Webinar: Top IT Considerations for Manufacturers in 2022

Date April 20, 2022

Highlights from the April 20, 2022 webinar featuring Bruce Nelson, president, and Justin Krentz, account executive, of Vertilocity, an HBK Company.

Your information technology systems are a critical piece—and increasingly an interconnected piece—of your manufacturing infrastructure. Their effectiveness and security are key to your day-to-day operations as well as your plans for the days, months, and years ahead. “Top IT Considerations for Manufacturers in 2022” addresses ways to improve your IT processes, security posture, disaster recovery planning, and ERP.

Recognizing cyber threats

Manufacturing is a target for cyber attackers because they can see that the disruption caused by a breach can be devastating to a manufacturer and that the tolerance for downtime among manufacturers is practically zero. Manufacturing jumped from eighth on the most-targeted-industries list in 2019 to second in 2021. And according to the IBM Security Index, it is currently the most targeted industry.

  • Why? Primarily unpatched and outdated software. Many manufacturers are running antiquated systems and have been for a number of years.
  • Security measures haven’t been legislated for manufacturing, so it’s up to the companies to put them in place.
  • NIST cybersecurity framework

    The NIST cybersecurity framework helps organizations manage and reduce cybersecurity risks through a set of cybersecurity activities. The core elements of the framework: identify, protect, detect, respond, and recover.

  • Identify: the processes and/or assets that need protection; the resources and critical data that need to be protected. Need to identify the critical elements, such as data stored for conducting processes, or product recipes. Manufacturers need to be responsible for this element.
  • Protect: develop and implement the appropriate protections to ensure critical infrastructure services. Once critical elements are identified, put a program in place to protect them. As you take on additional infrastructure, like new equipment, you have to manage and secure those devices.
  • Detect: the ability to identify incidents. Develop an understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities. This should be consistent with the risk management strategy and include a process for determining what happened, what it affected, and to whom to report it.
  • Respond: develop and implement appropriate activities to respond to a detected event. Support the ability to contain the impact of a potential event. Are assets prioritized correctly? Make sure there is a hierarchy and that someone is responsible for responding to an event. Do you have contact information on software providers and insurance companies? More events are generated from internal threats that you’re not aware of. You should have contingency plans for accessing email and other key business processes. Responding is a collaborative effort between the manufacturer and its business partners.
  • Recover: the ability to restore capabilities and services. Develop and implement the appropriate activities to maintain plans for resilience and restore capabilities or services that were impaired. Consider: if a device gets compromised, what effect does that have on your business? Empower those responsible for recovery; provide the support from leadership to be able to do and test these recovery processes. Consider the different requirements for restoring a file or a server or a cloud-type environment; think through what’s required and assign responsibilities.
  • Cybersecurity Maturity Model Certification

    CMMC Model 2.0: Three levels—foundational, advanced, and expert. The level required is currently based on the level of interaction with the Department of Defense, but requirements will be rolled out to the entire manufacturing industry.

    Cybersecurity and Infrastructure Security Agency

    The government agency whose purpose is to collect and analyze events from all industries. It works closely with all major publishers, such as Amazon, and actively publishes industry-specific known threats and best practices. It takes a collective effort of software, hardware and cybersecurity firms to identify and publish threats and inform on different topics. Familiarize yourself with the website: www.cisa.gov

    16 critical items for your organization’s security posture

    • Ways to protect your organization from a cyber attack:

    – security assessment

    – spam email

    – passwords

    – security awareness

    – industry expertise

    – advanced endpoint detection

    – multi-factor authentication

    – computer updates

    – dark web research

    – log management

    – web gateway security

    – response plan

    – firewall

    – encryption

    – backup

    How can a Managed Service Provider (MSP) help?

    • IT security is an increasingly collaborative effort. There are too many elements, and technology is too ingrained in every aspect of the organization, to make a third-party vendor solely responsible. So the trend is a co-managed model.

    • MSP services include:

    – Monitoring & maintenance support: Are we managing this proactively; automated systems should be in place.

    – Technical services: The people part of it: how are we supporting the teams responsible for cybersecurity activities?

    – Executive reporting: How are we reporting to management to show that we can identify and detect? Might not have the expertise in-house or bandwidth to do this without external support.

    – Network documentation: Document IT assets, site detail, and implement secure password management. Need to be sure these things are in place and up to date.

    – Recurring business reviews: Hold weekly or bi-weekly meetings for ticket review and forecasting. Are unknowns planned for? Can we adapt to address them?

    • Security services include: advanced threat protection, multi-factor authentication, dark web monitoring, enterprise mobility management, and disaster recovery planning.

    Elements in the general framework of disaster recovery planning:

    – Implement full network discovery.

    – Define recovery objectives.

    – Define applications, dependencies, and criticality.

    – Obtain licensing information.

    – Define physical locations; document the call tree.

    – Document insurance contact information.

    – Test.
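
The planning steps above (applications, dependencies, criticality, recovery objectives, test) can be made checkable rather than left on paper. The following is an added example, not code from the webinar or from Vertilocity: it takes a constructed, hypothetical plant inventory and derives a dependency-respecting restore order, checks whether each asset's stated recovery time objective (RTO) is still achievable once its dependencies' restore times are counted, and flags assets whose newest backup is older than their recovery point objective (RPO) or that have never been backed up. The asset names, times and the "current time" are all assumptions made for the illustration.

```python
"""Disaster recovery plan checks: restore order, RTO feasibility, RPO freshness.

Added example (not from the webinar or Vertilocity). It walks the framework
steps above on a constructed inventory: applications with dependencies and
criticality, the recovery objectives set for them, and a repeatable test.
Every asset name, time and date here is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 = most critical, 3 = least
    restore_hours: float             # measured time to rebuild this asset by itself (from a test)
    rto_hours: float                 # recovery time objective the business set for it
    rpo_hours: float                 # recovery point objective: maximum tolerable data loss
    depends_on: List[str] = field(default_factory=list)
    last_backup: Optional[datetime] = None   # None = no successful backup on record


NOW = datetime(2022, 4, 20, 8, 0)   # constructed "current time" for the checks


def hours_ago(n: float) -> datetime:
    return NOW - timedelta(hours=n)


# Constructed plant inventory (hypothetical names and numbers)
INVENTORY = [
    Asset("storage", 1, restore_hours=1, rto_hours=2, rpo_hours=1, last_backup=hours_ago(0.3)),
    Asset("identity", 1, restore_hours=1, rto_hours=2, rpo_hours=24, last_backup=hours_ago(12)),
    Asset("database", 1, restore_hours=2, rto_hours=4, rpo_hours=1,
          depends_on=["storage"], last_backup=hours_ago(3)),
    Asset("erp", 1, restore_hours=2, rto_hours=4, rpo_hours=1,
          depends_on=["database", "identity"], last_backup=hours_ago(0.5)),
    Asset("plc-historian", 2, restore_hours=3, rto_hours=8, rpo_hours=24,
          depends_on=["storage"], last_backup=None),
    Asset("mes", 2, restore_hours=2, rto_hours=8, rpo_hours=4,
          depends_on=["erp", "plc-historian"], last_backup=hours_ago(2)),
    Asset("intranet", 3, restore_hours=1, rto_hours=48, rpo_hours=24,
          depends_on=["identity"], last_backup=hours_ago(72)),
]


def recovery_order(assets: List[Asset]) -> List[str]:
    """Order in which to restore: every dependency before its dependents (Kahn's
    algorithm), most critical first among assets that are ready. Raises on an
    undocumented dependency or a cycle, both of which are plan defects."""
    by_name = {a.name: a for a in assets}
    for a in assets:
        for d in a.depends_on:
            if d not in by_name:
                raise ValueError(f"{a.name} depends on undocumented asset {d!r}")
    indegree = {a.name: len(a.depends_on) for a in assets}
    dependents: Dict[str, List[str]] = defaultdict(list)
    for a in assets:
        for d in a.depends_on:
            dependents[d].append(a.name)
    ready = [n for n, k in indegree.items() if k == 0]
    order: List[str] = []
    while ready:
        ready.sort(key=lambda n: (by_name[n].criticality, n))
        current = ready.pop(0)
        order.append(current)
        for m in dependents[current]:
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(assets):
        stuck = sorted(n for n, k in indegree.items() if k > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return order


def chain_restore_hours(assets: List[Asset]) -> Dict[str, float]:
    """Hours until each asset is usable: its own restore time plus the slowest
    dependency chain beneath it (dependencies are assumed restored in parallel)."""
    by_name = {a.name: a for a in assets}
    memo: Dict[str, float] = {}

    def total(name: str, stack: tuple = ()) -> float:
        if name in stack:
            raise ValueError("dependency cycle: " + " -> ".join(stack + (name,)))
        if name not in memo:
            a = by_name[name]
            deps = [total(d, stack + (name,)) for d in a.depends_on]
            memo[name] = a.restore_hours + (max(deps) if deps else 0)
        return memo[name]

    return {a.name: total(a.name) for a in assets}


def rto_gaps(assets: List[Asset]) -> List[str]:
    """Assets whose stated RTO cannot be met once dependency restore time is counted."""
    chain = chain_restore_hours(assets)
    return sorted(a.name for a in assets if chain[a.name] > a.rto_hours)


def rpo_gaps(assets: List[Asset], now: datetime) -> List[str]:
    """Assets whose newest backup is older than their RPO, or that have no backup at all."""
    return sorted(a.name for a in assets
                  if a.last_backup is None or now - a.last_backup > timedelta(hours=a.rpo_hours))


if __name__ == "__main__":
    print("restore order:", " -> ".join(recovery_order(INVENTORY)))
    for name, hrs in chain_restore_hours(INVENTORY).items():
        print(f"  {name:14s} usable after {hrs:>4.1f} h")
    print("RTO not achievable:", rto_gaps(INVENTORY))
    print("RPO breached / never backed up:", rpo_gaps(INVENTORY, NOW))
```

Run as-is, the constructed inventory shows the two findings a tabletop exercise usually surfaces: the ERP's 4-hour RTO is unachievable because its database and storage must come back first (5 hours end to end), and the PLC historian has no backup on record at all, even though its own RTO looked comfortable. The restore-time figures feeding the check are the ones the "Test" step produces; without a measured restore time per asset the RTO column is a wish, not an objective.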

    Hot topics we’re seeing related to Enterprise Resource Planning (ERP):

    • Clients need to adapt and better align with partners. Focus used to be on getting data into systems, now it is how to get the data out, how to make it usable, how to get it from machines on the floor for better insights, how to plan better for supply chain deficiencies, and how to do more for less.

    • Process and workflow automation: there is an abundance of tools to automate IT systems, and to integrate people and processes. Solutions include Microsoft Dynamics 365 and Sage Intacct, as well as five or six other top-tier solutions to build your foundation on.

    • Elements of a power platform include:

    – Power BI: putting data-driven insights into everyone’s hands

    – Power Apps: custom apps that solve business challenges

    – Power Automate: the ability to automate organizational processes

    Managed Services Provider Vertical Solutions Merges with HBK IT

    Date September 1, 2021

    HBK CPAs & Consultants, a Top 100 accounting firm, and Vertical Solutions, a Pittsburgh-based managed service provider (MSP), today announced they have entered into a definitive merger agreement. Upon closing of the transaction, Vertical Solutions will merge operations with HBK IT, an HBK company. The entity (Combined Company) will be renamed “Vertilocity” and operate out of Pittsburgh and Clark, New Jersey, and in the Denver, Colorado area. Vertilocity will be led by Bruce Nelson, president of Vertical Solutions. The Combined Company’s annual gross revenue is estimated currently at $10 million.

    “Digital technology is the most impactful disrupter in business today,” said Christopher M. Allegretti, CPA, HBK managing principal and CEO. “Everywhere and in every industry, companies are embracing digital transformation. The Vertical Solutions team is steeped in experience in organizational workflows, systems, and software, and will support our initiative to provide relevant, sophisticated technological support to our clients.”

    Founded in 1993 and acquired in 2007 by R.L. Nelson and Associates, Inc., a Pittsburgh-based information systems consulting firm founded in 1986, Vertical Solutions has established itself as a trusted advisor to companies on their technology-based business management systems. The firm was among the earliest entries in the field of managed services providers and offers a vast array of IT-related services and support, including proactive managed IT support, advanced threat protection, Office 365 management and support, technological tools and software designed to address an organization’s specific processes, and hardware procurement and installation. Vertical Solutions has specialized in working with healthcare businesses and institutions, and as such, the merger also serves to enhance HBK’s support of its more than 600 healthcare clients.

    “I’m extremely excited about what this merger brings to our team and the clients of both firms,” noted Bruce Nelson, president of Vertical Solutions. “HBK IT has extensive capabilities, and our firms share a vision for technical solutions, that they are built around solving business challenges. Our collective technical expertise along with the financial services offered by HBK combine for a unique, comprehensive, and extremely valuable offering to our current and future clients.”

    Vertical Solutions operates out of offices in Pittsburgh and remotely in and around Denver where about one-third of its clients are located. As such, the merger not only extends HBK’s reach in the West, but gives the Combined Company a significant IT services presence in three major markets: Pittsburgh, Denver, and New York Metropolitan Region. It also allows HBK to deliver comprehensive IT and MSP services, including cybersecurity support, to the firm’s accounting and financial services clients throughout Ohio, Pennsylvania, New Jersey, and Florida.

    Since the turn of the century, HBK has been investing in its own digital transformation.

    “We have been committed to enhancing our technological capabilities as well as technology-based services to our clients,” Mr. Allegretti said. “Internally, technological capabilities are key to being able to pivot quickly and effectively when it comes to unexpected challenges, as it did in 2020 in response to the unprecedented challenges associated with the COVID-19 pandemic.”

    HBK provides small to mid-market businesses and their owners and operators a wide range of financial solutions, including accounting, tax and audit services; wealth management; business valuation; corporate finance; forensic accounting; litigation support services; and business consulting, including specific expertise in a number of major industries. The CPA firm dates back to 1949 and added its wealth management practice in 2001. The financial professionals of HBK CPAs & Consultants and HBKS Wealth Advisors serve clients locally out of offices in Columbus, Youngstown and Alliance, Ohio; Pittsburgh, Philadelphia, Erie, Hermitage, Meadville and Blue Bell, Pennsylvania; Princeton, Cherry Hill and Clark, New Jersey; and Fort Myers, Naples, Stuart, Sarasota and West Palm Beach, Florida. HBK CPAs & Consultants and HBKS Wealth Advisors are both Top 100 rated firms. HBK ranks 52nd on Accounting Today’s list of the largest U.S. CPA firms with firm-wide revenues totaling more than $100 million. 

    HBK IT Acquires Unicom Solutions Group

    Date November 1, 2019
    Article Authors
    HBK CPAs & Consultants

    HBK IT LLC, a member of the HBK family of companies, announced today it has acquired Unicom Solutions Group of Mountainside, N.J.

    Unicom is a technology-consulting firm established in 1991 offering a suite of services to small and midsize private companies, nonprofits and government agencies. The acquisition complements the offerings of HBK IT LLC, which provides various digital transformation, managed services, cybersecurity consulting and enterprise resource planning to clients in a variety of industries.

    “Bringing Unicom into the HBK family gives HBK IT even greater scale and technical expertise,” noted Tom Angelo, HBK Principal in the HBK Clark, N.J. office. “The merger will bring us a team of talented individuals as we continue to grow our advisory services and help our clients use technology to drive the growth of their business in an ever-changing digital world.”

    “We continue to seek out new and innovative ways to transform our organization in this digital world through modern cloud solutions, financial applications, messaging and communications as well as infrastructure and cybersecurity,” added HBK Managing Principal and CEO Christopher Allegretti, CPA.

    “Joining HBK was precisely the strategic move we were looking to make,” said Unicom founder Roman Sawycky. “It allows us to offer our staff more opportunities for personal development and professional training, and our clients a more complete set of products and services.”

    HBK provides small to mid-market businesses and their owners and operators a wide range of financial solutions, including accounting, tax and audit services; wealth management; business valuation; corporate finance; forensic accounting; litigation support services; and business consulting, including specific expertise in a number of major industries. The CPA firm dates back to 1949 and added its wealth management practice in 2001. HBK CPAs & Consultants and HBKS Wealth Advisors collectively have hundreds of financial professionals serving clients locally out of offices in Columbus, Youngstown and Alliance, Ohio; Pittsburgh, Philadelphia, Erie, Hermitage, Meadville and Blue Bell, Pennsylvania; Princeton, Cherry Hill and Clark, New Jersey; and Fort Myers, Naples, Stuart, Sarasota and West Palm Beach, Florida. HBK CPAs & Consultants and HBKS Wealth Advisors are both Top 100-rated firms.

    GRC: Just Another Acronym?

    Date October 8, 2019

    Governance, Risk Management and Compliance (GRC) is a methodology that provides organizations with an integrated approach to cyber security maintenance. It is most effective when executed in its entirety, as a three-pronged but single initiative, though the three components are often considered separately.

    • Governance is the process ensuring effective and efficient use of Information Technology (IT) to enable an organization to achieve its fundamental goals.
    • Risk Management is the process of identifying, assessing and managing risk as a way to help achieve an organization’s objectives and based on its tolerance for threats — in short, clearly establishing the company’s risk acceptance or risk avoidance.
    • Compliance involves adhering to accepted practices, rules and regulations within a business at an industry or governmental level, or both.

    One should take a holistic approach to GRC, as with any control or protocol established to mitigate a risk: the cost to implement the control should be less than the cost of actual exposure to the risk being mitigated. GRC expands this approach by also considering the costs associated with non-compliance, namely fines or penalties.

    The culmination of Governance, Risk Management and Compliance occurs when IT policies help convert the desired behaviors of team members into a formal, successful cyber security plan.

    HBK Risk Advisory Services can help you design and develop your own GRC program to protect your business. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. As always, HBK is here to answer your questions and discuss your concerns.


    IT Governance: Generating Value & Mitigating Risk

    Date September 6, 2019

    Many recent articles about cybersecurity include discussion of Information Technology (IT) Governance. What is IT Governance, and why is it important?

    The concept of IT Governance is not new. It gained visibility in the early 2000s along with the enactment of such regulations as the Sarbanes-Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act,” which was developed on the heels of a series of financial scandals involving public companies, including Enron, Tyco International and WorldCom. In light of such legislation, and the increasing roles and costs of IT, companies were advised to implement IT frameworks to provide accurate, visible and timely information, and, most relevant to cybersecurity, ensure the protection, privacy and security of information assets.

    Gartner, Inc., a global research and advisory firm, defines IT Governance as, “the process that ensures the effective and efficient use of IT in enabling an organization to achieve its goals.” In its intended function, IT Governance is a subset of Corporate Governance; together they establish the rules by which an organization operates. IT Governance plays key roles in both public and private companies, ensuring investments in IT generate value and mitigating risks associated with IT departments and operations.

    IT Governance can be mandated by regulation or voluntarily established to measure IT results or both. A key component of IT Governance is IT Policies, which convert the desired behaviors of IT team members relative to information security into a formal plan.

    To establish an IT Governance program, an organization should:

    • Obtain the commitment of its management
    • Identify and record stakeholder requirements
    • Align the IT security strategy with the business strategy
    • Determine the IT Security Principles that will guide the IT Security Function
    • Establish metrics to demonstrate the value of the IT Security Function

    HBK Risk Advisory Services can help you design and develop your own IT Governance program to protect your business. Call us at 330.758.8613; or email me at wheaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.


    New Bluetooth Vulnerability: Hackers Could Spy on You

    Date August 27, 2019

    Millions of us use Bluetooth wireless communications every day—to make phone calls when driving, with our fitness trackers, streaming at work or play. Innocent enough, seemingly. But no technology comes without a warning: a recently discovered Bluetooth vulnerability allows hackers to spy on your conversations or take control of your smart phone. The vulnerability deals with the encryption between two devices. It even has a name—a KNOB hack (Key Negotiation Of Bluetooth).

    This is not the first time Bluetooth has been hacked and it likely won’t be the last. And this one has its limitations. To take advantage of the KNOB vulnerability the hacker has to be in close proximity to your phone. There is also currently no evidence that this vulnerability has been exploited maliciously.

    Still, for the sake of cyber hygiene, take the following steps to protect yourself from a KNOB hack:
    • Install updates for your smart phone as they become available.
    • Remove devices paired with your phone that you no longer need or recognize.
    • Turn off Bluetooth when you are not using it.

    iPhone users can manage Bluetooth from the Control Center or within Settings, including removing Bluetooth devices at the information icon under the “My Devices” section in the Bluetooth Setting. Android smart phones have similar capabilities.

    For more suggestions for strengthening your IT security postures, see our article “Cyber Hygiene: It’s a Real Thing”.

    HBK Risk Advisory Services can help you with your cyber hygiene. Call us at 330-758-8613 or email me at WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.


    Cyber Security: It’s Everyone’s Job

    Date August 13, 2019
    Article Authors
    HBK CPAs & Consultants

    HBK is in the cyber security business. Our Risk Advisory Services group exists to serve our clients and help ensure they remain healthy, active and viable. That is our business, ethical and moral purpose. We also realize that we alone cannot entirely handle your cyber security needs, because so much of cyber security is a function of business culture and self-awareness.

    Here are five reasons cyber security starts and ends in the business setting:

    1. Laws put the burden on your business to protect cyber data. If you peruse the California Consumer Privacy Act, the New York Department of Financial Services Cyber Security Regulations, the Ohio Cyber Security Safe Harbor Law, the Florida Information Protection Act, and the mother of all data regulations, the General Data Protection Regulation of the European Union, you will find two common denominators: none of them make it illegal to steal data and all of them make it incumbent on the business to protect data.

    Each regulation sets forth actions businesses must take to protect data. This type of law used to be reserved for national security matters—power plants, national emergencies, disaster recovery—but state governments in the U.S. and foreign sovereigns are delivering a clear message that these laws apply generally. You are responsible for protecting data, and if you do not you will be punished.

    2. The burden to protect cyber data is being pushed by big businesses to small and medium businesses (SMBs) under contractual mandates. Large multinational businesses are being attacked through their vendors. Target took a data breach hit because of an HVAC vendor. Capital One just announced a data breach allegedly caused by an employee of one of its vendors.

    Large businesses are now insisting that their vendors adopt safe cyber hygiene practices or risk losing the business. The role of “vendor risk manager” has risen to the top of the charts as supply chain logistics expand and state laws mandate cyber security measures. SMBs risk losing their best customers if they do not toe the line on cyber security.

    3. Blind faith in outsourced IT and cyber security measures does not work. Pay close attention. Pushing problems to a third party does not solve problems, it merely hides them. Many SMBs outsource IT and presume that their vendor has cyber security covered. This is flawed for two major reasons. First, IT vendors are only one part of the cyber security solution. Second, IT companies are particularly susceptible to data attacks because they are an entry point into your systems. SMBs must be assured that the people they pay are addressing cybersecurity. As one CFO recently told me, he is afraid of what he doesn’t know. That type of self-realization is healthy. Have your vendors demonstrate their cyber security.

    4. Cyber Insurance underwriting guidelines will not accept cyber security indifference from management. Financing a cyber data breach or a ransomware heist is a big financial deal. CEOs, COOs, CFOs and BODs are tasked with managing the business vessel. Running afoul of cyber insurance guidelines can deprive a business of the requisite financial resources provided by insurance during a cyber data calamity. Good business management practices as well as operating agreements, by-laws and partnership agreements entrust these levels of decision to management. If C-level management and boards do not fulfill their obligations, they place the financial status of the business in peril. Study the cyber security laws and regulations listed in item 1 of this article. They are aimed directly at management.

    5. Fiduciary Duty of Company Officers. Talk to your business lawyers about the respective duties owed to companies by their officers. Most state laws place this high level of responsibility upon the company officers. Fiduciary duties are non-delegable.

    We do not have the luxury of cyber police patrolling the data streets of homes and businesses. Security always begins with the individual. Never confuse law enforcement with security. It is incumbent upon each person to do their part in cyber and data security because each person is a link in the cyber data chain. HBK understands this reality and bases its cyber security services on understanding the human, technical and management elements as being inextricably intertwined. In the end, you are only as secure as your weakest link.

    For more information or to review your cyber security responsibilities and readiness, contact Steve Franckhauser at 614.228.4000 or sfranckhauser@hbkcpa.com.


    Cyber Hygiene – It’s a Real Thing

    Date June 14, 2019

    In articles and presentations on Cybersecurity, it’s not uncommon to come across the term “Cyber Hygiene.” By default, it makes me think of human hygiene. At a detail or task level, there really isn’t much of a comparison. But think about the topic more broadly: If we take care of ourselves physically, we are likely to enjoy better health. Similarly, if you take good care of your IT systems, they will be apt to perform better – and you will be less likely to fall victim to a Cybersecurity breach.

    What can you do to improve your cyber hygiene? Exercising these action items will get you off to a great start:
    • Make sure that you have an up-to-date inventory of your IT assets (i.e. hardware, software and data).
    • Regularly patch and update your IT assets.
    • Regularly backup your data; test your backup process to ensure it is working as intended.
    • Limit the number of user accounts that have administrator privileges on your IT systems.
    • Implement an antivirus solution and make sure you receive regularly updated virus definitions.
    • Use a firewall to protect your system.
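
The backup item above carries a condition that is easy to skip: test the process, not just the job's exit code. What follows is an added example, not code from the article or from HBK. It performs the smallest honest backup test on a constructed sample directory: archive it, restore the archive into a separate location, and compare a SHA-256 manifest of every restored file against the originals, which exposes a job that silently skips a folder. The directory layout, file contents and the `exclude` knob (used only to simulate a misconfigured job) are assumptions made for the illustration.

```python
"""Backup test: back up a directory, restore it elsewhere, and verify every file.

Added example (not from the article or HBK). It exercises the "test your backup
process" item above on a constructed sample directory: the archive is restored
into a separate location and each file's SHA-256 is compared to the original,
which catches a job that silently skips files. Paths and contents are made up.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set, Tuple


def sha256_tree(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir: Path, archive_path: Path, exclude: Iterable[str] = ()) -> Dict[str, str]:
    """Write a gzip tarball of source_dir and return the source's hash manifest.
    `exclude` simulates a backup job configured to skip some folder names."""
    skip = set(exclude)

    def keep(member: tarfile.TarInfo):
        return None if any(part in skip for part in Path(member.name).parts) else member

    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".", filter=keep)
    return sha256_tree(source_dir)


def restore_backup(archive_path: Path, target_dir: Path) -> Dict[str, str]:
    """Extract the archive into target_dir, refusing any member that would land
    outside it (path traversal check), and return the restored hash manifest."""
    target = Path(target_dir).resolve()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if dest != target and target not in dest.parents:
                raise ValueError(f"refusing to extract {member.name!r} outside {target}")
        tar.extractall(target)
    return sha256_tree(target)


def compare_manifests(expected: Dict[str, str], restored: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """(missing, changed, extra): what the restore lost, altered, or invented."""
    missing = set(expected) - set(restored)
    extra = set(restored) - set(expected)
    changed = {p for p in set(expected) & set(restored) if expected[p] != restored[p]}
    return missing, changed, extra


def run_backup_test(exclude: Iterable[str] = ()) -> Tuple[Set[str], Set[str], Set[str]]:
    """Full round trip on a constructed plant directory; returns the comparison."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "src")
        (src / "recipes").mkdir(parents=True)
        (src / "recipes" / "batch-17.txt").write_text("sugar 40 kg\nwater 200 l\n")   # constructed
        (src / "line-config.ini").write_text("[plc]\naddress = 10.0.0.5\n")           # constructed
        archive = Path(work, "nightly.tgz")
        expected = make_backup(src, archive, exclude)
        restore_dir = Path(work, "restore")
        restore_dir.mkdir()
        restored = restore_backup(archive, restore_dir)
        return compare_manifests(expected, restored)


if __name__ == "__main__":
    print("healthy job:", run_backup_test())
    print("job that skips 'recipes':", run_backup_test(exclude=("recipes",)))
```

The point of restoring into a fresh directory rather than checking the archive listing is that it exercises the same path an incident would: the archive has to open, extract and produce byte-identical files. A manifest taken at backup time and stored beside the archive makes the same comparison possible months later, when the source directory is the thing that has been lost.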

    Cybersecurity experts often talk about situations of vulnerability where a fix, that is, a patch, has been released. But most companies don’t regularly apply the necessary updates or patches, or mitigate their vulnerabilities in any other way. Hackers have been known to exploit vulnerabilities, especially those where security measures aren’t taken or are more than a decade old. When I speak to clients or conferences about Cybersecurity, I point out that hackers are a lazy bunch. They attack the weak, not the strong. Improving your Cyber Hygiene will help you avoid becoming such a target.

    HBK can help you with Cyber Hygiene. Call me at 330-758-8613 or email me at WHeaven@hbkcpa.com with your questions and concerns.


    Start 2019 Off Cyber Secure

    Date January 24, 2019

    Cyber Security impacts almost everyone and in many facets of our personal and professional lives.

    Whether you run a large corporation, operate a small private business, manage a home-based budget, utilize any types of professional or private services, are active in your community, or simply have hobbies and purchase essential products needed for daily life, your private information is online somewhere in cyber space. And since Identity Theft is a common sub-component of Cyber Security, HBK CPAs & Consultants’ (HBK) Risk Advisory group wanted to kick off 2019 with some reminders for our clients and colleagues about how to avoid Identity Theft and remain Cyber Secure.

    The most common types of identity theft are as follows:

    1. Social Security Number Identity Theft
    2. Medical Identity Theft
    3. Financial Identity Theft
    4. Driver’s License Identity Theft
    5. Character/Criminal Identity Theft

    These types of identity theft involve data that is often referred to as PII because it contains Personally Identifiable Information. PII is essential to both personal and professional activities because of the huge number of computer databases where this type of information is housed, such as electronic medical records, online banking, shopping, or utility accounts, etc.

    Here are some suggestions to help to protect your identity, though the list is hardly all-inclusive:

    1. Review your annual free credit report via the Annual Credit Report website. Here is why you should:
      • It’s authorized by federal law.
      • You are entitled to one free report from each of the following credit bureaus every year.
        – Equifax
        – Experian
        – TransUnion
    2. Regularly monitor your credit cards online.
      • If you have the ability to do so, enable text message alerts for:
        – Purchases over X dollars (You can decide the amount based on your personal financial situation.)
        – Online purchases
        – Periodic account balances
    3. Enable two-factor authentication for all of your online financial and medical accounts.

    4. Consider freezing your credit files. Here are some details about/suggestions for doing so:
      • Evaluate the practicality of taking this step personally because in some states, there is a cost to unfreeze and then refreeze your credit files.
      • Consider how often your information is public and vulnerable and what purchases may be impacting your credit or that would warrant a credit check.
      • Learn more about freezing your credit files at the Annual Credit Report website. Follow these prompts:
        – Choose the “Protect Your Identity” tab,
        – Then choose “Security freeze basics” on the left-hand side of the screen.

    The HBK Risk Advisory group can assist you with questions about Identity Theft or any other Cyber Security matters. For more information, please contact Bill Heaven at WHeaven@hbkcpa.com.


    Are You Cyber Secure and Who Wants to Know?

    Article Authors
    HBK CPAs & Consultants

    This is an update to the original INSIGHT article Are You Cyber Secure?, which was published in July 2017.

    A System and Organization Controls 1 (SOC 1) report provides assurance over controls at a service organization which are relevant to user entities’ internal control over financial reporting. Obtaining a SOC for Cybersecurity report can prove that a cybersecurity risk management program is designed and functioning effectively. It can also reassure everyone, from a member of a board of directors to a potential customer, that information with which your company has been entrusted is being handled in accordance with cybersecurity best practices.

    No matter your business or industry, cybersecurity is a concern. If you operate in cyberspace – and what business doesn’t? – you are vulnerable. To guard against the many risks ranging from exposure of confidential information to loss of business reputation, every organization should have a cybersecurity risk management program. However, conveying the maturity of your risk management program to stakeholders is a challenge that needs to be overcome.

    To meet that need the American Institute of Certified Public Accountants (AICPA), the certification and standards organization governing the practice of accounting, has introduced Systems and Organization Controls (SOC) for Cybersecurity. Building upon the profession’s experience in auditing system and organization controls, SOC for Cybersecurity enables CPAs to examine and report on an organization’s cybersecurity risk management program.

    HBK CPAs & Consultants (HBK) has been performing SOC 1 and SOC 2 attestations since they replaced the SAS 70 report in 2010. In the area of SOC for Cybersecurity, we offer management two types of services: advisory and attestation.

    In an advisory role, we perform a readiness assessment, which helps businesses assess their cybersecurity program against the industry’s leading frameworks, and more appropriately, against the AICPA Cybersecurity criteria. We assist with identifying gaps in the framework and remediating those gaps to further develop or implement an effective cybersecurity program. For more established programs, we help organizations formally align the existing program with the three criteria as established by the AICPA:

      • Security – The system is protected, both logically and physically, against unauthorized access.
      • Availability – The system is available for operation and use.
      • Confidentiality – Information designated as confidential is protected as committed or agreed.

    In an attestation engagement, we examine your cybersecurity program and provide an opinion on whether it is effective. We map your controls to ensure your program complies with the AICPA-established criteria. We review your description of how those criteria are accommodated, then test and validate the effectiveness of these controls and issue a report.

    A cybersecurity risk management examination report includes the following three key components:

    Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of its cybersecurity risk management program. The description provides information on how the company identifies its information assets, how it manages the cybersecurity risks that threaten them, and the policies and processes implemented and operated to protect its information assets against those risks.

    Management’s assertion. The second component is an assertion provided by management that the description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

    Practitioner’s report. The third component is a practitioner’s report, which contains an opinion on whether management’s description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

    Our attestation gives management a basis it can use to demonstrate to everyone from the board of directors to a potential customer that its cybersecurity program is in accordance with best practices. The AICPA SOC for Cybersecurity logo is a key differentiator for a business, assuring stakeholders of the security of the information it handles.

    All organizations should have a cybersecurity program in place. Having it assessed for readiness, that is, ensuring your controls are aligned with the AICPA-defined standard and criteria, provides assurance that it is designed appropriately. Receiving official attestation demonstrates that the design is functioning as it should, and gives your stakeholders a level of confidence that you are a business that has implemented a robust and comprehensive cybersecurity program, that your organization is cyber secure.
