
Non-Profit Notes Newsletter: IT Security - More than Just a Password

Thomas DeMayo, IT Manager


Just like any security professional, I stand firmly behind the principle that passwords need to have a minimum length and be complex. They should be hard to guess and, needless to say, never affixed to your monitor on one of those yellow sticky notes. In working with our clients and trying to guide them in the principles of information security and Information Technology (IT) governance, I notice that they often consider passwords alone as their best level of defense against cyber attacks and fraud. I cannot blame them. In everything you read there is another article on passwords.

212.876.8000

tdemayo@odpfk.com

Thomas DeMayo Director

Although I am an ardent believer in the importance of a strong password, this alone is not enough. IT security comes not just from a complex password, but rather from a solid foundation of controls designed to prevent, detect and, ultimately, correct soft spots in the IT environment. To paraphrase Johnnie Cochran: "If you can't prevent, you must detect; and, what you detect, you must correct." At the conclusion of an IT assessment assignment, the response I usually receive from the organization is, "We had no idea!" That is why the creation, implementation, and monitoring of meaningful IT policies and procedures are critical.

Some organizations operate with a false sense of confidence with respect to their IT security. Their IT department may function smoothly and their IT personnel are skilled problem-solvers; however, just because things work does not mean they work in the most secure manner. Sometimes functionality takes precedence over security. For example, the ability to work remotely and access internal network resources has become essential to the successful operations of an organization. Although critical and now commonplace, this functionality can pose a significant risk to the organization if not planned and configured properly.

Electronic security is complex and not all IT professionals are trained to know what it means to be secure and how to get there. They do not see the entire picture or embrace the notion that a solid, well-communicated IT policy can be one of the greatest defenses against cyber attacks.

With the high level of dependency on IT that organizations have for their daily business operations, the risk is great. Organizations of all sizes can be victims of cyber attacks. Usually the smaller ones are the most vulnerable because they do not have the human or financial resources to devote to IT security. The good news is that security does not have to be out of the reach of a small organization. Just as traditional auditors assess financial controls, organizations may consult with IT auditors to assess their information technology controls. With that said, I leave you with this question: When was the last time you had your IT controls checked?

For more information or if you have any questions, please contact Thomas DeMayo at tdemayo@odpkf.com.

Contact:
New York, NY (midtown) 212.286.2600
New York, NY (downtown) 212.867.8000
Harrison, NY 914.381.8900
Stamford, CT 203.323.2400
Paramus, NJ 201.712.9800
New Windsor, NY 845.220.2400
Wethersfield, CT 860.257.1870

About Our Practice: O'Connor Davies, LLP is a full service Certified Public Accounting and consulting firm that has a long history of serving clients both domestically and internationally and providing specialized professional services of the highest quality. With roots tracing to 1891, seven offices located in New York, New Jersey and Connecticut, and approximately 400 professionals including 70 partners, the Firm provides a complete range of accounting, auditing, tax and management advisory services. O'Connor Davies is ranked as number 36 in Accounting Today's 2013 "Top 100 Firms" in the United States. The Firm is also within the 20 largest accounting firms in the New York Metropolitan area according to Crain's New York Business and the Westchester and Fairfield County Business Journals. O'Connor Davies is dedicated to serving the not-for-profit sector and serves more than 1,300 not-for-profit clients. O'Connor Davies is a member firm of the PKF International network of legally independent member firms, the tenth largest global network in 2011, with 440 locations in 125 countries. O'Connor Davies, LLP is a member firm of the PKF International Limited network of legally independent firms and does not accept any responsibility or liability for the actions or inactions on the part of any other individual member firm or firms.

IRS CIRCULAR 230 DISCLOSURE: To comply with IRS regulations, we are required to inform you that unless expressly stated otherwise, any discussion of U.S. federal tax issues in this correspondence (including any attachments) is not intended or written to be used, and cannot be used, (i) to avoid any penalties imposed by the Internal Revenue Code, or (ii) to promote, market, or recommend to another party any transaction or matter addressed herein.

Our firm provides the information in this e-newsletter for general guidance only, and it does not constitute the provision of legal advice, tax advice, accounting services, investment advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation.
