Coaxis https://students.ficpa.org/ en The FTC’s Safeguards Rule just got stronger - are you ready? https://students.ficpa.org/publication/ftcs-safeguards-rule-just-got-stronger-are-you-ready <span>The FTC’s Safeguards Rule just got stronger - are you ready?</span> <div class="field field--name-field-author field--type-entity-reference field--label-hidden field--items"> <div class="field--item"><a href="/person/christophe-reglat-coaxis" hreflang="en">Christophe Réglat, Coaxis</a></div> </div> <span><span>133345</span></span> <span>Thu, 10/19/2023 - 10:37</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2023-10-18T12:00:00Z">October 18, 2023</time> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p data-pm-slice="1 1 []">The Federal Trade Commission (FTC) recently amended the Safeguards Rule, driving stronger regulations – most of which took effect on June 9, 2023 – requiring covered financial institutions to develop, implement, and maintain a written information security program (WISP) with administrative, technical, and physical safeguards to protect customer information. It defines a "financial institution" as any business that engages in financial activity, meaning CPA and accounting firms must comply with the new laws. </p> <p>This information supports CPAs/Accountants in understanding how to better comply with the FTC’s new guidance by understanding the different types of protection and testing (such as Penetration Testing/Ethical Hacking) that are required to regularly monitor and assess the effectiveness of their firm's information security safeguards. Additionally, it will support understanding the new regulations and how to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards to protect customer information. 
By learning the different types of protections and testing (Penetration Testing/Ethical Hacking) required, firms will then understand how to regularly monitor and assess the effectiveness of their information security safeguards beyond just the need to comply.</p> <p>In an era of digital transformation and an increasingly interconnected business landscape, protecting sensitive customer information has never been more critical. Certified Public Accountants (CPAs) and accounting firms entrusted with vast amounts of confidential financial data face the dual challenge of complying with evolving regulations and safeguarding against sophisticated cyber threats. The FTC has recently issued new guidance that underscores the importance of robust information security safeguards, pushing CPAs and accountants to enhance their practices.</p> <p>This information is a compass for CPAs and accountants navigating this complex terrain. It offers a comprehensive exploration of how to comply with the FTC's new guidance and exceed the minimum requirements by understanding the various layers of protection and testing. We delve into advanced methodologies such as Penetration Testing and Ethical Hacking, shedding light on their pivotal role in regularly monitoring and assessing information security safeguards' effectiveness.</p> <p>Moreover, we demystify the intricacies of the new regulations, providing a roadmap for developing, implementing, and maintaining an information security program fortified with administrative, technical, and physical safeguards. Beyond compliance, we emphasize the strategic imperative of safeguarding customer information in an environment rife with cyber threats. 
By mastering the diverse facets of protection and testing, CPAs and accounting firms will meet regulatory obligations and fortify their data defenses, ensuring trust, integrity, and resilience in an ever-evolving digital landscape.</p> <p>Under the FTC’s Safeguards Rule, CPAs/Accountants are required to regularly monitor and assess the effectiveness of their firm's information security safeguards. Penetration Testing, commonly known as ethical hacking, involves an authorized attempt to gain unauthorized access to a computer system, application, or data. These "white hat hackers" aim to duplicate the strategies and actions of malicious attackers to expose and remedy weaknesses in an organization's IT infrastructure. </p> <p>Penetration testing is a crucial cybersecurity practice that provides a proactive element that complements annual security audits. While security audits are essential for assessing compliance and identifying potential vulnerabilities, penetration testing takes a more hands-on approach by actively attempting to exploit those vulnerabilities to determine their real-world impact.</p> <hr /><p>Here's how penetration testing complements annual security audits:</p> <p><strong>Identifying Vulnerabilities</strong><br /> Security audits typically involve a review of policies, procedures, and configurations to identify potential vulnerabilities in an organization's IT infrastructure. Penetration testing goes further by actively seeking out vulnerabilities through simulated attacks. This proactive approach helps discover vulnerabilities that might be missed during a routine audit.</p> <p><strong>Real-World Testing</strong><br /> Penetration testing mimics the tactics of real attackers, attempting to breach systems and networks just as malicious hackers would. 
This real-world testing provides a practical assessment of an organization's security posture, whereas audits often rely on documentation and interviews.</p> <p><strong>Risk Assessment</strong><br /> Penetration testing not only identifies vulnerabilities but also assesses the potential impact of these vulnerabilities when exploited. This helps organizations prioritize their security by focusing on the most critical risks. Audits, on the other hand, may not always provide such a detailed risk assessment.</p> <p><strong>Testing Security Controls</strong><br /> Penetration testing evaluates the effectiveness of security controls and incident response mechanisms. It tests how well these controls can withstand actual attacks. In contrast, security audits may focus more on policy adherence and may not adequately assess the operational effectiveness of controls.</p> <p><strong>Timeliness</strong><br /> Annual security audits provide a point-in-time snapshot of an organization's security posture. However, cyber threats evolve rapidly, and new vulnerabilities emerge continuously. Penetration testing can be conducted more frequently, allowing organizations to adapt to changing threats and technologies in a timely manner.</p> <p><strong>Compliance Validation</strong><br /> Penetration testing can help validate the effectiveness of security measures required by regulatory standards and industry best practices. This can be especially important for organizations subject to strict compliance requirements.</p> <p><strong>Incident Response Preparation</strong><br /> Penetration testing can also serve as an opportunity to test an organization's incident response plan. 
It helps organizations understand how well they can detect, respond to, and mitigate security incidents in real time.</p> <hr /><p>Developing, implementing, and maintaining an effective information security program with administrative, technical, and physical safeguards to protect customer information is crucial for organizations today.</p> <p>This process involves several key steps:</p> <p><strong>Assessment and Planning</strong><br /> Begin by assessing your organization's current security posture and identifying the types of customer information you collect, process, and store.  Determine the relevant legal and regulatory requirements (e.g., GDPR, HIPAA, etc.) that apply to your firm and location. Establish a security team or designate responsible individuals to oversee the program. </p> <p><strong>Policy and Procedure Development</strong><br /> Develop comprehensive information security policies and procedures that cover data classification, access controls, encryption, incident response, and more. Ensure that these policies align with industry standards.</p> <p><strong>Risk Assessment</strong><br /> Conduct a thorough risk assessment to identify vulnerabilities and threats to customer information. This includes assessing both internal and external risks. Prioritize risks based on their potential impact and likelihood and develop mitigation plans.</p> <p><strong>Access Control and Authentication</strong><br /> Implement strong access controls, limiting access to customer information on a need-to-know basis. Utilize multi-factor authentication (MFA) to enhance user authentication.</p> <p><strong>Data Encryption</strong><br /> Encrypt customer data both in transit and at rest to protect it from unauthorized access or theft. 
Implement robust encryption protocols like TLS for data in transit and strong encryption algorithms for data at rest.</p> <p><strong>Security Awareness Training</strong><br /> Train employees on security best practices and make them aware of their role in safeguarding customer information. Conduct regular security awareness programs and tests to reinforce good security behaviors.</p> <p><strong>Incident Response Plan</strong><br /> Develop a comprehensive incident response plan to promptly address data breaches or security incidents. Establish clear procedures for reporting and responding to security incidents, including notifying affected customers and regulatory authorities when necessary.</p> <p><strong>Physical Security Measures</strong><br /> Implement physical safeguards such as secure access controls, surveillance, and alarm systems to protect customer information stored in physical formats (e.g., paper records). Ensure that data centers and server rooms are secure and monitored.</p> <p><strong>Monitoring and Auditing</strong><br /> Employ security monitoring tools to detect suspicious activities and potential breaches. Conduct regular security audits and assessments to ensure ongoing compliance with policies and procedures.</p> <p><strong>Documentation and Reporting</strong><br /> Maintain thorough documentation of security policies, procedures, risk assessments, and incident reports. Report security incidents and breaches as required by regulations and notify affected customers promptly.</p> <p><strong>Continuous Improvement</strong><br /> Review and update your information security program to adapt to evolving threats and technologies. 
Stay informed about emerging security risks and implement necessary changes.</p> <p><strong>Third-Party Assessments</strong><br /> If you use third-party vendors with access to customer information, ensure they meet security standards and regularly assess their security practices.</p> <hr /><p>Developing, implementing, and maintaining an information security program with administrative, technical, and physical safeguards is an ongoing process that requires commitment, vigilance, and adaptability. Organizations can better protect customer information and maintain trust in an increasingly data-driven world by following these steps and staying attuned to the ever-changing threat landscape.</p> <p>Companies should regularly monitor and assess the effectiveness of their information security safeguards for many reasons beyond mere compliance with regulations and standards.</p> <p>These reasons are crucial for safeguarding their data, reputation, and overall business continuity:</p> <p><strong>Dynamic Threat Landscape</strong><br /> The cybersecurity landscape continually evolves, with hackers developing new attack methods and exploiting emerging vulnerabilities. Relying solely on static compliance requirements can leave an organization vulnerable to these constantly changing threats. Regular monitoring and assessments ensure that security measures are up-to-date and resilient against evolving attack vectors.</p> <p><strong>Proactive Threat Mitigation</strong><br /> Waiting for a compliance audit or a security breach to identify weaknesses is a reactive approach that can be costly and damaging. Regular assessments allow companies to proactively identify vulnerabilities and security gaps, enabling them to address these issues before malicious actors exploit them.</p> <p><strong>Effective Incident Response</strong><br /> Timely detection and response to security incidents are crucial for minimizing the impact of a breach. 
