All posts by Nate Joy

About Nate Joy

Nate is the Co-founder and Owner along with his wife Terra. Nate joined the team full-time in Spring 2017 with 10+ years of Project Management/Business Analysis experience. He works with clients on process improvement and software implementation.

Demystifying Cyber Security for the Small Business

Admit it – if you are like I am (and probably 95% of the population), hearing the question ‘What are you doing to ensure your cyber security?’ simultaneously makes you throw up in your mouth and run off the nearest cliff. On the scale, it’s somewhere between the feeling you get when hearing Christmas music in a Walgreens before Thanksgiving has even occurred and yelling ‘Operator’ into your cell phone after being on hold with T-Mobile for 15 minutes. In other words – on the low end of desirable topics or activities.

Can you imagine explaining our digital world to a 1995 version of yourself? Over the course of the last several years our lives have become increasingly interconnected via technology, sometimes in obvious ways (think the advent of social platforms) and sometimes in much more subtle ways. Seemingly overnight, the technology platforms we came to rely on became much more intelligent, creating a digital persona for each of us and leveraging our preferences to ‘serve’ us better. And although the intention may have been good at the start, the line between ‘serving’ and ‘manipulating’ has increasingly been crossed, highlighting the need to be watchful and vigilant.

This need to be vigilant has been highlighted by the seemingly incessant drumbeat of large corporations (or political establishments) being hacked. In other words, not only do we need to be careful about where our data lives – we also have to watch out for bad people who are trying to trick us into sharing that data. Just recently I received a note from a hotel chain; on a high level it read something to this effect (note that I’ve taken some liberty with this):

“Dear valued customer – I think you may have stayed in one of our hotels in the last 20 years. Your data (along with a small number of others in the neighborhood of, ahem, 500 million…no biggie), including email addresses, phone number, passport number, favorite NFL team, yada yada yada – has been compromised. The hackers may have gotten your payment information but probably not (and really we have no idea whether they did or not nor do we care to help you). We are so glad you spent money at our establishment (even if you don’t actually remember staying with us). Best wishes for a happy new year and please feel free to stay with us in the future at full cost!”

As consumers, what do we do with this deluge of information about possible breaches? When you start to peel back the layers and really think about our digital imprint as a whole, it can get quite overwhelming.

When you put on your small-business-owner hat, this creates an entirely new layer: not only are you responsible for ensuring that your internal communications and assets are safe, but also those of your customers.

At Joy Accounting, there are a few basics that come to mind that we absolutely rely on. In no particular order, they are:

1) Working with reputable cloud-based technology (like QuickBooks Online) with bank-level security (companies whose entire business models rely on keeping others’ data safe)

2) A good VPN solution (we use VPN Land)

3) LastPass (see the password section below – LastPass is absolutely critical for ensuring our security)

4) Utilizing ShareFile – secure document storage which also allows us to send encrypted emails with sensitive information. This also ensures that no important documents live on our laptops or phones.

5) Reviewing insurance policies to ensure our company has cyber insurance coverage.

6) Being very vigilant about our communication, both with each other and our clients (you will understand how that relates to security as you read through the items below)

Below we have a few tips on some basic strategies that you can implement to create awareness within your team. This is by no means a comprehensive list, but starting with some basics will help you get to a place where your stomach doesn’t turn at the question “What are you doing to ensure your cyber security?”

Creating Awareness Within Your Team

Know what a ‘Whaling Scam’ is and how to handle it

What is it? Someone impersonates an authority figure to get privileged/confidential information or to steal money. For example, compromising an email account over public WiFi and then using it to impersonate the account owner.

How do you avoid or minimize the impact?

Only use trusted (password-protected) public WiFi. It’s better to use your cell phone as a mobile hotspot.

Have a secondary process to validate information with your staff and clients. If you receive an email (especially if it seems like an odd request or if it involves something important like a money transfer), respond by calling or texting the person to verify and talk through the request (versus just responding to the email).

Do a ‘gut check’ – does the request make sense?

Make sure you have information available on who to notify when there has been a breach – authorities, cyber insurance, banks, etc.

Understand what Ransomware is and how to spot it

What is it? Malware that typically arrives as an email attachment and runs once the attachment is opened. Ransomware locks down/encrypts all data until a ransom is paid.

How do you avoid or minimize the impact?

Keep your antivirus updated.

Be an aware user – do not click on attachments or links in emails.

Get cyber insurance.

Make sure you have information available on who to notify when there has been a breach – authorities, cyber insurance, banks, etc.

Understand what a phishing scam is and what to do

What is it? Fake emails sent in an attempt to steal sensitive information, typically passwords or credit cards. These scams have also been used to fake invoices and steal customer and billing data. (And note that they come from a lot more places than the King of Nigeria these days…)

What policies should be implemented?

Be aware – don’t click on links or attachments you weren’t expecting. It’s always best to go directly to the website rather than clicking the link in the email.

Phishing testing – send simulated phishing emails to your employees and see who clicks the links and who doesn’t.

Gut check – were you expecting this? Even if you were, a good rule of thumb is to not click on the link.

Double-check the email address that the email came from. Does it look legit? Google, Paypal, Yahoo, and Apple are the most impersonated websites. The phishing scams are becoming so good that it’s very difficult to tell a real email/website from a scam.

