can also be applied to IT training. In addition to hosting your own educational meetings, most IT companies offer employee training for best IT practices as well. The cost for such training will depend on which company you hire, how frequently you wish to schedule training, and how many employees you have.

Your WISP
The third component of your business cybersecurity plan should be your written information security plan or WISP. This encompasses many items and includes several steps in and of itself. You will need to sit down with an IT specialist and outline a WISP that is specific to your business and the information it holds. Your WISP will need to include the following at a minimum:

Objective– Outlines your WISP including the creation of effective administrative, technical, and physical safeguards for the protection of personal and proprietary information.

Purpose– Outlines what your WISP will do such as ensuring the security and confidentiality of personal information, protect against any anticipated security threats, and protect against unauthorized access or use of information.

Scope– In formulation and implementing your WISP, outline the scope of the plan including reasonably foreseeable internal and external risks, the potential and likelihood of damage caused by such risks, evaluate the sufficiency of your existing IT policies, and design and implement a WISP that puts safeguards into place to protect data. In addition, regular monitoring of the effectiveness of those safeguards should also be included.

Data Security Coordinator– Designate a data security coordinator in your WISP that will implement, supervise, and maintain your written plan. They will head the initial implementation of your plan, train employees, and regularly test the safeguards outlined in the WISP. The security coordinator will also evaluate the ability of each third-party service provider to supply appropriate security measures for information to which they have access. They will also review the scope of the security measures in the WISP and conduct annual training for all employees including the owners, managers, and independent contractors as well as temporary employees who have access to personal information.

Internal Risks– Identify probable internal risks to security, confidentiality, and/or integrity of electronic, paper, or other records containing personal or proprietary information. Also evaluate how to limit such risks and implement necessary measures for reducing them.

External Risks– Identify probable external risks to security, confidentiality, and/or integrity of electronic, paper, or other records containing personal or proprietary information. Also evaluate how to limit such risks and implement necessary measures for reducing them.

Implement Your Plan
Implementing your business’s cybersecurity plan is the next step. This includes adding data security features you have opted to employ in addition to making employee training a reality, integrating new software such as updated anti-virus and/or firewall programs on your network, and updating patches to existing software.
Other layers of your cybersecurity plan should include:

Social Media Education– Hackers can find personal information online from social media sites such as Facebook, Instagram, and LinkedIn that they can use to manipulate employees of companies, getting them to disclose personal or sensitive information. Train employees about social media best practices as well as the use of different passwords for each site, software, or application they use. Emphasize your company’s security protocols as well as IT best practices such as the use of least privilege.

Let’s Get Physical, Security– While you may think your building is secure enough to protect your sensitive data, good hackers know how to penetrate this type of security. Be sure not to leave computers exposed and destroy all hard drives using professional services. Physical security breaches can be avoided by encrypting hard drives, leveraging cloud backups, and enclosing hardware ports exposed to the public. Employing theft recovery software, checking door locks and cameras, and properly disposing of shredded paper also help.

Wi-Fi Protection– Wireless internet can also pose a threat. Wi-Fi signals can extend beyond office walls. A bad actor can connect to your signal from far away and infiltrate your network where they can steal files containing proprietary or personal information. Businesses should employ WPA2 (Wi-Fi Protected Access 2) protocols as they are safer than the old WEP (Wired Equivalency Privacy) or WPA (Wi-Fi Protected Access) protocols. Ensure your router has a strong, unique password that is not easily guessed.

Password Protocols– Passwords should be changed often and kept private. Train employees on this and teach them that the strongest passwords include uppercase and lowercase letters, numerals, and special characters. Additionally, passwords need to be different across all accounts. The best way to remember passwords is to use a password manager. There are some free password managers available but the most secure ones typically charge a small annual or monthly fee. Most also allow businesses to sign up for a membership that covers all employees.

Two-Factor Authentication– Even with difficult, unique passwords on every account, seasoned hackers can often penetrate security. As a backup, it’s best to employ multifactor authentication wherever possible. Most large companies use it including Apple, Google, and Dropbox. Using a mobile number and/or email account, multi-factor authentication provides an added level of security. Your business can also implement it with other applications and services as well. New technology such as facial recognition, fingerprints, and/or ultrasonic sounds are on the near horizon and companies should prepare to employ more secure technologies as soon as they are commercially available.