Regular assessments help organizations fine-tune their incident response plans, ensuring they can quickly and effectively respond to security incidents, thereby reducing downtime and damage.</p> <p><strong>Data Protection and Trust</strong><br /> Beyond compliance, companies have a moral and ethical obligation to protect their customers' and stakeholders' sensitive information. Demonstrating a solid commitment to data protection through continuous monitoring and assessments helps maintain trust, which is especially critical in industries that rely on customer confidence.</p> <p><strong>Business Continuity</strong><br /> Cyberattacks can disrupt operations, leading to financial losses and reputational damage. Adequate security measures, validated through regular assessments, help ensure business continuity by reducing the likelihood and impact of security incidents.</p> <p><strong>Cost-Efficiency</strong><br /> Addressing security vulnerabilities early in their lifecycle is often more cost-effective than dealing with the aftermath of a breach. Data breaches' financial and reputational costs can be substantial, far exceeding the investment in regular security assessments.</p> <p><strong>Competitive Advantage</strong><br /> Companies that prioritize security not only protect their assets but can also gain a competitive edge. Customers and partners are more likely to trust organizations prioritizing data protection and cybersecurity, potentially leading to increased business opportunities.</p> <p><strong>Adapting to Regulatory Changes</strong><br /> Data protection regulations and cybersecurity standards are subject to changes and updates. Regular assessments ensure that security measures comply with current legal requirements, reducing the risk of non-compliance penalties.</p> <p><strong>Third-Party Relationships</strong><br /> Many companies collaborate with third-party vendors and partners. 
Regular security assessments can verify that these third parties also adhere to necessary security standards, safeguarding the organization against vulnerabilities introduced by these relationships.</p> <p><strong>Cultural Emphasis on Security</strong><br /> Regular monitoring and assessment contribute to building a culture of security within an organization. Employees become more aware of security risks and their role in mitigating them, making security a shared responsibility.</p> <hr /><p>While compliance is a crucial starting point, it should not be the sole focus of an organization's security efforts. Regularly monitoring and assessing the effectiveness of information security safeguards are essential for staying ahead of emerging threats, proactively addressing vulnerabilities, and maintaining trust with customers and stakeholders. An ongoing commitment to security helps protect sensitive data and contributes to the organization's long-term success and resilience in an increasingly digital and interconnected world.</p> <p>The evolving landscape of data security and the recent guidance from the FTC underscores the critical need for CPAs and Accountants to go beyond mere compliance when safeguarding customer information. This article has shed light on the multifaceted approach essential for CPAs and firms in understanding and implementing comprehensive information security measures.</p> <p>By comprehending the diverse types of protections and testing methods, such as Penetration Testing and Ethical Hacking, CPAs are better equipped to meet regulatory requirements and proactively secure sensitive data. The significance of developing, implementing, and maintaining an information security program with administrative, technical, and physical safeguards cannot be overstated. 
It is not merely a box-checking exercise but also a strategic imperative to safeguard clients' trust and uphold professional integrity.</p> <p>Furthermore, staying informed about evolving regulations and continuously assessing the effectiveness of security safeguards is not just a regulatory obligation; it is a prudent business practice that can mitigate risks, enhance resilience, and bolster the competitive advantage of accounting firms.</p> <p>In an era where data breaches are increasingly common, CPAs and accountants are pivotal in ensuring customer information's confidentiality, integrity, and availability. Embracing a proactive security mindset, adopting best practices, and leveraging advanced testing methodologies are essential for compliance and building a robust foundation for the future of accounting in a digital age.</p> <hr /><p><em>Christophe Reglat is President/CEO of Coaxis Hosting, an endorsed program for the FICPA. Coaxis provides CPA firms with an <u>affordable</u> Compliance Portal designed to create and manage the FTC’s required Written Information Security Program (WISP) and Continuous Penetration Testing. 
For more information call 850-391-1022 or email <a href="mailto:[email protected]">[email protected]</a></em></p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> <div class="field--item"> <a href="/taxonomy/term/151" target="_blank" hreflang="en"> FICPA Strategic Partners </a> </div> </div> </div> Thu, 19 Oct 2023 14:37:56 +0000 133345 114115 at https://students.ficpa.org Business email compromise scams and how to prevent them https://students.ficpa.org/publication/business-email-compromise-scams-and-how-prevent-them <span>Business email compromise scams and how to prevent them</span> <div class="field field--name-field-author field--type-entity-reference field--label-hidden field--items"> <div class="field--item"><a href="/person/presented-coaxis" hreflang="en">Presented by Coaxis</a></div> </div> <span><span>133345</span></span> <span>Mon, 07/10/2023 - 09:26</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2023-07-10T12:00:00Z">July 10, 2023</time> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p style="margin-bottom:11px">Business email compromise (BEC) is one of the most financially damaging online crimes today, according to the <a href="https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise#:~:text=Business%20email%20compromise%20(BEC)%E2%80%94,most%20financially%20damaging%20online%20crimes.">FBI</a>. 
In fact, BEC attacks are at the top of the Forbes list of the <a href="https://www.forbes.com/advisor/personal-finance/cybersecurity-threats-for-2023/">biggest cybersecurity threats for 2023</a>.</p> <p>These scams exploit the fact that so many of us rely on email to conduct business today. In a BEC scam, cybercriminals send fraudulent emails with a legitimate request that appear to come from a trusted source such as a company executive, employee or vendor. Examples include a vendor who sends an invoice with an updated mailing address or a homebuyer that receives a message from their title company with instructions for wiring their down payment.</p> <p>BEC scams rely on social engineering to create a sense of urgency and manipulate victims into acting quickly. They typically ask the recipients to transfer funds, making the payouts on these scams highly attractive for cybercriminals. According to the most recent report from the FBI’s Internet Crime Complaint Center, BEC-related losses totaled nearly $2.4 billion in 2021.</p> <p>Here are a few BEC scams that CPA firms need to know:</p> <hr /><h4>Tax season BEC scams</h4> <p>As the Internal Revenue Service (IRS), state tax agencies and the tax industry gain headway in thwarting identity theft, cybercriminals are forced to gather more and more data to impersonate real taxpayers. The IRS recently warned businesses and payroll service providers about a particularly dangerous BEC scam that involves <a href="https://www.irs.gov/newsroom/form-w-2-ssn-data-theft-information-for-businesses-and-payroll-service-providers">Form W-2/SSN Data Theft</a>.</p> <p>Calling it one of the most dangerous phishing emails facing the tax community, the IRS explains how the scam works: Cybercriminals identify chief operating officers or others in positions of authority and pose as these executives to send emails to payroll personnel requesting copies of Forms W-2 for all employees. 
The cybercriminals then use the employees’ name, address, Social Security number, income and withholdings to file fraudulent tax returns or post the information for sale on the dark net. Other deadline-sensitive actions that are popular targets for BEC attacks include tax filings, benefits enrollment periods or an upcoming audit.</p> <hr /><h4>Supply chain BEC scams</h4> <p>A Toyota auto parts supplier became the poster child for BEC attacks in 2019 due to the company’s high profile and its massive payout. It also showed how social engineering can bypass even the most sophisticated security programs by targeting people instead of infrastructures.</p> <p>The attackers contacted the finance and accounting department of a Toyota subsidiary posing as a legitimate business partner and convinced someone with financial authority to change account information on an electronic funds transfer. They also created a sense of urgency by claiming the transaction needed to be completed quickly to avoid slowing down production. It worked. The company transferred <a href="https://www.toyota-boshoku.com/global/content/wp-content/uploads/190906e.pdf" target="_blank">more than $37 million</a> in a parts order to the scammers.</p> <hr /><h4>Gift card-related BEC scams</h4> <p>Gift card scams have long been popular with cybercriminals because the cards operate like cash. And while the money they make from these scams is substantially less than from wire transfers, there is a higher probability of success because the amount is often small enough to evade a company’s financial controls. In fact, a 2020 examination of BEC attacks by the <a href="https://docs.apwg.org/reports/apwg_trends_report_q2_2020.pdf">Anti-Phishing Working Group</a> found that 66% involved gift cards. 
By contrast, bank transfers made up 18% of attacks, followed by payroll diversions at 16%.</p> <p>In a typical scenario, the attackers impersonate a trusted person like the CEO who asks the targeted victim to purchase and send them multiple eGift cards for a work-related function or other special occasion. One recent gift card scam targeted Jewish temples and synagogues. The cybercriminals impersonated rabbis in emails and asked congregants to purchase gift cards for a fundraiser and send them pictures of the serial numbers.</p> <hr /><h4>How To Protect Your Firm From BEC Scams</h4> <ul><li>Employee training and education are essential to minimizing the risk of becoming the victim of a BEC scam. Make them aware of social engineering threats and train them to spot fraudulent email.</li> <li>Don’t click on anything in an unsolicited email or text message that asks you to update or verify account information. Contact the company directly to determine if the request is legitimate.</li> <li>Carefully examine the email address, URL and spelling used in any correspondence. Scammers use slight variations to trick victims into thinking fake accounts are authentic and gain their trust. For instance, <a href="mailto:[email protected]">[email protected]</a> vs. <a href="mailto:[email protected]">[email protected]</a>.</li> <li>Verify payment and purchase requests in person, if possible, or by calling the contact to make sure it is legitimate. This includes any change in account number or payment procedures.</li> <li>Be especially wary if the requestor is pressing you to act quickly.</li> <li>Make sure your IT infrastructure is protected. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. 
That information is then used to time requests or send messages so accountants or financial officers don’t question payment requests.</li> </ul><p>Data from the <a href="https://www.thetaxadviser.com/issues/2020/apr/cybersecurity-urgent-priority-cpa-firms.html">Association of International Certified Professional Accountants</a> (AICPA) cites an alarming 80% increase in reported data breaches by CPA firms between 2014 and 2020. To keep pace with the growing number of large-scale data breaches, including threats such as BEC scams, the Federal Trade Commission (FTC) recently amended its <a href="https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314">Safeguards Rule</a>.</p> <p>The stronger regulations – most of which took effect on June 9, 2023 – require covered financial institutions to develop, implement and maintain an information security program with administrative, technical and physical safeguards designed to protect customer information. It defines a "financial institution" as any business that engages in financial activity, meaning accounting firms must comply.</p> <p>Now, more than ever, CPA firms need to understand the different types of infrastructure protections and testing that are necessary to fully assess their risk from cybersecurity threats and take steps to mitigate them. This includes regular penetration testing to monitor and assess the effectiveness of their information security safeguards. </p> <hr /><p><em>Coaxis Hosting is an endorsed program for the FICPA that provides CPA firms with a fully hosted and managed network solution designed to remove the complexities of federal and industry compliances, curb the demands of maintaining an IT infrastructure, and greatly minimize the threat of cybercrime. The company partners with SXIPHER, a leading ethical hacking company that supports clients in shifting from a defensive to an offensive posture by providing in-house penetration tests. 
