Bolster your data defenses


As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.

Clean out the user access list. Many organizations already have a policy to review these lists periodically for terminated employees. Cleaning the list should also include determining who is accountable for the use of individual user IDs. For example, in the rush to get things done, user IDs are sometimes assigned generically. This can result in the sharing of user IDs and the reduction of accountability over use of those IDs. The review also should ensure that the list continues to enforce intended organizational segregation of duties.

Remove unneeded system administrators. Sometimes, to install software or remotely support technology operations, vendors or others may be given short-term system administrator privileges. All system administrators should be accounted for, be reconciled to approved use, have their activity monitored, and have their privileges promptly removed when the necessity expires.

Update software with critical security patches. Patches are typically fixes that a vendor provides to update or repair its software, often to close security holes that can be exploited. Yet the risk of not applying the patch needs to be weighed against the risk that, if the patch were applied, it could disrupt the availability of systems. This is why many businesses delay pushing out patches to a less busy time. But they should not be delayed longer than necessary.

Remove old or unused software and hardware. Many organizations have software on their system or hardware attached to their network that is no longer needed. These could be remnants of trial software, software with expired licenses, or hardware kept "just in case." These can create attractive cyberattack targets.

Test backups and update recovery plans. Current and effective backup and recovery strategies are a critical control to mitigate the risks from increasing cyberattacks. Backups and plans should be tested at least annually and more frequently as their risk impact dictates.

Update breach response and insurance coverage. Many industry breach incident analysis reports are issued in the first quarter of the calendar year, incorporating new breaches and preventive strategies from the previous year. Organizations should update their breach response plans to incorporate the latest practices and defenses. Additionally, insurance policies should be reviewed and company compliance with any underwriting assumptions or clauses confirmed.

Editor's note: This checklist is adapted from "6 Steps to Shore Up Your Technology Defenses," CPA Insider, May 31, 2016.

By Joel Lanz, CPA/CITP/CFF, CGMA, founder and principal of Joel Lanz, CPA PC, in Jericho, N.Y., a CPA practice focusing on information assurance, technology risk management, and security. He also chairs the AICPA Information Management and Technology Assurance Executive Committee and has been an adjunct professor in the business school at The State University of New York at Old Westbury.