Know how to spot and how to handle privilege misuse

What is it? An employee’s legitimate access rights being abused, either accidentally or maliciously, in a way that exposes or steals private data. For example, an employee leaves a firm and downloads client data before leaving. Or an employee downloads data legitimately to work on a mobile device and the device is stolen. Both situations have legal implications!

What policies should be implemented?

Communicate privilege/confidentiality policies with staff and have employees sign a policy every year.

Take training on data security and the proper use of client data.

Use ShareFile to request sensitive information such as tax returns, W-2s, bank statements, etc.

Use “technical fences” such as BitLocker on laptops to encrypt hard drive data.

Know who to notify when there is a security breach: Clients, the State Attorney General and the U.S. Attorney General.

Know good password practices and how to avoid weak passwords

Why is this important? Weak passwords can lead to a network breach, allowing hackers to obtain sensitive financial information and forcing owners to provide credit monitoring for all clients for the next year.

What are some policies to implement?

Use strong, complex passwords.

Do not use the same passwords for multiple sites. If one site gets compromised, then they all get compromised.

Use longer passwords, 20+ characters. Passphrases are better and stronger than passwords, and easier to remember.

Don’t use easily identified personal information in your password – family names, pet names, street names, birth dates, etc. Avoid simple, sequential, or repetitive numbers and simple, obvious terms.

Don’t share passwords, even to websites like Netflix, especially if you use the same password (or a version of the same password) for multiple sites.

There are software programs built just to break passwords; don’t make it simple for the hackers.

Change the SSID (name) and password on your WiFi router.

Use LastPass and let LastPass create the password for you. Do not keep LastPass signed in when you turn on your browser, or it defeats the purpose of using the software.

Use multi-factor authentication such as a password and a text when a service or website allows you to. Two-factor verification should be 1) something you know and 2) something you have. For instance, when using an ATM, use your PIN (something you know) and your card (something you have). When using a website, use your password and a text message with a code to enter.

Change passwords regularly – every 60-90 days, especially when using banking websites.

Change passwords immediately upon staff turnover.

Be alert and aware. If you notice a breach or hear of one in the media, take action quickly. Change your passwords, change your security questions, or contact the owner of the website.

Secure your security. Use strong security questions so a hacker can’t easily reset your password. Don’t use your mother’s maiden name. If you have to, make one up. Just don’t forget what it is!

Don’t allow your credit/debit card or banking information to be stored on websites. If there’s a breach, you’ve now made it easier for the hackers to access that information.

Cooking our Way to QuickBooks Connect

Since starting Joy Accounting four years ago, Terra and I have had the opportunity to travel to QuickBooks Connect in San Jose on three occasions. QuickBooks Connect is a three-day event put on by Intuit every November with (seemingly) a million classes on all things accounting and so much more.

The main stage at QB Connect

What is the ‘so much more’ I’m referring to? Copious amounts of classes taught by industry leaders on everything from maximizing the value we offer to our clients to understanding latest trends in cryptocurrency. Amazing keynote speakers such as Oprah, Shonda Rhimes, and Alex Rodriguez (Oprah was definitely the best of that group!). Lots of opportunities to connect with representatives from a ton of QuickBooks partner apps. Oh – and in our first year we were even treated to a Goo Goo Dolls concert. Seeing over a thousand accountants rocking out to Goo Goo Dolls is about as nerdy – and awesome – as it sounds. 

Proof that Goo Goo Dolls really happened

This year, however, was the absolute best, because we brought our team along with us. What an amazing experience it was! 

Connecting Through…Cooking?

One of the cool things about building a business in the digital age is that your team can be ‘location independent’. I plan on writing posts in the future about how we make our remote business work, but for now suffice it to say that our team represents 3 states (Washington, Minnesota, and Pennsylvania). So while we connect all the time via tools such as Zoom and Slack, prior to QuickBooks Connect we had never actually met together as a team.

I (Nate) was tagged with the unofficial ‘MC of Activities’ role for the week, so naturally I started planning an activity for our first day together intended to be fun and not too business-oriented – something that would bond us together as a team. And because I love eating good food, I landed on cooking together! I found a great service, Cozymeal, who were willing to send a trained chef to our AirBnb for a 4-hour experience involving making (and, of course, eating) a several-course meal. (Note: if you decide to do this in San Jose area definitely ask for Chef Joni…she was fabulous!)

On the edge of our seats ensuring that we understood Chef Joni’s instructions

We laughed, we ate, we laughed some more, and we learned a lot about each other in the space of just a few hours! For example, everyone got to see how little I knew my way around a kitchen and I was pretty quickly given appropriate tasks for my skill level!

This activity set the stage for what ended up being a fabulous week at QuickBooks Connect (expect many more posts from this conference!).

What was our main takeaway from the team-building part of our experience? As a small business owner, there are only so many different balls you can juggle at once, and it’s easy (and necessary) to let some things go by the wayside. Creating memories and connections with your team is absolutely not one of these things! 

At Joy Accounting, we are so lucky and grateful to have some intelligent, creative, problem-solving team members. We truly believe that the connections we made throughout this experience will help us collaborate even better in 2019. Watch out world!!!

We even made it to the beach on Laura’s birthday!