To learn more, visit <a href="http://www.coaxiscloud.com/ficpa">www.coaxiscloud.com/ficpa</a> or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or <a href="mailto:[email protected]">[email protected]</a>.</em></p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> </div> </div> Mon, 10 Jul 2023 13:26:00 +0000 133345 113620 at https://students.ficpa.org Top 5 cybersecurity threats of 2023: What you need to know https://students.ficpa.org/publication/top-5-cybersecurity-threats-2023-what-you-need-know <span>Top 5 cybersecurity threats of 2023: What you need to know</span> <div class="field field--name-field-author field--type-entity-reference field--label-hidden field--items"> <div class="field--item"><a href="/person/presented-coaxis" hreflang="en">Presented by Coaxis</a></div> </div> <span><span>133345</span></span> <span>Mon, 06/05/2023 - 11:42</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2023-06-05T12:00:00Z">June 5, 2023</time> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="MsoNoSpacing">“In this world, nothing can be said to be certain, except death and taxes,” wrote Ben Franklin in 1789, nearly 200 years before the arrival of the internet in 1983. If Franklin were alive today, it is a safe bet he would add cybercrime to his list of certainties.</p> <p>Cybercriminals are constantly evolving their attacks and innovating new ways to breach increasingly sophisticated cybersecurity defenses. 
Much like a game of whack-a-mole, CPA firms need to be equally diligent to identify and thwart these schemes wherever they pop up.</p> <p>A good place to start is with this list of what we consider the top five cybersecurity threats in 2023:</p> <hr /><h5><a name="_Hlk133930239" id="_Hlk133930239">1. Business Email Compromise Attacks</a></h5> <p>Responsible for nearly $2.4 billion in losses in 2021 alone, according to the FBI’s Internet Crime Complaint Center, business email compromise (or BEC) is a form of phishing attack where cyber criminals attempt to trick someone into transferring funds or revealing sensitive information. Unlike standard phishing emails that are sent randomly to millions of people, BEC attacks are crafted to appeal to specific individuals such as bank or credit card customers, making them even harder to detect. The <a href="https://www.ncsc.gov.uk/files/Business-email-compromise-infographic.pdf">National Cyber Security Centre</a> recommends verifying important email requests using another method, such as a phone call or logging into an account, and being suspicious of urgent emails that contain a veiled threat such as “send these details within 24 hours” or “you have been a victim of crime, click here immediately.”</p> <hr /><h5>2. Malware and Ransomware Threats</h5> <p>Expect to see more of this type of activity, particularly related to the conflict in Ukraine and the associated sanctions, according to <a href="https://www.forbes.com/advisor/personal-finance/cybersecurity-threats-for-2023/">Forbes Advisor</a>. 
“Russian state-sponsored organized crime teams that excel at ransomware will help sustain the war efforts.”</p> <p>Due to the evolving and pervasive nature of malware and ransomware attacks, prevention must start with a cybersecurity risk assessment, according to <a href="https://www.bdodigital.com/insights/cybersecurity/top-10-cybersecurity-threats-to-businesses-in-2023">BDO Digital</a>, along with implementation of the following preventative measures:</p> <ul><li>Security software: Advanced anti-virus and anti-malware software is a must for all employee devices.</li> <li>System updates: As malware attacks change daily, ensuring system software is always up-to-date and able to handle new challenges can protect against evolving threats.</li> <li>Network security: Networks must be assessed regularly to identify weak points and scan for malware, and security must be upgraded regularly for maximum threat mitigation.</li> <li>Employee security training: Data security breaches are often the result of human error. Educating employees about malware and how it enters computer systems can help them understand the risks and recognize malware attempts.</li> </ul><hr /><h5>3. Zero-Day Attacks</h5> <p>A zero-day attack exploits a previously unknown hardware, firmware or software vulnerability before the vendor becomes aware of it. Since no patch exists yet, these attacks are more likely to succeed. Financial institutions are common targets for stealing sensitive financial information or carrying out fraudulent transactions.</p> <p>Zero-day vulnerabilities can be challenging to detect. Telltale signs to look for include unexpected traffic or suspicious scanning activity originating from a client or service.</p> <p>One recent example of a zero-day attack involved a vulnerability found in the popular video conferencing platform Zoom. 
Hackers used it to remotely access the PCs of users running an older version of Windows and, if the target was an administrator, they could completely take over their computer and access all their files.</p> <hr /><h5>4. Smishing</h5> <p>Smishing – a form of phishing that uses text messages or messaging apps instead of email – is on the rise in part because more people are shopping on their smartphones. Like phishing, it begins with an unsolicited message.</p> <p>People are in the habit of opening each and every text message. But while most workplaces have sophisticated email systems that flag or quarantine suspected phishing emails, the same is not true for smishing. When these mobile devices are connected to a company’s network, the attacker can gain access, stealing customer and employee data.</p> <p>Hackers have also found ways to get around two-factor authentication, explains a cybersecurity expert at the Healthcare Information and Management Systems Society (HIMSS). As an example, a user clicks on a text link that takes them to a decoy model of their bank’s homepage. As they begin entering their login information, hackers program software to simultaneously input the user’s login information into the real bank website. When the bank website responds with a two-factor authentication code via text, the victim will enter it into the fake website and then the software enters it into the real bank site to instantly gain access.</p> <hr /><h5>5. Configuration Mistakes</h5> <p>Even the most sophisticated cybersecurity systems are likely to contain at least one error in how the software is installed and set up. 
The digitally-native business insurance company <a href="https://www.embroker.com/blog/top-cybersecurity-threats/">Embroker</a> reports 80% of external penetration testing reveals exploitable misconfigurations.</p> <p>Not knowing whether deployed solutions are working as promised is a largely overlooked security risk, according to the pre-eminent research center dedicated to privacy, data protection and information security policy. The <a href="https://go.attackiq.com/rs/041-FSQ-281/images/REPORT-Ponemon1_vF2.pdf" target="_blank">Ponemon Institute</a> found that half of IT experts admit to not having a clear picture of their organization’s cybersecurity posture, meaning they are not performing regular internal testing and maintenance. </p> <p>Cyber risk is on the rise. Today’s hackers are working relentlessly to develop innovative, more sophisticated cyber-attacks faster than organizations can update their protections. Recognizing and defending against these malicious threats as they emerge requires an ongoing strategy of both internal and external testing and maintenance.</p> <hr /><p><em>Coaxis Hosting is an endorsed program for the FICPA that provides CPA firms with a fully hosted and managed network solution designed to remove the complexities of federal and industry compliances, curb the demands of maintaining an IT infrastructure, and greatly minimize the threat of cybercrime. The company partners with SXIPHER, a leading ethical hacking company that supports clients in shifting from a defensive to an offensive posture by providing in-house penetration tests. 
To learn more, visit <a href="http://www.coaxiscloud.com/ficpa">www.coaxiscloud.com/ficpa</a> or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or <a href="mailto:[email protected]">[email protected]</a>.</em></p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> <div class="field--item"> <a href="/taxonomy/term/151" target="_blank" hreflang="en"> FICPA Strategic Partners </a> </div> </div> </div> Mon, 05 Jun 2023 15:42:54 +0000 133345 113515 at https://students.ficpa.org FICPA CEO Conversations: Shelly Weir and Coaxis CEO Christophe Reglat tackle cybersecurity https://students.ficpa.org/publication/ficpa-ceo-conversations-shelly-weir-and-coaxis-ceo-christophe-reglat-tackle <span>FICPA CEO Conversations: Shelly Weir and Coaxis CEO Christophe Reglat tackle cybersecurity</span> <div class="field field--name-field-author field--type-entity-reference field--label-hidden field--items"> <div class="field--item"><a href="/person/ficpa-staff" hreflang="en">By FICPA Staff</a></div> </div> <span><span>133345</span></span> <span>Mon, 03/27/2023 - 11:26</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2023-03-27T12:00:00Z">March 27, 2023</time> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="text-align-center"><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="500" src="https://www.youtube.com/embed/TQKnxhMzDbY" title="YouTube video player" width="900"></iframe></p> <p>In the latest edition of <a href="https://www.ficpa.org/taxonomy/term/185" rel=" noopener" 
target="_blank">FICPA CEO Conversations</a>, Shelly Weir sits down with the President &amp; CEO of Coaxis, Christophe Reglat.</p> <p>Shelly and Christophe discuss the importance of cybersecurity, the threats faced by CPAs, and the value of penetration testing, otherwise known as "ethical" or "white-hat" hacking.</p> <p>Click on the player above to enjoy the conversation, and click the link below to learn more about penetration testing from our Strategic Partners at Coaxis.</p> <ul><li><a href="https://www.ficpa.org/publication/coaxis-ethical-hacking-magic-bullet-your-arsenal-cybersecurity-protections" rel=" noopener" target="_blank">Coaxis: Ethical hacking is the magic bullet in your arsenal of cybersecurity protections</a></li> </ul></div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> <div class="field--item"> <a href="/taxonomy/term/185" target="_blank" hreflang="en"> CEO Conversations and Podcasts </a> </div> </div> </div> Mon, 27 Mar 2023 15:26:25 +0000 133345 113303 at https://students.ficpa.org Coaxis: Ethical hacking is the magic bullet in your arsenal of cybersecurity protections https://students.ficpa.org/publication/coaxis-ethical-hacking-magic-bullet-your-arsenal-cybersecurity-protections <span>Coaxis: Ethical hacking is the magic bullet in your arsenal of cybersecurity protections</span> <div class="field field--name-field-author field--type-entity-reference field--label-hidden field--items"> <div class="field--item"><a href="/person/presented-coaxis" hreflang="en">Presented by Coaxis</a></div> </div> <span><span>133345</span></span> <span>Thu, 03/23/2023 - 10:15</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2023-03-27T12:00:00Z">March 27, 2023</time> 
</div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="text-align-center"><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="500" src="https://www.youtube.com/embed/TQKnxhMzDbY" title="YouTube video player" width="900"></iframe></p> <p><em>In the latest edition of <a href="https://www.ficpa.org/taxonomy/term/185" rel=" noopener" target="_blank">FICPA CEO Conversations</a>, FICPA President &amp; CEO Shelly Weir sits down with Christophe Reglat, the CEO of Coaxis. Shelly and Christophe discuss the importance of cybersecurity, the threats faced by CPAs, and the value of penetration testing, otherwise known as "ethical" or "white-hat" hacking. Click on the player above to enjoy the conversation, and scroll down to read more about the value of ethical hacking from our Strategic Partners at Coaxis.</em></p> <hr /><p>The best defense is a good offense. Whether on the battlefield or football field, successful leaders from George Washington to Bill Belichick have deployed this combat principle to gain a strategic advantage. And, make no mistake, organizations today are under attack by cybercriminals like never before.</p> <hr /><h4>State of the industry</h4> <p>A deep dive into cybersecurity data and trends impacting the digital landscape reveals we are losing the battle against the growing number of cyber-threats targeting both industry and government, according to <a href="https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=5d9c45f77864" rel=" noopener" target="_blank">Forbes</a>. Consider this alarming statistic: In 93 percent of cases, cybercriminals can breach an organization's network perimeter and gain access to local network resources. 
