
A Cyber & Security Forum: Your Top Questions Answered

You can’t turn on the news these days without hearing something about a data breach. The sheer volume of cyber attacks numbs the senses.

And therein lies the problem. The numbers are so massive as to be incomprehensible, and so they seem daunting. Cyber-crime is everywhere. It’s bound to catch up with you. It’s like trying to outrun your camping companion when a Momma Bear gives chase.

The “problem” amounts to nothing more than a simple equation: Threat + Ignorance = Fear. Fear freezes us in place; it leads to complacency upon which cyber and data thieves feast.

Small and medium-sized businesses (SMBs) are our firm’s focus. And we believe it is our job to lead those business owners-operators and their families – that is, our clients – through the maze of cyber and data security do’s and don’ts. Fortune 100, 200, 300 and 1,000 companies have armies of cyber soldiers poised to act. Yet they still suffer the same data breaches as the SMBs. Why is this and what can SMBs do differently or perhaps better than the corporate giants?

To begin to tackle these and other issues, we introduce the HBK Cyber and Data Security Forum. Our Forum is devoted to addressing the questions and providing answers and guidance to help assure our clients and their families are aware of cybersecurity issues and ways to protect themselves.

Therefore, our first feature, a Q & A:

Q: Why, despite billions of dollars invested by business and industry in cyber and data security, do hackers and their peers keep winning battles and stealing unfathomable amounts of data?

A: Hackers and data thieves take many forms and come in many shapes and sizes. Whether they are sponsored by state sovereigns, rogue organizations seeking monetary gain or power, or small bands of cyber thieves, each has a trait common to all successful businesses: they re-invest in their business. By re-investing, hackers effectively move the target, raise the competency bar and are able to pick their next target because they know where and how the battle will be fought. To the attackers, the billions of dollars being spent to thwart them simply means that the game is on.

Q: When you meet with SMB executives about cyber and data security measures, what is their level of understanding of the issue and what are some misconceptions?

A: On the bright side, there is a high level of appreciation of the dangers of cyber and data “insecurity.” Because effective cybersecurity measures are a top-down activity, their heightened awareness translates into more effective action when and where it is needed most.

The challenges almost always begin and end with money. Budgets are stretched and little discretionary funding is available. Mix in the false belief that cybersecurity is an “IT” problem and you further narrow the scope of an already limited budget to a single department that technically does not create revenue. This creates tension in SMBs and leads to unrealistic expectations – expectations that can’t be, and aren’t, met.

Q: What makes you say that cybersecurity is not an IT-only responsibility?

A: Many SMBs outsource their data operations because it makes sense financially. But the effectiveness of third-party providers is limited by the scope of their work and costs. Task-specific functions are not the bedrock of sound cyber hygiene. Further, SMB IT departments hustle to handle day-to-day operations. And more importantly, even if IT runs perfectly, the single greatest threat to cyber and data security for SMBs comes from human error.

One common misconception is that having the right software/anti-virus/zero-day malware detectors means you are covered. These remedies work right up until the time a hacker discovers a method of intrusion and sells it on the dark web. Then the most popular software becomes the target du jour and “patches” are quickly devised and installed, usually just after the hacker has escaped over the Sunshine Skyway Bridge with your data.

Cybersecurity is about managing risk—and that’s not what you pay your IT service providers for. Nor is it necessarily what they’re good at. On the contrary, IT could actually pose a significant risk to your business and security efforts.

Q: What is your take on current cybersecurity laws and regulations, either those in place or pending legislative action?

A: The biggest risk is doing nothing. Conversely, passing a bill into law doesn’t guarantee a problem will be solved. The current fragmentation of state, federal, and international rules and regulations reflects both the infancy of the cybersecurity protection initiative and the tendency to try to stop something that has already happened.

In the United States and with the GDPR, the European Union’s data privacy regulation, the respective governmental entities are leveraging the resources of, and imposing restrictions on, those who use data to combat cyber theft. This places great financial strain on SMBs as they fend off hackers on one flank and seek to comply with regulations on the other. “Leveraging resources” is a polite term to describe the process of making SMBs pay the cybersecurity freight or suffer the consequences.

Q: Given the cyber threats, how can an SMB best defend itself and what are some good first steps?

