7 minute read
kudos
Brad Baumann, CPA, has been advanced to the role of managing principal of the Southeast Wisconsin group by CliftonLarsonAllen (CLA) in Milwaukee.
Matthew Berry, CPA, has been advanced to the role of signing director by CLA in Milwaukee.
Lisa Cribben, CPA/ABV, ASA, CMA, has joined Hawkins Ash CPAs as a partner specializing in valuation, transaction advisory, business transition planning and litigation services.
Brian DelVecchio, CPA, has been advanced to the role of principal by CLA in Milwaukee.
Patrick Durch, CPA, has joined Northside Elevator in Loyal as financial controller.
Bryan Gerlach, CPA, has joined the Security Financial Bank as CFO.
Linda Gorens-Levey, CPA, CFA, a partner at General Capital Group in Fox Point, was listed in the Milwaukee Business Journal ’s 2023 list of top Milwaukee-area power brokers.
Robert Keebler, CPA/PFS, MST, AEP (Distinguished), received an award from CPAacademy for “Top Presenter 2022,” which honors those who are committed to the education of accounting professionals.
Peter Kopanon, CPA, has been promoted to senior financial analyst at Milwaukee Tool.
Rick Krueger, CPA, has been advanced to the role of managing principal in the firm solutions group of CLA in Milwaukee.
Allen LaCrosse, CPA, has been advanced to the role of tax principal by CLA in Milwaukee.
Kelley LeMay, CPA, has been advanced to the role of signing director by CLA in Eau Claire.
Martin Mathias, CPA, CFE, has joined Capital Valuation Group Inc. as a shareholder. He serves as a business valuation analyst and litigation expert in the firm’s Madison office.
Patrick McGarry, CPA, CFO & COO at Wixon Inc. in St. Francis, has been named to the 2023 class of “40 Under 40” professionals in Southeastern Wisconsin by the Milwaukee Business Journal
David Meicher, CPA, a partner with Meicher CPAs in Middleton, has been named to the 2023 class of “40 Under 40” professionals in the Madison area by In Business magazine.
Scott Menke, CPA, MBA, UW–Parkside’s vice chancellor for finance and administration, has been named as interim chancellor, effective Friday, June 9.
Adam Mleziva, CPA, has been advanced to the role of principal by CLA in Green Bay.
Eric Neuman, CPA, has been promoted to partner at Chortek LLP in Waukesha, where he will manage the operations of the Assurance & Accounting Department and be an active participant in determining the firm’s strategic direction.
Zach Newsome, CPA, has been promoted to manager of Huberty’s Fond du Lac office.
Dominic Ortiz, CPA, CGMA, CEO of Potawatomi Hotel & Casino, was listed in the Milwaukee Business Journal’s 2023 list of top Milwaukee-area power brokers.
Knute Pedersen Jr., CPA, has been named a partner at Esterbrooks Certified Public Accountants Ltd. He has 20 years of experience and was previously a shareholder in the firm’s Superior office.
David Ring, CPA, CGMA, CFO at Sentry Equipment Corp., was interviewed by CFO.com for a March 9 Q&A feature called “The 6 a.m. CFO,” in which finance chiefs share how they jump-start their days.
Jonathan D. Sherwood, CPA, has been advanced to the role of principal by CLA in Hudson.
Victoria Thayer, CPA, has been appointed to the AICPA’s Young Member Leadership Committee.
FIRM NEWS
Baker Tilly will move its downtown office this summer from the U.S. Bank building to BMO Tower at 790 N. Water St.
Several accounting firms have been named to the Wisconsin State Journal ’s list of Madison’s Top Workplaces 2023. They are: Wegner CPAs, Wipfli LLP, Deloitte Consulting LLP and Berndt CPA, which also took the #2 spot in the “New Ideas” category.
THE CURRENT CPE REPORTING PERIOD ENDS DEC. 31, 2023
Reporting Period: Jan. 1, 2022 – Dec. 31, 2023
CPE Requirement: 80 total CPE credits
By Mark R. Torello, CPA, CITP, CRISC, CFE, CISA
In the field of cybersecurity, most things we do to increase security have an equally significant “opposite” effect on productivity. Simply put, they make your life harder.
That’s because we cybersecurity professionals need to put hurdles in the way of the attackers to stop them — or at least slow them down. Many systems require long, complex passwords that must be changed frequently. This can really make life harder for users when we can’t remember our credentials or even get locked out of our systems.
Then there’s multifactor authentication, where users must prove who they are, using more than just a username or password — such as confirmation through a phone app, an additional code entered, or a fingerprint or face ID.
These safeguards are imperative to protect our online systems, but they can be a hassle and slow down users.
Challenges with passwords
Why are passwords so challenging? One reason is that every system has its own rules for what constitutes an acceptable password. Some require uppercase and lowercase letters, some require a number and a special character, while others just want a number.
