Our look at the expansion of data analytics in the CPA industry continues with a look at how data is being protected. We spoke to NetCenergy, a leading local IT firm that has secured a niche in data security and protection services to firms in the CPA and financial services field. NetCenergy President Don Nokes, with several decades of experience in managing IT services, spoke to us about the protection programs he offers clients and the scope and nature of the cyber threat we face today.
Editor: As cyber threats and more sophisticated hacking has expanded in recent years, the number of IT protection firms has also dramatically increased. What do you believe sets you apart from other cyber security firms?
Don: It’s not just about security – it’s about security AND productivity… and finding the right balance for your firm. It’s easy to lock down your systems. We can make it very difficult for you to be hacked, but what good is it if your staff can’t be productive or if the cost is prohibitive? To get the appropriate mix of protection for our clients, we must first understand your business and assess your entire environment. Once we understand your processes and your current IT systems, we can then strategize with you to ensure that your systems are not only safe, but that they optimize your productivity. Are you storing information in the proper location? Do all users who are authorized to access the data need that access? We explore the possibilities of employing cost-effective strategies to reduce your risk. Protection is first and foremost, but we are very cognizant of the fact that security budgets aren’t unlimited, and we need to balance protections with productivity in a pragmatic way that meets your current and future business needs. We believe that a thoughtful business approach to understanding your business processes, in combination with our vast experience and laser focus on the Professional Services market, is among the things that set us apart.
Editor: Following an assessment, and once a CPA firm is certain that systems are safe and optimized, are they all set?
Don: I wish it were as simple as set and forget. Unfortunately, in today’s cyber world, increasingly sophisticated cyber-attacks are appearing every day. Ensuring that your network is secure and stays secure requires regular user security awareness training, comprehensive email security solutions, 24 x 7 x 365 active monitoring and management, regular security updates for anti-virus and web content filters, a full backup of your entire system and a whole lot more. A quality, optimized program should meet or exceed the National Institute of Standards and Technology (NIST) best practice recommendations.
Editor: Do you find that CPA firms are especially susceptible to hacker attacks?
Don: Unfortunately, these attackers don’t discriminate based on the size of the firm. Hackers know that smaller firms may not be as well protected as the larger firms, so they don’t discriminate based on firm size. Safeguarding taxpayer data is extremely important, as the hacker only needs to be successful once. Your firm, on the other hand, must have protections in place 24 x 7 x 365. Just getting it wrong once can have a significant negative impact on your practice.
Editor: What are the top three things you advise any CPA firm to have to achieve the best protection?
Don: The top 3 priorities would be:
1. Implementation and regular updates of today’s most effective security tools, primarily email and anti-virus protection.
2. A regularly tested, full-recovery backup solution with a clear, documented recovery plan.
3. Regularly scheduled, company-wide, user awareness training with occasional controlled phishing attempts to test the training’s effectiveness.
Editor: Let’s briefly examine all three of these: Can you give us examples of what NetCenergy recommends for user awareness training?
Don: It is well documented that most security breaches are caused by user errors. Clicking on links that take the user to malicious sites, opening malicious attached documents or simply giving a caller critical information about the company network are some of the successful tactics used by hackers. New strategies and unique malicious software programs are developed at the rate of roughly 350,000 every day. User awareness training must occur every 90 days and the training must be attended by every user with access to the network. In addition to the training, it’s an important and effective practice to send controlled phishing emails out to verify that users are staying diligent and applying what they’ve learned at the training.
Editor: You describe backups as full-recovery and regularly tested. Can you explain what goes into having a comprehensive back-up system?
Don: Backup is critical. It’s your last resort to recover from a ransomware attack or a significant hardware failure. Instead of backing up only data, our support program includes a backup of your systems in their entirety, including data, applications and operating systems, capable of running as a stand-in server, with a redundant copy located in the cloud. Finally, fail-over capability should be tested annually to confirm it is ready when and if it is needed.
Editor: The third top priority you mention is the implementation and updating of security tools. What’s involved with that?
Don: There is a plethora of software and hardware utilities and appliances that can be employed to create a secure network. It’s critical that these products are vetted for effectiveness, cost and appropriateness for your business. These tools must be continually monitored as vendors update the product with new features and security patches. They must be able to function independently as well as work jointly, or there could be problems with gaps in coverage. They are critical components and must be tested to ensure that they work together and function effectively within your environment given your unique set of application software.
Editor: These tools are designed to help prevent an attack, but what happens when a cyber-attack has occurred? What should a user do?
Don: That’s a good question, and it’s extremely important that each firm has a customized plan for when an event occurs. This plan should list all the key players that need to be notified and consulted in the event of a security breach. It should identify the potential issues and what to do based on the specific event. This plan should be created in collaboration with your IT provider and then needs to be made available and covered as a topic at a security awareness training session. The actions to be taken to prevent any further damage are unique to each environment. Many support firms can provide tips that can be helpful, but it’s best to have a comprehensive plan designed for your organization.
Editor: You have said you offer customers a 5-year “Strategic Capital Plan” to implement a comprehensive IT program. Can you explain what goes into that plan, and how are long-term protection needs created for a 5-year plan for clients?
Don: Our support program is a very collaborative partnership. The Strategic Capital Plan is the tool we use to ensure that we understand a client’s long-term business plans so that we can create current and future IT investments to support those goals. We work closely with a firm so they can take full advantage of today's digital transformation trends to protect their clients’ data, improve client satisfaction and maximize profitability. It’s our goal to work with a firm to help them maximize their technology investment.
For more information about NetCenergy’s Managed Service Plans, visit www.NetCenergy.com