A: For most SMBs, baby steps are a best start. Find out where you currently stand in terms of exposure. Have someone who studies processes and controls and financial systems look into how your company manages data. Companies that don’t know how they truly manage data are easy pickings for cyber criminals. With so many common operating systems worldwide, chances are good that hackers know your systems’ weaknesses. Get a check-up – and when you get the results you will have what you need to implement your cybersecurity strategy and accompanying tactics.

Q: Once the cyber “check-up” is complete, where do SMBs start the process of “cleansing” their cyber and data security practices?

A: A first step is to realize your business is a data business. A manufacturer of widgets is a data company in the widget business; a medical practice, a data company in healthcare. Once you appreciate that as an organization, leadership will more readily budget for cyber protection. Steps cannot be taken unless money is there to pay for them. Start with the low-cost, low-hanging fruit of employee behavior controls. Match needs with budgets and proceed on a “can afford” basis. Start with basic blocking and tackling; because cybersecurity is a process, you will not have to re-invent any wheels.

Q: How much does it cost to get a check-up and what all is involved?

A: SMBs need to examine the processes by which access to data is deployed and to determine what controls exist. Locking seven doors in a building is no good if an eighth door is open or a window ajar. Obviously, scopes vary with some systems being more critical, sensitive, and complex than others. Therefore, it wouldn’t be prudent to even estimate an expense. What’s most important is that after we assess the engagement we can provide a solution that will add value to your organization.

Q: Is a “check-up” or assessment the same as an SOC report?

A: System and Organization Controls (SOC) reports are a formalized, independent audit of the effectiveness of your security controls. There are multiple versions of SOC reports, but each report acts to “assure” third parties, boards of directors and the like, given the high stakes associated with information security. This type of report is becoming more common as large organizations turn to their vendors and third-party providers to ensure compliance with data security laws and to vouch to their customers that the product or service they deliver is delivered subject to sound cybersecurity practices.

Q: Is it better to get an SOC report or a check-up first?

A: SOC reports are not for every organization and each situation varies. As a general rule, starting your efforts by securing a technical assessment is more economical than launching into a security program assessment or independent SOC report. A technical assessment will identify vulnerabilities within your information technology that can be exploited at any moment—therefore it makes sense to prioritize this type of engagement and harden your systems immediately. Subsequently, or even concurrently, it’s prudent to undergo an assessment of your overall security program. This involves identifying and assessing governance and operational processes. The results of this assessment will allow you to implement any needed processes or strengthen weak ones. It’s critical not only to implement a security program, but to continually evolve and mature it. These assessments will allow our auditors to successfully perform the SOC audit, which will provide the third-party assurance many customers and business partners seek. SOC reports provide great value internally via routine audits, and externally by boosting credibility, reputation, and marketability.

Q: How long do you expect the phenomenon of cybercrime to continue?

A: As long as the human race continues to reduce aspects of life to data, there will always be people looking to pilfer that information and a matching need to apply vigilant measures to protect it.

About the Author(s)

Steven Franckhauser is a Senior Director working out of the Columbus, Ohio and Pittsburgh, Pennsylvania offices of HBK. He joined HBK in 2011 and works with both the Risk Advisory/Cybersecurity and Energy divisions of the firm.

He is an adjunct Professor of Law at the Duquesne University School of Law, where he teaches business planning and cyber security courses. Steve contributes to the Penn State Extension programs on Shale development, is an adjunct Professor at Penn State University's Beaver campus in Monaca, Penn., and has been a guest lecturer on shale energy and renewable energy at The Ohio State University Fisher School of Business and the School of Arts and Sciences. He is also a past recipient of the “Who’s Who in Energy” by the Pittsburgh Business Times.

He serves on various industry-related boards and is a frequent lecturer and speaker on the economic development and opportunities provided by shale energy, as well as on topics related to the importance and development of Cybersecurity best practices, regulations and standards as they relate to businesses and individuals.

Matthew J. Schiavone is a Senior Manager in HBK’s Quality Control department and works primarily in the Pittsburgh, Pennsylvania office. He specializes in risk advisory services, System and Organization Controls (SOC) reporting, internal controls, IT audit, information security, and cyber security for all types of industries.

Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.