Security and Compliance

Security Series Part 4: Protect Internal Systems

James Sparrow
October 12, 2017

As your firm’s systems and processes become increasingly digital, computers are becoming an increasingly attractive target for online attackers, providing an entry point to access a variety of systems and accounts. There are multiple routes into these systems, from open network connectivity to targeted malware. Below we’ll share some simple advice for protecting against threats to your internal systems.

1. Keep your systems up to date

One of the greatest threats to your internal systems is malware—software that’s created specifically to damage or disable computers and their systems. Many malware threats operate and spread by taking advantage of weaknesses in software for which fixes have long been available. Unfortunately, those fixes are often never applied to the vulnerable systems.

Modern operating systems, like Windows and Mac OS X, support automatic installation of critical updates; you just need to enable it. Many application packages, like Microsoft Office and Adobe Acrobat, also support automatic updates. Given their widespread use in the business world, these applications offer a rich target for hackers. If the applications you use offer automatic updates, enable this feature now.

2. Install anti-malware software

Clicking a link in an email that looked legitimate, downloading a file from a site you thought was secure—you or other staff members at your firm take actions like these every day that could infect systems with malware. The damage can range from keyloggers stealing passwords to ransomware holding your data hostage.

Reduce your risk of falling victim to attacks like these by making sure antivirus or anti-malware software is installed and properly configured on all of your systems. Once installed, be sure to enable real-time checking so that files and downloads are analyzed the moment they are opened or saved, rather than only during a scheduled scan. You should also schedule full computer scans weekly at a time that doesn’t interfere with your work. If you’re using Windows 8 or later, Windows Defender antivirus is pre-installed and just needs to be configured.

3. Enable your firewall

A firewall inspects the communications coming into or out of your PC and determines whether to allow them to continue or block them. Firewalls can prevent attackers from gaining access to your computer and data, as well as halt the spread of malware from one computer to others. Windows and Mac OS X both have built-in firewalls that you can configure to meet the needs of your office.

Start by enabling your firewall, and then configure it to block all incoming connections except for applications you specifically enable. Typical exceptions include instant messaging and file-sharing applications. Some software applications may require specific exceptions to be configured to allow access from other computers on your network or the internet, but the vendor documentation should make this clear.

4. Limit access

One final recommendation for protecting your systems is to limit what users are able to access and modify. In computer security circles, this is known as the “Principle of Least Privilege”: users should have the minimum privileges needed to do their jobs. By limiting users in this way, you can ensure that confidential information is accessible only to the specific people who need it and that non-administrative users can’t make system changes that could threaten the security of your office.

We suggest creating an administrator user with full privileges to configure your PCs and individual, non-administrator accounts for each user in your office, including yourself (avoid using an administrator account for your primary account). Then, share files and folders with specific users based on their need to access information.
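For offices running Windows, the settings from sections 2, 3 and 4 can be applied and then checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article or any vendor's documentation; it assumes Windows 10 or later with the built-in Defender, NetSecurity and LocalAccounts modules, and the program path and account name in it are placeholders to replace with your own.

```powershell
# Added example: apply and verify the article's Windows hardening steps.
# Assumes Windows 10+ and an elevated PowerShell 5.1 session.
#Requires -RunAsAdministrator

# --- Section 2: Defender real-time checking plus a weekly full scan ---
Set-MpPreference -DisableRealtimeMonitoring $false
# ScanParameters 2 = full scan; Sunday 02:00 is outside normal office hours.
Set-MpPreference -ScanParameters 2 -ScanScheduleDay Sunday -ScanScheduleTime 02:00:00

# --- Section 3: firewall on, block all inbound by default, one explicit exception ---
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
# Exception scoped to one program, the Private profile and the office subnet only.
$app = 'C:\Program Files\ExampleVendor\officeapp.exe'   # placeholder path
if (-not (Get-NetFirewallRule -DisplayName 'Office app (inbound)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Office app (inbound)' -Direction Inbound `
        -Program $app -Profile Private -RemoteAddress LocalSubnet -Action Allow
}

# --- Section 4: a standard (non-administrator) account for daily work ---
$user = 'staff1'   # placeholder account name
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Initial password for $user"
    New-LocalUser -Name $user -Password $pw -FullName 'Office Staff Member' | Out-Null
    # Membership in 'Users' (not 'Administrators') is what makes this a least-privilege account.
    Add-LocalGroupMember -Group 'Users' -Member $user
}

# --- Verification: what to look at after the changes ---
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
# Everyone listed here can change system settings; day-to-day accounts should not appear.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Run it once per PC; the final three commands are safe to re-run on their own whenever you want to confirm the settings are still in place.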

Any weaknesses in your internal systems can expose a wealth of sensitive data to those looking to exploit it. Fortunately, by taking the steps above, you can help ensure systems are significantly less vulnerable to hacks and data exfiltration from both within and outside of your office.

To learn more about maximizing network and data security in your firm, download our latest e-book, “Building a Secure Practice: A guide for CPAs,” which offers step-by-step instructions for implementing security best practices.