The finding is based on a <a href="https://betanews.com/2021/12/20/cybercriminals-penetrate-93-percent-of-company-networks/" rel=" noopener" target="_blank">penetration testing project</a> conducted among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies and other sectors.</p> <p>In the past few months alone, active threats have ranged from attacks aimed at the U.S. healthcare system to legal and financial organizations. They include:</p> <ul><li>The <a href="https://www.hhs.gov/sites/default/files/royal-ransomware-analyst-note.pdf" rel=" noopener" target="_blank">U.S. Department of Health and Human Services</a> (HHS) cautioned against ongoing Royal ransomware attacks targeting healthcare entities. The group relies on social engineering to trigger the infection by deploying a variety of methods to obtain access to a targeted environment. They range from malicious ads and fake forum pages to phishing emails that lead to rogue installer files for legitimate apps like Microsoft Teams or Zoom. To date, payment demands have ranged from $250,000 to $2 million.</li> <li>A hack-for-hire group called Evilnum is responsible for a broad <a href="https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.html" rel=" noopener" target="_blank">campaign targeting legal and financial investment institutions</a>. The attacks involve malware that leverages legitimate services like WordPress and YouTube as “dead drop resolvers” to host a target’s command and control infrastructure. This approach gives the bad actors greater resiliency since they can dynamically update and switch between a list of servers when the original one is taken down.</li> </ul><hr /><h4>Conventional cybersecurity protections</h4> <p>Defending against the threat of cyber-attacks requires a multi-pronged approach.</p> <p><strong>1. 
Network security</strong> – Organizations must secure their IT infrastructures against both physical and cyber threats. This typically includes protecting both hardware and software assets such as end-user devices, data center resources, networking systems and cloud resources.</p> <p><strong>2. Employee training, policies and procedures</strong> – With employees considered the weakest link when it comes to cybersecurity, staff training and technology must go hand in hand. An organization can have the gold standard in IT infrastructure protections but still be vulnerable if an employee falls victim to social engineering and inadvertently clicks on a malicious link or responds to a fraudulent email.</p> <p><strong>3. Annual cybersecurity audits</strong> – These are designed to provide an in-depth assessment of an organization’s posture to defend against cyberattacks – from policies and procedures to security controls and action plans – and detect vulnerabilities that can pose a threat.</p> <p><strong>4. Business continuity and IT recovery plan</strong> – Whether it’s a ransomware attack or natural disaster, once catastrophe strikes, it’s too late to start planning. A proactive business continuity plan ensures an organization’s critical services can be delivered and essential operations continue to function.</p> <p><strong>5. Cybersecurity insurance</strong> – Also called cyber liability insurance, this is a policy that protects against a wide range of losses an organization may suffer directly, or cause to others, due to a cyber incident. 
It can include costs arising from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud and privacy violations.</p> <p>“Unfortunately, all these layers of protection and responsive measures fall short if you are not validating their effectiveness,” warns Christophe Reglat, co-vice chair of the Florida Technology Council and CEO of Coaxis Hosting. “The only way to know if your cybersecurity practices and policies are working is to validate them through penetration testing.” </p> <hr /><h4>Ethical hacking: A proactive layer of protection</h4> <p>Today’s hackers can remain undetected in an organization's network for more than 200 days, on average, according to SXIPHER, a leading ethical hacking company that helps organizations shift from a defensive cybersecurity posture to an offensive one. “Given this unsettling statistic, it is impossible for organizations to know if their network is compromised,” explains Gabriel Reglat, SXIPHER’s managing partner. “As hackers become more brazen and lay dormant in networks, organizations must make a fundamental shift in how they ensure their network security.”</p> <p>Penetration testing, commonly known as ethical hacking, involves an authorized attempt to gain unauthorized access to a computer system, application or data. The goal of these “white hat hackers” is to duplicate the strategies and actions of malicious attackers to expose and remedy weaknesses in an organization’s IT infrastructure.</p> <p>Monthly penetration testing provides a proactive element that complements annual security audits. It typically encompasses four types of environments:</p> <p><strong>1. Network Penetration Testing</strong> – The most common method of penetration testing involves intelligence gathering, threat modeling and completing a series of network tests. 
Once a threat actor obtains access to a network, 90% of the obstacles are removed. A pentester will conduct internal and external network exploitations that mimic a successful hacker penetrating a network’s defenses. This enables them to explore all facets of an organization's security posture.</p> <p><strong>2. Cloud Penetration Testing</strong> – Public cloud services have become increasingly popular for computing, networking and data storage, making them a prime target for hackers. But the ease of cloud deployments comes with complexities such as handling security and legal obstacles. Many public cloud providers take a hands-off or shared responsibility approach to security, forcing organizations to take responsibility for their own cloud security.</p> <p><strong>3. Application Penetration Testing</strong> – In this testing, the simulated attack is designed to expose the deficiencies of an application’s security controls by identifying vulnerabilities and risk. While firewalls and other monitoring systems are used to protect an infrastructure’s security, this testing focuses on situations when traffic is allowed to pass through the firewall.</p> <p><strong>4. Physical Penetration Testing</strong> – Social engineering is one of the most prevalent methods threat actors use to infiltrate an organization’s IT environment. This penetration testing often involves the pentester deceiving or manipulating employees in order to obtain physical access to the facility.</p> <hr /><h4>Conclusion</h4> <p>A 2022 benchmarking study “<a href="https://thoughtlabgroup.com/cyber-solutions-riskier-world/" rel=" noopener" target="_blank">Cybersecurity Solutions for a Riskier World</a>” reveals that cybersecurity has reached a critical inflection point with 40% of chief security officers acknowledging their organizations are unprepared for a rapidly changing threat landscape. 
The highest percentages of unprepared organizations were in critical infrastructure industries: healthcare (35%), the public sector (34%), telecoms (31%), and aerospace and defense (31%).</p> <p>Over the next two years, security executives expect an increase in attacks as nation-states and cybercriminals become more prolific. They anticipate the attacks will target weak spots caused primarily by software misconfigurations, human error, poor maintenance and unknown assets.</p> <p>As cyberattacks grow in both number and sophistication, organizations are increasingly under the gun to protect themselves from compromise. Identifying in advance the network and security vulnerabilities that can enable an attack is an important weapon to block or limit these cyber threats.</p> <hr /><p><em>Christophe Reglat is CEO of Coaxis Hosting, Inc., a managed data hosting services provider delivering network solutions designed to curb the demands of information technology infrastructures, remove the complexities of federal and industry compliances, and greatly minimize the threat of cybercrime. </em></p> <p><em>Gabriel Reglat is the managing partner of SXIPHER, a leading ethical hacking company that supports clients in shifting from a defensive to an offensive posture by going beyond the annual security audit and providing in-house penetration tests. 
The testing deploys current methods and tactics used by bad actors and is highly effective in determining if an organization’s IT infrastructure can withstand a similar attack in real life.</em></p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> </div> </div> Thu, 23 Mar 2023 14:15:35 +0000 133345 113294 at https://students.ficpa.org Coaxis: Six tips to help ensure your mobile devices are secure https://students.ficpa.org/publication/coaxis-six-tips-help-ensure-your-mobile-devices-are-secure <span>Coaxis: Six tips to help ensure your mobile devices are secure </span> <span><span>133345</span></span> <span>Mon, 10/24/2022 - 12:30</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2022-10-24T12:00:00Z">October 24, 2022</time> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="MsoNoSpacing"><em>October is National Cybersecurity Awareness Month, an opportunity to educate and inform individuals and businesses about the importance of making sure their online lives are kept safe and secure. At work, this means all employees share responsibility for protecting their company’s data and infrastructure, including using secure passwords.</em></p> <hr /><p>Financial services organizations and other firms that are responsible for the security of consumer financial data must remain vigilant in their cybersecurity efforts.  
The warning comes from Security Magazine: the high value of financial data, including Social Security numbers, banking details, and more, makes it a lucrative target for cybercriminals.</p> <p>In addition, the expanding adoption of cloud-based services and data storage, more companies implementing remote and hybrid work options, and the growing use of mobile devices for work are together giving cybercriminals an ever-expanding range of opportunities to exploit, explained Jonah Force Hill, executive director of the FBI’s Cyber Investigations Advisory Board created in September 2021 to fight cyber-enabled fraud.  “Every organization – providers of financial services, in particular – must remain vigilant in the face of these evolving threats.”</p> <p>Managing privacy and security risks is a top concern for CPA firms of all sizes, according to the AICPA’s 2019 PCPS CPA Firm Top Issues survey. One good precaution is to ensure your mobile devices are secure.</p> <p>The “bring your own device” (BYOD) phenomenon continues to rise in the workplace, according to TechAdvisory.org, a blog that provides tech advice for small businesses.  Whether employees are utilizing smartphones, tablets or laptops, there are data security risks companies need to consider.</p> <p>A personal device that has been infected with malware can spread the malicious software to other devices that are connected to the company network.  Public Wi-Fi spots provide easy opportunities for cybercriminals to intercept data being transmitted over public networks.  Finally, employees often bring their own devices wherever they go.  
