Investing in Cybersecurity as a Bookkeeper: A Discussion with Brent Panell, CEO of ControlAltProtectMar 20, 2023
Hi, everyone! Recently, I’ve been getting more and more questions about investing in cybersecurity as a bookkeeper. I’m not an expert on this, so I wanted to let someone who knows what they’re doing answer some of your questions. Please welcome Brent Panell of ControlAltProtect!
Introducing Brent Panell
Brent: Thank you, Katie. It's great to be here. For those who don’t know, I'm a forensic data security investigator, which includes digital forensics and mobile forensics.
I serve as CEO of ControlAltProtect, and I have an amazing team. We are contracted by the cyber insurance carriers, a lot of CPAs or tax preparers or attorneys, etcetera.
When breaches happen, we're often brought in to do the post-breach forensic analysis. So we get to see what really happened, what the “actor” did, how they gained entry, and how we can get them out. We also look to see how much milk has been spilled, so to speak—how much of what the law defines as personally identifiable information was actually extracted by the actor.
As bookkeepers, as tax preparers, you're touching significant amounts of data, and that data's very valuable. Our government has done a really poor job of educating small companies and service providers on the true risks that they're faced with every day and why they need to be investing in cybersecurity. This is not my opinion, this is from an investigator that's seen the worst side of this problem.
Even if you think you’re too small a business to worry about investing in cybersecurity, the reality is that hackers use small people and businesses to hit major targets. What we commonly see in our post-breach investigations is a small bookkeeper being used to target a larger CPA firm, followed by that CPA firm being used to target their largest customer.
As someone who's bookkeeping, it’s important to ask yourself…what risks are presented to you? Who is sending you data? What are you risking by not investing in cybersecurity? Because everything anyone is sending you—Word files, PDF files, Excel files, etcetera—can contain malicious payloads.
If you go back and trace the actual forensics and what actually happened in a particular cyber incident, it’s almost always a simple oversight by someone—a small person, respectfully—who's used to target a larger body or larger organization.
After reading this, you can't sit back and avoid investing in cybersecurity and say, “Well, I didn't know. I'm just a bookkeeper.” Now you do know. You should know, especially because—statistically speaking—over 40% of the people that will read this post or listen to the podcast episode have already been hacked. 20% have persistent hacking files within their network. Investing in cybersecurity is not optional.
Separate Personal And Business
One major thing you can do when investing in cybersecurity to stop data security attacks is protect yourself personally. Stop acting as though your cell phone and your Gmail and your Yahoo or whatever are any different than your business email.
In fact, a lot of you are using your personal email for business, and that's a major no-no in this industry. In today's volatile environment, you need to separate personal and business.
Why? Because when you do that, it's harder for an actor to trick you. If I have my personal things in one email and my business in another, and I get a Home Depot phishing attack or attempt from a nefarious actor to my business email, then I know I've never used that business email for a personal login.
It’s much easier to detect a phishing attack if you've segmented your business and your personal email. But who's protecting your emails?
Most people don't have remediation detection on their emails. They may have antivirus. Some of them may even have next generation antivirus, but their emails are not really protected.
Office365 is great, and we certainly recommend that. But part of investing in cybersecurity is investing in email remediation software that gets rid of those phishing attacks before they are even visible to you.
The next thing to think about when investing in cybersecurity would be multi-factor authentication.
It's 2023. If you're not using multi-factor authentication, respectfully, wake up. You need it on everything you have. It’s a non-negotiable piece of investing in cybersecurity.
Every eleven seconds, a business falls victim to ransomware. There's a reason for that, and the reason is that they don't have MFA in place.
You’re trusting your customers. You’re not scanning those word files. You’re still counting on Google or McAfee or Norton to protect you, and that's not working. If you’re using one of these, you’re not truly investing in cybersecurity.
Now, don't use the text message versions; use the authenticator apps. Google has one, Microsoft has one, there are tons of them. That’s the best way to set up multi-factor authentication.
Mark my words, if you don't heed the warnings, listen to the things I've explained, and start investing in cybersecurity…if you don't put multi-factor in place, if you don't use complex passwords and use something like 1Password instead of LastPass…you’re going to be in trouble.
Don't use LastPass when investing in cybersecurity. We recommend 1Password. That's a cloud-based, secure portal. Everywhere you log in, it's recording and encrypting that data. It’s an application on the Apple Store or on the Google Play Store, and you need that. You want to use that everywhere you log in, because from start to finish, it's encrypted. And just so you understand this piece of investing in cybersecurity, anything that's encrypted is like hieroglyphics to an actor. Even if they hack you, they can't unencrypt it unless they have the decryption code.
The reason I say you want to absolutely avoid LastPass when investing in cybersecurity is because it was recently compromised. They weren't honest about the compromise, and we now know that the actors had the decryption keys. So nothing is safe in LastPass. If you own LastPass, get out of it and don't use those passwords ever again.
Next Generation Antirvirus
One of the first steps everyone who reads this should be taking when investing in cybersecurity is critiquing the antivirus detection that they have. If you don't have next generation antivirus, you're in trouble. Bottom line.
Sophos Intercept X is good for mobile devices. Malwarebytes is good for mobile devices, but for Macs and Windows-based devices, we prefer Sentinel One Complete.
