What the 2021 Verizon-Data Breach Investigations Report Means for Your Business: An HBK Risk Advisory Services Webinar

Date May 21, 2021

What the 2021 Verizon-Data Breach Investigations Report Means for Your Business

Our April webinar covered the IT Risk Assessment process and its importance in mitigating cybersecurity risk. This month we will review the 14th annual Verizon Data Breach Investigations Report (DBIR), a tool businesses use to evaluate cybersecurity threats they face and determine ways to mitigate them.

We will cover the following:

  1. DBIR background

  2. Key takeaways from this year’s report

  3. Industry highlights

  4. Inputs to your IT risk assessment

  5. Risk mitigation recommendations


The Verizon DBIR provides valuable and actionable information that is relied upon by cybersecurity experts across the globe. The webinar will provide information you can use during the “Identify Risks” and “Analyze Risks” steps of your IT Risk Assessment process.

Watch Webinar.

Speak to one of our professionals about your organizational needs

"*" indicates required fields



Cybersecurity: Expense or Investment?

Date November 11, 2019
Article Authors
HBK CPAs & Consultants

As a business owner or chief executive you focus on increasing the value of your business. Costs that don’t produce a return, if sometimes necessary, are unwanted expenses.

As the practice of cybersecurity has emerged, many organizations have looked at implementing a cybersecurity program as an expense. But even beyond protecting your organization from potentially catastrophic data thievery, a cybersecurity program is an investment that adds real, quantifiable value to your business—added value clearly evident as owners look to merge or sell their businesses.

Consider the many businesses spanning myriad industries that have fallen victim to cyber attacks or data breaches subsequent to being acquired. FitMetrix, a MindBody acquisition; Starwood Group, a Marriott acquisition; MyFitnessPal, an Under Armour acquisition; and Bongo International, a FedEx acquisition are glaring examples.

All markets and industries have been affected. As a result, a company’s cybersecurity program, or lack thereof, is a central consideration in current M&A due diligence.

In a recent survey conducted by the International Information System Security Certification Consortium, or (ISC)², 96 percent of respondents say they take the maturity of cybersecurity programs into consideration when determining the value of a company. (ISC)² is a non-profit organization offering training and various certifications to cybersecurity professionals.

Moreover, 53 percent of respondents said values can vary widely depending on the maturity and effectiveness of the cyber program; 45 percent agreed that a cybersecurity program adds value but said that they assign value via a plus-or-minus or pass-or-fail indicator.

Perhaps most interesting, the study revealed cybersecurity infrastructure—including “soft” assets such as a risk management policy, security awareness training programs and other governance initiatives that might not traditionally be considered infrastructure—actually has a greater impact on value than IT.

Conversely, the lack of cybersecurity infrastructure indicates a liability potentially devaluing the company.

To illustrate the value of your cybersecurity initiative, we recommend you develop a formalized and documented cybersecurity program. The program should be continually improved and reviewed at least annually by an appropriate third party firm.

Simply put: Invest in cybersecurity. Secure the future of your business and its value.

HBK can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Contact Matthew Schiavone, CPA, CISSP, CISA for questions or to schedule an assessment.




Welcome to Cyber Security Awareness Month

Date October 1, 2019

October is Cyber Security Awareness Month, in accordance with the 16th consecutive year of the Department of Homeland Security’s (DHS) annual campaign. The goal of the initiative is to raise awareness about the importance of cyber security.

Did You Know? (From the 2019 Verizon Data Breach Investigations Report)

  • C-level executives are 12 times more likely to be targeted by social engineering campaigns.
  • Ransomware attacks are still going strong and remain a valid threat to all industries.
  • Mobile users are more susceptible to phishing attacks, likely due to their user interfaces, among other factors.
  • In 2019, 43% of cyber breaches involved small businesses.

Action Item Reminders:

  • Implement cyber security awareness training and associated programs to measure effectiveness.
  • Implement network vulnerability scans to identify security holes that a hacker could potentially exploit.
  • Back up your data and verify the completeness and accuracy of individual backups.
  • Implement vendor-supplied updates on both your hardware and software on a timely basis.

As always, HBK Risk Advisory Services is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. HBK is here to answer your questions and discuss your concerns.




Cyber Laws & Best Practices: Getting Your Cyber House in Order

Date September 4, 2019
Article Authors
HBK CPAs & Consultants

Sir Winston Churchill’s definition of Russia as “a riddle, wrapped in a mystery, inside an enigma” aptly describes the state of affairs between the bevy of cyber and data security laws and business enterprises forced to contend with the onslaught of cyber thieves and hackers. The “rock” of cyber thieves on one side and “hard place” of cybersecurity rules on the other can make life difficult for businesses.

Understanding the basics
When your business must adhere to disparate and fragmented cyber rules, regulations and laws, the first task at hand is to prioritize your needs, identifying, in effect, the “low hanging cyber fruit.” First, understand the requirements common to most cyber legislation. What are the states requiring a business such as yours to do in the event of a breach of “protected information”?

All 50 states and U.S. territories have laws mandating that businesses provide notifications to those whose protected information has been breached while in the care of the business. But each state has different requirements. It is conceivable that a single data breach will require a business to comply with 50 different sets of requirements. Consequently, a business should:

  • Take inventory of the states of residence of its clientele
  • Determine what it must do to comply with those states’ requirements
  • Prepare a plan to implement in the event of a data breach

Getting down to specifics
Following are details on the data breach notice laws for the states in which most HBK clients reside: Florida, Ohio, Pennsylvania and New Jersey.

Florida Information Protection Act of 2014 [i]: Any commercial entity that acquires, maintains, stores, or uses Personally Identifiable Information (PI) must notify affected Florida residents by written mail or electronic mail within 30 days of the breach.

  • If the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000, the business may use other means and methods of notifying those affected.
  • If the data breach involves more than 500 Florida residents, the business must report the breach to the Florida Department of Legal Affairs.
  • A breach affecting more than 1,000 Florida residents must be reported to credit reporting agencies.

Ohio Notification requirements [ii]: In Ohio, any business that experiences a harmful data breach must notify affected Ohio residents within 45 days by mail, telephone, or electronic mail.

  • Businesses can use public service announcements in the event that more than 500,000 Ohio residents are affected, if notification costs exceed $250,000, or if the business has ten or fewer employees and notification costs exceed $10,000.
  • When more than 1,000 Ohio residents are affected by a breach, all consumer-reporting agencies must be informed.

Pennsylvania Breach of Personal Information Notification Act [iii]: When a Pennsylvania business experiences a harmful data breach, it must notify affected Pennsylvania residents as soon as possible by mail, telephone, or email.

  • If the security breach affects more than 175,000 people, or the cost of notification exceeds $100,000, public service announcements can be used instead.
  • When a breach affects 1,000 or more people, you must report it to all consumer-reporting agencies.

New Jersey Data Breach Identity Theft Prevention Act [iv]: Businesses in New Jersey are required to respond to a data breach quickly. A business must first notify the Division of the State Police in the Department of Law and Public Safety, then alert the affected consumers through email or written notice.

  • If the breach affects more than 1,000 people, the business owner must notify all consumer-reporting agencies.
  • A business that willfully, knowingly, or recklessly violates the New Jersey Consumer Fraud Act, including failing to adhere to the Theft Prevention Act, may have to pay the injured party three times the damages, plus attorney fees and court costs.

While the laws are similar, the nuances require businesses to attend to the particulars of each. And the nuances turn into stark reminders of the perils of cyber-crime. Having to author a letter to clients admitting their data was stolen while they entrusted it to your care can make for a formidable backlash.

We will explore various other cyber and data security laws that impact your business in our next article.

Sources:
i. https://www.flsenate.gov/Session/Bill/2014/1524/BillText/er/PDF

ii. http://codes.ohio.gov/orc/1349.19

iii. https://www.legis.state.pa.us/CFDOCS/Legis/PN/Public/btCheck.cfm?txtType=HTM&sessYr=2005&sessInd=0&billBody=S&billTyp=B&billNbr=0712&pn=0898

iv. https://www.njleg.state.nj.us/2004/bills/pl05/226_.htm




106 Million Endure Data Breach: A Costly Lesson

Date August 23, 2019
Article Authors
HBK CPAs & Consultants

On July 29, Capital One Financial announced that 106 million of its customers and applicants had their data breached while their data was in Capital One’s possession.

What went wrong?
Capital One Financial Corporation (NYSE: COF) announced that on July 19, 2019, there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products, as well as to Capital One credit card customers.

Basic Cybersecurity Truisms

  1. Bigger is not better. One fallacy related to cyber and data security is that if a large company is in possession of data, the data must be safe, since the assumption is the company has invested in the best of cyber theft prevention available. The truth is sobering. Big companies have the same vulnerabilities as small and mid-size companies: all are only as strong as their weakest link and weakest vendor.
  2. You are at the mercy of your vendor. In this case, an employee of one of Capital One’s vendors is accused of breaking through a Capital One firewall to access the customer data that the bank had stored on Amazon.com Inc.’s cloud service. The bulk of the stolen data includes data submitted by both customers and small businesses that applied for Capital One credit cards between 2005 and early 2019.
  3. Arresting a suspect after the data has been stolen doesn’t help retrieve it. The arrest of a suspect is of little consolation to those with missing data. The data is gone. The irony is that the customers whose data was stolen will pay the taxes providing room and board to the convicted and imprisoned data thief.

Lessons Learned:
Here are the takeaways from the Capital One Financial breach as we see them.

  • The size of the business harboring the data is irrelevant. All businesses are vulnerable.
  • Small and mid-sized businesses (SMBs) are particularly vulnerable since they are often both customer and vendor.
  • SMBs are now viewed as potential weak cyber links and are under scrutiny by their larger customers.
  • Even the most expensive and intricate firewalls can be vaulted.
  • No senior level executive wants to make a public statement about a breach of data they held.
  • Executives at SMBs are called upon to take control of cybersecurity IF they care about their companies.

How can HBK help?
HBK offers three introductory levels of cybersecurity assessments designed specifically for SMB budgets and risks. We also offer SOC 1, SOC 2 and SOC for Cybersecurity reports in the event proof of your cyber preparation and readiness is requested.

Call Steve Franckhauser at 614.228.4000 extension 2415 to discuss cybersecurity options.




Cyber Security: It’s Everyone’s Job

Date August 13, 2019
Article Authors
HBK CPAs & Consultants

HBK is in the cyber security business. Our Risk Advisory Services group exists to serve our clients and help ensure they remain healthy, active and viable. That is our business, ethical and moral purpose. We also realize that we alone cannot entirely handle your cyber security needs, because so much of cyber security is a function of business culture and self-awareness.

Here are five reasons cyber security starts and ends in the business setting:

1. Laws put the burden on your business to protect cyber data. If you peruse the California Consumer Privacy Act, the New York Department of Financial Services Cyber Security Regulations, the Ohio Cyber Security Safe Harbor Law, the Florida Information Protection Act, and the mother of all data regulations, the General Data Protection Regulation of the European Union, you will find two common denominators: none of them make it illegal to steal data and all of them make it incumbent on the business to protect data.

Each regulation sets forth actions businesses must take to protect data. This type of law used to be reserved for national security matters—power plants, national emergencies, disaster recovery—but state governments in the U.S. and foreign sovereigns are delivering a clear message that these laws apply generally. You are responsible for protecting data, and if you do not you will be punished.

2. The burden to protect cyber data is being pushed by big businesses to small and medium businesses (SMBs) under contractual mandates. Large multinational businesses are being attacked through their vendors. Target took a data breach hit because of an HVAC vendor. Capital One just announced a data breach allegedly caused by an employee of one of its vendors.

Large businesses are now insisting that their vendors adopt safe cyber hygiene practices or risk losing the business. The role of “vendor risk manager” has risen to the top of the charts as supply chain logistics expand and state laws mandate cyber security measures. SMBs risk losing their best customers if they do not toe the line on cyber security.

3. Blind faith in outsourced IT and cyber security measures does not work. Pay close attention. Pushing problems to a third party does not solve problems, it merely hides them. Many SMBs outsource IT and presume that their vendor has cyber security covered. This is flawed for two major reasons. First, IT vendors are only one part of the cyber security solution. Second, IT companies are particularly susceptible to data attacks because they are an entry point into your systems. SMBs must be assured that the people they pay are addressing cybersecurity. As one CFO recently told me, he is afraid of what he doesn’t know. That type of self-realization is healthy. Have your vendors demonstrate their cyber security.

4. Cyber Insurance underwriting guidelines will not accept cyber security indifference from management. Financing a cyber data breach or a ransomware heist is a big financial deal. CEOs, COOs, CFOs and BODs are tasked with managing the business vessel. Running afoul of cyber insurance guidelines can deprive a business of the requisite financial resources provided by insurance during a cyber data calamity. Good business management practices as well as operating agreements, by-laws and partnership agreements entrust these levels of decision to management. If C-level management and boards do not fulfill their obligations, they place the financial status of the business in peril. Study the cyber security laws and regulations listed in item 1 of this article. They are aimed directly at management.

5. Fiduciary Duty of Company Officers. Talk to your business lawyers about the respective duties owed to companies by their officers. Most state laws place this high level of responsibility upon the company officers. Fiduciary duties are non-delegable.

We do not have the luxury of cyber police patrolling the data streets of homes and businesses. Security always begins with the individual. Never confuse law enforcement with security. It is incumbent upon each person to do their part in cyber and data security because each person is a link in the cyber data chain. HBK understands this reality and bases its cyber security services on understanding the human, technical and management elements as being inextricably intertwined. In the end, you are only as secure as your weakest link.

For more information or to review your cyber security responsibilities and readiness, contact Steve Franckhauser at 614.228.4000 or sfranckhauser@hbkcpa.com.




Is Your Computer System Protected by a Multi-Layered Defense?

Date June 28, 2019

You might have heard the phrase “multi-layered defense” in relation to protecting your computer system from a cyber-attack. A multi-layered defense is, essentially, what the term implies: a defense architecture consisting of multiple layers, from developing policies to monitoring systems, to implementing backup procedures. It is a sensible strategy for protecting assets, physical as well as digital.

For example, consider the protections in place to control access to your safety deposit box. To obtain the contents of your box, you must navigate several layers of security:

  • Enter the bank.
  • Enter the restricted zone – with an escort.
  • Enter the vault area.
  • Use your safety deposit box key in conjunction with a second key held by the bank to open the box.

Similarly, you should use a multi-layered defense strategy to protect your computer system. Implementing a firewall and antivirus software are two well-known components of a multi-layered defense. But there are additional components that could make sense for your organization, such as network segmentation, data encryption and two-factor authentication.

Here are a few things you can do to ensure an effective multi-layered defense:

  • Check to see that you have a firewall and an antivirus solution in place and confirm that they are working as intended.
  • Understand what types of data are stored within your computer system, such as:
    1. Company financial data
    2. Personal data (employees, customers & vendors)
    3. Proprietary data (i.e. company trade secrets)
    4. Public data

  • Determine the perceived value of the various types of data stored in your computer system.
  • Understand how all of these data types flow into, through and from your computers – that is, where your data comes from, what you do with it, and who you share it with.
  • Determine if there are or should be restrictions as to who inside or outside your organization is allowed access to each type of data.
  • Check with your IT Department or managed service provider regarding the implementation of additional multi-layered defense components.
  • Lastly, conduct regular evaluations to ensure all of these mechanisms continue to operate efficiently.

HBK can help you develop and evaluate a multi-layered defense strategy. For assistance, email me at wheaven@hbkcpa.com. As always, we are here to answer your questions and discuss your concerns.




Don’t Be a Boeing: Strengthen Your Cybersecurity

Date June 24, 2019
Article Authors
HBK CPAs & Consultants

There are no more excuses to bury your business’s head in the sand. The data and cyber theft threats are real. And imminent. And not just for big corporations or large government organizations. Attackers are at your front door … or worse.

There are three areas that need your consideration when it comes to protecting your data from cyber attack.

FIRST: To Err is Human: Have your processes and controls assessed and take stock of your level of cyber preparation. Pay special attention to your “human” vulnerabilities, as most cyber thefts are the result of someone either unwittingly or purposely allowing a breach to happen. The best software in the world can’t keep someone inside the organization from gaining access to your systems and processes.

Do it now. If you are defenseless you could have to pay ransomware to stay in business. Or worse, you might not be able to afford to stay in business.

SECOND: Assess your vendors and third-party providers. It’s much like going to a doctor’s office in the morning for a checkup, then having your immune system attacked by the malady of the day by a virus you picked up from someone sitting next to you in the waiting room. It’s the same with vendors and those who service them. They can infect your systems in spite of your best efforts. It was the root cause of the Target data breach in 2013 that extended to as many as 70 million customers. Boeing continues to struggle as its fleet of 737 Max passenger jets – and its stock price – remains grounded due to problems with third party software described as “fatally flawed” and that has been at the root of two major airline catastrophes.

THIRD: Assess the data you transmit, process and store. Make a pecking order of data to determine which are more critical to your operation, and start at the top. Then proceed through it all.

Cybersecurity is no longer a check-the-box process; it is a way of doing business, a part of your business that must be addressed continually and methodically. We can help. Contact HBK Risk Advisory Services at 614-228-4000 or email us at SFranckhauser@hbkcpa.com with your cybersecurity questions and concerns. We can meet with you to discuss precisely when, how, where and why you need to protect your data. You can take baby steps. The one thing you shouldn’t do is nothing.




Is Your Anti-Virus Software Functioning as Intended?

Date June 4, 2019

Most people know basic information about anti-virus software and that it is crucial for cybersecurity. However, it’s often mistakenly believed that anti-virus software is the only cybersecurity defense component required to protect your computer system.

Anti-virus does play a very important role within a multi-layered cybersecurity strategy. However, we are providing this overview to underscore and verify that this component is merely one part of protecting your computer environment.

From a 50,000-foot view, anti-virus software operates in the following manner: it checks a table of known virus definitions against all the files stored on a computer system in order to flag a potential virus. The flagging of viruses is achieved either through signature-based or heuristic-based analysis.

A file signature is a unique identifying number located in the file’s header that identifies the type of file and data contained within that file. Heuristics refers to an algorithm that is used to find previously unknown viruses (i.e. those not yet listed on the virus definition table).

There are two main anti-virus operational modes currently in use to check files on a computer system:

  1. Full System Scan. A Full System Scan runs on an automatic schedule or is started manually. This mode also includes a “quick scan”, which checks only the files whose file signature has changed since the previous Full System Scan.
  2. Background Processing. As its name indicates, this process runs in the background on your computer, checking every file as it is opened. It is often referred to as “Real-Time Protection”.

There are many anti-virus options available to consumers, including both free and paid products. Virus detection rates vary among these choices and can fluctuate over time. Therefore, do not expect there to be only one solution that is consistently proven as the ultimate anti-virus product available. A consistent “Number One” has not yet materialized.

There are numerous anti-virus comparison sites searchable on the web. Also, it’s important to remember that if your anti-virus definition files are not updated regularly, or if the anti-virus function is disabled by users of your computer system, you may not be receiving the protection you assume.
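The scan modes described above and the warning about stale definition files can both be shown with a small simulation. The following Python block is an added example, not code from HBK or from any anti-virus product: it models a definition table as byte patterns (the patterns, the file contents and the file paths are all constructed for the example and are not real malware signatures), runs a full scan that records a content hash per file, runs a quick scan that re-checks only files whose hash changed since the full scan, and checks a single file "on open" the way real-time protection does. It also shows how a file that arrives after the full scan is missed when the definition table has not been updated and caught once it has.

```python
import hashlib

# Constructed definition tables (hypothetical names and byte patterns; no real signatures).
OLD_DEFINITIONS = {
    "Example.Pattern.A": b"EXAMPLE-PATTERN-A-NOT-REAL-MALWARE",
}
UPDATED_DEFINITIONS = {
    **OLD_DEFINITIONS,
    "Example.Pattern.B": b"EXAMPLE-PATTERN-B-NOT-REAL-MALWARE",
}

# Constructed "disk": path -> file contents as of the first full scan.
DISK = {
    "/home/user/report.docx": b"Quarterly numbers, nothing unusual here.",
    "/tmp/downloaded.bin": b"\x00\x01EXAMPLE-PATTERN-A-NOT-REAL-MALWARE\xff",
    "/home/user/notes.txt": b"meeting at ten",
}


def signature_match(content, definitions):
    """Return the name of the first definition whose pattern occurs in the file, else None."""
    for name, pattern in definitions.items():
        if pattern in content:
            return name
    return None


def full_scan(disk, definitions):
    """Check every file. Returns (findings, baseline); the baseline holds a SHA-256
    per path so a later quick scan can tell which files changed."""
    findings, baseline = {}, {}
    for path, content in disk.items():
        baseline[path] = hashlib.sha256(content).hexdigest()
        hit = signature_match(content, definitions)
        if hit is not None:
            findings[path] = hit
    return findings, baseline


def quick_scan(disk, definitions, baseline):
    """Re-check only files that are new or whose hash differs from the baseline.
    Returns (findings, list of paths that were actually checked)."""
    findings, checked = {}, []
    for path, content in disk.items():
        digest = hashlib.sha256(content).hexdigest()
        if baseline.get(path) == digest:
            continue  # unchanged since the last full scan: skip it
        checked.append(path)
        baseline[path] = digest
        hit = signature_match(content, definitions)
        if hit is not None:
            findings[path] = hit
    return findings, checked


def on_open(path, disk, definitions):
    """Real-time protection model: check one file at the moment it is opened."""
    return signature_match(disk[path], definitions)


def demo():
    """Full scan, then a new file appears; quick scan with stale vs updated definitions."""
    findings, baseline = full_scan(DISK, OLD_DEFINITIONS)
    disk = dict(DISK)
    disk["/tmp/new-download.bin"] = b"MZ...EXAMPLE-PATTERN-B-NOT-REAL-MALWARE"  # constructed
    stale_findings, checked = quick_scan(disk, OLD_DEFINITIONS, dict(baseline))
    fresh_findings, _ = quick_scan(disk, UPDATED_DEFINITIONS, dict(baseline))
    return {
        "full": findings,                # {"/tmp/downloaded.bin": "Example.Pattern.A"}
        "quick_checked": checked,        # only the new file is re-read
        "quick_stale": stale_findings,   # {} : old table has no Pattern.B
        "quick_updated": fresh_findings, # new file flagged once definitions are current
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The quick scan's saving comes entirely from the baseline hashes, so the baseline must be written by a trustworthy full scan; and the `quick_stale` result is the concrete form of the point above that a definition table left un-updated gives less protection than its owner assumes.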

Action Items:

  1. If you do not already use anti-virus software, research options within your price range and choose a solution that fits your needs.
  2. Implement the anti-virus software system on your network.
  3. Periodically ensure that your anti-virus software is running as intended. This means the virus definition table will be updated frequently and that it will be consistently used on all computers within your network.
  4. HBK Risk Advisory Services can assist you with your data backup or Cybersecurity questions and needs. Please contact Bill Heaven at WHeaven@hbkcpa.com




Data Backup: Do You Have a Reliable Process in Place?

Date April 26, 2019

Most people know they should regularly back up their data. However, they often completely ignore this advice or sometimes establish a data backup process without first verifying that the process works.

As our reliance on computers (and data) continues to increase, events such as an equipment failure, malware, a virus, ransomware, a user error or a disaster can result in significant data loss. The impact of such a data loss could be devastating.

How long could your business remain profitable after a permanent loss of data?

According to a recent BBB survey of small businesses, only 35% of companies could remain profitable for more than three months following a data loss, and more than half would be unprofitable in less than a month.

There are two main backup categories: Onsite and Remote. Each contains multiple backup options. Within the main categories, the types of data backups are: full, incremental and differential. They are defined as:

  • Full Backup – A complete copy of all available data.
  • Incremental Backup – A copy of only the data that has changed since the last backup of any type.
  • Differential Backup – A copy of only the data that has changed since the last full backup.

Properly leveraging these backup strategies and solutions is critical to reducing exposure to potential data loss and disrupted operations. Additionally, periodic tests of your backups should be run to ensure that they are working properly and backing up data in its entirety.

Action Items:

  1. Research and choose the data backup category and type that you plan to use.
  2. Establish a data backup schedule (Backup Regularly).
  3. Periodically test your backup (Perform a Test Restore).

HBK Risk Advisory Services can assist you with your data backup or Cybersecurity questions and needs. Please contact Bill Heaven at BHeaven@hbkcpa.com
