Cyber Security: It’s Everyone’s Job

Date August 13, 2019
Article Authors
HBK CPAs & Consultants

HBK is in the cyber security business. Our Risk Advisory Services group exists to serve our clients and help ensure they remain healthy, active and viable. That is our business, ethical and moral purpose. We also realize that we alone cannot entirely handle your cyber security needs, because so much of cyber security is a function of business culture and self-awareness.

Here are five reasons cyber security starts and ends in the business setting:

1. Laws put the burden on your business to protect cyber data. If you peruse the California Consumer Privacy Act, the New York Department of Financial Services Cyber Security Regulations, the Ohio Cyber Security Safe Harbor Law, the Florida Information Protection Act, and the mother of all data regulations, the General Data Protection Regulation of the European Union, you will find two common denominators: none of them make it illegal to steal data and all of them make it incumbent on the business to protect data.

Each regulation sets forth actions businesses must take to protect data. This type of law used to be reserved for national security matters—power plants, national emergencies, disaster recovery—but state governments in the U.S. and foreign sovereigns are delivering a clear message that these laws apply generally. You are responsible for protecting data, and if you do not you will be punished.

2. The burden to protect cyber data is being pushed by big businesses to small and medium businesses (SMBs) under contractual mandates. Large multinational businesses are being attacked through their vendors. Target took a data breach hit because of an HVAC vendor. Capital One just announced a data breach allegedly caused by an employee of one of its vendors.

Large businesses are now insisting that their vendors adopt safe cyber hygiene practices or risk losing the business. The role of “vendor risk manager” has risen to the top of the charts as supply chain logistics expand and state laws mandate cyber security measures. SMBs risk losing their best customers if they do not toe the line on cyber security.

3. Blind faith in outsourced IT and cyber security measures does not work. Pay close attention. Pushing problems to a third party does not solve problems; it merely hides them. Many SMBs outsource IT and presume that their vendor has cyber security covered. This is flawed for two major reasons. First, IT vendors are only one part of the cyber security solution. Second, IT companies are particularly susceptible to data attacks because they are an entry point into your systems. SMBs must be assured that the people they pay are addressing cybersecurity. As one CFO recently told me, he is afraid of what he doesn’t know. That type of self-realization is healthy. Have your vendors demonstrate their cyber security.

4. Cyber insurance underwriting guidelines will not accept cyber security indifference from management. Financing a cyber data breach or a ransomware heist is a big financial deal. CEOs, COOs, CFOs and BODs are tasked with managing the business vessel. Running afoul of cyber insurance guidelines can deprive a business of the requisite financial resources provided by insurance during a cyber data calamity. Good business management practices as well as operating agreements, by-laws and partnership agreements entrust these levels of decision to management. If C-level management and boards do not fulfill their obligations, they place the financial status of the business in peril. Study the cyber security laws and regulations listed in item 1 of this article. They are aimed directly at management.

5. Fiduciary Duty of Company Officers. Talk to your business lawyers about the respective duties owed to companies by their officers. Most state laws place this high level of responsibility upon the company officers. Fiduciary duties are non-delegable.

We do not have the luxury of cyber police patrolling the data streets of homes and businesses. Security always begins with the individual. Never confuse law enforcement with security. It is incumbent upon each person to do their part in cyber and data security because each person is a link in the cyber data chain. HBK understands this reality and bases its cyber security services on understanding the human, technical and management elements as being inextricably intertwined. In the end, you are only as secure as your weakest link.

For more information or to review your cyber security responsibilities and readiness, contact Steve Franckhauser at 614.228.4000 or sfranckhauser@hbkcpa.com.




Multi-Factor Authentications: A Waste of Your Time?

Date August 1, 2019

Cybersecurity is a multi-faceted initiative. Protecting your business – and your family – from cybercrime requires a wide range of oversight and activities. One process being broadly employed is known as “multi-factor authentication” (MFA). Technically defined as a “security system,” MFA requires a user to provide more than a single input or authentication before granting access to an asset, a location or an online account.

Such required authentications are typically categorized in three ways:

  1. Something you know (such as a password)
  2. Something you have (like a key fob)
  3. Something that uniquely identifies only you (such as a fingerprint)

The often-used term “two-factor authentication” is a subset of multi-factor authentication, which, as the name implies, allows access after two separate inputs.

MFA is not new; it has been in use for decades. One of the oldest applications is the bank ATM. To withdraw money from the ATM, you need minimally a two-factor authentication: your ATM card, which is the “something you have,” and your PIN (personal identification number), the “something you know.”

With the exponential growth of the internet and online accounts, MFA enhances protection beyond a password, that is, a single-factor authentication. Because people often use the same password for multiple online accounts, hackers have a much easier time gaining access to single-factor authentication online accounts than MFA accounts. MFA provides a much-needed additional layer of protection to compensate for the bad habit of repeatedly using the same password. (See our article, “Don’t Pass on Password Managers”, to learn about another layer of protection.)

The next time you are frustrated with the extra time it takes to enter multiple authentication factors, take heart. Your business or organization has deployed an additional layer of protection for you. It might be a little inconvenient, but it is hardly a waste of time.

MFA is one aspect of a multi-layered cybercrime defense strategy. We can help you develop your own strategy to protect your business and family. Contact Bill Heaven at 330-758-8613 or email WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.




Cyber Hygiene – It’s a Real Thing

Date June 14, 2019

In articles and presentations on Cybersecurity, it’s not uncommon to come across the term “Cyber Hygiene.” By default, it makes me think of human hygiene. At a detail or task level, there really isn’t much of a comparison. But think about the topic more broadly: If we take care of ourselves physically, we are likely to enjoy better health. Similarly, if you take good care of your IT systems, they will be apt to perform better – and you will be less likely to fall victim to a Cybersecurity breach.

What can you do to improve your cyber hygiene? Exercising these action items will get you off to a great start:

  • Make sure that you have an up-to-date inventory of your IT assets (i.e. hardware, software and data).
  • Regularly patch and update your IT assets.
  • Regularly back up your data; test your backup process to ensure it is working as intended.
  • Limit the number of user accounts that have administrator privileges on your IT systems.
  • Implement an antivirus solution and make sure you receive regularly updated virus definitions.
  • Use a firewall to protect your system.

Cybersecurity experts often talk about vulnerabilities for which a fix, that is, a patch, has been released. But most companies don’t regularly apply the necessary updates or patches, or mitigate their vulnerabilities in any other way. Hackers have been known to exploit vulnerabilities, especially those where security measures aren’t taken or that are more than a decade old. When I speak to clients or at conferences about Cybersecurity, I point out that hackers are a lazy bunch. They attack the weak, not the strong. Improving your Cyber Hygiene will help you avoid becoming such a target.

HBK can help you with Cyber Hygiene. Call me at 330-758-8613 or email me at WHeaven@hbkcpa.com with your questions and concerns.