Email Security– This is the most necessary asset for your business to protect. Once in your email, hackers can reset passwords and wreak all types of havoc so be sure to prioritize protecting company email. Never click links in emails or attachments from untrusted or unknown sources as these could take you to a phishing site that looks like a real website. Using Google Gmail and Google Apps is recommended given they have the best spam, virus, and phishing protections available in addition to multifactor authentication already built in.

Anti-Virus– Keep your anti-virus updated at all times. While this helps protect your email and other sensitive information, new malicious viruses are always being created. That means anti-virus companies are always updating their software to address the threats on their “blacklists.” Consider using a service that employs a “whitelist,” which only allows software and programs that are pre-approved to be downloaded adding extra security to your network.

If you need assistance with conducting an IT audit, crafting an IT plan or WISP, or implementing your plan, contact Oram Corporate Advisors today at (617) 933-5060. You can also reach out to us online. Our professionals are always here to support your business with superior IT and IT services.

‘Tis the season for being victimized

November 13, 2018 by securewebsite

Tips for staying safe online this holiday season

Whether you’re sharing plans for your upcoming vacation on Facebook, you’re knocking out holiday shopping online, or you’re a retailer ready to strike while the iron is hot through a virtual store, the holidays can be risky business. Hackers connive year-round to steal important data that can leave you broke or your organization in shambles, but the holidays are an especially profitable time for them.

With modern technology, information is always at our fingertips. What you don’t want is your information being shared as it can put you at risk online and off both as an individual and as a business leader. Here are some things to think about before sharing, shopping, and selling online this season.

Beware & Don’t Overshare
It is hard not to get wrapped up in all the excitement of the holidays and want to share it with others. After all, who wouldn’t want to read about all of the visitors, gifts, and fun from your seasonal gatherings? While you may wish to share photos of your family, talk about your travel plans, and show off your new gifts, you must be wary of sharing too much.

Just as your friends and family enjoy your posts cybercriminals, cyber criminals could be as well. The information you share on social media accounts, especially when your privacy settings are public, can be seen by everyone. Criminals can use this information to misrepresent themselves as someone you know, use the information to crack your account passwords, or even learn when you’re out of town to rob your home or business.

Put a Lock On It
Analysts project that there will be more than three billion active social media users by 2021, according to Statista, a compilation of statistics and studies from more than 22,500 sources. That equates to about 40 percent of the world’s population. Be sure to set your accounts to maximum privacy and carefully choose who you give access to your social media. Here are a few tips to keep you socially savvy during the holiday season:

• Set the privacy settings to be as secure as possible.
• Don’t accept friend or connection requests from people you don’t know.
• Be careful not to overshare on your social media.
• Never announce when you have plans to be out of town on social media.

Online Shopping Set to Boom
When it comes to online shopping during the months of November and December, this year promises to see the largest online holiday sales yet. According to a piece by Shopify, worldwide online holiday sales reached $94.4 billion in 2016 but that jumped to $108.15 billion in 2017. Online purchases peak between Black Friday and Cyber Monday but the entire week of Thanksgiving is one big shop ‘til you drop event for consumers. According to the Shopify article, online spending is set to jump again this year with an estimated $3.35 billion in expected sales on Thanksgiving and $5.8 billion in sales for Black Friday which means people are learning to love shopping from the comfort of home.

Safer Shopping
The thought of dragging yourself to the store, fighting holiday crowds, standing in long lines, and dealing with traffic can make the holiday elf in all of us quickly turn into the Grinch. Avoiding all of that while easily finding the best deals on the gifts we want to give (and get) has become irresistible. Criminals can put a huge dent in your holiday budget though, if you aren’t careful.

To best protect yourself while shopping online, stick to retail websites you already know and trust. Avoid shopping through links on social media and email as they can take you to legitimate-looking sites that are actually fraudulent. If you do find a must-have gift on an unfamiliar site, do some investigative work before handing over your credit card number. Check the company out online, see if they have a social media following, and read customer reviews. You can even contact the business directly and call the Better Business Bureau for more information.

