The new year brings with it an opportunity for a fresh start. From a cybersecurity perspective, a new year is also a typically dangerous time. Cyber hackers and cyber criminals often take advantage of the opening of tax season—January 7 for businesses, January 27 for individuals—to unleash social engineering campaigns. The campaigns can be digital, or phone based. They’re looking to steal login credentials or PII and will stress the need for you to respond urgently to an important communication, typically from your financial institution or accounting firm, about a problem with your account, a law you may have violated, or something else that requires your immediate attention.

As if such risks are not enough to wrestle with, the dawn of 2020 brings with it additional cyber worries rooted in the recently increased tensions between the U.S. and Iran. The Iranian government suggested its response to the killing of General Qasem Soleimani “concluded” with its January 7 missile launch. But according to The New York Times, cybersecurity experts are picking up on ongoing malicious cyber activity from pro-Iranian forces. And while Iranian cyber capabilities are not on par with those of Russia, China or the U.S., Iran does have the capability to inflict damage via a cyber attack.

The Cybersecurity and Infrastructure Security Agency (CISA), which was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, is charged with protecting the nation’s critical infrastructure from physical and cyber threats. The agency’s January 6 Alert AA20-006A “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad” suggests that employees as well as the IT departments of organizations adopt a heightened sense of awareness and increase organizational vigilance.

What you should do:
*Use known contact methods instead of those provided in an email or voicemail
*Do not open attachments or click links unless you are certain they are from a verified “trusted source”
*Do not divulge sensitive information unless you have verified the recipient
*Be sure to use approved solutions for transmitting sensitive information with clients or third parties

Cyber criminals continue to ramp up efforts to disrupt organizations and their ability to function in a digital society. Organizations must continue to enhance their efforts to keep themselves from becoming victims of cyber crimes.

Attend Our Cybersecurity Webinar
On Wednesday, January 22 join HBK Risk Advisory Services Director Matt Schiavone for our first webinar of 2020, “Security Awareness Programs: What You MUST Know to Protect Your Company & Workforce” at Noon EST. Register for the free webinar here.

Microsoft executives take security and privacy initiatives seriously. Not just their own, but those of their vendors, as well.

Microsoft is committed to Vendor Risk Management (VRM). Suppliers and business partners are often required to undergo varying levels of attestation to their information security initiatives, including SOC 2 or Microsoft’s Supplier Security and Privacy Assurance (SSPA).

Microsoft has established data protection requirements (DPRs) for suppliers who process Microsoft personal or confidential data. More often than not, suppliers must undergo annual attestation as to their ability to meet the requirements defined in Microsoft’s DPR.

“Process” in Microsoft’s DPR refers to any operation or set of operations performed on any Microsoft personal data or confidential data—and whether or not operations are by automated means. Processes include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or dissemination, and alignment or combination, restriction, and erasure or destruction.

SSPA is a Microsoft program that involves not only making sure that suppliers understand these requirements but ensuring their compliance. The program combines Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to make certain that suppliers follow privacy and security principles when processing Microsoft personal data or Microsoft confidential data. It covers all global suppliers processing Microsoft personal or confidential data.

Suppliers considered high risk are required to provide independent verification of DPR compliance. Such companies are asked to select an independent auditor affiliated with the American Institute of CPAs (AICPA) or the International Association of Privacy Professionals to assess DPR compliance; that auditor is responsible for providing an unqualified letter of attestation to the Microsoft SSPA.

At HBK, our affiliation with the AICPA is merely one aspect of our capabilities. Our auditors have years of experience performing attestation engagements, including extensive SOC 2 work. We have intimate knowledge of security and privacy best practices and hold these critical credentials: Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Most importantly, we are experienced in navigating businesses through Microsoft’s SSPA and compliance with the company’s Data Protection Requirements.

We can help you if Microsoft is on your business horizon and you want to maximize the value of these efforts–or if you’re preparing for a security audit. Call us at 724.934.5300 or email me at MSchiavone@hbkcpa.comand let’s get started.