It usually starts with a client saying “I assume we’re protected”. The hairs go up on the back of my neck, and my pulse quickens. They don’t get it… those 4 words tell me some serious education is necessary.
We’re talking about computer viruses or malware and protecting your computer system. The danger of those 4 words is that they insinuate that some outside force or mechanism is responsible for protecting you from disaster, and it couldn’t be farther from the truth. The truth is that 99% of the protection comes from you and your staff, since most of the infections result from personal attacks against YOU. Computer hackers seldom directly attack computers, operating systems, or browsers any more. They’ve discovered it is far easier to trick you into attacking yourself. And if they can cause you to click on something, your antivirus/antimalware products cannot protect you.
Does that mean you can get rid of your antivirus or antimalware software? Probably not, as they might protect you from older viruses, or maybe new ones. And since the “standard of care” is still antivirus programs, it might be considered negligence if you didn’t have one.
Your best protection against infections and data breaches is education. Understanding that YOU are the first line of defense, and staying educated on the current nature of attacks. For instance, education would alert you to the fact that the attacks have recently been tailored for specific industries. CPAs get pop-ups or email links that seem appropriate for the accounting profession, like Emails saying they have tax information, invoices, or banking information. There are even malware scams embedded in fake messages from the IRS. Lawyers are now getting supposed bankruptcy notices, or fake messages about legal seminars.
The scams are continually evolving, but the target is still the same: Your money or your data. Most recently, they’ve combined into an attack called “Ransomware”, where you pay money to get your data back. It starts with one simple click in an Email message. The next thing you know, you can’t open files stored on the computer or even the firm’s server. All of your data, documents, spreadsheets, PDFs, pictures, videos, music, and even accounting data is encrypted and held for ransom. Pay $300-$1500 immediately or lose everything. And the price goes up as the deadline approaches, usually 24-48 hours.
These ransomware programs can also wreak havoc on systems that make use of “synchronizing” systems like DropBox or OneDrive. Now a local disaster can be spread, or synchronized, to other computers in the firm, city, or across the Country. An infection in the office can now affect home, and visaversa.
And here’s a chilling thought… As long as a bad guy is going through your data to encrypt it, what’s to stop him from stealing information about you or your clients? Names, addresses, account numbers, Social Security numbers, passwords, birthdays, you get the idea. If they don’t use it themselves, they’ll sell it to the highest bidding identity thief.
Which brings up the topic of backups. Depending on the infection, backups may be your only source of recovery. Therefore the importance of backups cannot be overlooked, and having backups that are “off-line” is essential. Some of the infections actually target your backups, too! Those 4 scary words “I assume we’re protected” are also applicable to backups, too. It is your duty to make sure backups are adequate and actually running. Never assume “someone else” is responsible. You need to know what is being backed-up, to where, and how to check the backups. Just because a person setup the backup routines, it doesn’t mean they are responsible for checking on them… make sure you know who is responsible for making sure the backup system is working.