You will also want to ensure that when you sign up for new accounts that you use strong passwords that are unique to each site. You can use a password manager to help you keep track of new accounts. Be sure to use a complex set of lowercase and uppercase letters, numerals, and special characters when creating your passwords.

Be On Alert
Regardless of when you do your holiday shopping online, there are some precautions you should be taking. There is an easy acronym (ALERT) to help you shop smart and stay safer online:

• A– Activate two-factor authentication on all banking transactions. This means that you need to input a one-time password (OTP) which is sent by your bank (via SMS or email) to confirm the transaction. This provides an added level of security as anyone trying to use your cards would also have to have access to your mobile phone or email.
• L– Look for signs that the site you are shopping on is secure. Before you type your card details into a website, look for a small padlock symbol in the address bar and a web address beginning with https:// (the s stands for ‘secure’).
• E– Enter a web address yourself and don’t access it through links. Links in email messages, text, instant messages and pop-up ads can take you to websites that look legitimate but are not.
• R– Review all transactions, check your statements, and SMS notifications to ensure that all debits from your account are familiar. Use credit cards, not debit cards, for online shopping. Credit cards offer better fraud prevention and consumer protection.
• T– Treat your details with care. Don’t save your card details on your computer or in your browser. Be selective as to where you input your details, avoid shared devices, and always make sure your security software is up to date.

If You’re the Store
If your business allows people to shop, pay, or schedule appointments online, then it has a responsibility to protect client data at all times. This is especially true during the holidays when hackers are even more likely to attempt to swipe credit card data or personally identifiable information (PII). To ensure the privacy and protection of your clients, you will want to employ the CIA Triad:

• Confidentiality– Ensure the privacy of data so it can’t be accessed by unauthorized parties.
• Integrity– Ensure the accuracy of data in a manner that guarantees the data is reliable.
• Availability– Ensure data is available and cannot be destroyed either maliciously or accidentally.

This triad provides a structured approach to helping businesses appropriately store, transfer, and protect client data as well as their own. In order to do a thorough job of protecting vital, proprietary data, we need to consider data privacy from all angles and the CIA Triad allows us to do just that by encouraging us to think before we click, verify sources of information and requests, ensuring accuracy, and following data security policies.

Keep It Updated
Whether you are an individual or a business, ensure your devices from mobile phones and tablets to laptops and desktops are kept up-to-date. You don’t want to miss any security patches that address vulnerabilities that might make you an easier target for the bad guys. You also want to keep updated on the latest cyber threats, so you know what to watch for and protect yourself against.

Wi-Fi Wisdom
According to Cisco, experts estimate by 2020 there will be 432.5 million public Wi-Fi hotspots. While this relieves your data use when you’re out and about, cybercriminals love them because they can use such public networks to capture PII, credit card credentials, and other profitable data.

Avoid Email Scams
We have all seen them. Those incredible sales and deals that pique your shopping interest, especially during the holidays when we are looking for the perfect gift. Email security is particularly important during the holidays when email scams seem to multiply.

While it’s tempting to click away and open those emails, be careful. Those special offers can lead to computer viruses, malware, and much worse. Play it safe by deleting emails from unknown sources. If you don’t know the company or person sending you an email, simply trash it and definitely don’t open any attachments from unfamiliar businesses or individuals.

Extra Safety Tips for Holiday Shopping, Sharing, and Selling
Here are a few other professional tips to keep your data safer this holiday season:

• You are likely to find yourself in more crowds this time of year. Be careful not to discuss sensitive personal information or business in places such as stores, at parties, or on public transportation.
• Lock your computer screen whenever you walk away from your desk during the workday. When you leave for the evening, log out and shut your computer off as most companies run updates and security scans in off-business hours.
• Don’t disclose sensitive personal or business information on social media.
• Be sure to pick up printed documents immediately from the office printer and clear your desk before leaving it. Don’t leave papers lingering as data can fall into the wrong hands.

Get even more smart security tips online with the Pause, Think and Act security awareness video. You can also contact Oram at any time for extra assistance with ensuring a safe, smart, and successful holiday season for your business. Visit us online or call us now at (617) 933-5060.

