Covid-19 has forced the issue of remote working en masse for almost every office-based business, accountancy firms included. The need to move swiftly during the first lockdown in March meant that, understandably, business cyber security may not have been front of mind during this workspace relocation process.
Now that the initial panic has subsided and many of us have adapted to having a more flexible workforce, it is time to step back and assess the security impact of any recent infrastructure or policy changes your firm may have made, to ensure you are not vulnerable to cybercriminals or an accidental data breach.
Here are some key areas to check to ensure your firm’s IT is secured and still home-worker ready.
Remote Desktop Protocol (RDP) open to the internet
This is a mistake we have seen a lot of recently: the Remote Desktop Protocol (RDP) port being open to everyone on the internet. Remote Desktop itself is a well-established and incredibly useful way to access your servers, applications or computers remotely. However, it should be protected, either via a VPN connection or by using the Remote Desktop Gateway functionality provided by Windows Server.
A plain “port forward” to your server puts your firm at high risk of attack: hackers target these exposed RDP servers and run continuous brute-force attacks against your usernames and passwords to gain access.
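The following PowerShell is an added example, not part of the article or 1-Fix’s own tooling. It shows the host-side checks an administrator would run on a Windows server to confirm RDP is not accepting connections from anywhere: it enforces Network Level Authentication and scopes the built-in Remote Desktop firewall rules to the VPN client pool, so that even a lingering port forward on the perimeter firewall no longer reaches the logon screen. The VPN pool address (10.8.0.0/24) is a placeholder assumption; the real fix is still to remove the port forward and publish RDP only through the VPN or a Remote Desktop Gateway.

```powershell
# Added example (not from the article): audit and tighten a Windows server's RDP exposure.
# Assumption (placeholder): remote workers arrive via a VPN whose client pool is 10.8.0.0/24.
# Run in an elevated PowerShell session on the server.

$VpnPool = '10.8.0.0/24'

# 1. Network Level Authentication: without it, unauthenticated clients get a full
#    logon screen, which makes password guessing far cheaper for an attacker.
$tsSetting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($tsSetting.UserAuthenticationRequired -ne 1) {
    Write-Warning 'NLA is not required for RDP; enabling it.'
    Invoke-CimMethod -InputObject $tsSetting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

# 2. Which enabled inbound Remote Desktop rules accept connections from any address?
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound
foreach ($rule in $rdpRules) {
    $scope = $rule | Get-NetFirewallAddressFilter
    if ($scope.RemoteAddress -contains 'Any') {
        Write-Warning "Rule '$($rule.DisplayName)' allows RDP from Any; restricting to $VpnPool."
        $rule | Set-NetFirewallRule -RemoteAddress $VpnPool
    }
}

# 3. Show the resulting scope of every enabled inbound RDP rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -Property @{ n = 'Rule'; e = { $_.InstanceID } }, RemoteAddress
```

The Windows Firewall scope is defence in depth rather than a substitute for the perimeter rule: if the server is published directly with a port forward, the host firewall will now drop internet sources, but the forward itself should still be removed and the account lockout policy reviewed.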
Not all VPNs are secure
Virtual Private Networks – VPN for short – are an easy way to connect your staff into the office network. They are also a security nightmare if not configured properly.
First, ensure you are using a secure VPN protocol or program. PPTP, the “go-to” Windows VPN option for many years, was compromised by hackers long ago and is considered insecure.
Consider using SSTP, or an SSL VPN provided by your firewall instead.
Second, make sure you have firewall rules in place that restrict the VPN traffic to what your remote workers require to do their jobs and nothing more. Opening your firm’s network to your end users’ machines means opening it to a higher risk of malware. This is less of a concern when employees are using corporate devices that adhere to IT policy, but a major issue when they are using their own personal machines.
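As an added example (not code from the article or from 1-Fix), the script below covers both VPN points: it finds Windows VPN connections that still use PPTP, or the “Automatic” tunnel type that can fall back to PPTP, and moves them to SSTP; then, on a file server, it makes the Windows Firewall default-deny inbound and allows only SMB file sharing from the VPN client pool. The pool address (10.8.0.0/24) and the choice of SMB as the only required service are placeholder assumptions, and the VPN server must already be configured to accept SSTP before clients are switched.

```powershell
# Added example (not from the article). Assumptions (placeholders): VPN client pool
# 10.8.0.0/24; the only service remote workers need on this server is SMB (TCP 445).
# Run in an elevated PowerShell session.

$VpnPool = '10.8.0.0/24'

# (a) Client side: flag weak tunnel types. 'Automatic' tries IKEv2, SSTP, L2TP and
#     finally PPTP, so it can silently downgrade; treat it as weak alongside 'Pptp'.
$weak = @('Pptp', 'Automatic')
$connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
               @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
foreach ($vpn in $connections) {
    if ($vpn.TunnelType -in $weak) {
        Write-Warning "VPN '$($vpn.Name)' uses tunnel type $($vpn.TunnelType); switching to SSTP."
        $params = @{ Name = $vpn.Name; TunnelType = 'Sstp' }
        if ($vpn.AllUserConnection) { $params['AllUserConnection'] = $true }
        Set-VpnConnection @params
    }
}

# (b) Server side: nothing from the VPN pool gets in unless a rule allows it.
#     Windows Firewall gives explicit Block rules priority over Allow rules, so the
#     safe pattern is a Block default for the profile plus narrow Allow rules.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

$ruleName = 'Remote workers - SMB from VPN pool'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 445 -RemoteAddress $VpnPool | Out-Null
}

# Report every other enabled inbound Allow rule that still accepts any remote address,
# so the list can be reviewed against what remote workers actually need.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.DisplayName -ne $ruleName } |
    ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        if ($scope.RemoteAddress -contains 'Any') { $_.DisplayName }
    }
```

The final report is deliberately a list rather than an automatic change: the firewall on the office perimeter, not the host, is where the article expects the VPN traffic to be narrowed, and this host-level view tells you which services are still reachable from the pool before you write those rules.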
Secure your Cloud Apps
Any cloud application containing accountancy, financial or client data should have 2FA or MFA enabled. This is two-factor or multi-factor authentication: when logging in you are prompted for another proof of entitlement to access the system, beyond just your password.
Any cloud application without 2FA/MFA support should be locked down to only allow access from your office IP addresses, and if this is not possible then you should seriously consider changing provider.
When accessing your client’s accountancy applications on the cloud, do not share their login details. Ask them to set you up with your own login to the system, and once again enable 2FA/MFA as your access level to their data will be at a high privilege level.
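The check below is an added example, not part of the article, and assumes the firm’s main cloud platform is Microsoft 365 with the MSOnline PowerShell module installed and a Connect-MsolService session already open. It lists enabled, licensed users who have neither a per-user MFA requirement nor any second factor registered; those are the accounts a stolen password alone would open.

```powershell
# Added example (not from the article). Assumptions: Microsoft 365 tenant, MSOnline
# module installed (Install-Module MSOnline) and Connect-MsolService already run.
# Note: tenants that enforce MFA through Conditional Access leave
# StrongAuthenticationRequirements empty, so registered methods are checked as well.

$report = Get-MsolUser -All -EnabledFilter EnabledOnly | ForEach-Object {
    [pscustomobject]@{
        User     = $_.UserPrincipalName
        Licensed = $_.IsLicensed
        MfaState = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                       $_.StrongAuthenticationRequirements[0].State   # 'Enabled' or 'Enforced'
                   } else { 'Not configured' }
        Methods  = $_.StrongAuthenticationMethods.Count              # 0 = nothing registered
    }
}

# Licensed users with no MFA requirement and no second factor registered.
$atRisk = @($report | Where-Object {
    $_.Licensed -and $_.MfaState -eq 'Not configured' -and $_.Methods -eq 0
})

$atRisk | Sort-Object User | Format-Table -AutoSize
"$($atRisk.Count) of $($report.Count) enabled users have no MFA protection"
```

Shared or service mailboxes that are never interactively used can be excluded from the list, but any account that a person signs in with, and in particular any account used to reach a client’s accounting system, should not appear in it.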
Update your firewall firmware
Your firewall is the security door restricting access to your data vault, but it is not infallible. Vendors regularly release updates to the firmware, the programming logic that runs the device, to fix security problems with their products.
Many IT teams have found it hard to patch firewalls with so many people working remotely, as not only does it disrupt the ability to work during the update, but a failed update can be a serious problem. However, leaving security vulnerabilities unpatched is a bigger issue, so make sure you are up to date.
Secure the endpoints
When everyone is working from company owned devices, security is straightforward. Secure the endpoints with your chosen security solution, monitor them for issues and security vulnerabilities, and enforce your chosen firewall and security rules via a policy system such as Group Policy.
However, if you have allowed your staff to have access to your systems from their own personal devices then you should consider how to ensure they meet your IT security requirements.
Often the best way to do this is to roll out the same provisions you would for a corporate owned device, but this may not sit well with your staff member who owns the computer. At minimum, look to roll out your security solution to their device to ensure the system is virus free and not a risk when it is connected to your network.
If this is not agreeable, you should consider providing company owned and managed devices to your staff to allow enforcement of security policies.
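As an added example (not from the article or 1-Fix), here is the kind of posture check an IT team can run on an endpoint, corporate or personal, before it is allowed onto the firm network: Microsoft Defender engine and signature state, Windows Firewall profiles, BitLocker on the system drive, and whether a Windows update has been installed recently. The thresholds (three-day-old signatures, 45 days without an update) are placeholder policy values.

```powershell
# Added example (not from the article): endpoint posture check.
# Assumptions (placeholders): signature age limit 3 days, patch age limit 45 days.
# Requires the Defender and BitLocker PowerShell modules that ship with Windows 10/11 Pro.

function Test-EndpointPosture {
    $findings = @()

    # Antivirus: engine on, real-time protection on, signatures recent.
    $av = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $av) {
        $findings += 'Microsoft Defender status unavailable (third-party AV or service stopped?)'
    } else {
        if (-not $av.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
        if (-not $av.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
        if ($av.AntivirusSignatureAge -gt 3)    { $findings += "Signatures are $($av.AntivirusSignatureAge) days old" }
    }

    # Host firewall: every profile should be enabled.
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings += "Windows Firewall profile '$($_.Name)' is off"
    }

    # Disk encryption: a lost laptop should not expose client files.
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $bde -or $bde.ProtectionStatus -ne 'On') {
        $findings += 'System drive is not BitLocker protected'
    }

    # Patching: at least one Windows update installed in the last 45 days.
    $lastPatch = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-45)) {
        $findings += 'No Windows update installed in the last 45 days'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-EndpointPosture | Format-List
```

On a managed fleet these same conditions are better enforced through Group Policy or an MDM compliance policy, which is the point of the article’s advice; the script is useful for the personal-device case where you can only check, not enforce.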
Unsafe user privileges
Many cries of “It’s not working” or “I can’t access those files” have been placated by uplifting file permissions or security rights for staff. Often these uplifts are only supposed to be temporary, while IT work out how to fix the issue.
Unfortunately, these temporary permission “fixes” are often forgotten and can leave large gaps in security. They may inadvertently allow staff to access files and data they should not, or give ransomware the ability to encrypt many more files on your systems than it would otherwise have been able to reach, if it had been able to run at all.
Now is a great time to audit file permissions, folder permissions, and administrative rights and roles. Work to a system of least privilege, where people have just enough rights to do what they need to do, and ensure that none of your users have local administrator rights on their computers, as this is the common mistake that allows ransomware to wreak havoc in corporate networks.
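The audit below is an added example (not from the article or 1-Fix) of the two checks this section calls for: who sits in the local Administrators group beyond the accounts you expect, and which folders under a share grant broad groups (Everyone, Users, Authenticated Users, Domain Users) Modify or Full Control, which is exactly the access ransomware running as an ordinary user relies on. The share root (D:\Shares) and the domain name (FIRM) are placeholder assumptions.

```powershell
# Added example (not from the article): least-privilege audit.
# Assumptions (placeholders): share root D:\Shares, domain NetBIOS name FIRM,
# and the only expected local administrators are the built-in account and Domain Admins.
# Run in an elevated PowerShell session.

$ShareRoot = 'D:\Shares'
$Expected  = @('Administrator', 'FIRM\Domain Admins')

# (a) Local Administrators membership, flagging anything not on the expected list.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    # Local accounts are reported as COMPUTER\Name; strip the prefix before comparing.
    $member = $_.Name -replace "^$env:COMPUTERNAME\\", ''
    [pscustomobject]@{
        Member     = $_.Name
        Source     = $_.PrincipalSource          # Local, ActiveDirectory or MicrosoftAccount
        Unexpected = ($member -notin $Expected)
    }
} | Format-Table -AutoSize

# (b) Folders where a broad group holds write-level rights.
$BroadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'FIRM\Domain Users'
# Modify's bits are a subset of FullControl's, so testing for Modify catches both.
$WriteMask   = [System.Security.AccessControl.FileSystemRights]::Modify

Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -in $BroadGroups -and
            ($ace.FileSystemRights -band $WriteMask) -eq $WriteMask) {
            [pscustomobject]@{
                Folder    = $_.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
} | Format-Table -AutoSize
```

Inherited entries usually trace back to a single permissive “temporary fix” at a parent folder, so sort the second table by folder and fix the highest level first; the first table should be run on every workstation, not just the servers, since the article’s concern is local administrator rights on users’ own machines.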
By Craig Atkins, managing director, 1-Fix Limited