Katie: You also mentioned cyber insurance. Does a specific insurance company come to mind for that?
Brent: A lot of the big names would be Travelers, Beasley, Chubb, but generally speaking, for those in tax preparation or in the tax world, I would recommend starting with your ENO and find a broker. You don't have to buy these massive amounts of cyber insurance, but what you do need to understand is that if you're not going to commit to data security minimum practices, and you're not going to have a written information security plan, what's the point in buying cyber insurance?
They're never going to pay if your day-today does not adhere to the policy sample language requirements.
All major providers are sending ransomware questionnaires out at policy renewal. The cyber insurance companies have formed a conglomerate, and they know where the pitfalls are. They're banking on you lying and saying that you have MFA in place and that you have a security awareness training plan and that you've hardened your endpoints. They're hoping that you will say you've done this, and when you have a claim, they're going to come back and say, “No. On this day, you said that you had this safe started. You didn’t properly disclose this. This is an exclusion. We're not paying.”
Katie: I'm curious about file-sharing. What are your thoughts on that?
Brent: One of the ones that we like is Citrix Share File. It’s powerful, secure. They have folders within folders. There are sub-folders that you can designate, and what happens within the folder is fully encrypted. From a sharing perspective, you can set very high password complexities. It enforces multi-factor authentication, and Citrix does a great job of scanning for malicious content within everything that's based within their cloud.
We use Citrix Share File. We're forensic data security investigators. If it's good enough for us, it's good enough for you.
Katie: Do you have thoughts on the the highly popular Dropbox and Google Drive?
Brent: Don't use it. I don't use it. Never will.
Dropbox has had a significant amount of vulnerabilities over the years. If you search “Dropbox vulnerabilities in the past five years”, you'll come up with a cesspool of things. They've certainly made strides, but the reality is that Dropbox in general is one of the more common areas for nefarious activity to occur.
What ControlAltProtect Does
Katie: So what do you do exactly, and how can people find and work with you?
Brent: Well, we work with CPAs, with tax preparers, and folks like yourself. I work with bloggers, believe it or not. For people who blog on Instagram, if they get their Instagram taken over, that’s their whole life.
We've made cutting-edge hacking detection and hacking prevention affordable for mom and pop shops. We always tell clients that when the hackers arrive, we're there to greet them. We've made a name for ourselves by doing so, so we don't have to break the bank.
You can find us on Instagram, Facebook, LinkedIn, etcetera. But if you want someone to audit your technology, we have our own suite of products and our own system. We call it Threatswipe.
We are true partners with every client. We're very picky. We do not work with companies that are not committed, but if you're serious about security and you want someone that's honorable, that you can trust, that will guide you and treat you like family, then that's what we do.
Start Investing in Cybersecurity!
Katie: So for somebody to connect with you, where they go?
Brent: They can go to the website and head to our Contact Us section, or they can email me directly if they want. It’s [email protected]
Katie: Thank you so much, Brent! This has been really, really helpful. I’ll be linking all these resources at the end of the blog. I know a lot of people will be grateful to hear all this. Thanks for coming on!
CONNECT WITH BRENT:
Email: [email protected]
Next Generation Antivirus Recommendations:
Sophos Intercept X: https://www.sophos.com/fr-fr/products/endpoint-antivirus?&cmp=85160&utm_campaign=GPD-2020-Americas-NA-Paid-Search-Google-FR-SCH-B_Product_Intercept-X-DG-85160&utm_medium=cpc&utm_content=B_Product_Intercept-X&utm_term=sophos+intercept+x&utm_source=google&gclid=EAIaIQobChMIwvrFv53k_QIVdcmUCR3LcgYJEAAYASAAEgInYfD_BwE&gclsrc=aw.ds
SentinelOne Complete: https://www.sentinelone.com/?utm_content=demo-request&utm_medium=paid-search&utm_source=google-paid&utm_campaign=brand-nam-cl-s1-dg-nam-us-en-g-s&utm_term=sentinelone%20products&utm_campaignid=11854731743&utm_adgroup=126719497094&utm_target=kwd-942617628410&utm_device=c&utm_type=e&utm_creative=635524101042&utm_network=g&utm_location=9016854&utm_adposition=&utm_aceid=&utm_adgroupname=features_products&gclid=EAIaIQobChMI6_PN3p3k_QIVJMmUCR1P0wplEAAYASAAEgI4CfD_BwE
Password Sharing Recommendations:
Cyber Insurance Recommendations:
File Sharing Recommendations:
WORK WITH KATIE:
Learn how to take your bookkeeping skills and turn them into a business that allows you to replace (or surpass) your corporate salary, be present for your life, and profoundly impact your clients without selling your life in the process by joining Life by the Books (LIBBY).
If you're looking for more tips for bookkeeping, insight on how to become a bookkeeper, and how to say hello to a more confident business model, enroll in Become A Bookkeeper (BABs).
To learn about the programs and get a peek behind the curtain, head to www.katieferro.com/6-secrets.
If you have enjoyed this episode, head on over to Instagram, share your IG stories, and tag me: @orderlyaccountingbykatie
CONNECT WITH KATIE: