26
www.ctcpas.org
Mark R. Torello, CPA, CFE, CISA founded The Technology Group, LLC, a subsidiary of Whittlesey & Hadley, in 1997. The Technology Group provides IT services, software and hardware solutions, consulting, and data security services to non-profit, medical, financial, and other businesses.

Mark is a Certified Fraud Examiner and Certified Information Systems Auditor and chair of the CTCPA Technology Interest Group. He can be reached at 860-524-4433 or mark@ttgct.com.
(continued)
To get started, appoint a privacy and security officer at your firm to, at a minimum, conquer the basics:

• Understand where and how personal information is kept.
• Protect and limit access to personal information.
• Destroy digital information properly.
• Store records securely and make sure your vendors (including cloud storage locations) do the same. Request their SOC reports.
Weekly security patching is now mandatory for operating systems as well as third-party applications that work with the operating system, such as Flash, Adobe products, and Java; ensure your systems comply. It is not safe to assume patches are getting deployed just because they are scheduled or because "automatic updates" was selected. Real-time monitoring of what is actually installed on each machine is the only way to ensure systems are up-to-date on security patches and are, as a result, as secure as possible. This applies to servers and workstations alike.
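As an added example (not code from the article or its author), the following Python check does what the paragraph recommends: it judges patch compliance only from what a monitoring agent reports back from each host (installed versions and the date of the last successful patch run), never from the fact that updates were scheduled. The host names, dates, baseline versions, and the seven-day window are constructed sample values for illustration.

```python
"""Patch-compliance report over a constructed endpoint inventory.

Assumed inputs: each record is what a monitoring agent reports from the
host itself. 'scheduled' is what the host's updater claims; 'installed'
and 'last_success' are what is actually on the machine. BASELINE holds
the minimum version each component must report. All values below are
constructed samples, not real hosts or product versions.
"""
from datetime import date

MAX_PATCH_AGE_DAYS = 7  # weekly patching, as the article requires

# Constructed baseline: minimum acceptable version per component.
BASELINE = {
    "os": "10.0.693",
    "java": "8.0.121",
    "flash": "24.0.194",
    "reader": "15.23.53",
}

# Constructed agent reports (sample hosts).
REPORTS = [
    {"host": "srv-fileshare", "kind": "server", "scheduled": True,
     "last_success": "2017-03-04",
     "installed": {"os": "10.0.693", "java": "8.0.121",
                   "flash": "24.0.194", "reader": "15.23.53"}},
    {"host": "ws-partner-07", "kind": "workstation", "scheduled": True,
     "last_success": "2017-01-28",  # scheduled, yet nothing applied for weeks
     "installed": {"os": "10.0.693", "java": "8.0.111",
                   "flash": "24.0.194", "reader": "15.23.53"}},
    {"host": "ws-reception", "kind": "workstation", "scheduled": False,
     "last_success": "2017-03-06",
     "installed": {"os": "10.0.693", "java": "8.0.121",
                   "flash": "23.0.207", "reader": "15.23.53"}},
]


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def check_host(report, baseline, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return a list of findings for one host; an empty list means compliant.

    The schedule flag is only used to label the finding, never to excuse it:
    a host whose last successful run is stale is non-compliant regardless.
    """
    findings = []
    last = date.fromisoformat(report["last_success"])
    age = (today - last).days
    if age > max_age_days:
        note = " (updates scheduled, but not applied)" if report["scheduled"] else ""
        findings.append(f"last successful patch run {age} days ago{note}")
    for component, required in baseline.items():
        have = report["installed"].get(component)
        if have is None:
            findings.append(f"{component}: not reported by agent")
        elif parse_version(have) < parse_version(required):
            findings.append(f"{component}: {have} installed, {required} required")
    return findings


def compliance_report(reports, baseline, today_iso):
    """Map each host name to its findings, as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {r["host"]: check_host(r, baseline, today) for r in reports}


if __name__ == "__main__":
    # Constructed 'now' so the sample output is reproducible.
    for host, findings in compliance_report(REPORTS, BASELINE, "2017-03-07").items():
        status = "OK" if not findings else "NON-COMPLIANT"
        print(f"{host}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

In the sample data the workstation that has "automatic updates" turned on is the one that fails, which is exactly the situation the paragraph warns about: the schedule says patching is happening, the agent's report says it is not. In practice the report records would come from your endpoint-management or monitoring tool rather than a hard-coded list.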
Train users (including partners!) on IT security. Phishing emails are an effective strategy for criminals to focus on smaller groups and certain industries. Hackers learn details and company specifics to trick employees into clicking on malware or sharing sensitive information.

How do we keep our staff and ourselves from falling victim? Continual learning. Learning management tools, such as KnowBe4, can help teach employees what to look for and how to identify phishing emails before it's too late.

Consider a layered defense with firewalls and spam filters, designed for businesses to proactively filter out phishing emails before they reach your staff. Don't go it alone; this is where professional guidance can be worth the investment.