Security Beneath The Cloud: How To Protect Your “Non-Cloud” Assets From Data Breaches

Cloud accounting has become so prevalent that it’s easy to focus your cyber security efforts on your cloud apps alone.

But in reality, cloud security is just half of the picture.

Many accounting leaders are surprised to learn that not all cyber attacks stem from “the cloud”. Nor can they be prevented by cloud security best practices in isolation.

In this article, we’ll explain the 5 critical “non-cloud” areas you need to protect, plus give you practical tips on how to do that.

Quick Links:

  1. Endpoint Security
  2. Local Storage
  3. File Settings
  4. Network
  5. Remote Work

Cloud Security vs. On-Premise Security

There are two types of cyber security: Cloud Security and On-Premise Security. It’s important to take action on both (even if you’re “entirely cloud based”). 

Cloud Security

Cloud Security relates to the systems, tools and processes you use to access, share and protect data through third-party cloud-based applications.

Solutions like Practice Protect dramatically reduce your risk of cloud-related cyber attack by helping you manage permissions, protect passwords and control access to applications.

Example: Suppose you have a small offshore team and you want to grant them access to a client account in Xero. The processes and tools you use to share the password, monitor access history and revoke access to the account, are all Cloud Security considerations.

On-Premise Security

On-Premise Security relates to everything else “beneath the cloud”. This includes:

  • devices (e.g. staff computers and smartphones)
  • antivirus software
  • software updates
  • hardware (e.g. physical servers)
  • storage
  • network connections
  • file settings
  • Etc. 

Cloud security can be managed centrally. On-Premise assets need to be configured, updated and backed-up individually. It’s for this reason that this responsibility falls into the traditional realm of IT.

Real-Life Case Study: Newcastle Firm Hacked By Malware

A two-partner firm in Newcastle experienced a security hack that disrupted their operations for a month.

The firm in question was a 100% cloud accounting firm, with strong security measures in place. Despite engaging an IT person to help out, the focus of his work was almost entirely reactive.

One of the accountants made the mistake of installing a desktop app that contained malware. 

The app would take regular screenshots of the user’s screen and upload them to the criminals at the other end.

Then the bad guys would exploit that information to send ransomware attacks to clients. 

After this was discovered, the firm was required to notify all clients. They experienced a month of disruption dealing with the PR fallout of the breach. (Think about the cost of that!)

If they had followed the advice in this article, all of that could have been avoided.

What Areas To Protect And How To Protect Them

Here are the 5 key “non-cloud” areas you should be protecting in your firm:

1. Endpoint Security

“Endpoints” are any devices which are used to access data, including:

  • Desktops and laptops
  • Tablets and mobile phones 
  • Servers and printers

Here are the most important endpoint security tips to keep in mind:

  1. Install Antivirus software. There are many options available. We recommend either Vipre for networks, or Malwarebytes for individual machines.
  2. Keep Windows updated, because the updates fix the bugs which viruses exploit. We use Patch Manager in ConnectWise Automate to manage updates centrally.
  3. Configure access via your company network. There are two ways to log into a Windows computer – either locally or via a network. We recommend you connect devices to your office network. Employees will then log into the network to access shared drives.
  4. Be careful with local (individual) computer logins, as they can be accessed remotely. Let’s use an example: Jenny is using a weak password on her local machine. That password can be brute forced and then your whole firm’s data is at risk.
  5. Delete old user accounts. This reduces your risks by decreasing the target surface area.
  6. Restrict the number of admin users. Admin users are the keys to the castle. 

2. Local Storage

Next is local storage. In other words, how data is stored on your devices. If you have sensitive data on your devices, you need to take extra precautions.

  1. Don’t let your downloads folder be a target. Download folders and Recycle Bins are a gold mine for hackers. Clearing them out on a regular basis should be automated, either locally or via a group policy.
  2. Have policies around local software installation. Unauthorised software can unintentionally install malware. All firms are different, and you want to balance convenience vs security. One starting point is to “whitelist” legitimate updates to software such as Dropbox and Outlook.
  3. Set up software install notifications. Set up notifications to alert the practice administrator whenever someone installs software on a company device. Alternatively, require a password to allow installs.
  4. Review what’s installed on company devices. We use ConnectWise Automate to do this. Individuals can use the free tool Belarc Advisor to do the same.
  5. Set a policy to prevent passwords from being saved in browsers. Passwords saved in browsers prevent you from revoking access to that individual. They also and heighten the risk of outsiders obtaining those passwords.

It’s not that your employees intend any harm; they simply don’t realise the vulnerabilities of installing software on a device or saving passwords non-securely. They may install add-ons without even knowing they’re putting the firm at risk.

3. File Settings

Controlling access to your files is another way of ensuring that the right people have access to what they need, but not more than they need. 

  1. Control permissions to different types of files. Are your teams grouped by permissions? And are files then restricted? Groups should only have access to what they need. For example, someone in Marketing shouldn’t need to access finance files.
  2. Conduct an annual permissions review. It’s easy for access permissions to get out of date. An annual review is a useful prompt to help tighten them up.
  3. Entrust a limited number of people to be admin users. This is not because you don’t trust your people. Rather, it’s a useful precaution because when an admin account is breached, it causes significantly more damage than just a normal device user.
  4. Control which files are synced to the cloud. Note that both Sharepoint and Dropbox allow selective sync.

4. Network 

Your network is the doorway to the internet, and you have to protect your doorways.

  1. Update your router’s default password. Each router model has a default password. If you don’t update that password, hackers can potentially access both your internet router and everything connected to it. Bad news!
  2. Create a Guest network for non-firm devices. Have a separate network for non-firm controlled devices. That way, the firm’s network is protected from any potential malicious activity should a guest connect with an infected device.
  3. Avoid public WiFi at all costs (unless you connect via a VPN). Public WiFI connections at cafes etc. are notoriously insecure. If you must connect, use a VPN which provides end to end encryption. Use a VPN with a good reputation, like Nord VPN. Free VPN tools may cost you more than you bargained for.

5. Remote Work

Remote working and outsourcing are all growing trends in the accounting industry. While the flexibility is great, remote working does introduce some challenges when it comes to security. You can’t police peoples houses, nor tell them what they can and can’t do. 

Here are some best practices around remote work:

  1. Provide company devices where practical. We recommend you provide company devices, and put policies in place that only allow them to work on those.
  2. Ensure all devices are covered by your company-managed antivirus software. If it’s not practical to provide company devices, include personal devices on company managed AntiVirus software.
  3. Ensure you have a Staff IT and Internet Policy in place.
  4. Geo-fence remote work facilities using cloud security software (i.e. only allow access to your network and apps from approved locations at approved times.

Conclusion And Next Steps

Cloud security and cloud efficiency are critical. Practice Protect software can help you with that.

But equally important is what happens “beneath the cloud”. In particular:

  1. Endpoint Security
  2. Local Storage
  3. File Settings
  4. Network
  5. Remote Work

When you book a Free Demo with our team, we’ll be happy to audit each of these areas for you, and where appropriate, refer you to a cost-effective IT specialist to handle all your requirements.