Encryption: A VPN Building Block

Date October 21, 2019

When working remotely to improve “cyber posture,” we typically recommend a Virtual Private Network (VPN) as an encrypted “tunnel” between sending and receiving networks to protect the confidentiality of data in the communication. A VPN would not be viable without encryption.

Encryption is a mathematical function. It is the part of cryptography, the broad science of secret writing, that converts plaintext into ciphertext (“encryption”) and back again (“decryption”). Encryption has been around for centuries; one of the earliest examples, the Caesar cipher from ancient Rome, protects the secrecy of a message by substituting each letter with the letter a fixed number of places further along the alphabet.

Central to understanding how encryption works (and, indirectly, how VPNs increase security through encryption) is the number of encryption “keys” used during the process of converting plaintext to ciphertext and back. At the highest level, there are two types of encryption:

  1. Symmetric, where the same key is used both to encrypt and to decrypt the data
  2. Asymmetric, where the “public key” is used to encrypt and the “private key” is used to decrypt. (The public/private key pair is generated together, and the two keys are mathematically “related”.)

Neither type of encryption is better than the other. In fact, both of these technologies are critical in achieving cybersecurity when utilized properly.
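As an added example (not from the HBK article), the following Python script shows both key models side by side: the Caesar cipher described above as a symmetric cipher, where one shared key both encrypts and decrypts, and a toy textbook RSA key pair, where the public key encrypts and the mathematically related private key decrypts. The RSA primes, exponent and message value are tiny constructed numbers chosen for readability; a real key is thousands of bits long and uses padding, so nothing here should be used for actual protection. It goes slightly beyond the text by also counting the Caesar key space, which shows why a cipher with so few keys is a teaching example rather than a VPN building block.

```python
"""Added example: symmetric (Caesar) vs. asymmetric (toy RSA) encryption.
Not from the HBK article; all numbers are constructed for illustration."""
import string
from math import gcd

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter `key` places along the alphabet; other characters
    (spaces, punctuation) pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Symmetric: the SAME key undoes the encryption (shift the other way)."""
    return caesar_encrypt(ciphertext, -key)


def caesar_key_space() -> int:
    """Distinct non-trivial keys: shifts 1..25 (a shift of 0 changes nothing).
    A key space this small is why Caesar is a teaching example only."""
    return len(ALPHABET) - 1


def toy_rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA from two small constructed primes.
    Returns ((n, e), (n, d)): the public key and the private key.
    The keys are 'related' because d is the modular inverse of e mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, message: int) -> int:
    """Anyone holding the public key can encrypt."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(message, e, n)


def rsa_decrypt(private_key, ciphertext: int) -> int:
    """Only the holder of the private key can recover the message."""
    n, d = private_key
    return pow(ciphertext, d, n)


def round_trip_demo() -> dict:
    """Run both models on constructed inputs and return every intermediate value."""
    shared_key = 3
    ct = caesar_encrypt("ATTACK AT DAWN", shared_key)
    pt = caesar_decrypt(ct, shared_key)

    public_key, private_key = toy_rsa_keypair()
    message = 65  # constructed: a small integer stands in for the plaintext
    rsa_ct = rsa_encrypt(public_key, message)
    rsa_pt = rsa_decrypt(private_key, rsa_ct)
    return {"caesar_ct": ct, "caesar_pt": pt, "public": public_key,
            "private": private_key, "rsa_ct": rsa_ct, "rsa_pt": rsa_pt}


if __name__ == "__main__":
    for name, value in round_trip_demo().items():
        print(f"{name:10} {value}")
```

Running the script prints the Caesar round trip under key 3 and the RSA round trip under the key pair derived from the constructed primes; the point to notice is that the symmetric half needs the same secret on both ends, while the asymmetric half lets the encrypting side hold only the public key.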

As always, HBK Risk Advisory Services (RAS) is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613 or via email at wheaven@hbkcpa.com. HBK RAS is here to answer your questions and discuss your concerns.

Speak to one of our professionals about your organizational needs

"*" indicates required fields



Don’t Be a Boeing: Strengthen Your Cybersecurity

Date June 24, 2019
Article Authors
HBK CPAs & Consultants

There are no more excuses to bury your business’s head in the sand. The data and cyber theft threats are real. And imminent. And not just for big corporations or large government organizations. Attackers are at your front door … or worse.

There are three areas that need your consideration when it comes to protecting your data from cyber attack.

FIRST: To Err is Human. Have your processes and controls assessed and take stock of your level of cyber preparation. Pay special attention to your “human” vulnerabilities, as most cyber thefts are the result of someone either unwittingly or purposely allowing a breach to happen. The best software in the world can’t keep someone inside the organization from gaining access to your systems and processes.

Do it now. If you are defenseless you could have to pay ransomware to stay in business. Or worse, you might not be able to afford to stay in business.

SECOND: Assess your vendors and third-party providers. It’s much like going to a doctor’s office in the morning for a checkup, then having your immune system attacked by the malady of the day, a virus you picked up from someone sitting next to you in the waiting room. It’s the same with vendors and those who service them. They can infect your systems in spite of your best efforts. It was the root cause of the Target data breach in 2013 that extended to as many as 70 million customers. Boeing continues to struggle as its fleet of 737 Max passenger jets – and its stock price – remains grounded due to problems with third-party software described as “fatally flawed” and that has been at the root of two major airline catastrophes.

THIRD: Assess the data you transmit, process and store. Make a pecking order of data to determine which are more critical to your operation, and start at the top. Then proceed through it all.

Cybersecurity is no longer a check-the-box process; it is a way of doing business, a part of your business that must be addressed continually and methodically. We can help. Contact HBK Risk Advisory Services at 614-228-4000 or email us at SFranckhauser@hbkcpa.com with your cybersecurity questions and concerns. We can meet with you to discuss precisely when, how, where and why you need to protect your data. You can take baby steps. The one thing you shouldn’t do is nothing.


Watch Out for Tax-Related Cyber Attacks as Deadline Approaches


Tax Day is nearly upon us. And as April 15 approaches, many of us may be multi-tasking even more than normal as we prepare our final tax forms and file returns. Unfortunately, this creates a unique opportunity for cyber criminals to try to entice electronic preparers and filers to click on links that look like urgent emails pertaining to income taxes … but are really scams and/or attempts at phishing.

So, be on the lookout for any seemingly urgent emails claiming problems with your tax return, “corrected” tax documents from financial institutions requiring immediate downloads or similar scam email messages.

To lessen the likelihood of falling victim to cyber crime, keep the following points in mind when scanning your email inbox this tax season:

  • The IRS and other legitimate financial institutions DO NOT send or request important information via email or phone calls.
  • Sending tax or other financial information via regular email is NOT considered secure. NOTE: E-file is not email and is thought to be safer than traditional/postal mail.
  • Safeguard your tax and associated financial information by following guidelines specified by the IRS and your CPA.

Action Items

  1. Go directly to the website of the sending entity, or call an authorized phone number listed for them, to verify the institution’s legitimacy rather than clicking on an email link. These are the safest ways to confirm that a tax-related email request is valid.
  2. Use a secure (encrypted) portal or message system provided by the sending entity.
  3. If you must send sensitive information via email, be sure to encrypt it. You should provide your public encryption key to the recipient in a SEPARATE message.
  4. Limit the amount of sensitive information you share via email or phone.
  5. Destroy (SHRED) excess or outdated copies of your tax information. Contact your CPA before doing so, to ensure that you don’t prematurely dispose of necessary tax forms.

HBK can assist you with these or other cybersecurity topics or questions. Please contact Bill Heaven at 330-758-8613 or WHeaven@hbkcpa.com.


Don’t Pass on Password Managers


Recent Cyber Security industry statistics show that weak, default, or stolen passwords are involved in up to 80% of data breaches each year.

Passwords figure prominently in many areas of our daily functions such as logging onto work computers, doing online banking, sending email, accessing social media accounts and making most online shopping possible. A consistent, clear, repeated warning from Cyber Security experts and insiders is: creating complex passwords (i.e. comprised of both upper and lower case letters, numbers, and special characters) that are unique and lengthy is one way to ensure safe online activity.

Practicing healthy Cyber Security hygiene by implementing unusual passwords is outstanding in theory; it’s just that the average person has multiple password-protected accounts. Remembering which password aligns with each one of those accounts can be a challenge. That’s why using a password manager is helpful.

Advantages of Password Managers:

  1. It provides a centralized password storage location (i.e. a vault) – with only a master password to remember.
  2. It is able to automatically generate strong passwords for all of your accounts requiring a password.
  3. It is equipped with strong encryption, which protects your vault.
  4. It can simultaneously support multiple devices.
  5. It offers the ability to safely store other sensitive information, such as credit card numbers, in the vault.

There are several good, highly-recommended options to choose from, such as LastPass, Keeper, Dashlane and 1Password. Be sure to research each of the tools you are considering before making your decision to ensure that you are comfortable with the features and capabilities of the password manager you ultimately pick.

Action Items:

  1. Research and choose a reliable Password Manager.
  2. Choose a long and complex Master Password (remember, with a Password Manager, you only need to remember one).
  3. Be sure to take precautions to remember your new Master Password, such as selecting one that has meaning to you but would not be easy for an attacker to guess.
     Note: This is important because most providers have little or NO ability to assist you with finding/resetting a lost or forgotten Master Password.
  4. Begin using your Password Manager as soon as possible and migrate all of your existing passwords to it.

HBK can assist you with questions on this or any other Cyber Security topic. For more information, contact William Heaven at WHeaven@hbkcpa.com.


Are You Cyber Secure and Who Wants to Know?

Article Authors
HBK CPAs & Consultants

This is an update to the original INSIGHT article Are You Cyber Secure?, which was published in July 2017.

A System and Organization Controls 1 (SOC 1) report provides assurance over controls at a service organization that are relevant to user entities’ internal control over financial reporting. Obtaining a SOC for Cybersecurity report can prove that a cybersecurity risk management program is designed and functioning effectively. It can also reassure everyone from a member of the board of directors to a potential customer that information with which your company has been entrusted is being handled in accordance with cybersecurity best practices.

No matter your business or industry, cybersecurity is a concern. If you operate in cyberspace – and what business doesn’t? – you are vulnerable. To guard against the many risks, ranging from exposure of confidential information to loss of business reputation, every organization should have a cybersecurity risk management program. However, conveying the maturity of your risk management program to stakeholders is a challenge that needs to be overcome.

To meet that need the American Institute of Certified Public Accountants (AICPA), the certification and standards organization governing the practice of accounting, has introduced Systems and Organization Controls (SOC) for Cybersecurity. Building upon the profession’s experience in auditing system and organization controls, SOC for Cybersecurity enables CPAs to examine and report on an organization’s cybersecurity risk management program.

HBK CPAs & Consultants (HBK) has been performing SOC 1 and SOC 2 attestations since they replaced the SAS 70 report in 2010. In the area of SOC for Cybersecurity, we offer management two types of assurance services: advisory and attestation.

In an advisory role, we perform a readiness assessment, which helps businesses assess their cybersecurity program against the industry’s leading frameworks, and more appropriately, against the AICPA Cybersecurity criteria. We assist with identifying gaps in the framework and remediating those gaps to further develop or implement an effective cybersecurity program. For more established programs, we help organizations formally align the existing program with the three criteria as established by the AICPA:

Security – The system is protected, both logically and physically, against unauthorized access.

Availability – The system is available for operation and use.

Confidentiality – Information designated as confidential is protected as committed or agreed.

In an attestation engagement, we examine your cybersecurity program and provide an opinion on whether it is effective. We map your controls to ensure your program complies with the AICPA-established criteria. We review your description of how those criteria are accommodated, then test and validate the effectiveness of these controls and issue a report.

A cybersecurity risk management examination report includes the following three key components:

Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of its cybersecurity risk management program. The description provides information on how the company identifies its information assets, how it manages the cybersecurity risks that threaten them, and the policies and processes implemented and operated to protect its information assets against those risks.

Management’s assertion. The second component is an assertion provided by management that the description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Practitioner’s report. The third component is a practitioner’s report, which contains an opinion on whether management’s description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Our attestation is justification management can use to demonstrate to everyone from the board of directors to a potential customer that their cybersecurity program is in accordance with best practices. The AICPA logo of SOC for Cybersecurity certification is a key differentiator for a business, assuring stakeholders of the security of the information the business handles.

All organizations should have a cybersecurity program in place. Having it assessed for readiness, that is, ensuring your controls are aligned with the AICPA-defined standard and criteria, provides assurance that it is designed appropriately. Receiving a formal attestation demonstrates that the design is functioning as it should and gives your stakeholders confidence that you are a business that has implemented a robust and comprehensive cybersecurity program: that your organization is cyber secure.


How to Check Embedded Links on Your Mobile Device

Date December 13, 2018

Most consumers have read various materials, articles, and postings warning about the perils of phishing emails. But in today’s fast-paced world, many of us use our mobile devices for a majority of our email and other online communication. For this reason, it’s crucial to know the proper method for checking the validity of an embedded link in an email via a mobile device.

Implementing the “Hover-Over” or “Mouse-Over” tactic on a mobile “Touch-Screen” device can be challenging. Here are some suggestions for proper usage. (Note: The displayed menus may vary based on the email platform used, such as Gmail, Outlook, etc.).

When using a mobile device (Android, Apple), evaluate an embedded link by pressing and holding it down with your finger or stylus. Wait until the embedded link is encapsulated in a “bubble shape”, then lift your finger or stylus from the link and a menu will display prompts such as these:

  • A display of the full URL of the destination of the embedded link
  • Open or Open in Browser
  • Add to Reading List
  • Copy, Copy Link Address, or Copy URL
  • Share or Share Link

Be aware that a “quick” touch or tap, as opposed to pressing and holding the link, will open the embedded link immediately rather than showing the menu.
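The press-and-hold menu exists so you can see where a link really goes before opening it. As an added example (not from the HBK article), the Python script below does the same inspection programmatically on the HTML of an email: it lists every embedded link with its real destination host and flags the two warning signs a reader should look for, namely visible link text that names one site while the link goes to another, and links that point at a raw IP address. The sample email, its domains and the IP address are constructed for illustration and do not refer to any real site.

```python
"""Added example: inspect the links embedded in an HTML email the way the
press-and-hold menu lets you see the real destination on a phone.
Not from the HBK article; the sample email below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a web address or bare domain.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host name of a URL; a bare domain is treated as http://domain."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def inspect_links(html: str, trusted_hosts=()):
    """Return one finding per link: where it really goes and why it may be suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for href, text in collector.links:
        destination = host_of(href)
        # The visible text names one site, but the link goes somewhere else.
        mismatch = bool(LOOKS_LIKE_URL.match(text)) and host_of(text) != destination
        findings.append({
            "text": text,
            "href": href,
            "destination_host": destination,
            "display_mismatch": mismatch,
            # Legitimate institutions rarely link to a raw IP address.
            "ip_address": bool(IPV4.match(destination)),
            # Hosts you have verified out of band (e.g. by typing them yourself).
            "trusted": destination in trusted,
        })
    return findings


# Constructed sample of a tax-themed phishing email body (not a real message).
SAMPLE_EMAIL = """
<p>Your return has a problem. Verify now at
<a href="http://irs-gov-refund.example.net/verify">https://www.irs.gov/refund</a></p>
<p>Questions? See <a href="https://www.irs.gov/help">IRS Help</a>
or <a href="http://203.0.113.9/login">our secure portal</a>.</p>
"""

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL, trusted_hosts=["www.irs.gov"]):
        flag = "SUSPICIOUS" if (f["display_mismatch"] or f["ip_address"]) else "ok"
        print(f"{flag:10} {f['text']!r} -> {f['destination_host']}")
```

On the constructed sample the first link is flagged because the text shows an irs.gov address while the destination is a different domain, the third is flagged for pointing at an IP address, and only the second resolves to a host on the trusted list.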

For those who may be uncomfortable using the various mobile touch-screen options, it is possible to wait until returning to the office or work space and use the standard “hover” capabilities offered by a computer, unless an immediate response is required.

Continue to be a healthy skeptic and don’t fall for the phishing scam du jour.

Remember to avoid strange websites or URLs (Uniform Resource Locator) and continue to be VERY skeptical! If it looks suspicious, it likely is.

HBK can assist you with questions you have on this or any other cyber security topic. For more information, please contact Bill Heaven at wheaven@hbkcpa.com.


New Ohio Cyber Security Law to Take Effect November 2nd

Date October 30, 2018

Ohio Senate Bill 220 goes into effect on Friday, November 2, 2018.

The new law incentivizes businesses for implementing cyber security programs. Companies and corporations with a written cyber security program may assert “affirmative defense” to a tort claim related to a data breach.

To be eligible, a business must create, comply with, and periodically maintain a cyber security program that contains safeguards protecting both personal and restricted information, and that meets at least one of the following three stipulations:

1) The business institutes a policy that reasonably complies with at least one of the six industry-recognized cyber security frameworks.
2) The business is regulated by the state or federal government, or both, and complies with HIPAA, GLBA, or FISMA guidelines.
3) The business falls under PCI-DSS, reasonably complies with PCI-DSS guidelines, and adopts one of the six industry-recognized frameworks.

If any of these frameworks is revised after implementation, the business in question has one year from the date of the latest revision to amend its cyber security policy in order to remain aligned with that framework.

HBK can help with the creation and implementation or update of a cyber security program, as well as addressing other cyber security concerns or questions.

HBK can assist you with cyber security topics or questions. Please contact Matt Schiavone at mschiavone@hbkcpa.com, Bill Heaven at wheaven@hbkcpa.com, or Steve Franckhauser at sfranckhauser@hbkcpa.com for assistance.


Do You Have a Strong Password?

Date October 23, 2018

A password is arguably the single most crucial component for cyber security.

According to a recent version of the Verizon Data Breach Investigations Report (DBIR), 63% of all reported breaches (regardless of size) involve weak, default or stolen passwords.

A password/pin number is a string of characters, numbers, or symbols (or a combination of all three) used in verifying identity to permit access to a computer-based resource.

We use passwords for entry to home and work computers, social media accounts, online banking, email and many other functions/accounts requiring login. The password’s equivalent, a personal identification number (PIN), allows secure use of mobile phones (including voicemail functions), tablets, and banking at remote locations such as automatic teller machines (ATMs).

The best way to create a secure password or PIN is to follow the old adage, “Easy to Remember, Hard to Guess.” As a nation, we are doing less than stellar in selecting secure passwords and PINs.

Last year the most common password, “123456”, was used by 17% of the entire population. The word itself, “password”, came in eighth place in the list of most-commonly used passwords.

Obviously, the more unique a password or PIN is, the harder it will be for a hacker to determine.

Password Tips:
• Don’t share your password with anyone
• Don’t use simple dictionary words, family names, pet names or key dates like a birthday or anniversary
• Don’t repeat password usage for multiple computer resources
• Use a long password, one containing 14-25 characters (incorporate letters, numbers and symbols)
• Use a password manager (such as “LastPass”)
• If possible, implement two-factor (dual factor) authentication
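As an added example (not from the HBK article), this Python script turns the tips above into checks that can be run against a candidate password: minimum length, a mix of letters, numbers and symbols, a small blocklist of commonly used passwords, personal words the user supplies (names, pets, key dates), and reuse across accounts. The blocklist, the sample passwords and the account data are all constructed for illustration; a real deployment would check against a far larger corpus of breached passwords and would compare hashes rather than plaintext.

```python
"""Added example: apply the password tips above to a candidate password.
Not from the HBK article; blocklists and account data are constructed."""
import re
from typing import Dict, Iterable, List

MIN_LENGTH = 14  # the article suggests 14-25 characters; longer is not penalized here

# Constructed sample of widely used passwords (the article names the first two).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein", "welcome"}

# Constructed: passwords this person already uses elsewhere. In practice you
# would compare against salted hashes held by a password manager, never a list.
PASSWORDS_IN_USE = {"Summer2018!", "Correct-Horse-Battery-9"}


def _base_word(candidate: str) -> str:
    """'Password1!' -> 'password': drop trailing digits/symbols and lower-case,
    so that a common word with a number tacked on is still recognised."""
    return re.sub(r"[^a-z]+$", "", candidate.lower())


def check_password(candidate: str,
                   personal_words: Iterable[str] = (),
                   in_use: Iterable[str] = PASSWORDS_IN_USE) -> List[str]:
    """Return the tips the candidate violates; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"use at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("include letters")
    if not re.search(r"\d", candidate):
        problems.append("include numbers")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("include symbols")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS or _base_word(candidate) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    for word in personal_words:  # family names, pet names, key dates
        if word.lower() in lowered:
            problems.append(f"contains personal information ({word})")
    if candidate in set(in_use):
        problems.append("already used for another account; do not reuse")
    return problems


def reused_passwords(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password that protects more than one account to those accounts."""
    by_password: Dict[str, List[str]] = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


# Constructed sample of one person's accounts (plaintext only for the demo).
SAMPLE_ACCOUNTS = {
    "bank": "Summer2018!",
    "email": "Summer2018!",
    "shop": "Correct-Horse-Battery-9",
}

if __name__ == "__main__":
    for pw in ["password", "Password2019!", "Rover-2019-Birthday!", "Blue-Giraffe-Dances-42"]:
        verdict = check_password(pw, personal_words=["Rover"])
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print("reused:", reused_passwords(SAMPLE_ACCOUNTS))
```

The base-word check is what catches the classic “dictionary word plus a year and an exclamation mark” pattern that satisfies naive complexity rules; the reuse check covers the “don’t repeat password usage” tip, which is the one a password manager enforces for you.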

Action Items:
1. Implement a Cyber Security Awareness Campaign
2. Implement / Update IT Security Policies
3. Analyze password usage within your organization

HBK can assist you with cyber security topics or questions. Please contact Matt Schiavone at mschiavone@hbkcpa.com, Bill Heaven at wheaven@hbkcpa.com, or Steve Franckhauser at sfranckhauser@hbkcpa.com for assistance.


October is Cyber Security Awareness Month

Date October 2, 2018
Article Authors
HBK CPAs & Consultants

2018 marks the 15th consecutive annual observance of October as Cyber Security Awareness Month, as sponsored by the Department of Homeland Security.

The goal of the campaign is to raise awareness about the importance of cyber security.

Did You Know:

1. Last year, employee errors were at the heart of 17% of breaches (including failing to shred confidential information, sending an email to the wrong person, or misconfiguring a web server).

2. Ransomware, which initially appeared in 2013, is the top variety of malicious software prevalent today.

3. Statistically, about 22% of people click on phishing emails sent to them. Unfortunately, those who opt to click on phishing emails are highly likely to continue doing so.

Important Steps to Take:

1. Implement a Cyber Security Awareness Campaign within your organization.

2. Back up your data and verify the completeness and accuracy of individual and company backups.

3. Update your hardware and software with vendor-supplied updates on a timely basis.

HBK can assist you with any cyber security topics or questions. Please contact Matt Schiavone at mschiavone@hbkcpa.com, Bill Heaven at wheaven@hbkcpa.com, or Steve Franckhauser at sfranckhauser@hbkcpa.com for assistance.

Source of Statistics – 2018 Verizon Data Breach Investigations Report (DBIR)
