Cloud Accounting Practice Management

Mitigating Risks in the Cloud

Written by Randy Johnston

Are you suffering from breach exhaustion? In other words, have so many organizations experienced a data breach that it is “old news” and you no longer pay attention? One example of an incident in the accounting profession that should refocus your attention on mitigating risks in the cloud is the Cloudnine Realtime data center outage that took place around Labor Day.

There are so many incidents in the news that it is hard to estimate how many more occur and are never reported. Just in the recent past we have seen the Equifax breach of 145.5 million records, Uber attempting to cover up a 57 million record breach by paying $100,000 to a bad actor to delete the stolen data, and various breaches in healthcare in 2017 following the Anthem breach of 78.8 million records in 2015, which cost the company $115 million in lawsuits alone. If you want to keep an eye open for healthcare breaches, browse the portal of the Office for Civil Rights of the U.S. Department of Health and Human Services, where breaches of HIPAA information affecting more than 500 individuals must be listed.

Events & Incidents Versus Breaches

Let’s be clear about some terminology. If you have a breach of data in a regulated industry, you have reporting obligations. However, events and incidents are usually not reportable. Consider the following:

[Figure: Mitigating Risks in the Cloud]

If we reflect on Events, these happen every day. Security Incidents are occasional, Privacy Incidents are less common, and Breaches are rare. When events or incidents occur in your IT environment, it is important to call them by one of those terms, since a breach refers to a particular, reportable circumstance. According to NIST Special Publication 800-61, rev 2 — Computer Security Incident Handling Guide:

  • An event is any observable occurrence in a system or a network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending e-mail, and a firewall blocking a connection attempt.
  • An adverse event is an event with a negative consequence. Adverse events include system crashes, packet floods, unauthorized use of system privileges, unauthorized access to system data, or execution of malware that destroys data.
  • A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples include:
    • An attacker uses a botnet to crash a web server;
    • Users are tricked into opening a “quarterly report” sent via e-mail that is actually malware;
    • An attacker obtains sensitive data and extorts money from the target in exchange for not releasing sensitive or embarrassing data;
    • A user provides or exposes sensitive information to others through peer-to-peer file sharing services.
  • If a privacy incident meets specific legal definitions, per state and/or federal breach laws, then it is considered a data breach.
    • Data breaches require notification to the affected individuals, regulatory agencies, and sometimes credit reporting agencies or the media.
    • Additionally, contractual obligations require notice to business clients if the incident affected clients’ employees or customers.
    • A breach may lead to the application of computer forensics, defined as the “application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.”
  • When are forensics needed?
    • Whenever your attorney advises you to use these techniques:
      • When it is reasonably foreseeable that a technology incident will result in litigation, a criminal investigation, or administrative proceedings;
      • There may also be a legal requirement to notify law enforcement of certain kinds of events;
      • When it is possible that there has been data loss or corruption and you want to use such techniques.
    • Forensic techniques take time and are expensive, but they preserve data to support possible future litigation or criminal prosecution.
    • The forensic process (Collection, Examination, Analysis, and Reporting) preserves the integrity of the data and uses legally justifiable techniques to create a fact-based report on an event or occurrence.
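The two properties the list above keeps coming back to, integrity of the collected data and a continuous chain of custody, are concrete enough to show in code. The following Python script is an added example, not part of the article or of NIST SP 800-61: at collection time it records a SHA-256 digest for every file, appends an entry to a custody log on each hand-off, and refuses to treat the data as trustworthy once any file no longer matches its recorded digest. The function names and the two sample log files are constructed for this example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# The function names below (sha256_file, collect_evidence, record_transfer,
# verify_evidence) are this example's own and not drawn from NIST SP 800-61.


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


def collect_evidence(evidence_dir, collector):
    """Collection step: hash every file once, at acquisition, and open the custody log."""
    items = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            items[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "items": items,
        "custody": [{"when": _now(), "action": "collected", "by": collector}],
    }


def record_transfer(manifest, from_person, to_person):
    """Every hand-off is appended, never rewritten, so the chain of custody stays continuous."""
    manifest["custody"].append(
        {"when": _now(), "action": "transferred", "from": from_person, "to": to_person}
    )


def verify_evidence(manifest, evidence_dir):
    """Examination and analysis may only proceed on data whose digests still match.

    Returns a list of problems; an empty list means integrity is intact.
    """
    problems = []
    for rel, meta in manifest["items"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != meta["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo():
    """Constructed sample evidence: two small log files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "mail.log"), "w") as f:
            f.write("2017-09-04T10:15:00Z user@example.test opened quarterly_report.exe\n")
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("2017-09-04T10:16:12Z sudo: unauthorized privilege use by svc_backup\n")

        manifest = collect_evidence(d, "analyst-A")
        record_transfer(manifest, "analyst-A", "counsel")
        clean = verify_evidence(manifest, d)

        # Simulate an integrity failure: someone edits a log after collection.
        with open(os.path.join(d, "mail.log"), "a") as f:
            f.write("tampered\n")
        tampered = verify_evidence(manifest, d)

        return clean, tampered, len(manifest["custody"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what you would hand to counsel alongside the evidence: it ties each file to a digest taken at collection, and the custody entries show who held it and when. Any later examination that finds a mismatch stops there, because the analysis can no longer be shown to rest on the data as collected.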

If we reflect on the breaches mentioned above, they should be “rare.” It is clear that errors were probably made, and bad actors were attempting to access data on the respective parties’ systems that had economic value. Various industries are targets for attack because the data has value if it can be obtained — particularly without the company’s knowledge. In the case of Equifax, it is clear that the stored data has economic value because it can be used for identity theft, credit card applications, and bank loans. The owner of the information may not be aware that credit card or loan applications are being submitted in their name and Social Security Number, with the correspondence redirected to an alternate address. Clearly the Equifax breach is a fiduciary trust issue, too, not to mention the insider trading executed by top management before leaving the organization, such as that by Richard Smith, the former CEO.

Cloudnine Realtime Example

When bad actors try to break into hosting companies, their expectation is to gain access to information that has economic value. If we consider Cloudnine Realtime as an example, their clients are commonly accounting firms and legal firms. The bad actors know that the data that these professional firms have stored has value. If the bad actor can gain access to one or more companies in the hosted environment and transfer the files from the hosted providers to their own storage, they can act on this information for years and years in the future. The bad actors today are well funded and very patient. Whenever you hear of a security breach, you should consider the implication of this information being used one, two, or three years into the future after the immediate awareness of a breach is past.

Steps for Mitigating Risks in the Cloud

So, what can we do to protect ourselves? Well, first, it should be unequivocally stated that using services like LifeLock is almost 100% worthless. These services prey on FUD (Fear, Uncertainty and Doubt) and are dependent on Equifax — yes, Equifax — to provide credit monitoring services. We suspect bad actors know that data stolen from Equifax has some short-term value, some long-term value, and will use the data in a discreet fashion to do quick “hit and run” loans for less than $1,000 (the legal limit of a felony) to capitalize on the information as well as make a plan for the use of the data in the future.

For the short-term, think in-store charge accounts from merchants or chains to get “on the spot” financing or credit. For long-term use, think about the bad actors building their own loan sharking operation or knowledge-based authentication service since they know who needs loans and is having trouble complying with payment terms.

There are no single solutions or one-time solutions to these types of attacks. We do recommend:

  1. User security training at least once a year, though 2-4 times per year is better,
  2. Changing passwords on a regular basis, most likely every 30-45 days,
  3. Use of multi-factor authentication with products like Duo, and
  4. Acquiring Cyber Insurance.

Taking these steps is the best risk mitigation practice that you can choose today.

Have you noticed the breach reports? Have you taken any action? If your firm needs guidance on fraud prevention strategies, Accountex can connect you with resources to help you make the right decisions.

About the author

Randy Johnston

Randolph P. (Randy) Johnston, MCS has been a top rated speaker in the technology industry for over 40 years. He was inducted into the Accounting Hall of Fame in 2011. He was selected as a Top 25 Thought Leader in Accounting from 2011-2018. His influence throughout the accounting industry is highlighted once again this year by being a recipient of the 2017 Accounting Today Top 100 Most Influential People in Accounting award for the 14th consecutive year. Among his many other awards he holds the honor of being one of nine technology stars in the U.S. by Accounting Technology Magazine. Randy writes a monthly column for The CPA Practice Advisor, articles for the Journal of Accountancy, and creates articles for both accounting and technology publications, as well as being the author of numerous books. He has started and owns multiple businesses including K2 Enterprises in Hammond, Louisiana and Network Management Group, Inc. (NMGI) in Hutchinson, Kansas. NMGI has supported CPA firms for 30+ years and is the largest managed service provider serving the CPA profession in North America. His wife and four children enjoy many experiences together including theatre, music, travel, golf, skiing, snorkeling and model trains. Randy's experience as a college instructor, management and technology consultant, and advisor to the profession will be obvious to attendees at his conference presentations.

4 Comments

  • Even cloud breaches frequently begin with poor security on workstations, or mobile devices that connect to cloud resources. How those using cloud resources deal with the everyday routine of using their own equipment, from anywhere/everywhere they work is still one of the best mechanisms for protection of data regardless of where that data is resident.

    The same poor habits that have resulted in breaches of ‘local networks’ apply to cloud resources, and those not safeguarding how they maintain security relative to hardware and cloud based data are most often the cause of breaches regardless of where the data is housed.

  • Clarification regarding the Labor Day 2017 Cloud9 Realtime incident – it was a ransomware attack. I don’t believe the bad actors were trying to steal data; instead, Cloud9 got locked out of their own servers, and either had to fix it themselves (which they opted to do), or pay the ransom. Either way, users were unable to access their own data for anywhere from 24 hours to over 7 days.

    People store their data in the cloud for many reasons, one of which is so they don’t have to have their own IT departments and servers. Part of the disappointment of Cloud9 users in the wake of this attack was Cloud9’s response that users are responsible for backing up their own data, while C9 clients felt that was the very reason why they had a Cloud9 account – for the rolling 30 day backup. Lesson learned – everyone needs a backup to their backup.

    • That is why you should always read the service agreement that you sign (or agree to), Jody. I believe that the service agreement for Cloud9 said that you were specifically responsible for making your own backups.

      In any case, I’ve always told people that even if they are using a hosted solution – in fact, even if they have a local server and the IT people say that they are making backups – you should always be making your own QB backups and moving them off site. If your server crashes, if your provider is out of service, then you have your own backup that you can use to restore on a local machine for temporary use. Server-based backups are for DISASTER RECOVERY, what people needed in this situation was CONTINUITY RECOVERY – a different kind of reason for a backup. You need a continuity plan so that if your server is out for several days, your business isn’t hosed.
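The distinction drawn in the thread above, between a provider’s disaster-recovery backup and the continuity copy you keep yourself, is easy to implement and, more importantly, easy to test. The Python script below is an added example and not the commenters’ code or any vendor’s tooling: it takes a backup of a data directory, records the archive’s SHA-256 digest, copies the archive to a second (off-site) location, re-verifies the copy, and then runs a restore drill that extracts the copy and compares every file against the source. The directory and file names, including the stand-in `ledger.qbw` file, are constructed for this example.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile

# Function names (make_backup, verify_backup, restore_drill, tree_digests)
# are this example's own, not any backup product's API.


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_backup(data_dir, dest_dir, label):
    """Archive data_dir and write a sidecar file holding the archive's digest."""
    archive = os.path.join(dest_dir, f"{label}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname="data")
    with open(archive + ".sha256", "w") as f:
        f.write(f"{sha256_file(archive)}  {os.path.basename(archive)}\n")
    return archive


def verify_backup(archive):
    """Re-hash the archive and compare with the recorded digest (run this after every copy)."""
    with open(archive + ".sha256") as f:
        recorded = f.read().split()[0]
    return sha256_file(archive) == recorded


def restore_drill(archive, scratch_dir):
    """Continuity check: actually extract the archive somewhere disposable and return the data path."""
    os.makedirs(scratch_dir, exist_ok=True)
    # Use the safer 'data' extraction filter where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(scratch_dir, **kwargs)
    return os.path.join(scratch_dir, "data")


def tree_digests(root):
    """Map each file's relative path to its SHA-256, so two trees can be compared by content."""
    out = {}
    for base, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(base, name)
            out[os.path.relpath(path, root)] = sha256_file(path)
    return out


def demo():
    """Constructed scenario: one company file, a local backup, an off-site copy, a restore drill."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "company_file")
        os.makedirs(src)
        with open(os.path.join(src, "ledger.qbw"), "wb") as f:  # constructed stand-in data
            f.write(b"constructed sample ledger bytes " * 100)
        local = os.path.join(work, "local_backups")
        offsite = os.path.join(work, "offsite_copy")
        os.makedirs(local)
        os.makedirs(offsite)

        archive = make_backup(src, local, "2017-09-04")
        # "Move it off site": copy both the archive and its digest to the second location.
        shutil.copy(archive, offsite)
        shutil.copy(archive + ".sha256", offsite)
        offsite_archive = os.path.join(offsite, os.path.basename(archive))

        ok_local = verify_backup(archive)
        ok_offsite = verify_backup(offsite_archive)
        restored = restore_drill(offsite_archive, os.path.join(work, "restore_test"))
        drill_ok = tree_digests(src) == tree_digests(restored)

        # Simulate a corrupted off-site copy (bad transfer, failing disk) and re-check.
        with open(offsite_archive, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        ok_after_corruption = verify_backup(offsite_archive)

        return ok_local, ok_offsite, drill_ok, ok_after_corruption


if __name__ == "__main__":
    print(demo())
```

The restore drill is the part most firms skip: a backup whose digest matches is known to be intact, but only an actual extraction and comparison shows that it can be used to keep working on a local machine while a hosted service is down. Running the drill on a schedule, against the off-site copy rather than the original, exercises exactly the path you would depend on in an outage.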