Then there are the systems that track the last password you used and won’t let you re-use it. Blasphemy! When you say “I forgot my password,” it allows you to reset it but forces you to change it again — adding yet another iteration of your favorite word. Yet this password is no harder to be cracked than the last word you used, even with adding a number and special character like *1 after it. We may think we’re being crafty, but it’s not making things any harder for the hackers!
Why do passwords get compromised so often?
The simple answer is that businesses that are responsible for the safekeeping of your credentials are not doing enough to adequately protect them. Once they are compromised, login credentials are sold quickly. That means that other websites and systems you use those credentials for can also become compromised. This is the reason you should not use the same password for more than one online system. That is challenge number one.
Other top difficulties include:
• Remembering complex passwords
• Remembering many different passwords
• Accessing saved passwords that are not always available on all of your devices
• Deciding where to save your passwords. Web browsers? Contacts? Sticky notes? Notebooks?
The risk with the current password convention
In the past, we would all select a password plus a required number and capital letter. So if I liked summer, I might select “Summer2022.” This would clear the requirements of “complexity” rules built into most systems. But as you can see, it’s not the strongest password by far. And on the next password change mandate, there’s a good chance you might change that to “Summer2023.” That’s not any more secure in the eyes of a hacker.
Use a passphrase instead!
Password hacking systems look for dictionary words first and then append numbers to them in an automated approach that is very quick. Once all dictionary words with numbers are exhausted, the process of “brute-forcing” a password made up of multiple words (called a “passphrase”) can take a long time — even centuries!
For that reason, the process of putting more than one word together into a passphrase has been determined by the National Institute of Science & Technology (NIST) to be much more secure than the best complex password plus numbers and characters. NIST Special Publication 800-63B (June 2017 but updated through 2020) introduced this concept with other unexpected changes in guidance on digital identity.
The most surprising change in guidance was NO requirement to change passwords or passphrases unless the credentials were involved in a compromise. [Note: This author’s guidance is to still change passwords or passphrases annually in case a compromise in another system is missed. This is still much easier than changing it every 60 or 90 days.]
Why did NIST make this change? Because changing passwords every 90 days just makes it more challenging for us to remember our passwords, so we end up doing foolish things like putting our credentials on a sticky note on our desks or making them too simple.
Thou shalt not share thy passphrase!
Certainly, you understand the importance of not sharing passwords or passphrases with others. It’s a big no-no for several reasons. Lack of audit trail is one. You should also not share that same passphrase between online accounts either. This is where it gets rough! How are you supposed to remember so many unique passphrases and which accounts they belong to?
The answer to all these challenges and requirements? The password manager!
Password managers are a unicorn in the security world. They are one of the very few systems that help improve productivity and make your life easier while also increasing cybersecurity.
Here’s how using a password manager addresses challenges:
• Remembering long passphrases — A password manager can save them so you don’t forget them and don’t get locked out.
• Using unique passphrases for each online system — A password manager can help you keep them organized and speed up the process by logging you into each site automatically.
• Sharing certain company-level login credentials with staff — A password manager can make this happen securely without divulging the actual passphrase to staff.
• Logging into various sites between phone and computer — A password manager makes this quick and seamless by working on multiple devices.
How to get started
It’s important to start protecting your accounts, pocketbook, and credit rating today. The first step is to stop using all the unsecure means of storing and remembering your passwords and installing a good password manager. You will be surprised at how fast it is to learn how to use it and how quickly it can make your life easier and more secure at the same time. While there are many good options, the leaders in the industry include:
• Lastpass (author’s choice) — $36 per year
• Roboform — $24 per year, $48 per year for a five-user family plan
• Dashlane — $6.49 per month ($60 per year)
• 1Password — $3 per month ($36 per year, $60 per year for families)
• NordPass — $36 per year
All have free versions (not just trial versions) that limit the product’s functionality. These free versions are a great way to get to know the product by actually using it for a while. Once you’re ready to take the full plunge, upgrades are typically easy.
I like LastPass’s feature of having one login that gets me access to my free personal account as well as our paid business account (enterprise account) with company passwords in it, all while keeping them completely separate from each other. I also like how I can share passphrases to different groups of staff in the office.
Selection tips:
• Make sure the password manager you select has an app that works well with your phone and other devices.
• See if the product has an enterprise version that provides more benefits in a business environment.
• Do your vendor due diligence and request their Service Organization Control (SOC) 2 Type 2 report. Ask your IT vendor to help you review it if necessary. Pay attention to the “User Entity Control Considerations.”
Use tips:
• Download the plugin that works with your favorite browser (e.g. Google Chrome). This will help achieve login efficiencies.
• In your browser settings, disable the “Prompt to Save Passwords.” Once you have all of your credentials in your new password manager, delete the passwords in the browser.
• Download the app for your mobile devices and configure them to use it.
• All good products will offer two-factor authentication — be sure to enable it during your initial setup.