This creates greater risk of them being lost or stolen, and the company data stored or accessed on the devices being compromised.</p> <p>Among the top threats from mobile devices are:</p> <ul><li>Free mobile apps that perform as advertised, but also send personal – and potentially corporate – data to a remote server, where it is mined by advertisers, or worse, by cybercriminals.</li> <li>Unsecured Wi-Fi and network spoofing, which is when hackers set up fake Wi-Fi networks in high-traffic public locations such as coffee shops, hotels, and airports.</li> </ul><p><strong>Here are six tips to help ensure your mobile devices are secure:</strong></p> <p><strong>1. </strong>Use long, complex passwords, instead of the standard four-digit code. A strong password is at least eight characters long and includes a combination of letters, numbers, and special characters. For added security, set up thumbprint or face recognition. Additionally, make sure your device auto-locks when not in use.</p> <p><strong>2. </strong>Turn off Wi-Fi and Bluetooth when not in use. These platforms are essentially open connections to your phone. Only turn them on when you need to use them.</p> <p><strong>3.</strong> Only download apps from trusted sources such as the Apple App and Google Play stores. Malicious apps infected with malware are generally found in third-party app stores and often resemble legitimate apps such as games, instant messaging and even antivirus software. Look at the app’s reviews and star rating. Notice when the app was published and be wary of new apps or ones used by few people. Also, be cautious about using free apps. While it doesn’t cost money to use them, the app does want something in return – access to your personal information. Finally, set up two-factor authentication, especially for apps that store your bank account or credit card information.</p> <p><strong>4.</strong> Don’t click on links in SMS messages from unknown senders. 
Much like email phishing, “smishing” uses fraudulent text messages to convince people to reveal personal information, such as passwords and credit card numbers. Mobile device users are especially vulnerable to these attacks because the smaller screen makes it harder to spot fake content. “Smishing” scams are on the rise, in part, because they appeal to cyber criminals who can enable geographic targeting; for instance, posing as a local bank or credit union to send messages to nearby mobile phone users. “Smishing” also poses risks to companies because it can trick users into downloading infected files, potentially exposing sensitive data.</p> <p><strong>5.</strong> Perform regular software updates on your device’s operating system (OS) and all of your apps to patch possible security vulnerabilities that can give malware access to your phone or tablet.</p> <p><strong>6. </strong>Make sure you have software installed on your mobile device that lets you remotely lock, and if necessary, wipe the data if it’s lost or stolen.</p> <p>It is important for financial services organizations and other firms that are responsible for the security of consumer financial data to understand their cybersecurity risks.  With nearly all firms relying on information technology to store, process, and transmit information, it is essential to protect these infrastructures from unauthorized access.  And yet, firms often fail to understand their vulnerability to attack.  Security risks are not always obvious and constant cybersecurity education is paramount.</p> <hr /><p><em>Christophe Réglat is president and CEO of Coaxis, an endorsed program for the FICPA. Coaxis provides CPA firms with a fully-hosted and managed network solution designed to remove the complexities of federal and industry compliances, curb the demands of maintaining an IT infrastructure, and greatly minimize the threat of cybercrime. 
For more information, call (850) 391-1022 or email <a href="mailto:[email protected]">[email protected]</a>.</em></p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> <div class="field--item"> <a href="/taxonomy/term/151" target="_blank" hreflang="en"> FICPA Strategic Partners </a> </div> </div> </div> Mon, 24 Oct 2022 16:30:12 +0000 133345 112634 at https://students.ficpa.org The growing vulnerability of social media platforms and how to reduce your firm’s risk https://students.ficpa.org/publication/growing-vulnerability-social-media-platforms-and-how-reduce-your-firms-risk <span>The growing vulnerability of social media platforms and how to reduce your firm’s risk </span> <span><span>139094</span></span> <span>Thu, 07/14/2022 - 09:15</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2022-07-14T12:00:00Z">July 14, 2022</time> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p paraeid="{6488391a-ff39-4a68-bcad-966a430039da}{25}" paraid="2069860319">Social media channels such as Facebook, Twitter, Instagram and YouTube have emerged as attractive gateways for cybercriminals. Other platforms are also becoming hotbeds for hacking, such as social news sites like Reddit and review sites like TripAdvisor and Yelp. Close to home in Florida, the <a href="https://www.reuters.com/article/us-cybersecurity-centcom-hack/in-twitter-hack-pentagon-learns-perils-of-social-media-exposure-idUSKBN0KN03D20150114" rel="noreferrer noopener" target="_blank">Pentagon learned the perils of social media exposure</a> when the Twitter and YouTube feeds of the U.S. 
Central Command in Tampa were breached by apparent sympathizers of an Islamic State militant group.  </p> <p paraeid="{6488391a-ff39-4a68-bcad-966a430039da}{104}" paraid="188398835">What makes social media platforms so desirable? One easy answer, according to <a href="https://www.cpomagazine.com/cyber-security/cyber-criminals-have-turned-social-media-cyber-crime-into-a-3-billion-business/" rel="noreferrer noopener" target="_blank">Chief Privacy Officer (CPO)</a> magazine, is that “these sites make it very easy to share and pass on just about anything – and that includes malware.” On average, social media platforms have 20% more methods for scamming consumers than other internet sites; techniques like advertisements, sharing buttons and plug-ins. In addition, most people have hundreds to thousands of connections on social media making it very convenient to distribute malware to a wide audience with few negative consequences. Additionally, the same type of human error that causes people to click on links sent to them in emails is exponentially greater on social media platforms because people are more likely to consider themselves among friends. </p> <p paraeid="{6488391a-ff39-4a68-bcad-966a430039da}{189}" paraid="1515909303">Hacking social networks requires very little technical skill. Bad actors simply use the information available on personal profiles to win a complete stranger's trust. “Cybercriminals exploit the personal details we share online to trick or impersonate us—piecing together every photo we post, location we check into, person we tag, or pet photo we upload to build an understanding of their targets,” explains <a href="https://www.fastcompany.com/90606386/social-media-scam-phishing-ethical-hacker" rel="noreferrer noopener" target="_blank">Fast Company</a>, a business magazine that focuses on technology and business. 
“The social engineering scams they create are designed to entice people to download malware, send money, share personal information, or disclose log-in details.” </p> <p paraeid="{6488391a-ff39-4a68-bcad-966a430039da}{244}" paraid="545864011">Examples of how hackers use social media to commit cybercrimes include: </p> <ul><li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{7}" paraid="1642840134"><strong>Identity theft</strong> – Scammers use information and photos easily found online to create fake Twitter, Facebook and LinkedIn accounts, and then use these fake social media profiles to scam others out of money or to tarnish your firm’s reputation.</li> <li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{7}" paraid="1642840134"><strong>Malware</strong> – Social media is an effective way to distribute malware because the links, messages and posts come from a trusted source like a client, co-worker or friend. <a href="https://www.cpomagazine.com/cyber-security/cyber-criminals-have-turned-social-media-cyber-crime-into-a-3-billion-business/" rel="noreferrer noopener" target="_blank">Chief Privacy Officer (CPO)</a> magazine reports nearly 1 in 5 organizations worldwide are now infected by malware distributed by social media platforms.</li> <li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{7}" paraid="1642840134"><strong>Social phishing</strong> – Fun fact: 85% of people posting puppy photos on social media are trying to scam you. Much like the more traditional phishing attacks that use email or malicious websites to solicit personal information by posing as a trustworthy organization, social media phishing uses platforms like Facebook or Twitter to steal personal data or gain control of a person’s social media account. 
One example is a post that offers free vouchers and giveaways by clicking on a link that goes to a malicious website.</li> <li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{7}" paraid="1642840134"><strong>Data exploitation</strong> – Think about the information on social media platforms that could give hints to your frequently used passwords. While it’s considered a best practice to avoid using things like your child’s first name or birthday, many people still do so – and hackers know it. Think twice before taking that quiz that asks your mother’s maiden name or what high school you went to.</li> </ul><p paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{148}" paraid="248939025">Social media hacking happens more often than you think, according to Dr. Aaron Brantly, director of the <a href="https://tech4humanitylab.org/" rel="noreferrer noopener" target="_blank">Tech4Humanity Lab</a> at Virginia Tech who studies the impact of technology on the human condition. “The numbers are very hard to come by on almost all social media platforms because they keep those very close to their chest,” he said. The motivation is usually financial or malicious.</p> <p paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{203}" paraid="1286040922">The scope of social media scams is limited only by the imagination of the cybercriminals and once your account is hacked, there’s not much you can do about it. Your best defense is a good offense. Here are some ways to protect your firm from social media hackers:</p> <ul><li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{253}" paraid="2052820179"><strong>Know how your firm uses social media</strong> – Understanding which platforms your firm benefits from most can help determine the ones you need to secure. 
This protects not only your firm but also those who visit your pages and profiles.</li> <li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{253}" paraid="2052820179"><strong>Train employees on best practices for social media use</strong> – Educating new employees about your firm’s cybersecurity policies should be a standard component of the onboarding process and reinforced with constant training updates for all staff. This includes social media security training and making sure employees are aware of how important it is to the overall security of your firm. <a href="https://www.mitnicksecurity.com/about-kevin-mitnick-mitnick-security" rel="noreferrer noopener" target="_blank">Kevin Mitnick</a>, considered the world's most famous hacker, has often said the best security you can have is trained employees who are on their toes with security top of mind.</li> <li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{253}" paraid="2052820179"><strong>Create an effective password policy</strong> – Passwords have been called “the keys to the digital kingdom.” The strongest passwords are those that are eight or more characters long; contain a combination of upper and lower case letters, numbers and symbols; and use made-up phrases. Do not use common words or personal information like the name of a family member or pet.</li> <li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{253}" paraid="2052820179">The <a href="https://www.aicpa.org/home" rel="noreferrer noopener" target="_blank">AICPA</a>’s Director of IT Security Strategy recommends changing passwords at least once per year and having unique passwords for each website and application. Other tips include using two-factor authentication as an extra layer of protection and logging out of websites and devices when you are finished using them. 