Multi-factor authentication: A necessity for today’s businesses

July 9, 2018 by securewebsite

Just recently I had a client contact me here at Oram about a serious security issue. Another business they work with was hacked and it nearly ended up costing my client big money. The worst part about the whole situation is that with the right technology in place, it could have been easily prevented.

The Problem Hack

The client called in to say he had wired his travel agent about €1.4 million (or roughly $1.63 million U.S.) for an extended European family vacation. Well, lo and behold, the travel agency’s email was hacked. Turns out a hacker, not the travel agent, had been communicating with my client for the entire month. My client thought he was planning this event with the travel agent when, in fact, he was communicating with a cybercriminal. Everything culminated when the hacker, posing as the agent, sent my client the wiring instructions for the funds.

The way that this hack presented itself was that a person in Germany deployed a phishing scheme to compromise the travel agent’s email. The hacker had been monitoring the agent’s email for a number of weeks and was just waiting for some event like my client’s to occur so they could then interrupt the communications.

The reason the travel agent was none the wiser is that the hacker also set up rules in the mailbox so that any time a communication came in from my client, it would go straight into the deleted items. This made it so the travel agent had no idea that someone else was communicating by email with my client.

Luckily, this scenario ended on a positive note. My client was able to get all of his money back. The FBI is now involved with the situation to try and catch this criminal. Without Oram, the travel agency would never have been alerted to the hack and may have seen more of its customers defrauded of their funds.

Passwords Aren’t Enough

The reality is that the majority of data breaches occurring today are the result of compromised authentication. Though having a strong password is a great start for implementing security, just having this one step in place can leave your network incredibly vulnerable. That’s why multi-factor authentication (MFA) is so important, particularly for securing your business’s most valuable data.

According to the 2017 Cost of Data Breach Study by the Ponemon Institute, data breaches cost businesses millions of dollars each year in the U.S. alone. The study also shows the likelihood of a business experiencing a recurring material data breach within the next two years after an initial hack is nearly 28 percent. Data breaches are the most expensive to deal with in the United States and Canada, costing $225 million and $190 million respectively. The average total organizational cost of breaches in the United States found in the 2017 study was a whopping $7.35 million.

Why Your Email Is Key

The reason hackers want into your email is that it can lead to a huge payday. With access to your email, a cybercriminal can log into any account you have by simply clicking on “forgot my password.” This allows them to create a new password using your email.

Access to your email allows criminals to create new, fraudulent accounts in your name. They can use your identity and email address to open new accounts and create their own passwords. From there, the possibilities are limitless from ordering goods online to withdrawing your entire life savings.

In addition to your business being negatively impacted, the friends and connections in your email network can also be put at risk for infection. Or, in the case of my client, hackers can steal access to your clients and could possibly ruin solid business relationships. Many criminals even sell access to hacked email accounts on the black market. The amount of damage that can be done in less than an hour is astounding.

How It Works

Multi-factor authentication is a security system that requires more than one method of authentication to verify a user’s identity. This can range from requiring passwords that must periodically be changed by legitimate users to requiring a one-time PIN provided via smartphone for access.

Without having all of the required pieces of information, a user would not be able to log in successfully. This means better protection for you and your business. Multi-factor authentication can help secure everything on your business network from logging into your server to shared resources and employees who bring their own devices to work. Some larger organizations that use MFA that you are probably familiar with include Google and PayPal. Most financial and medical institutions also employ MFA as well.

Our Recommendation

The moral of the story is that whether you are using personal email or corporate email, you need MFA. Had my client’s travel agent employed MFA, this hack would likely have never occurred. The would-be criminal would have likely hit a brick wall of security and moved on to a less secure target.

While Oram already recommends multifactor authentication, going forward, we are requiring our clients to utilize MFA for everything possible from email and icloud accounts to banking and financial sites. The reasoning behind this is that MFA significantly reduces the risk that a cybercriminal could access your most important systems. Additionally, it adds extra layers of security that will make your network and other proprietary systems that much more difficult to breach.

If you would like to learn more about multi-factor authentication or other ways to better secure your business, we are happy to assist you. Call Oram today at (617) 933-5060 or visit us online.