August 2002

Internet Security and the CPA

By Marc Niederhoffer

More than ever, companies need to commit money and resources to the protection of their network systems. The 2001 Computer Crime and Security Survey, which included responses from 538 computer security practitioners in various institutions, contained some sobering figures:

Another survey found that U.S. businesses spent only 0.02% of their top-line revenue on data security and that 75% of business networks are wide open to hacking. Although smaller companies seldom see themselves as targets, experts say attackers scan entire networks and view any site as fair game.
A useful way to think of the Internet is as a series of smaller networks that anyone can access. Corporations or governments manage many of these smaller networks, but no one has overall control. There are opposing views as to what role the government should play. In the meantime, nonprofit groups such as the Internet Society promote the cooperation and coordination of Internet applications and technologies.

Vulnerable Information

Numerous online databases provide access to considerable amounts of information, at no charge:

With so much information available online, individuals are right to think they need to take steps to protect themselves. Internet users should regularly delete their browser’s history lists and memory caches and use a pseudonym and alternate e-mail address when posting to newsgroups. They should consider using an Internet privacy service, such as Zero Knowledge Systems or Anonymizer.

Before entering credit card or similar information into a website, one should be certain that the website is secure. A secure site’s uniform resource locator (URL) will begin with “https” instead of “http.”

Businesses need to safeguard the company’s networks, workstations, e-mail systems, and software. A substantial loss in any of these areas could have a material effect on the value of the company’s goodwill. Properly designed safeguards will protect business data, customer lists, employee identities, bank data, proprietary information, account numbers, and financial assets.

Security Threats and Defenses

Networks need to be protected from both outsiders (hackers and crackers) and insiders (employees and other individuals with access to the network). The industry defines hackers as individuals with extensive computing knowledge who look for internal and external system holes, some for fun, others for a purpose. Crackers are individuals who try to break into a system by guessing or cracking user and system passwords. There are a variety of ways a hacker can attack a computer system:

Hackers use the following tools to enter networks:

Creating a secure network begins with the network architecture, which should include the following:

With the advent of the home office, many companies are creating virtual private networks (VPNs), which are used to communicate with remote sites, usually over private leased phone lines. Information is kept secure, but the system is expensive and slow. The current trend is to move the VPN to network lines; however, such VPNs need to be properly designed to keep the information from being available through the Internet.

Setting Security Policy

A company security policy should establish employees’ use of the following:

The policy should define acceptable behavior and provide for adequate training and a method of monitoring adherence.

Detection Systems

Detection systems fall into two basic categories.

Although an NIDS can be more cost-effective, an HIDS may be more appropriate for organizations more concerned about legitimate information than about hackers.


Marc Niederhoffer, CPA, is a partner of Buchbinder Tunick & Co. LLP, and a member of the NYSSCPA Emerging Technologies Committee.

Paul D. Warner, PhD, CPA
Hofstra University

L. Murphy Smith, DBA, CPA
Texas A&M University

©2002 CPA Journal.