New Year Ushers in Enhanced Cybersecurity Threats

Date January 15, 2020

The new year brings with it an opportunity for a fresh start. From a cybersecurity perspective, however, a new year is also a typically dangerous time. Cyber hackers and cyber criminals often take advantage of the opening of tax season—January 7 for businesses, January 27 for individuals—to unleash social engineering campaigns. The campaigns can be digital or phone-based. They aim to steal login credentials or personally identifiable information (PII) and will stress the need for you to respond urgently to an important communication, typically purporting to be from your financial institution or accounting firm, about a problem with your account, a law you may have violated, or something else that requires your immediate attention.

As if such risks are not enough to wrestle with, the dawn of 2020 brings with it additional cyber worries rooted in the recently increased tensions between the U.S. and Iran. The Iranian government suggested its response to the killing of General Qasem Soleimani “concluded” with its January 7 missile launch. But according to The New York Times, cybersecurity experts are picking up on ongoing malicious cyber activity from pro-Iranian forces. And while Iranian cyber capabilities are not on par with those of Russia, China or the U.S., Iran does have the capability to inflict damage via a cyber attack.

The Cybersecurity and Infrastructure Security Agency (CISA), which was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, is charged with protecting the nation’s critical infrastructure from physical and cyber threats. The agency’s January 6 Alert AA20-006A “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad” suggests that employees as well as the IT departments of organizations adopt a heightened sense of awareness and increase organizational vigilance.

What you should do:
* Use known contact methods instead of those provided in an email or voicemail
* Do not open attachments or click links unless you are certain they are from a verified “trusted source”
* Do not divulge sensitive information unless you have verified the recipient
* Be sure to use approved solutions for transmitting sensitive information with clients or third parties

Cyber criminals continue to ramp up efforts to disrupt organizations and their ability to function in a digital society. Organizations must continue to enhance their efforts to keep themselves from becoming victims of cyber crimes.

Attend Our Cybersecurity Webinar
On Wednesday, January 22, join HBK Risk Advisory Services Director Matt Schiavone for our first webinar of 2020, “Security Awareness Programs: What You MUST Know to Protect Your Company & Workforce,” at Noon EST. Register for the free webinar here.

Speak to one of our professionals about your organizational needs




Cybersecurity Insurance: Consider Your Options

Date November 26, 2019

As a cybersecurity professional, I’m often asked by clients if they should buy cybersecurity insurance. My answer is “definitely,” but not without considerations. For one, you should determine the value of what you are trying to protect. And when evaluating a policy, ensure that you are clear on exactly what the policy covers—and maybe more importantly, what it doesn’t.

Cybersecurity insurance policies come in many forms, from a “quick” cyber policy, where applying requires you only to answer three or four questions, to a full-length application policy. The protection level and policy costs vary accordingly; quick policies may include multiple coverage exclusions or costly gaps. For example, failing to apply security patches may trigger an exclusion that voids your coverage. If you implement a recognized cybersecurity control framework, you will likely be able to find policies with more coverage at lower cost. Following a framework can also lower the probability that you are later denied coverage under your cyber insurance policy because you inadvertently answered a crucial application question incorrectly.

A follow-up question I often get: Can I mitigate my business’s cyber-risk through a cyber policy, or should I implement cybersecurity controls to improve my cybersecurity posture?

I posed the question to Joseph Brunsman, author of multiple published cyber insurance articles and a book on cyber insurance. He stated, “Cyber insurance is a crucial component – but arguably the last component – in the defensive posture of business. I would prefer, as would the regulators who can bring sizable fines and consent orders, cyber insurers, and attorneys who specialize in post-breach litigation, that businesses do everything in their power to avoid a breach. After that first breach occurs, insurance companies begin to take a hard look at internal cybersecurity postures. Increasingly insurers are demanding specific controls be implemented as a prerequisite to coverage. If businesses fail to adopt the correct posture, they could quickly find themselves with no recourse but to pay for every breach out of pocket. Taken as a whole, businesses need to consider their cybersecurity posture now, while it’s convenient, and before it’s mandatory.”

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call us at 330-758-8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.



Understanding URLs to Identify Phishing

Date October 16, 2018
Having a general understanding of how Uniform Resource Locators (URLs) are commonly formatted and used can help you avoid online scams, particularly phishing (deceptive practices used to obtain sensitive user information such as logins, passwords, and credit card details). The main purpose of a URL is to let a user locate a specific website without having to use its numeric IP (Internet Protocol) address. URLs refer to a “dot com” type of address rather than one comprised only of numbers like 12.354.678.910. Please use the following summary of URL components as a guide to help you identify safe, secure websites.

* Common Protocols – http, https, ftp (Note: https is an encrypted session, i.e. secure)
* Domain Names – The alphanumeric name of the server where the website is hosted, such as LinkedIn or HBKCPA
* Sub-Domains – Sub-domains are commonly used and are added to the left of the Domain Name, so the host name is read right to left rather than left to right
* Common Top-Level Domains – .com, .org, .gov
* Pathnames – The directory/subdirectory on the web server where the information is located
* Filenames – The name of the desired file on the web server
* Common Extensions – .html, .jpeg, .wav, .exe

Here are two examples of URLs:

https://support.microsoft.com/en-us/1234word.html
This is a valid URL using a Sub-Domain of “support”. Don’t be thrown off when sub-domains read in the opposite direction of how we read words/text in English.

http://rnicrosoft.com/support/1234word.html
This is an example of an invalid URL that might be used for phishing. The hacker uses an “r” and an “n” to simulate a lower-case “m” in the domain name “microsoft” in order to confuse users into thinking it is a legitimate URL.

Remember that phishing attempts are on the rise and are becoming so sophisticated that they are constantly more difficult to identify. So, please take note of these tips to help you avoid links that may lead to phishing attacks.
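As an added, illustrative example (not code from HBK or from the original article), the following Python script breaks a URL into the components listed above and then checks whether the domain merely looks like a trusted one, using the “rn” for “m” substitution from the rnicrosoft.com example. The confusable table, the trusted-domain list, and the rule that the registrable domain is the last two host labels are assumptions made for this demonstration; the two-label rule is right for .com, .org and .gov but not for multi-part suffixes such as .co.uk.

```python
"""Decompose a URL into its components and flag look-alike domains.

Added example for the HBK article on reading URLs; not the firm's own code.
"""
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed, illustrative table of character sequences that mimic another
# letter in common fonts ("rn" reads as "m", as in rnicrosoft.com).
# Assumption: this short list is for demonstration, not an exhaustive set.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def fold_confusables(label: str) -> str:
    """Replace look-alike sequences so that 'rnicrosoft' folds to 'microsoft'."""
    folded = label.lower()
    for lookalike, real in CONFUSABLES.items():
        folded = folded.replace(lookalike, real)
    return folded


def decompose(url: str) -> Dict[str, object]:
    """Split a URL into protocol, sub-domains, domain, TLD, path, file name and extension.

    Assumption: the registrable domain is the last two host labels.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels: List[str] = host.split(".") if host else []
    tld = labels[-1] if labels else ""
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    subdomains = labels[:-2] if len(labels) > 2 else []
    path = parts.path
    filename = path.rsplit("/", 1)[-1] if "/" in path else ""
    extension = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return {
        "protocol": parts.scheme.lower(),
        "encrypted": parts.scheme.lower() == "https",   # https = encrypted session
        "host": host,
        "subdomains": subdomains,
        "registrable_domain": registrable,
        "tld": tld,
        "path": path,
        "filename": filename,
        "extension": extension,
    }


def lookalike_of(host: str, trusted_domains: Iterable[str]) -> Optional[str]:
    """Return the trusted domain this host impersonates, or None if it is genuine.

    Two tricks are checked: confusable characters in the registrable domain
    (rnicrosoft.com) and a trusted brand used as a sub-domain label of an
    unrelated domain (microsoft.com.example.net). A host whose registrable
    domain *is* the trusted domain (support.microsoft.com) is accepted.
    """
    trusted_list = [t.lower() for t in trusted_domains]
    info = decompose("http://" + host)
    registrable = str(info["registrable_domain"])
    subdomains = [fold_confusables(s) for s in info["subdomains"]]  # type: ignore[union-attr]
    if registrable in trusted_list:
        return None
    for trusted in trusted_list:
        if fold_confusables(registrable) == trusted:
            return trusted                       # e.g. rnicrosoft.com -> microsoft.com
        brand = trusted.split(".")[0]
        if brand in subdomains:
            return trusted                       # brand buried in a sub-domain
    return None


if __name__ == "__main__":
    trusted = ["microsoft.com"]                   # assumed allow-list for the demo
    for sample in ("https://support.microsoft.com/en-us/1234word.html",
                   "http://rnicrosoft.com/support/1234word.html",
                   "http://microsoft.com.example.net/login"):
        info = decompose(sample)
        verdict = lookalike_of(str(info["host"]), trusted)
        print(sample)
        print("  encrypted:", info["encrypted"], " sub-domains:", info["subdomains"],
              " domain:", info["registrable_domain"], " file:", info["filename"])
        print("  look-alike of:", verdict or "none")
```

The script deliberately folds only the suspicious host, never the trusted name, so a legitimate domain that happens to contain “rn” is not mistaken for a look-alike; the exact-match check runs first for the same reason.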
For this reason and many others, it is crucial to implement a Cyber Security Awareness Campaign within your organization. Contact HBK if you would like assistance with implementing a Cyber Security Awareness Campaign or with any other cyber security topic or question. Please contact Matt Schiavone at mschiavone@hbkcpa.com or Bill Heaven at wheaven@hbkcpa.com for assistance.