Posts Tagged ‘internal controls’


Create STRONG passwords that you won’t forget!

Monday, June 11th, 2012

Too often we are expected to create random, complicated passwords with special characters and lots of restrictions. Especially now, with all the security breaches, we recommend the following method to help you develop passwords that are strong and easy to create and remember:

For website passwords, use the first four or five letters of the website to start the password. For example: 

Website             Password
www.amazon.com      amaz
www.citibank.com    citi
www.hotmail.com     hotm


For added security, add the @ symbol and a number (1,2,3,4,5,6,7,8,9,0) to the first letters of the website. For example:

Website             Password
www.amazon.com      amaz@1
www.citibank.com    citi@1
www.hotmail.com     hotm@1


Pick a phrase that is easy for you to remember, but that no one else will be able to attribute to you. For example:

Passphrase: “My Wife’s Birthday Is April Twenty-Fifth Nineteen Sixty Six”

Use the first letter of each phrase to form an abbreviation. For example:

m – My
w – Wife’s
b – Birthday
i – Is
a – April
t – Twenty-
f – Fifth
n – Nineteen
s – Sixty
s – Six

Abbreviated pass phrase: mwbiatfnss

Add the passphrase to the first letters of the website, the @ symbol and number. For example:

Website             Password
www.amazon.com      amaz@1mwbiatfnss
www.citibank.com    citi@1mwbiatfnss
www.hotmail.com     hotm@1mwbiatfnss

Following this pattern will help you develop strong passwords that are easy to create and remember. Remember that at a minimum the passwords must:

  • contain at least 1 letter
  • contain at least 1 number or punctuation mark
  • be at least 8 characters long
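The four steps above (site prefix, @ and a digit, abbreviated passphrase, then the three minimum requirements) combined into one routine, as an added example that is not code from the post. The function names, the handling of a leading scheme or path in the address, and the choice of four letters for the site prefix are assumptions; the passphrase is the post's own sample, reproduced as a constructed constant.

```python
import re

# Constructed sample: the passphrase used in the post's own example.
PASSPHRASE = "My Wife's Birthday Is April Twenty-Fifth Nineteen Sixty Six"


def site_prefix(url: str, length: int = 4) -> str:
    """Step 1: first `length` letters of the site name.

    Ignores an optional scheme, a leading 'www.' and any path, so
    'https://www.citibank.com/login' and 'www.citibank.com' agree.
    """
    host = url.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host)   # drop http:// or https://
    host = host.split("/")[0]                # drop any path
    if host.startswith("www."):
        host = host[4:]
    label = host.split(".")[0]               # 'amazon' from 'amazon.com'
    return label[:length]


def abbreviate_passphrase(phrase: str) -> str:
    """Step 3: first letter of each word, lower-cased.

    Hyphenated words such as 'Twenty-Fifth' contribute one letter per
    part, matching the post's 't' and 'f'.
    """
    words = re.split(r"[\s\-]+", phrase.strip())
    return "".join(w[0].lower() for w in words if w and w[0].isalpha())


def derive_password(url: str, digit: int, phrase: str) -> str:
    """Steps 2 and 4: prefix + '@' + digit + abbreviated passphrase."""
    return f"{site_prefix(url)}@{digit}{abbreviate_passphrase(phrase)}"


def meets_minimum(password: str) -> bool:
    """The post's three minimum rules: a letter, a digit or punctuation
    mark, and at least 8 characters."""
    has_letter = any(c.isalpha() for c in password)
    has_number_or_punct = any(c.isdigit() or not c.isalnum() for c in password)
    return has_letter and has_number_or_punct and len(password) >= 8


if __name__ == "__main__":
    for site in ("www.amazon.com", "www.citibank.com", "www.hotmail.com"):
        pw = derive_password(site, 1, PASSPHRASE)
        print(f"{site:<20}{pw}  meets minimum: {meets_minimum(pw)}")
```

Running the block reproduces the post's three sample passwords; `meets_minimum` reports that the intermediate `amaz@1` form from step 2 fails the length rule on its own, which is why the passphrase step is needed.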

_____

Jorge Rey, CISA, CISM, CGEIT is an associate principal and the director of information security & compliance for Kaufman, Rossin & Co. Kaufman, Rossin is one of the top CPA firms in Florida. Jorge can be reached at jrey@kaufmanrossin.com.

How to choose the right Service Organization Controls report

Thursday, March 8th, 2012

If you provide outsourced services to your clients, an excellent tool to create trust and confidence is the service organization controls (SOC) reports. These reports can boost growth, win and retain clients and open new markets. 

But which one is right for your organization?

The SOC reports replace and expand the previous standard, SAS 70. We have seen a seamless transition from the old standard to its replacement, the SOC 1 report (or SSAE 16). This report examines internal controls at a service organization that impact a user entity’s controls over financial reporting.

However, we are still seeing some confusion with the new reports (SOC 2 and SOC 3). The new reports are designed to examine operational issues, such as security, availability, integrity, confidentiality or privacy. And, since both reports examine the same areas, many of our clients are asking us why they should get a SOC 2, SOC 3 or both.

To assess what report is right for you, ask:

  • Do your customers have the need for/ability to understand the details of processing and controls at a service organization, the tests performed by the service auditor and results of those tests?  If the answer is yes, a SOC 2 report will be right for you.
  • Do you plan to use the report to market your services?  Do you need to make the report readily available?  Does a certification seal add value? If the answer is yes, a SOC 3 report will be the right choice and not a SOC 2.

Should you get both?

From the auditors’ perspective, the work we do to issue the SOC 2 and SOC 3 report is the same.  It’s the actual report and opinion that are different.  We are recommending our clients get a SOC 2 report and, since the work has been done, also issue a SOC 3 report. This way you will get the best of both worlds.

For more information on SOC reports, please refer to our white paper New Tools Help Service Organizations Win Clients’ Trust.

Jorge Rey is Director of Information Security for Kaufman, Rossin & Co., one of the top CPA firms in the country. He can be reached at jrey@kaufmanrossin.com.

Hackers Target South Florida Businesses

Friday, February 3rd, 2012

Are you prepared for the financial loss and business disruption that would occur if a hacker grabbed $50,000 from your bank account? Cyber criminals are targeting the bank accounts of small and medium sized businesses in South Florida and worldwide. And in many cases, the banks aren’t liable for your loss.

How can hackers get into my account?

To obtain access to financial accounts, cyber criminals target your employees – often senior executives or accounting personnel. They steal their personal information and log-in credentials for your online bank account using one of many methods, including mimicking your bank’s website, or using malware and viruses to compromise your business’ system. Then the criminal transfers funds by ACH or wire transfer to the bank accounts of associates within the U.S., or directly overseas by wire. A business’ systems may be compromised by:

  • An infected document attached to an email
  • Employees visiting legitimate websites – especially social networking sites – and clicking on the infected documents, videos, or photos posted there
  • An employee using a flash drive that was infected by another computer
  • A link within an email that connects to an infected website.

Think your employees don’t click on suspicious links?

If you’re thinking your employees are too smart to click on a link that says “There is a problem with your banking account, please reconfirm your ID and password,” you may be right.

But what about one from the Better Business Bureau that says “A complaint has been filed against you,” one from UPS that says “There’s a problem with your shipment,” or one from the court system that says “You have been served a subpoena?”

But isn’t my bank responsible for the loss?

Actually, when you set up your online business account, you probably signed papers accepting responsibility for losses like these.  In some cases the bank will work with you, in the interests of good customer service.  But don’t count on it.

Most companies I visit think their anti-virus software is working.

Many times they are wrong!  To enhance the security of your computer and networks, you should:

  • Install and maintain real-time anti-virus and anti-spyware software, a desktop firewall, and malware detection and removal software. Use these tools regularly to scan your computer. Allow automatic updates and scheduled scans.
  • Install routers and firewalls to prevent unauthorized access to your computer or network
  • Perform IT Security evaluations periodically.

You can also enhance the security of your corporate banking processes and protocols by:

  • Dedicating one highly secured computer exclusively to online banking and cash management activity.
  • Not performing online banking and cash management activities in Wi-Fi hotspots, including airports or Internet cafes.
  • Initiating wire and ACH files using dual control — for example, file creation by one employee and file approval and release by another employee on a different computer with a different user id.
  • Reviewing accounts regularly.  This enhances the ability to quickly detect unauthorized activity and allows the business and the financial institution to take action to prevent or minimize losses.
  • Discussing the options offered by your financial institution to help detect or prevent unauthorized payments or changes to your accounts.

Jorge Rey is Director of Information Security for Kaufman, Rossin & Co., one of the top CPA firms in the country. He can be reached at jrey@kaufmanrossin.com.

Professional...or entrepreneur?

Wednesday, August 31st, 2011

Attorneys, accountants, and physicians study for years to offer wise counsel and quality service to clients and patients.  But adding a course in entrepreneurship might have prepared us better for 2011!   The ongoing economic downturn, increase in competition, and ever-shifting technology landscape are just a few of the factors that professionals must contend with, particularly when managing small practices.

3 key competencies

You can’t afford to ignore these three areas.

  1. Financial controls.
    Do you work hard for your revenue? Then make sure it’s protected. According to the Association of Certified Fraud Examiners, the typical organization loses 5% of annual revenue to fraud, and small organizations are disproportionately affected. People you’ve trusted for years who are facing harsh economic realities may find themselves tempted. If you aren’t sure you understand how your accounting system works, or whether your electronic transactions are secure, invest in an expert review of your procedures and controls.
  2. Strategic marketing.
    Would you benefit from more business? Don’t just wait for it to walk through the door. Don’t think that what worked 20 years ago will work for you today. And absolutely don’t think that using online media is unprofessional! More and more business decisions are made based on non-traditional marketing, including social media. According to a new report from the Pew Research Center, 50% of adults use social networking sites. People trust personal recommendations (including from their Facebook Friends) and increasingly distrust paid advertising. If you haven’t figured out how social media fits into your marketing strategy (or you don’t have a strategy at all), seek professional help.
  3. Intelligent technology.
    You don’t neglect your ongoing professional training, and you don’t let yourself fall behind as your field advances. But most professionals only think about their computer systems when they need tech support. It’s like the furniture in the waiting room: if there are no holes in the upholstery, all is well. If that’s your attitude, you may be exposing yourself to risk: information security risk, compliance risk, and the ever-so-real risk of missed opportunities. Choosing the right systems, implementing them properly, and training your staff is one investment you won’t regret.

These are just a few of the many entrepreneurial skills that today’s professionals can’t ignore.  What new skills are you learning?

Janet Kyle Altman is a principal with the entrepreneurial accounting firm Kaufman, Rossin & Co.  She provides marketing consulting, facilitates planning meetings, and offers training and coaching in leadership.  She can be reached at jaltman@kaufmanrossin.com.

CEOs and CFOs are more involved in security policy decisions

Monday, May 23rd, 2011

I recently read the article, Security Moves Center Stage, which highlights the results of Information Week’s 2011 Strategic Security Survey. To my surprise, the survey finds that CFOs and CEOs are getting more involved in security policy decisions and spending.

As a CEO or CFO, you should be able to answer the following questions:

  • How vulnerable is your data to an attack?
  • If your network or systems goes down, how much money can you potentially lose?
  • What are your cyber liabilities?
  • What is your exposure if your organization suffers a large financial loss due to a security breach?

Security-related risks are increasing daily and no company is immune. Businesses of all sizes face threats to the security of their information technology systems and sensitive information, and a security breach can result in irreversible damage to a company’s finances and reputation. If you were unable to answer the questions above, it might be time to call an information security professional to help you ensure that your information security policies are properly designed and operating effectively.

__________
Jorge Rey is Director of Information Security for Kaufman, Rossin & Co., one of the top CPA firms in the country. He can be reached at jrey@kaufmanrossin.com.

7 tips to protect your new venture

Monday, May 10th, 2010

New business ideas are hatching every day. Whether you’re capitalizing on the Green Movement with a new solar-powered motorcycle or marketing the Fountain of Youth to aging baby boomers, starting a new venture brings both opportunity and risk.

One important risk area many entrepreneurs neglect is the risk to your data. Did you know that a business can be held responsible for identity theft if you don’t protect your clients’ sensitive personal information? This is no small matter: the chance of a data breach increases every day; the risks to your financial well-being and your reputation are enormous. 

What should an entrepreneur do to protect your data at this very delicate stage of the business lifecycle?   Here are some important tips for new businesses…and existing ones.

  1. When you design your network, you’ll want to provide remote access. But make sure to protect sensitive data. Your network should be protected with firewalls. Publicly accessed servers should be segregated from the internal network. If you are planning to use wireless access, take additional steps to protect this access point.
  2. Install anti-virus software and update it regularly.  New viruses crop up daily – old software won’t protect you.
  3. Implement a business continuity plan that takes into consideration business process priorities, maximum allowable downtime and cost associated with downtime.
  4. Implement physical security devices (e.g. cameras, card readers).  If  your hardware leaves the building, your data goes with it!
  5. Require strong passwords, and mandate frequent changes.  If staff will be using laptops outside the office, consider hard drive passwords that protect your data even if the hard drive is removed.
  6. Develop and implement an Information Security Policy.   Make sure your employees are trained on the policy.  Include:
    • policy maintenance
    • asset management (including information handling)
    • physical and environmental security
    • communications and operations management
    • access control
    • information systems acquisition
    • development and maintenance (including vulnerability management)
    • information security incident management
    • business continuity management, and
    • compliance with legal requirements.
  7. Outsource services that support your business but are not core to your organization. These include IT support, email messaging, on-line back-ups, and more. These disciplines change rapidly, so using outside professionals is the safest choice. But perform the proper due diligence to engage the right vendor. Review audited financial statements, service delivery capability, internal controls and security (e.g. SAS 70) and insurance. Ask for references, and check them.

On a yearly basis, review regulatory requirements and verify that your policies address them. Make sure your procedures are updated as changes in your business occur. Verify internal compliance with your policies and monitor third party vendors. And train your employees — the new ones as they join you, and the existing ones annually!

Jorge Rey is Director of Information Security for Kaufman, Rossin & Co., one of the top CPA firms in Florida.  He can be reached at jrey@kaufmanrossin.com.

Think your funds are safe? Think again.

Thursday, September 3rd, 2009

If you’re in business, there’s an increasing chance that you’re being defrauded. It stands to reason: in tough times, people become desperate. And in times like these any loss can cripple a small business.

In fact, a recent report by the Association of Certified Fraud Examiners revealed that more than half of the experts surveyed believe fraud has increased during the recession — and, the report notes, there are always the unreported or not-yet-uncovered incidents.

The average fraud-related loss in the U.S. comes to about 7% of revenues — and small businesses suffer more.  Can your business afford a loss? 

There are some basic steps that every business should take to protect against employee embezzlement and other types of fraud.

Law firms: Are your trust accounts secure?

Sunday, August 9th, 2009

Many law firms, large and small, hold funds in trust (or escrow) for their clients. These funds can be entrusted to you for a very short term, or for quite a long time, and the amounts can be substantial. But whatever the circumstance, make no mistake, you are responsible for the security of those funds.

Are you sure that your trust accounts are secure?

Making sure those funds are properly safeguarded requires adequate internal controls. Internal controls are a process by which those charged with governance promote operational efficiency, help ensure the reliability of financial statements and compliance with laws and regulations, and (perhaps most important to a law firm’s reputation and profitability) reduce the risk of asset loss.
