
Aug-05-2021

Cyber Security for Professional Firms

In today’s era of digitization and automation, every business function is investing in transformation and upgrades. The pandemic and today’s remote working requirements have further accelerated the pace of this revolution, and professional firms are no exception. Many professional firms moved to remote working technologies within a short span of time. From remote audits to performing compliance work remotely, professional firms have gone reasonably digital. But it is equally important to understand the cyber security risks that come with these technologies. While they have made life easier, they also carry considerable risks. This article explores those risks in detail and gives practical tips on securing remote working.

What are cyberattacks?

Cyberattacks are malicious and deliberate attempts by an individual or organization to breach an information system. Usually, the attacker seeks some type of benefit from disrupting the victim’s network. Every attacker works with a different malicious intention, but largely to make money by exploiting a weakness. Cybercrime of this sort has increased over the years, and even more so during the last 2 years. According to various news reports, in July 2020 India recorded its highest number of attacks at 4.5 million. In February 2021, nearly one year from the start of the pandemic, there were 377.5 million brute-force attacks, a type of attack in which many combinations of passwords are tried in the hope of eventually guessing the correct one. This is a far cry from the 93.1 million witnessed at the beginning of 2020. India alone witnessed 9.04 million attacks in February 2021. Most of these cyberthreats were also launched with ulterior motives. Some attackers look to obliterate systems and data as a form of “hacktivism”, the act of misusing a computer system or network for a socially or politically motivated reason.

Impact of cyber-attacks:

We often come across the terms cyber-attack, cyber threat and cyber risk. They are closely interrelated but are not the same concept. A cyber-attack is an offensive action; a cyber threat is the possibility that a particular attack may occur; and the cyber risk associated with that threat estimates the probability and size of the potential losses that may result.

For example, a Distributed Denial of Service (DDoS) attack is a type of cyber-attack where multiple connected online devices, collectively known as a botnet, are used to overwhelm a target website with fake traffic, making genuine customers wait or denying them access to the website or application. Such a botnet attack is a cyber threat for many enterprises with online retail or e-commerce websites, where the associated cyber risk is a function of the revenue lost during website downtime and the probability that a DDoS attack will occur. The same applies to a professional firm, where a ransomware attack encrypts the entire office server and demands a “ransom” to decrypt it. These ransoms are usually demanded through anonymous payment methods that make the origin difficult to trace.

Potential Cyber risks, Impact and Solutions

    1. Ransomware
      As explained earlier, this is a form of malware (malicious software) that attempts to encrypt (scramble) your data and then extort a ransom in exchange for an unlock code. Most ransomware is delivered via malicious emails or downloads from unauthorised sources.

      Impact: Typically, the attacker demands payment in a cryptocurrency such as bitcoin so that nobody can trace the payment back to him. Only then will the attacker send a decryption key to release the victim’s data. This can significantly impact the financial capabilities of the firm and ultimately threatens the organisation’s credibility and reputation. Further, there is no guarantee that the attacker will share the decryption key even after the payment is made.

      Solutions: employee awareness, effective malware protection, regular software updates, regular data backups, etc.

      Pro Tip: Most of these malwares come as “.exe” files, which are executable in nature and require “Administrator” access to execute. Creating a new user without “Administrator” access can help reduce the impact. This should be coupled with effective backup techniques to ensure that the data is safeguarded. Tools from companies such as Vaulten, Carbonite, Acronis, etc. can take backups at scheduled times without human intervention.

    2. Phishing:
      Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually by email. The goal is to steal sensitive data such as credit card and login information, or to install malware on the victim’s machine. Phishing is a common type of cyber-attack that everyone should learn about in order to protect themselves. The types include:

      • Deceptive phishing: An attacker attempts to obtain confidential information from the victims. Attackers use the information to steal money or to launch other attacks
      • Whaling: When attackers go after a “big fish” like a CEO, it’s called whaling. These attackers often spend considerable time profiling the target to find the opportune moment and means of stealing login credentials
      • Spear phishing: Spear phishing targets specific individuals instead of a wide group of people. Attackers often research their victims on social media and other sites
      • Pharming: Similar to phishing, pharming sends users to a fraudulent website that appears to be legitimate. However, in this case, victims do not even have to click a malicious link to be taken to the bogus site.

      Impact: Sometimes attackers are satisfied with getting a victim’s credit card information or other personal data for financial gain. Other times, phishing emails are sent to obtain employee login information or other details for use in an advanced attack against a specific company. Cybercrime attacks such as advanced persistent threats (APTs) and ransomware often start with phishing.

      Precautions: Be suspicious of unexpected emails; use anti-malware software; use spam filters; use 2-factor authentication.

      Pro Tip: Educate employees and key stakeholders on what these attacks look like and how to distinguish a legitimate email from a fraudulent one. Phishing emails often convey a sense of urgency or demand immediate action from the user, use informal language, or show a mismatch between the subject of the email and its contents.
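The cues in this tip turned into a small triage check, as an added example that is not part of the original article: urgency wording, informal language, and a sender mismatch, which is interpreted here as a display name posing as the firm’s domain or a Reply-To pointing to a different domain. The firm domain, cue lists and both messages are constructed placeholders.

```python
from email.utils import parseaddr

# Assumed firm domain and cue lists (placeholders; adapt to your own firm)
FIRM_DOMAIN = "example-firm.in"
URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
INFORMAL = ("hey,", "pls ", "asap", "dear customer", "dear user")


def _domain(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To header, lower-cased."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(headers: dict, body: str):
    """Return (score, reasons) for one message; a higher score is more suspicious."""
    reasons = []
    text = (headers.get("Subject", "") + " " + body).lower()
    if any(cue in text for cue in URGENCY):
        reasons.append("urgency")
    if any(cue in text for cue in INFORMAL):
        reasons.append("informal-language")
    display, _ = parseaddr(headers.get("From", ""))
    from_domain = _domain(headers.get("From", ""))
    # Display name poses as the firm while the actual address is elsewhere
    if FIRM_DOMAIN in display.lower() and from_domain != FIRM_DOMAIN:
        reasons.append("display-name-spoof")
    # Replies silently redirected to a domain other than the sender's
    reply_domain = _domain(headers.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append("reply-to-mismatch")
    return len(reasons), reasons


# Constructed sample messages: one phishing attempt, one routine internal email
PHISH = ({"From": "IT Desk example-firm.in <itdesk@mail-secure-login.example>",
          "Reply-To": "support@collect-creds.example",
          "Subject": "URGENT: password reset required within 24 hours"},
         "Hey, pls confirm your login details asap or access will be suspended.")
LEGIT = ({"From": "Asha <asha@example-firm.in>",
          "Subject": "Q1 audit working papers"},
         "Please find attached the working papers we discussed on Monday.")

if __name__ == "__main__":
    for label, (hdrs, body) in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(hdrs, body))
```

Keyword cues alone will miss well-written phishing, so treat the score as a prompt for a human to look closer, not as a verdict.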

    3. Data Leakage:

      While cyber security in the office may seem challenging, it is essential to understand that security extends well beyond the office these days. The use of smartphones and tablets has become widespread. The ubiquitous and cheap nature of portable storage devices makes them a useful tool for the backup and transportation of data, and those same features make them a target for data thieves. Working from home has led many firms to download data onto office laptops or onto employees’ personal computers, which could be subject to attack.

      Impact: Financial Loss; Reputational Damage; Operational Downtime; Legal Action; Loss of Sensitive Data.

      Precautions: Passcode locks; 2-factor authentication for mobile devices; GPS tracking and the option of remotely wiping a device; use of encryption software, etc.

      Pro Tip: Ensure data always resides in only one place: office servers, or cloud storage such as Google Drive, Microsoft OneDrive, SharePoint, Zoho WorkDrive, Dropbox, etc. It is very critical to ensure that download / sync access is restricted on personal computers and laptops. Alternatively, Data Loss Prevention (DLP) tools can be installed on all end-user machines; these can detect potential data breaches / data exfiltration and prevent them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest.

    4. Hacking:

      Hacking refers to activities that seek to compromise digital devices such as computers, smartphones, tablets, and even entire networks. It is often done against publicly facing computers or systems that are exposed to the internet. For instance, if an office server is exposed to the internet so that people can access it remotely, there is certainly a risk of hacking.

      Impact: Outsiders may gain access to bank account information or credit card databases, office data including accounting and tax information, intellectual property and any other source of value.

      Precautions: Use of network firewalls; data access security; procedures for granting and removing access; user awareness and training; use of encrypted connections or virtual private networks, etc.

      Pro Tip: It is highly recommended to use end-to-end encrypted connections, or applications which provide such features. Zoho Assist with Unattended Access, for instance, provides such a facility, thereby protecting the entire setup. If the organization has set up VPN connectivity, it is highly recommended to have a firewall in place which can monitor the traffic and also block unauthorized users.

    5. Insider threat:

      Insider threats in cyber security are threats posed by individuals from within an organization, such as current or former employees, contractors, and partners. These individuals have the potential to misuse their access to networks and assets to disclose, modify or delete sensitive information, whether intentionally or unintentionally.

      Impact: Financial Loss; Reputational Damage; Loss of Sensitive Data; etc

      Precautions: Proactively manage permissions and privileges; implement a device management policy; regular staff training; continuous monitoring; develop an incident response plan; regular backups, etc.

      Pro Tip: Keep track of the access each employee has to the various IT resources and the privileges in place. Enable the logging feature, which is available in most software. These logs should be regularly reviewed by senior management. Further, access to applications should be disabled on the employee’s last working day. It is also critical for professional firms to use password vault managers such as 1Password, Zoho Vault, LastPass, etc., which make it possible to store client credentials safely instead of sharing them over Excel sheets and other unencrypted methods.
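One way to turn this tip into a repeatable periodic review, as an added example that is not part of the original article: compare the staff roster (with last working days) against the access register and the login log, and flag accounts nobody owns, access that should have been removed on exit, logins after the last working day, and admin privileges that need a need-to-have confirmation. All names, systems and log lines are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Staff:
    user: str
    last_working_day: Optional[date]   # None while still employed


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    privilege: str   # "user" or "admin"


# Constructed sample roster and access register (placeholder names and systems)
STAFF = [Staff("asha", None), Staff("ravi", date(2021, 6, 30)), Staff("meera", None)]
GRANTS = [
    Grant("asha", "tally-server", "user"),
    Grant("asha", "file-server", "admin"),
    Grant("ravi", "file-server", "user"),     # ravi left on 30 June
    Grant("meera", "tally-server", "admin"),
    Grant("vinay", "vpn", "user"),            # not on the roster at all
]
# Constructed login log, one "<date> <user> <system> <event>" per line
LOG = """\
2021-07-02 asha file-server login
2021-07-03 ravi file-server login
2021-07-05 meera tally-server login
"""

Finding = Tuple[str, str, str]   # (issue, user, system)


def review_access(staff, grants, log_text, today) -> List[Finding]:
    """Flag grants and log entries that the periodic review should act on."""
    roster = {s.user: s for s in staff}
    findings = []
    for g in grants:
        s = roster.get(g.user)
        if s is None:
            findings.append(("unknown-user", g.user, g.system))   # nobody owns this account
        elif s.last_working_day is not None and s.last_working_day < today:
            findings.append(("stale-access", g.user, g.system))   # should have been disabled on exit
        elif g.privilege == "admin":
            findings.append(("admin-review", g.user, g.system))   # confirm still need-to-have
    for line in log_text.splitlines():
        day, user, system, _event = line.split()
        s = roster.get(user)
        if s and s.last_working_day and date.fromisoformat(day) > s.last_working_day:
            findings.append(("login-after-exit", user, system))   # account used after leaving
    return findings


def run_review() -> List[Finding]:
    """Run the review against the constructed data as of a fixed review date."""
    return review_access(STAFF, GRANTS, LOG, date(2021, 8, 5))


if __name__ == "__main__":
    for issue, user, system in run_review():
        print(f"{issue:17} {user:6} {system}")
```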

Importance of Data Protection:

  1. Loss of Sensitive Information:
    There is a risk that a hacker might obtain sensitive information from systems, such as confidential client reports and other highly sensitive client data. There are open markets for such information on the ‘dark web’. Considering that professional firms deal with a significant amount of confidential information, it is very critical to secure this data.
  2. Legal violations:
    Failure to protect data may result in legal action in case any compliance-related requirements were compromised, and this may lead to hefty penalties depending on the impact. Further, Sec 43A of the Information Technology Act, 2000, read with Sec 72A of the said Act, explicitly provides that whenever an entity possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such entity shall be liable to pay damages to the person(s) so affected. The penalty can go up to Rs. 5 Lakhs in case of such a violation. In addition, contractual requirements and professional standards make it mandatory for professionals to ensure adequate protection of data.
  3. Reputation at stake:
    When a hacker obtains sensitive information, the firm’s reputation is always at stake. Few small businesses can survive the damage to their reputation that such lost data might cause. The damage to business reputation and goodwill might be more crippling than the data loss itself.
  4. Client action and other third parties:
    A third party might sue your business because they have themselves suffered a loss. In some cases, even if the court action against your business ultimately fails, the cost of defending against the action, and the distraction it causes, is a significant problem and expense. Data loss may also create a need to notify affected individuals under the proposed Personal Data Protection Bill.
  5. Dent on Financial Capabilities:
    The increasing trend of ‘ransomware’ poses a significant threat. Once all data is encrypted by the virus, you will be contacted and asked to pay a ransom within a brief period. The key is sufficiently strong that ‘cracking’ it instead of paying the ransom is uneconomic: some estimate that an average desktop computer would take thousands of years to decrypt the data without the key.

How to protect Data in Offices?

A few regular and simple practices can prove effective in staying safe from cyber attacks and risks. The following are such practices:

  1. Password Management:
  • Ensure your passwords are strong and secure, and use multi-factor authentication where possible
  • Regularly change passwords, and do not share them
  • Consider using password vaults for remembering multiple passwords for clients or yourself.
  2. System Access:
  • Remove system access from people who no longer need it, and limit access to only what is needed for each person’s role
  • Administrator privileges are provided on a “need to have” basis
  • Regularly review the access
  3. Secure Wi-Fi & Devices:
  • Secure your wireless network and be careful when using public wireless networks with mobile devices
  • Avoid transacting online when using public or complimentary Wi-Fi
  • Never leave your information physically unattended; secure your electronic devices
  • Ensure employees have secured their home Wi-Fi devices
  • Restrict guest access to the internet only, not to the entire IT infrastructure of your office. A separate Wi-Fi profile may be created for this.
  4. Legitimate Software:
  • Only download/install programs from a trusted source
  • Consider using application whitelisting so that only authorised software applications run on your computer
  • Disable untrusted Microsoft Office macros and block or uninstall Flash and Java
  • Use only licensed software, as free software may open Pandora’s box.
  5. Patches and Anti-Virus:
  • Ensure all mobile devices/operating systems/software have the latest software updates
  • Only legitimate and genuine licenses should be in place, and auto-update features must be enabled
  • Certain anti-virus or endpoint management software can track application updates and inform the administrator.
  6. Clean devices:
  • Do not use USB or external hard drives from an unfamiliar source
  • Preferably block USB usage, and allow it only on restricted machines for the purposes of digital signatures and encrypted USBs
  • Prefer sharing data over encrypted channels such as secure file transfer protocols or secure cloud applications.
  7. Social Media:
  • Be vigilant about what you share on social media; try to keep personal information private and know with whom you interact online
  • Disable location sharing and third-party access to your profile, and regularly verify your privacy controls.
  8. Email:
  • Use a spam filter for your email and use email carefully; be wary of downloading attachments or opening links in emails you have received in case it is a ‘phishing’ attempt
  • Using paid and encrypted email accounts can be more beneficial.
  9. Regular Backups:
  • Use off-line, incorruptible, and disconnected backups
  • Prefer automated backups in addition to backing up the data on external hard disks.
  10. Bring Your Own Devices:
  • In case employees bring their own devices, it is highly recommended that thorough checks are performed on those systems prior to giving access. Such checks include verifying that the laptop is genuine, that the operating system and anti-virus software are in place, and that unsolicited software has not been installed
  • A declaration may be taken from employees regarding the careful usage of data and adherence to office policies
  • A separate user account may also be used, and data loss prevention tools may be deployed.

How to secure work from remote locations?

The pandemic has made working from remote locations the new normal. To ensure that remote work is secure, the following measures can be followed:

Virtual Private Network (VPN): Using a VPN will bypass geographic restrictions on streaming sites and other location-specific content. A VPN encrypts all of your internet traffic, making it unreadable to anyone who intercepts it. Make sure employees exclusively use the VPN when working and when accessing company information systems remotely.

Wi-Fi Connections: Most home Wi-Fi systems these days are not fully secure. Enabling encryption on home Wi-Fi connections, changing the default login credentials (admin, 12345, user, etc.), hiding the Wi-Fi network from view, and enabling MAC address filtering are a few things worth considering. When working outside the home, employees should be aware that unsecured public Wi-Fi networks in restaurants and public spaces are prime spots for malicious parties to spy on internet traffic and collect confidential information.

Home Routers: Many people don’t change their home router password when it is first installed, leaving their home network vulnerable. It’s important for employees to take simple steps to protect their home network in order to prevent malicious parties from gaining access to connected devices. Changing the router password and keeping its firmware updated are necessary.

Passwords: It’s as important as ever to ensure that all accounts are protected with strong and different passwords.

Two-factor Authentication: Two-factor authentication and two-step verification involve an additional step to add an extra layer of protection to an employee’s accounts. The extra step could be an email or text message confirmation, or a biometric method such as facial recognition or a fingerprint scan.

Firewalls: Firewalls act as a line of defence to prevent threats from entering your company’s system. They create a barrier between your employees’ devices and the internet by closing ports to communication.

Antivirus Software: A good, advanced antivirus software can act as the next line of defence by detecting and blocking known malware. Even if malware does manage to find its way onto an employee’s device, an antivirus may be able to prevent it.

Locking Devices: If employees have to work in a public space, then it’s important for them to keep their device secure. Password protecting their device will usually protect its contents until someone enters the password. A policy requiring them to do this should be in place.

Conclusion:

The significance of cybersecurity is now undeniable across all industry domains, given the pace and demands of digitization. On a statistical note, the Kaspersky Security Network (KSN) report showed that its products detected and blocked 52,820,874 local cyber threats in India between January and March 2020 (a 37% increase). Cybersecurity risk management is therefore vital for professionals who want to stay secure.

Stay Safe. Stay Protected.

This article was originally published in the Karnataka State Chartered Accountant Association, July 2021 Edition.

About the author

CA Narasimhan Elangovan - Partner, KEN & Co.
B.COM, FCA, CS, DISA, DIPIFR(UK), CISA(USA), LLB, CDPSE (USA), ISO 27001 Lead Auditor
Email: narasimhan@ken-co.in
