Welcome to Cyber Security Awareness Month

Date October 1, 2019
Article Authors

October is Cyber Security Awareness Month, marking the 16th consecutive year of the Department of Homeland Security’s (DHS) annual campaign. The goal of the initiative is to raise awareness about the importance of cyber security.

Did You Know? (From the 2019 Verizon Data Breach Investigations Report)

  • C-level executives are 12 times more likely to be targeted by social engineering campaigns.
  • Ransomware attacks are still going strong and remain a valid threat to all industries.
  • Mobile users are more susceptible to phishing attacks, likely due to their user interfaces, among other factors.
  • In 2019, 43% of cyber breaches involved small businesses.

Action Item Reminders:

  • Implement cyber security awareness training and associated programs to measure effectiveness.
  • Implement network vulnerability scans to identify security holes that a hacker could potentially exploit.
  • Back up your data and verify the completeness and accuracy of individual backups.
  • Implement vendor-supplied updates on both your hardware and software on a timely basis.

As always, HBK Risk Advisory Services is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. HBK is here to answer your questions and discuss your concerns.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

HBK uses the contact information you provide to send you information about our products and services. You may unsubscribe from these communications any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



FaceApp & the Russians: Warning Signs?

Date July 23, 2019
Article Authors

You’ve likely heard of FaceApp, maybe you have even tried it. It is unquestionably one of the most popular Apps circulating today. It quickly went viral due to the “#AgeChallenge,” where celebrities as well as ordinary folks download it to use an old-age filter generating an image of what a user might look like in a decade or more. Launched by a Russian start-up in 2017, FaceApp has come under fire lately because of fears that user data was being sent to Russian servers. There are other potential privacy concerns as well, including some claims that the App has an ability to access a user’s entire photo gallery.

Is FaceApp safe to use? Probably; though I’m not planning on using it personally, as I have zero interest in seeing what I’ll look like in 20 to 30 years. But as I was watching a TV news report on FaceApp, it reminded me of an important Cybersecurity issue that might fall under the category, “Social Media: Be Careful What You Share.”

When you use FaceApp and agree to its user terms, what are you sanctioning? For one, the App is permitted access to your photos, location information, usage history, and browsing history. During a news report, an executive representing FaceApp told CNBC that it only uploads the photo selected for editing. Further, the FaceApp rep said it does not take other images from a user’s library, and that most images accessed by FaceApp are deleted from its servers within 48 hours. Still, the user agreement allows the developer access to a user’s personal data. And, again, the developers of FaceApp and its Research and Development team are all based in Russia.

The amount and type of personal data we share, especially online, is something to consider. By way of example, the Apple X phone offers facial recognition as an alternative to using a personal identification number or password; does that suggest the Russian FaceApp programmers have developed a way to access a user’s entire online account, since they have access to their photos? Remember that passwords are giving way to other log-in options, including biometrics. Consider the pace of technological development, including artificial intelligence, when making decisions about where and how you share your personal information.

While Cybersecurity experts don’t appear particularly nervous about the FaceApp itself, the scenario should give us pause and prompt us to consider the potential ramifications of sharing our personal information.

HBK can help you with your Cybersecurity issues, including protecting your data. For assistance, call 330-758-8613 or email WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.




Is Your Computer System Protected by a Multi-Layered Defense?

Date June 28, 2019
Article Authors

You might have heard the phrase “multi-layered defense” in relation to protecting your computer system from a cyber-attack. A multi-layered defense is, essentially, what the term implies: a defense architecture consisting of multiple layers, from developing policies to monitoring systems, to implementing backup procedures. It is a sensible strategy for protecting assets, physical as well as digital.

For example, consider the protections in place to control access to your safety deposit box. To obtain the contents of your box, you must navigate several layers of security:

  • Enter the bank.
  • Enter the restricted zone – with an escort.
  • Enter the vault area.
  • Use your safety deposit box key in conjunction with a second key held by the bank to open the box.

Similarly, you should use a multi-layered defense strategy to protect your computer system. Implementing a firewall and antivirus software are two well-known components of a multi-layered defense. But there are additional components that could make sense for your organization, such as network segmentation, data encryption and two-factor authentication.

Here are a few things you can do to ensure an effective multi-layered defense:

  • Check to see that you have a firewall and an antivirus solution in place and confirm that they are working as intended.
  • Understand what types of data are stored within your computer system, such as:
    1. Company financial data
    2. Personal data (employees, customers & vendors)
    3. Proprietary data (e.g., company trade secrets)
    4. Public data

  • Determine the perceived value of the various types of data stored in your computer system.
  • Understand how all of these data types flow into, through and from your computers – that is, where your data comes from, what you do with it, and who you share it with.
  • Determine if there are or should be restrictions as to who inside or outside your organization is allowed access to each type of data.
  • Check with your IT Department or managed service provider regarding the implementation of additional multi-layered defense components.
  • Lastly, conduct regular evaluations to ensure all of these mechanisms continue to operate efficiently.

HBK can help you develop and evaluate a multi-layered defense strategy. For assistance, email me at wheaven@hbkcpa.com. As always, we are here to answer your questions and discuss your concerns.




Watch Out for Tax-Related Cyber Attacks as Deadline Approaches

Article Authors

Tax Day is nearly upon us. And as April 15 approaches, many of us may be multi-tasking even more than normal as we prepare our final tax forms and file returns. Unfortunately, this creates a unique opportunity for cyber criminals to try to entice electronic preparers and filers to click on links that look like urgent emails pertaining to income taxes … but are really scams and/or attempts at phishing.

So, be on the lookout for any seemingly urgent emails claiming problems with your tax return, “corrected” tax documents from financial institutions requiring immediate downloads or similar scam email messages.

To lessen the likelihood of falling victim to cyber crime, keep the following points in mind when scanning your email inbox this tax season:

  • The IRS and other legitimate financial institutions DO NOT send or request important information via email or phone calls.
  • Sending tax or other financial information via regular email is NOT considered secure. NOTE: E-file is not email and is thought to be safer than traditional/postal mail.
  • Safeguard your tax and associated financial information by following guidelines specified by the IRS and your CPA.

Action Items

  1. Go directly to the website of the sending entity or call an authorized phone number listed for them to verify the institution’s legitimacy rather than clicking on an email link. These are the safest ways to confirm that a tax-related email request is valid.
  2. Use a secure (encrypted) portal or message system provided by the sending entity.
  3. If you must send sensitive information via email, be sure to encrypt it. You should provide your public encryption key to the recipient in a SEPARATE message.
  4. Limit the amount of sensitive information you share via email or phone.
  5. Destroy (SHRED) excess or outdated copies of your tax information. Contact your CPA before doing so, to ensure that you don’t prematurely dispose of necessary tax forms.

HBK can assist you with these or other cybersecurity topics or questions. Please contact Bill Heaven at 330-758-8613 or WHeaven@hbkcpa.com.




Are You Cyber Secure and Who Wants to Know?

Article Authors
HBK CPAs & Consultants

This is an update to the original INSIGHT article Are You Cyber Secure?, which was published in July 2017.

A System and Organization Controls 1 (SOC 1) report provides assurance over controls at a service organization which are relevant to user entities’ internal control over financial reporting. Obtaining a SOC for Cybersecurity report can prove that a cybersecurity risk management program is designed and functioning effectively. It can also reassure everyone from a member of a board of directors to a potential customer that information with which your company has been entrusted is being handled in accordance with cybersecurity best practices.

No matter your business or industry, cybersecurity is a concern. If you operate in cyberspace – and what business doesn’t? – you are vulnerable. To guard against the many risks, ranging from exposure of confidential information to loss of business reputation, every organization should have a cybersecurity risk management program. However, conveying the maturity of your risk management program to stakeholders is a challenge that needs to be overcome.

To meet that need the American Institute of Certified Public Accountants (AICPA), the certification and standards organization governing the practice of accounting, has introduced Systems and Organization Controls (SOC) for Cybersecurity. Building upon the profession’s experience in auditing system and organization controls, SOC for Cybersecurity enables CPAs to examine and report on an organization’s cybersecurity risk management program.

HBK CPAs & Consultants (HBK) has been performing SOC 1 and SOC 2 attestations since they replaced the SAS 70 report in 2010. In the area of SOC for Cybersecurity, we offer management two types of assurance services, advisory and attestation.

In an advisory role, we perform a readiness assessment, which helps businesses assess their cybersecurity program against the industry’s leading frameworks, and more appropriately, against the AICPA Cybersecurity criteria. We assist with identifying gaps in the framework and remediating those gaps to further develop or implement an effective cybersecurity program. For more established programs, we help organizations formally align the existing program with the three criteria as established by the AICPA:

Security – The system is protected, both logically and physically, against unauthorized access.

Availability – The system is available for operation and use.

Confidentiality – Information designated as confidential is protected as committed or agreed.

In an attestation engagement, we examine your cybersecurity program and provide an opinion on whether it is effective. We map your controls to ensure your program complies with the AICPA-established criteria. We review your description of how those criteria are accommodated, then test and validate the effectiveness of these controls and issue a report.

A cybersecurity risk management examination report includes the following three key components:

Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of its cybersecurity risk management program. The description provides information on how the company identifies its information assets, how it manages the cybersecurity risks that threaten them, and the policies and processes implemented and operated to protect its information assets against those risks.

Management’s assertion. The second component is an assertion provided by management that the description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Practitioner’s report. The third component is a practitioner’s report, which contains an opinion on whether management’s description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Our attestation is justification management can use to demonstrate to everyone from the board of directors to a potential customer that their cybersecurity program is in accordance with best practices. The AICPA logo of SOC for Cybersecurity certification is a key differentiator for a business, assuring stakeholders of the security of the information it handles.

All organizations should have a cybersecurity program in place. Having it assessed for readiness, that is, ensuring your controls are aligned with the AICPA-defined standard and criteria, will afford assurance that it is designed appropriately. Receiving official attestation demonstrates that the design is functioning as it should, and it gives your stakeholders confidence that you are a business that has implemented a robust and comprehensive cybersecurity program, that your organization is cyber secure.




IRS Warning on Phishing Emails Demands Attention

Date December 27, 2018
Article Authors

Recently, the IRS issued a warning that internet hackers have stepped up their phishing campaigns. Specifically, the hackers are increasing the usage of business email spoofing and business email compromise phishing campaigns. A common variation of this type is known as CEO Fraud or Gift Card Fraud (about which HBK Risk Advisory Services warned clients and colleagues earlier this month in Don’t Fall for the Phish(ing) Bait).

The warning from the IRS highlights two versions of the phishing scam:

  1. Emails impersonating company employees to Human Resources staff members requesting changes to the “employees'” payroll direct deposit bank accounts.
  2. Emails impersonating company executives to the staff members responsible for wire transfers requesting a wire transfer to a specific bank account on the “CEO’s” behalf.

Tips for Identifying Phishing Emails:

  1. Look for clues such as poor spelling or grammar; these are common in phishing messages.
  2. Don’t fall victim to the “urgent request” prompt. Unexpected messages that require “your immediate attention” or are earmarked as “emergency” emails are often phishing scams.
  3. Be VERY skeptical! Place a phone call to the requesting employee or executive to verify any request for payroll or banking account changes.

Reminders of How to Keep Your Company’s Electronic Messaging Cyber Safe:

  1. Implement a formal Cyber Awareness Campaign. It should include regular educational updates about the red flags of phishing email campaigns.
  2. Establish an inventory of your Information Technology (IT) assets (including data mapping).
  3. Implement or update IT Security Policies (including data classification).

HBK can assist with any of the above action items, as well as advise on additional cyber security topics. Contact Bill Heaven at wheaven@hbkcpa.com for details or to schedule a business consultation.



Understanding URLs to Identify Phishing

Date October 16, 2018

Having a general understanding of how Uniform Resource Locators (URLs) are commonly formatted and used can be helpful in avoiding online scams, particularly phishing (deceptive practices to obtain sensitive user information such as logins, passwords, and credit card details). The main purpose of a URL is to help a user locate a specific website without being required to use its numeric IP (Internet Protocol) address. URLs refer to a “dot com” type of address versus one comprised of only numbers like 12.354.678.910. Please reference the following summary of URL components as a guide to help you identify safe, secure websites.

  • Common Protocols – http, https, ftp {Note: https is an encrypted session (i.e. secure)}
  • Domain Names – Alphanumeric name for the server where the website is hosted, such as LinkedIn or HBKCPA
  • Sub-Domains – Sub-domains are commonly used and are added right to left from the domain name instead of left to right
  • Common Top-Level Domains – .com, .org, .gov
  • Pathnames – The directory/subdirectory name of where the information is located on the web server
  • Filenames – The name of the desired file on the web server
  • Common Extensions – .html, .jpeg, .wav, .exe

Here are two examples of URLs:

https://support.microsoft.com/en-us/1234word.html
This is a valid URL using a sub-domain of “support”. Don’t be thrown off when sub-domains read in the opposite direction of how we read words/text in English.

http://rnicrosoft.com/support/1234word.html
This is an example of an invalid URL that might be used for phishing. The hacker uses an “r” and an “n” to simulate a lower case “m” in the domain name “microsoft” in order to confuse users into thinking it is a legitimate URL.

Remember that phishing attempts are on the rise, and they are becoming so sophisticated that they are constantly more difficult to identify. So, please take note of these tips in order to help you avoid links that may lead to phishing attacks.

For this reason and many others, it is crucial to implement a Cyber Security Awareness Campaign within your organization. Contact HBK if you would like assistance with implementing a Cyber Security Awareness Campaign. HBK can assist you with cyber security topics or questions. Please contact Matt Schiavone at mschiavone@hbkcpa.com or Bill Heaven at wheaven@hbkcpa.com for assistance.
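As an added example (not code from the original article), the Python below splits a URL into the components listed above, reading the host right to left so the registered domain is found before any sub-domain, and then flags the two tricks the article warns about: a lookalike domain such as “rnicrosoft.com” and an unencrypted protocol. It goes one step beyond the article by also catching a trusted name that appears only as a sub-domain of an unrelated domain. The trusted-domain list and the confusable pairs other than “rn”/“m” are constructed assumptions, not values from the article.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registered domains the organization trusts (assumption).
TRUSTED_DOMAINS = {"microsoft.com", "hbkcpa.com", "linkedin.com"}

# Character sequences that resemble another letter in many fonts. "rn" -> "m" is the
# pair the article shows; the others are added assumptions for illustration.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def split_url(url):
    """Break a URL into the components the article lists."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # The top-level domain is the right-most label; the registered domain is the
    # right-most two. Everything further left is sub-domain, read right to left.
    tld = labels[-1] if len(labels) >= 2 else ""
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    subdomain = ".".join(labels[:-2])
    path = parts.path
    filename = path.rsplit("/", 1)[-1] if "/" in path else ""
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "protocol": parts.scheme.lower(),
        "subdomain": subdomain,
        "domain": domain,
        "tld": tld,
        "path": path,
        "filename": filename,
        "extension": extension,
    }


def normalize_confusables(label):
    """Rewrite lookalike sequences to the letter they imitate, e.g. rnicrosoft -> microsoft."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def assess_url(url):
    """Return a list of warning strings; an empty list means nothing suspicious was found."""
    c = split_url(url)
    warnings = []
    if c["protocol"] != "https":
        warnings.append(f"protocol {c['protocol']!r} is not an encrypted session")
    if c["domain"] not in TRUSTED_DOMAINS:
        lookalike = normalize_confusables(c["domain"])
        if lookalike in TRUSTED_DOMAINS:
            warnings.append(f"domain {c['domain']!r} imitates trusted {lookalike!r}")
        else:
            warnings.append(f"domain {c['domain']!r} is not on the trusted list")
    # A trusted name sitting left of the registered domain is only a sub-domain of
    # someone else's site, e.g. microsoft.com.example.net belongs to example.net.
    for trusted in TRUSTED_DOMAINS:
        if c["domain"] != trusted and trusted in c["subdomain"]:
            warnings.append(f"{trusted!r} appears only as a sub-domain of {c['domain']!r}")
    if c["extension"] in {"exe", "scr", "js"}:
        warnings.append(f"link points at an executable file ({c['filename']})")
    return warnings


if __name__ == "__main__":
    for sample in ("https://support.microsoft.com/en-us/1234word.html",
                   "http://rnicrosoft.com/support/1234word.html"):
        print(sample, "->", assess_url(sample) or "no warnings")
```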