</li> <li paraeid="{bdbb63a7-d86c-4f72-bbd5-45b04f1e8f02}{253}" paraid="2052820179"><strong>Employ a strong security solution</strong> – The right security solution can protect your firm’s accounts and network from attacks like malware, phishing campaigns, malicious URLs and other evolving threats.</li> </ul><p paraeid="{27bf8feb-7083-4c62-a151-1a599baf334b}{164}" paraid="717694782">There are a <a href="https://www.smartinsights.com/social-media-marketing/social-media-strategy/new-global-social-media-research/" rel="noreferrer noopener" target="_blank">reported</a> 4.62 billion social media users today and 22% have fallen victim to a security-related incident. Many are businesses that use some combination of social media for recruiting, marketing and customer service purposes. Others could be your employees who use personal social media accounts on business devices and transmit posts, videos, and messages over your network. Now, more than ever, CPA firms should assess their cybersecurity risk from social media and take steps to mitigate it, from auditing social media use and deploying a cyber-secure IT infrastructure to ongoing employee training. </p> <hr /><p paraeid="{27bf8feb-7083-4c62-a151-1a599baf334b}{219}" paraid="2058548996"><em>As an endorsed program of the FICPA, Coaxis offers special member pricing for its CPA program package. To learn more, visit <a href="http://www.coaxiscloud.com/ficpa" rel="noreferrer noopener" target="_blank">www.coaxiscloud.com/ficpa</a> or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or <a href="mailto:[email protected]" rel="noreferrer noopener" target="_blank">[email protected]</a>. 
</em></p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> <div class="field--item"> <a href="/taxonomy/term/151" target="_blank" hreflang="en"> FICPA Strategic Partners </a> </div> </div> </div> Thu, 14 Jul 2022 13:15:46 +0000 139094 105719 at https://students.ficpa.org How to protect your firm from growing cybersecurity threats  https://students.ficpa.org/publication/how-protect-your-firm-growing-cybersecurity-threats <span>How to protect your firm from growing cybersecurity threats </span> <span><span>133345</span></span> <span>Mon, 06/06/2022 - 09:01</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2022-06-06T12:00:00Z">June 6, 2022</time> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p paraeid="{184a6c52-da78-4eb1-a156-19a0dc6e77cd}{208}" paraid="139775282">Cybersecurity attacks have become more widespread over the past year as demonstrated by the average cost for recovery more than doubling since 2020, increasing from $761,106 to $1.85 million, according to <a href="https://www.businessinsider.com/ransomware-attacks-prevent-respond-jackie-singh-debbie-reynolds-2022-5" rel="noreferrer noopener" target="_blank">Business Insider</a>.  
</p> <p paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{16}" paraid="1962500357">Among the largest breaches of 2021: </p> <ul><li paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{26}" paraid="1948084333">In February, a plant operator for the City of Oldsmar, Florida saw his cursor moving around his computer screen, opening various software functions that control water treatment and boosting the level of sodium hydroxide – or lye – in the water supply to 100 times higher than normal. The breach alarmed state and local officials around the country, exposing growing cybersecurity vulnerabilities that threaten public health as systems become more computerized and accessible via the internet.  </li> <li paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{79}" paraid="1936784885">CNA Financial, one of the nation’s largest insurance firms, paid $40 million in March to regain control of its network after being hit by a sophisticated ransomware attack that disrupted employee and customer services for three days as the company shut down to prevent further compromise.  </li> <li paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{98}" paraid="1102062329">Also in March, a mass cyber-attack impacted millions of Microsoft clients when hackers exploited the vulnerabilities in its popular Exchange Server. Using security loopholes, cybercriminals gained entry to the networks of corporate clients to inject malware and ransomware, and steal patented technical documents, trade secrets and other sensitive information. The victims included nine government agencies and 60,000 private companies, mostly small and mid-sized businesses. </li> </ul><p paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{125}" paraid="857688865">Damages from a cyberattack or data breach go far beyond the impact to a company’s computer system to also include financial repercussions and harm to the company’s reputation. 
The American Institute of Certified Public Accountants (AICPA) warns that CPA firms are of particular interest to hackers because of “the treasure trove of client financial data housed within firm networks.”  </p> <p paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{177}" paraid="1411557903">So, how can you protect your firm against today’s growing cyber threats? Here are six steps to mitigate the risks: </p> <ol role="list" start="1"><li aria-setsize="-1" data-aria-level="1" data-aria-posinset="1" data-font="Calibri,Times New Roman" data-leveltext="%1." data-list-defn-props="{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" data-listid="3" role="listitem"> <p paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{195}" paraid="768920470"><strong>Password policy and controls</strong> – Much like employees have an office key or card reader to access your physical space, proper password policies and procedures must be implemented to prevent unauthorized access to your digital space. A password policy should include the following: Use complex passwords. Set a minimum password length. Require regular password resets and send reminders to your employees. Restrict password reuse. To further make your firm less vulnerable to hacking, add multiple-step authentication to accounts requiring password access. </p> </li> <li aria-setsize="-1" data-aria-level="1" data-aria-posinset="2" data-font="Calibri,Times New Roman" data-leveltext="%1." 
data-list-defn-props="{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" data-listid="3" role="listitem"> <p paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{214}" paraid="1451764916"><strong>Be careful about what you download</strong> – When downloading Word documents, PDFs, photos and other files, make sure your firm has updated antivirus software and an effective firewall. Only use trusted download websites, rather than peer-to-peer systems, to obtain programs. If you must use file-sharing software, consider paying for the premium version that is not funded by advertising to reduce the risk of adware being installed. </p> </li> <li aria-setsize="-1" data-aria-level="1" data-aria-posinset="3" data-font="Calibri,Times New Roman" data-leveltext="%1." data-list-defn-props="{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" data-listid="3" role="listitem"> <p paraeid="{590a14c6-ccca-4ccd-8484-9851fdeffd48}{239}" paraid="772385365"><strong>Be cautious about clicking on unfamiliar links</strong> – Newsweek reported that more than 50% of people will click on an unknown link out of curiosity. Don’t be that person. Opening unknown links in emails (a cyber-scam known as “phishing”) or on unfamiliar websites puts you at risk of downloading malicious ransomware that can infect and restrict access to your computer or malware that allows cybercriminals to retrieve your passwords, access your files, and even switch off your anti-virus software. 
</p> </li> <li aria-setsize="-1" data-aria-level="1" data-aria-posinset="4" data-font="Calibri,Times New Roman" data-leveltext="%1." data-list-defn-props="{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" data-listid="3" role="listitem"> <p paraeid="{cda8b4d2-3678-4785-9629-5a4aa984f753}{17}" paraid="1555097970"><strong>Use HTTPS on all websites</strong> – A website that uses “HTTPS” at the beginning of its URL instead of “HTTP” is safer and more secure because it uses a widely-adopted encryption protocol to ensure privacy and data security for communications over the Internet. Think “S” = Secure. Considered a standard practice for most websites today, it is also easily identifiable by the padlock icon. </p> </li> <li aria-setsize="-1" data-aria-level="1" data-aria-posinset="5" data-font="Calibri" data-leveltext="%1." data-list-defn-props="{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" data-listid="3" role="listitem"> <p paraeid="{cda8b4d2-3678-4785-9629-5a4aa984f753}{30}" paraid="1256920244"><strong>Educate, educate, educate</strong> – Employees are the weakest link when it comes to cybersecurity. You can have the best IT infrastructure in the world, but your firm is still vulnerable if an employee inadvertently clicks on a malicious link or responds to a fraudulent email. Proactive and ongoing cybersecurity training should be part of every firm’s CPE curriculum. 
This includes providing annual updates on IT policies and educating employees on current social engineering threats designed to make them download malware that can compromise the firm’s security or inadvertently give out sensitive information. </p> </li> <li aria-setsize="-1" data-aria-level="1" data-aria-posinset="6" data-font="Calibri,Times New Roman" data-leveltext="%1." data-list-defn-props="{&quot;335552541&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" data-listid="3" role="listitem"> <p paraeid="{cda8b4d2-3678-4785-9629-5a4aa984f753}{87}" paraid="1067715676"><strong>Back up your data offsite</strong> – This is an important component of any business continuity and disaster recovery plan. What happens to your data in the event of a ransomware attack or natural disaster like a hurricane or fire? A fully managed cloud hosting service is an ideal solution. Not only does it provide a secure, reliable and remote connection to your IT infrastructure and data, but it also delivers the peace of mind that comes with knowing that damage to your company’s office or other cyber disruption will not impact the ability to access your protected data or your employees’ ability to do their jobs. </p> </li> </ol><p paraeid="{cda8b4d2-3678-4785-9629-5a4aa984f753}{121}" paraid="360144026">The AICPA further advises that it is “imperative that firm owners realize they have a fiduciary responsibility to protect the data clients have entrusted to them and that this information is being directly targeted by hackers.” If all of this seems overwhelming, consider hiring an outside consultant who can review your firm’s network security and provide direction and implementation support to achieve an optimum level of cybersecurity to protect your firm.  
</p> <p paraeid="{cda8b4d2-3678-4785-9629-5a4aa984f753}{153}" paraid="17387624">For more cybersecurity best practices, the AICPA offers this <a href="https://future.aicpa.org/resources/article/cpa-cybersecurity-checklist" rel="noreferrer noopener" target="_blank">checklist</a> on how CPAs should consider protecting their firms and client data. </p> <hr /><p paraeid="{cda8b4d2-3678-4785-9629-5a4aa984f753}{168}" paraid="157595060"><em>As an endorsed program of the FICPA, Coaxis offers special member pricing for its CPA program package that provides secure, fully managed data hosting services. To learn more, visit <a href="http://www.coaxiscloud.com/ficpa" rel="noreferrer noopener" target="_blank">www.coaxiscloud.com/ficpa</a> or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or <a href="mailto:[email protected]" rel="noreferrer noopener" target="_blank">[email protected]</a>. </em></p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> <div class="field--item"> <a href="/taxonomy/term/151" target="_blank" hreflang="en"> FICPA Strategic Partners </a> </div> </div> </div> Mon, 06 Jun 2022 13:01:33 +0000 133345 105546 at https://students.ficpa.org FICPA negotiates affordable solution for sole proprietor CPAs to protect their IT infrastructures https://students.ficpa.org/publication/ficpa-negotiates-affordable-solution-sole-proprietor-cpas-protect-their-it <span>FICPA negotiates affordable solution for sole proprietor CPAs to protect their IT infrastructures</span> <span><span>133345</span></span> <span>Mon, 05/23/2022 - 15:58</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2022-05-23T12:00:00Z">May 23, 2022</time> </div> <div 
class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p paraeid="{02f495d2-e4a2-4eb7-a0dc-d6f0a22f1850}{50}" paraid="785841696">Cyber threats pose a growing risk for small businesses, including accountancies that typically lack the security infrastructures of larger CPA firms. Yet, many small businesses cannot afford professional IT solutions, have limited time to devote to cybersecurity and do not know where to begin. </p> <hr /><p paraeid="{02f495d2-e4a2-4eb7-a0dc-d6f0a22f1850}{106}" paraid="1063960310"><strong>Cyberattacks are a growing threat for today’s small businesses     </strong></p> <p paraeid="{02f495d2-e4a2-4eb7-a0dc-d6f0a22f1850}{126}" paraid="1935485095">The findings from a 2021 report on the impact of cyberattacks and identity crimes on small businesses are sobering. It found that 58% of small businesses have experienced a data breach, security breach or both. Of those businesses, three-fourths have experienced at least two breaches and one-third at least three breaches. Moreover, 36% incurred debt to cover the breach costs and 34% had to dip into cash reserves.1 </p> <p paraeid="{02f495d2-e4a2-4eb7-a0dc-d6f0a22f1850}{176}" paraid="161536311">Cyber threats are constantly evolving. Among the most common types are malicious software (malware) and phishing scams. Malware can include viruses – harmful programs designed to give cybercriminals access to IT systems – and ransomware that infects and restricts access to computers and infrastructures until a ransom is paid.  </p> <p paraeid="{02f495d2-e4a2-4eb7-a0dc-d6f0a22f1850}{216}" paraid="656830859">Phishing scams are one of the biggest threats facing small businesses. Attackers use emails that appear to be from a legitimate organization or known individual to trick users into divulging confidential or sensitive information, or clicking on a malicious file or link that contains some sort of malware. 
</p> <p paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{3}" paraid="709756195">Compounding the problem is the pandemic’s lasting impact on how companies conduct business. After more than two years of successful remote working, more than 90% of employers are planning to adopt a hybrid workforce model for knowledge workers in 2022, according to the Harvard Business Review.2 But, questions remain about implementation, long-term sustainability and how to overcome challenges like data security. </p> <hr /><p paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{59}" paraid="826695589"><strong>Hosted cloud environments can help protect IT infrastructures and data </strong></p> <p paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{69}" paraid="2025682052">A reported 61% of businesses migrated their workloads to the cloud in 2020 as companies pivoted to the “new normal” of remote working, making it more important than ever for employees to be able to access secure networks from any geographic location.3 It’s no wonder then that the cloud market is forecasted to double in size over the next three years with the consumer, financial services and professional services sectors leading the growth.4 </p> <p paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{127}" paraid="1238703165">Cloud services hosted by a third-party or external provider offer a secure, reliable and remote alternative to on-site data centers and IT infrastructures. These managed hosting service providers – also referred to as Cloud providers – can offer partially-hosted solutions for specific applications (like Thomson Reuters) or fully managed solutions.  </p> <p paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{151}" paraid="1784502629">Fully managed cloud hosting service providers provide many advantages. 
They include:  </p> <ol><li paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{165}" paraid="2044345215"><strong>Security</strong> – Protected cloud hosting of software programs and data files greatly minimizes the risk of cyber threats. In addition, some cloud hosting providers also offer a secure portal for clients to connect and share information with your firm. </li> <li paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{190}" paraid="1888550523"><strong>Business continuity</strong> – Business disruptions come in many forms, from hurricanes and other natural disasters to cyber-crimes. The impact of data loss or corruption can be costly and significant.  </li> <li paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{217}" paraid="1502722191"><strong>Mobility </strong>– Even before the pandemic, today’s mobile world transformed how people do business. Mobility can enhance productivity, communication and workforce flexibility. Cloud solutions provide an in-office desktop experience – including software, apps, files and permissions – that allow employees to securely work from any device that connects to the Internet.  </li> <li paraeid="{1430101c-d338-4afa-9a3a-26ff1a734db0}{252}" paraid="434774719"><strong>Cost and efficiency</strong> – Maintaining an onsite server can divert both money and human resources away from other parts of a business that produce revenue growth. Cloud hosting reduces IT costs by curbing the demands of maintaining an IT infrastructure and eliminating the significant capital expenses for hardware upgrades.  </li> <li paraeid="{cd034063-384e-420f-87d8-344b1710582c}{24}" paraid="1616492169"><strong>Scalability </strong>– The workforce and IT requirements of accounting firms often fluctuate in size and seasons. A cloud hosting service offers network scalability that can be tailored to a business’s changing requirements. IT resources (hardware and software) and users can be added to or removed from the network without wasted investment or time to scale. 
</li> </ol><hr /><p paraeid="{cd034063-384e-420f-87d8-344b1710582c}{49}" paraid="582559605"><strong>An affordable IT solution is now available for FICPA members </strong></p> <p paraeid="{cd034063-384e-420f-87d8-344b1710582c}{65}" paraid="2007045550">Sole proprietor CPAs need the same level of security and protection as mid- and large-size firms. However, in nearly all instances, the cost has been prohibitive. Not any longer. </p> <p paraeid="{cd034063-384e-420f-87d8-344b1710582c}{103}" paraid="413468313">Coaxis, an endorsed program for the Florida Institute of Certified Public Accountants (FICPA), has developed a solution designed specifically to meet the budget needs of sole proprietor CPAs at a price point that does not exist anywhere else in the cloud hosting space. </p> <p paraeid="{cd034063-384e-420f-87d8-344b1710582c}{147}" paraid="738288609">Coaxis CPA provides cloud-protected accounting in a private, hosted environment customized for sole proprietors. The solution supports up to two users for $249 per month and includes a file server; an application server; 250 GB of storage; multi-factor authentication; anti-virus, anti-malware and anti-ransomware software; 10 hours of application support by phone or email and more.  
</p> <p paraeid="{cd034063-384e-420f-87d8-344b1710582c}{235}" paraid="379028072">Other features include: </p> <ul><li paraeid="{cd034063-384e-420f-87d8-344b1710582c}{241}" paraid="1077394627">QuickBooks® hosting – Intuit® authorized provider </li> <li paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{5}" paraid="894526157">Financial software hosting expertise: Thomson Reuters (CS Professional Suite), Wolters Kluwer (CCH Solutions), Intuit®, Drake Software and others </li> <li paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{12}" paraid="239608774">Compliant with GLBA, HIPAA and CJIS </li> <li paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{19}" paraid="9509243">SOC 2 Type 2 Unqualified Audit Opinion </li> <li paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{26}" paraid="1502298150">Secure remote access </li> <li paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{41}" paraid="96752890">Data backup </li> </ul><p paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{56}" paraid="921491787">This solution requires sole proprietor CPAs to have a functional workstation running Windows 10 or the latest MAC IOS, a TWAIN-compliant printer/scanner, Microsoft Office 365 (E3 or ProPlus with email) and a high-speed Internet connection. </p> <hr /><p paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{120}" paraid="309633286"><strong>Conclusion </strong></p> <p paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{130}" paraid="1304540579">Just like large firms, sole proprietor CPAs need sophisticated cybersecurity protections. Cloud hosting services can provide firms of any size with a secure and reliable defense for their IT infrastructures and remote connections.  </p> <p paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{192}" paraid="2073366922">“The FICPA is proud to offer our members access to the cutting-edge managed cloud hosting and cybersecurity protections that our endorsed partner Coaxis provides,” said FICPA President and CEO Shelly Weir. 
“Never before has it been so important to have a secure and reliable IT infrastructure. I encourage all of our members, large and small, to take advantage of the solutions Coaxis has to offer.” </p> <p paraeid="{78bb7f43-7062-4ed5-8151-8590f870c0ed}{202}" paraid="1494786790">In addition to sole proprietor CPAs, the Coaxis endorsed program also offers special pricing for all other FICPA members. To learn more, visit <a href="http://www.coaxiscloud.com/ficpa" rel="noreferrer noopener" target="_blank">www.coaxiscloud.com/ficpa</a> or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or <a href="mailto:[email protected]" rel="noreferrer noopener" target="_blank">[email protected]</a>. </p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> <div class="field--item"> <a href="/taxonomy/term/151" target="_blank" hreflang="en"> FICPA Strategic Partners </a> </div> </div> </div> Mon, 23 May 2022 19:58:05 +0000 133345 105489 at https://students.ficpa.org Busting the top seven myths about cloud computing https://students.ficpa.org/publication/busting-top-seven-myths-about-cloud-computing <span>Busting the top seven myths about cloud computing </span> <span><span>133345</span></span> <span>Thu, 03/18/2021 - 11:20</span> <div class="field field--name-field-publication-date field--type-datetime field--label-hidden field--item"><time datetime="2021-03-18T12:00:00Z">March 18, 2021</time> </div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p paraeid="{b025e5f6-ef26-4c28-89c1-8e5703eb4c06}{123}" paraid="2020396525">It may surprise you to learn that the concept of cloud computing has been around since 1996 (the same year Time Magazine named the Nintendo 64 “Machine of the 
Year”) when a small group of technology executives at Compaq Computer were writing a business plan for the future of Internet business. However, many credit Google CEO Eric Schmidt with first using the term in its modern context in 2006 at an industry conference.  </p> <p paraeid="{b025e5f6-ef26-4c28-89c1-8e5703eb4c06}{185}" paraid="35213339">“What’s interesting [now] is that there is an emergent new model,” Schmidt said. “I don’t think people have really understood how big this opportunity is. It starts with the premise that the data services and architecture should be on servers. We call it cloud computing – they should be in a ‘cloud’ somewhere.” <a href="https://www.technologyreview.com/2011/10/31/257406/who-coined-cloud-computing/#:~:text=The%20notion%20of%20network%2Dbased,term%20to%20an%20industry%20conference" rel="noreferrer noopener" target="_blank">Who Coined 'Cloud Computing'?</a>  </p> <p paraeid="{b025e5f6-ef26-4c28-89c1-8e5703eb4c06}{218}" paraid="1884043686">At its essence, cloud computing provides easy, scalable access to computing resources and IT services, allowing users to focus on their core business without having to worry about infrastructure obstacles and expenses. Yet, 15 years later, many people still don’t fully understand the realm of opportunities that cloud computing provides.  </p> <p paraeid="{b025e5f6-ef26-4c28-89c1-8e5703eb4c06}{250}" paraid="221568749">Conversations with hundreds of CEOs and CIOs by global consulting firm <a href="https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/debunking-seven-common-myths-about-cloud" rel="noreferrer noopener" target="_blank">McKinsey &amp; Company</a> and others reveal a consistent set of myths about cloud computing that have led to more questions than answers and hampered adoption. Companies that have effectively overcome these myths are the ones who are gaining the greatest rewards from their move to the cloud. 
</p> <p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{32}" paraid="799775327">Here are the facts regarding some of the more common myths about cloud computing: </p> <hr /><p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{42}" paraid="2108790200"><strong>1. Cloud migration is difficult  </strong></p> <p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{51}" paraid="1910851205">Cloud migration involves moving data, applications and systems from an onsite infrastructure to a cloud service provider's infrastructure. While it may sound complicated, most experienced cloud hosting providers can make the migration seamless, with marginal downtime. </p> <hr /><p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{87}" paraid="1114893002"><strong>2. Transformation is required for cloud benefits  </strong></p> <p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{96}" paraid="906462701">Many executives mistakenly believe they must completely transform all of their apps into a cloud-native model to realize any benefits, according to the <a href="https://searchcloudcomputing.techtarget.com/tip/Debunk-10-common-public-cloud-myths" rel="noreferrer noopener" target="_blank">TechTarget network</a>. Untrue. </p> <p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{115}" paraid="1514464746">Simply put, with the right provider, moving your current infrastructure to the cloud – including migrating apps, data, software programs or the entire IT infrastructure – should be efficient and seamless. You’ll want a provider who can build your new system to replicate your current one as closely as possible. When your firm moves to the new system, workflow disruption and your staff’s learning curve should be minimal. </p> <hr /><p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{145}" paraid="854755598"><strong>3. The cloud is less secure than on-premises infrastructures  </strong></p> <p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{156}" paraid="1785215858">False. 
Securing an organization’s IT infrastructure – whether it’s on an onsite external hard drive or in the cloud – requires two elements: physical security and cybersecurity. Rarely can a business enterprise match the resources of a qualified cloud-hosting provider’s data center. </p> <p paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{188}" paraid="1834588240">Ideally, you want a data center that has redundant capacity components, multiple independent distribution paths serving the computer equipment, protections against most physical events, and supported by IT and security expertise. Examples include: </p> <ul><li paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{216}" paraid="557134443">Security monitoring with motion, video and infrared detection devices that cover both the property and premises. </li> <li paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{229}" paraid="282855518">Multiple levels of security for entry to the data center, including biometric access partitions. </li> <li paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{238}" paraid="1681505098">Numerous HVAC units and fiber-optic internet connections from major Internet Service Providers (ISPs). </li> <li paraeid="{646d538a-8d98-4acd-889c-7e1b0f9c351e}{251}" paraid="366143518">Natural gas generators and separate fuel sources for backup power to both the data center and entire facility. </li> <li paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{1}" paraid="1461682021">Adherence to the highest specifications for security and regulatory compliance. </li> <li paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{10}" paraid="1852251617">Full-time chief security officer and IT director on staff. </li> </ul><hr /><p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{10}" paraid="1852251617"><strong>4. Cloud data is public </strong></p> <p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{46}" paraid="593642141">This is a common misunderstanding about the cloud. 
There are public clouds (shared environments) and private clouds (dedicated environments), and it’s important to know the differences. Public clouds, such as Microsoft and Google, are typically a multi-tenant, pay-as-you-go model where your server shares the same hardware, storage and network devices with the other tenants in the cloud.   </p> <p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{98}" paraid="1801656608">Conversely, a private cloud is a single-tenant environment where the hardware, storage, and network are dedicated to a single client and designed to assure high levels of security that cannot be accessed by other clients in the same data center. </p> <hr /><p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{110}" paraid="902601102"><strong>5. All clouds have the same security  </strong></p> <p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{119}" paraid="1992326979">Wrong. All clouds are not created equal. For instance, two private cloud environments managed by the same provider can have very different security measures in place, depending on the Service Level Agreement (SLA) between the cloud provider and the client. When entering into an SLA with a cloud-based data hosting provider, it’s important to verify what security measures will be used for your specific cloud environment. </p> <hr /><p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{165}" paraid="2004417272"><strong>6. We have a cloud implementation/adoption/migration strategy  </strong></p> <p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{174}" paraid="328686560">A plan to shut down the data center is not a cloud strategy, explains <a href="https://www.gartner.com/smarterwithgartner/6-steps-for-planning-a-cloud-strategy" rel="noreferrer noopener" target="_blank">Gartner</a>, a technology and business research and advisory company. Rather, the cloud should be considered a means to an end, and the end must first be defined.  
</p> <p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{207}" paraid="1553118580">A sound cloud strategy should be based on an organization’s business goals, followed by mapping the cloud’s potential benefits to support those goals. It needs to be comprehensive, clearly stated and distinct from an implementation plan. </p> <hr /><p paraeid="{14b948c2-9f4c-4b22-9230-7606aa9dac7f}{249}" paraid="2133889863"><strong>7. You cannot meet compliance requirements on the cloud </strong></p> <p paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{3}" paraid="1548892557">This myth is absolutely false. At a minimum, an experienced managed cloud hosting provider will offer CPA firms the government and industry compliance relevant to financial services, such as SOC 1 or SOC 2. Others will take it a step further to include adherence to the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act and the Bank Secrecy Act (BSA). </p> <p paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{35}" paraid="990933806">There are also cloud providers who take the compliance needs of your clients into consideration. For example, if you serve clients in the medical field, the HIPAA HITECH Act mandates audits of health care providers to determine if they are in compliance with the privacy and security rules for protecting personal health information. The U.S. Criminal Justice Information Services Security Policy (CJIS) is important for CPAs working with criminal justice clients, as it outlines security precautions to protect sensitive information like fingerprints and criminal background checks gathered by local, state, and federal criminal justice and law enforcement agencies. </p> <p paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{79}" paraid="18844230">An estimated 85 percent of businesses already have the majority of their workloads running in the cloud. 
If misperceptions are keeping your firm from developing a cloud strategy, you are likely falling behind your competitors, <a href="https://www.gartner.com/smarterwithgartner/6-steps-for-planning-a-cloud-strategy" rel="noreferrer noopener" target="_blank">Gartner</a> warns. </p> <p paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{110}" paraid="95719603">Now that you know the facts, here are seven truths about the advantages of migrating to a cloud-based IT infrastructure: </p> <ol><li paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{126}" paraid="2065680288">Security </li> <li paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{133}" paraid="221924918">Compliancy </li> <li paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{140}" paraid="282532327">Business continuity </li> <li paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{147}" paraid="654930895">Mobility </li> <li paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{154}" paraid="816614199">Cost and efficiency </li> <li paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{165}" paraid="1717931418">Scalability </li> <li paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{172}" paraid="1626748894">Ease of implementation </li> </ol><p paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{181}" paraid="1164489923">Coaxis is one such provider. It provides CPA firms with a fully hosted and managed network solution from its privately owned, single-tenant data center in Tallahassee, Florida, that is built, operated and maintained to the highest industry standards. The Coaxis team has extensive experience in supporting a broad range of tax and financial reporting software applications, and its services are compliant with GLBA, HIPAA HITECH, CJIS, and an Industry Audit SOC 2 Type 2 - Unqualified Audit Opinion. </p> <hr /><p paraeid="{ba46c3c9-f368-4d6b-bef8-d5a9d211810d}{213}" paraid="1338288109"><em>As an endorsed program of the FICPA, Coaxis offers special member pricing for its CPA program package. 
To learn more, visit <a href="http://www.coaxiscloud.com/ficpa" rel="noreferrer noopener" target="_blank">www.coaxiscloud.com/ficpa</a> or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or <a href="mailto:[email protected]" rel="noreferrer noopener" target="_blank">[email protected]</a>. </em></p> </div> <div class="field field--name-field-topics field--type-entity-reference field--label-above"> <div class="field--label">Topics</div> <div class="field--items"> <div class="field--item"> <a href="/taxonomy/term/152" target="_blank" hreflang="en"> Coaxis </a> </div> <div class="field--item"> <a href="/taxonomy/term/151" target="_blank" hreflang="en"> FICPA Strategic Partners </a> </div> </div> </div> Thu, 18 Mar 2021 15:20:29 +0000 133345 102170 at https://students.ficpa.org