Encryption: A VPN Building Block

Date October 21, 2019

When working remotely to improve “cyber posture,” we typically recommend a Virtual Private Network (VPN) as an encrypted “tunnel” between sending and receiving networks to protect the confidentiality of data in the communication. A VPN would not be viable without encryption.

Encryption is a mathematical function. It is the part of the broader science of secret writing, called cryptography, that converts plaintext into ciphertext (“encryption”) and back again (“decryption”). Encryption has been around for centuries; one of the earliest examples, the Caesar cipher, dates back to ancient Rome and protects the secrecy of a message by substituting each letter with the one a fixed number of positions further along the alphabet.

Central to understanding how encryption works, and indirectly how VPNs increase security through it, is the number of encryption “keys” used while converting plaintext to ciphertext and back. At the highest level, there are two types of encryption:

  1. Symmetric, where the same key is used to both encrypt and decrypt the data
  2. Asymmetric, where “The Public Key” is used to encrypt and “The Private Key” is used to decrypt. (The two keys of a public/private key pair are mathematically “related.”)

Neither type of encryption is better than the other. In fact, both of these technologies are critical in achieving cybersecurity when utilized properly.
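As an added example (not code from the article), the two key models above in their simplest form: a Caesar shift as a symmetric cipher, where one shared secret both encrypts and decrypts, and a textbook RSA key pair built from deliberately tiny primes (61 and 53, chosen for illustration) where a public key encrypts and the mathematically related private key decrypts. The key sizes here are for reading, not for use; note how small the Caesar key space is.

```python
# Added example, not part of the original article: the two key models
# described above, shown with the simplest possible cipher of each kind.
import string
from math import gcd

ALPHABET = string.ascii_uppercase


# --- Symmetric: the Caesar cipher. One secret key (the shift) is used for
# both directions, so sender and receiver must already share it.
def caesar_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the one `key` places further along the alphabet.
    Digits, spaces and punctuation pass through unchanged."""
    shift = key % 26
    shifted = ALPHABET[shift:] + ALPHABET[:shift]
    table = str.maketrans(ALPHABET + ALPHABET.lower(), shifted + shifted.lower())
    return plaintext.translate(table)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decrypt by shifting back with the same key: symmetric in the literal sense."""
    return caesar_encrypt(ciphertext, -key)


# Shifts 1..25 are the only distinct keys; a shift of 0 leaves the text unchanged.
# Compare with a modern symmetric cipher such as AES-128, which has 2**128 keys.
CAESAR_KEY_SPACE = 25


# --- Asymmetric: textbook RSA with tiny primes, for illustration only.
# The keys are "related" through n = p*q and phi = (p-1)*(q-1): d is the
# modular inverse of e, so (m**e)**d == m (mod n).
def toy_rsa_keypair(p: int, q: int, e: int = 17):
    """Return (public_key, private_key) as (exponent, modulus) tuples.
    p and q must be prime; real keys use primes of roughly 1024 bits or more."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(message: int, public_key) -> int:
    """Anyone holding the public key can encrypt; message must be below the modulus."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def rsa_decrypt(ciphertext: int, private_key) -> int:
    """Only the holder of the private key can recover the message."""
    d, n = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    ct = caesar_encrypt("Meet me at noon", 3)
    print(ct, "->", caesar_decrypt(ct, 3))
    pub, priv = toy_rsa_keypair(61, 53)  # constructed textbook primes
    c = rsa_encrypt(65, pub)
    print("public", pub, "private", priv, "ciphertext", c, "->", rsa_decrypt(c, priv))
```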

As always, HBK Risk Advisory Services (RAS) is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613 or via email at wheaven@hbkcpa.com. HBK RAS is here to answer your questions and discuss your concerns.

Speak to one of our professionals about your organizational needs

"*" indicates required fields



A (Technological) Change Will Do You Good

Date October 15, 2019
Article Authors
HBK CPAs & Consultants

Adapting to technological change is a challenge all businesses face. Some changes force the matter — like required compliance with privacy and cyber regulations — while others, such as implementing a vendor risk management program, may seem less urgent. Regardless, businesses must recognize the need for a particular change and act accordingly.

A recent study conducted by the Information Systems Audit and Control Association (ISACA) and the global consulting firm Protiviti revealed the top five technology challenges faced by businesses today as:

  1. IT security and privacy/cyber security
  2. Data management and governance
  3. Emerging technology and infrastructure changes
  4. Resource/staffing/skills
  5. Third-party/vendor risk management

While all organizations face the same challenges, small and medium-sized businesses can find them more difficult to overcome, especially as they relate to number four on the list: a lack of resources, staffing and skills.

Monetary considerations aside, it is difficult to find qualified personnel. Addressing security, privacy, governance and infrastructure (effectively, numbers one through three on the list) requires professionals with sophisticated skill sets. The difficulty and expense associated with trying to meet these demands internally make it more reasonable to outsource them.

We are here to help. HBK offers cost-effective solutions to address these challenges. We have IT professionals across numerous disciplines, from specialists in privacy regulations to technicians who facilitate infrastructure changes. Get access to the specific skill sets and resources you need when you need them. For more information or to schedule an appointment, call (724) 934-5300; or email me at MSchiavone@hbkcpa.com.




IT Governance: Generating Value & Mitigating Risk

Date September 6, 2019

Many recent articles about cybersecurity include discussion of Information Technology (IT) Governance. What is IT Governance, and why is it important?

The concept of IT Governance is not new. It gained visibility in the early 2000s along with the enactment of such regulations as the Sarbanes-Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act,” which was developed on the heels of a series of financial scandals involving public companies, including Enron, Tyco International and WorldCom. In light of such legislation, and the increasing roles and costs of IT, companies were advised to implement IT frameworks to provide accurate, visible and timely information, and, most relevant to cybersecurity, ensure the protection, privacy and security of information assets.

Gartner, Inc., a global research and advisory firm, defines IT Governance as, “the process that ensures the effective and efficient use of IT in enabling an organization to achieve its goals.” In its intended function, IT Governance is a subset of Corporate Governance; together they establish the rules by which an organization operates. IT Governance plays key roles in both public and private companies, ensuring investments in IT generate value and mitigating risks associated with IT departments and operations.

IT Governance can be mandated by regulation or voluntarily established to measure IT results or both. A key component of IT Governance is IT Policies, which convert the desired behaviors of IT team members relative to information security into a formal plan.

To establish an IT Governance program, an organization should:

  • Obtain the commitment of its management
  • Identify and record stakeholder requirements
  • Align the IT security strategy with the business strategy
  • Determine the IT Security Principles that will guide the IT Security Function
  • Establish metrics to demonstrate the value of the IT Security Function

HBK Risk Advisory Services can help you design and develop your own IT Governance program to protect your business. Call us at 330.758.8613; or email me at wheaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.




FaceApp & the Russians: Warning Signs?

Date July 23, 2019

You’ve likely heard of FaceApp, maybe you have even tried it. It is unquestionably one of the most popular Apps circulating today. It quickly went viral due to the “#AgeChallenge,” where celebrities as well as ordinary folks download it to use an old-age filter generating an image of what a user might look like in a decade or more. Launched by a Russian start-up in 2017, FaceApp has come under fire lately because of fears that user data was being sent to Russian servers. There are other potential privacy concerns as well, including some claims that the App has an ability to access a user’s entire photo gallery.

Is FaceApp safe to use? Probably; though I’m not planning on using it personally, as I have zero interest in seeing what I’ll look like in 20 to 30 years. But as I was watching a TV news report on FaceApp, it reminded me of an important Cybersecurity issue that might fall under the category, “Social Media: Be Careful What You Share.”

When you use FaceApp and agree to its user terms, what are you sanctioning? For one, the App is permitted access to your photos, location information, usage history, and browsing history. During a news report, an executive representing FaceApp told CNBC that it only uploads the photo selected for editing. Further, the FaceApp rep said it does not take other images from a user’s library, and that most images accessed by FaceApp are deleted from its servers within 48 hours. Still, the user agreement allows the developer access to a user’s personal data. And, again, the developers of FaceApp and its Research and Development team are all based in Russia.

The amount and type of personal data we share, especially online, is something to consider. By way of example, the Apple X phone offers facial recognition as an alternative to using a personal identification number or password; does that suggest the Russian FaceApp programmers have developed a way to access a user’s entire online account, since they have access to their photos? Remember that passwords are giving way to other log-in options, including biometrics. Consider the pace of technological development, including artificial intelligence, when making decisions about where and how you share your personal information.

While Cybersecurity experts don’t appear particularly nervous about the FaceApp itself, the scenario should give us pause and prompt us to consider the potential ramifications of sharing our personal information.

HBK can help you with your Cybersecurity issues, including protecting your data. For assistance, call 330-758-8613 or email WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.




Don’t Be a Boeing: Strengthen Your Cybersecurity

Date June 24, 2019
Article Authors
HBK CPAs & Consultants

There are no more excuses to bury your business’s head in the sand. The data and cyber theft threats are real. And imminent. And not just for big corporations or large government organizations. Attackers are at your front door … or worse.

There are three areas that need your consideration when it comes to protecting your data from cyber attack.

FIRST: To Err is Human: Have your processes and controls assessed and take stock of your level of cyber preparation. Pay special attention to your “human” vulnerabilities, as most cyber thefts are the result of someone either unwittingly or purposely allowing a breach to happen. The best software in the world can’t keep someone inside the organization from gaining access to your systems and processes.

Do it now. If you are defenseless you could have to pay a ransom to stay in business. Or worse, you might not be able to afford to stay in business.

SECOND: Assess your vendors and third-party providers. It’s much like going to a doctor’s office in the morning for a checkup, then having your immune system attacked by a virus you picked up from someone sitting next to you in the waiting room. It’s the same with vendors and those who service them. They can infect your systems in spite of your best efforts. It was the root cause of the Target data breach in 2013 that extended to as many as 70 million customers. Boeing continues to struggle as its fleet of 737 Max passenger jets – and its stock price – remains grounded due to problems with third party software described as “fatally flawed” and that has been at the root of two major airline catastrophes.

THIRD: Assess the data you transmit, process and store. Make a pecking order of data to determine which are more critical to your operation, and start at the top. Then proceed through it all.

Cybersecurity is no longer a check-the-box process; it is a way of doing business, a part of your business that must be addressed continually and methodically. We can help. Contact HBK Risk Advisory Services at 614-228-4000 or email us at SFranckhauser@hbkcpa.com with your cybersecurity questions and concerns. We can meet with you to discuss precisely when, how, where and why you need to protect your data. You can take baby steps. The one thing you shouldn’t do is nothing.




Watch Out for Tax-Related Cyber Attacks as Deadline Approaches


Tax Day is nearly upon us. And as April 15 approaches, many of us may be multi-tasking even more than normal as we prepare our final tax forms and file returns. Unfortunately, this creates a unique opportunity for cyber criminals to try to entice electronic preparers and filers to click on links that look like urgent emails pertaining to income taxes … but are really scams and/or attempts at phishing.

So, be on the lookout for any seemingly urgent emails claiming problems with your tax return, “corrected” tax documents from financial institutions requiring immediate downloads or similar scam email messages.

To lessen the likelihood of falling victim to cyber crime, keep the following points in mind when scanning your email inbox this tax season:

  • The IRS and other legitimate financial institutions DO NOT send or request important information via email or phone calls.
  • Sending tax or other financial information via regular email is NOT considered secure. NOTE: E-file is not email and is thought to be safer than traditional/postal mail.
  • Safeguard your tax and associated financial information by following guidelines specified by the IRS and your CPA.

Action Items

  1. Go directly to the website of the sending entity or call an authorized phone number listed for them to verify the institution’s legitimacy rather than clicking on an email link. These are the safest ways to confirm that a tax-related email request is valid.
  2. Use a secure (encrypted) portal or message system provided by the sending entity.
  3. If you must send sensitive information via email, be sure to encrypt it. You should provide your public encryption key to the recipient in a SEPARATE message.
  4. Limit the amount of sensitive information you share via email or phone.
  5. Destroy (SHRED) excess or outdated copies of your tax information. Contact your CPA before doing so, to ensure that you don’t prematurely dispose of necessary tax forms.

HBK can assist you with these or other cybersecurity topics or questions. Please contact Bill Heaven at 330-758-8613 or WHeaven@hbkcpa.com.




Don’t Pass on Password Managers


Recent Cyber Security industry statistics show that weak, default, or stolen passwords are involved in up to 80% of data breaches each year.

Passwords figure prominently in many areas of our daily functions such as logging onto work computers, doing online banking, sending email, accessing social media accounts and making most online shopping possible. A consistent, clear, repeated warning from Cyber Security experts and insiders is: creating complex passwords (i.e. comprised of both upper and lower case letters, numbers, and special characters) that are unique and lengthy is one way to ensure safe online activity.

Practicing healthy Cyber Security hygiene by implementing unusual passwords is outstanding in theory; it’s just that the average person has multiple password-protected accounts. Remembering which password aligns with each one of those accounts can be a challenge. That’s why using a password manager is helpful.

Advantages of Password Managers:

  1. It provides a centralized password storage location (i.e. a vault) – with only a master password to remember.
  2. It is able to automatically generate strong passwords for all of your accounts requiring a password.
  3. It is equipped with strong encryption, which protects your vault.
  4. It can simultaneously support multiple devices.
  5. It offers the ability to safely store other sensitive information, such as credit card numbers, in the vault.

There are several good, highly-recommended options to choose from such as LastPass, Keeper, Dashlane and 1Password. Be sure to research each of the tools you are considering before making your decision to ensure that you are comfortable with the features and capabilities of the password manager you ultimately pick.

Action Items:

  1. Research and choose a reliable Password Manager.
  2. Choose a long and complex Master Password (Remember, with a Password Manager, you only need to remember one).
  3. Be sure to take precautions to remember your new Master Password, such as selecting one that has meaning to you but would not be easy for an attacker to guess.
    Note: This is important because most providers have little or NO ability to assist you with finding/resetting a lost or forgotten Master Password.
  4. Begin using your Password Manager as soon as possible and migrate all of your existing passwords to it.

HBK can assist you with questions on this or any other Cyber Security topic. For more information, contact William Heaven at WHeaven@hbkcpa.com.




Start 2019 Off Cyber Secure

Date January 24, 2019

Cyber Security impacts almost everyone and in many facets of our personal and professional lives.

Whether you run a large corporation, operate a small private business, manage a home-based budget, utilize any types of professional or private services, are active in your community, or simply have hobbies and purchase essential products needed for daily life, your private information is online somewhere in cyber space. And since Identity Theft is a common sub-component of Cyber Security, HBK CPAs & Consultants’ (HBK) Risk Advisory group wanted to kick off 2019 with some reminders for our clients and colleagues about how to avoid Identity Theft and remain Cyber Secure.

The most common types of identity theft are as follows:

  1. Social Security Number Identity Theft
  2. Medical Identity Theft
  3. Financial Identity Theft
  4. Driver’s License Identity Theft
  5. Character/Criminal Identity Theft

These types of identity theft involve data often referred to as PII, or Personally Identifiable Information. PII is essential to both personal and professional activities because of the huge number of computer databases where this type of information is housed, such as electronic medical records, online banking, shopping, or utility accounts.

Here are some suggestions to help to protect your identity, though the list is hardly all-inclusive:

  1. Review your annual free credit report via the Annual Credit Report website. Here is why you should:
    • It’s authorized by federal law.
    • You are entitled to one free report from each of the following credit bureaus every year:
      – Equifax
      – Experian
      – TransUnion
  2. Regularly monitor your credit cards online.
    • If you have the ability to do so, enable text message alerts for:
      – Purchases over X dollars (You can decide the amount based on your personal financial situation.)
      – Online purchases
      – Periodic account balances
  3. Enable two-factor authentication for all of your online financial and medical accounts.
  4. Consider freezing your credit files. Here are some details about/suggestions for doing so:
    • Evaluate the practicality of taking this step personally because in some states, there is a cost to unfreeze and then refreeze your credit files.
    • Consider how often your information is public and vulnerable and what purchases may be impacting your credit or that would warrant a credit check.
    • Learn more about freezing your credit files at the Annual Credit Report website. Follow these prompts:
      – Choose the “Protect Your Identity” tab,
      – Then choose “Security freeze basics” on the left-hand side of the screen.

The HBK Risk Advisory group can assist you with questions about Identity Theft or any other Cyber Security matters. For more information, please contact Bill Heaven at WHeaven@hbkcpa.com.




Are You Cyber Secure and Who Wants to Know?

Article Authors
HBK CPAs & Consultants

This is an update to the original INSIGHT article Are You Cyber Secure?, which was published in July 2017.

A System and Organization Controls 1 (SOC 1) report provides assurance over controls at a service organization that are relevant to user entities’ internal control over financial reporting. Obtaining a SOC for Cybersecurity report can prove that a cybersecurity risk management program is designed and functioning effectively. It can also reassure everyone from a member of a board of directors to a potential customer that information with which your company has been entrusted is being handled in accordance with cybersecurity best practices.

No matter your business or industry, cybersecurity is a concern. If you operate in cyberspace – and what business doesn’t? – you are vulnerable. To guard against the many risks, ranging from exposure of confidential information to loss of business reputation, every organization should have a cybersecurity risk management program. However, conveying the maturity of your risk management program to stakeholders is a challenge that needs to be overcome.

To meet that need the American Institute of Certified Public Accountants (AICPA), the certification and standards organization governing the practice of accounting, has introduced Systems and Organization Controls (SOC) for Cybersecurity. Building upon the profession’s experience in auditing system and organization controls, SOC for Cybersecurity enables CPAs to examine and report on an organization’s cybersecurity risk management program.

HBK CPAs & Consultants (HBK) has been performing SOC 1 and SOC 2 attestations since they replaced the SAS 70 report in 2010. In the area of SOC for Cybersecurity, we offer management two types of assurance services, advisory and attestation.

In an advisory role, we perform a readiness assessment, which helps businesses assess their cybersecurity program against the industry’s leading frameworks, and more appropriately, against the AICPA Cybersecurity criteria. We assist with identifying gaps in the framework and remediating those gaps to further develop or implement an effective cybersecurity program. For more established programs, we help organizations formally align the existing program with the three criteria as established by the AICPA:

Security – The system is protected, both logically and physically, against unauthorized access.

Availability – The system is available for operation and use.

Confidentiality – Information designated as confidential is protected as committed or agreed.

In an attestation engagement, we examine your cybersecurity program and provide an opinion on whether it is effective. We map your controls to ensure your program complies with the AICPA-established criteria. We review your description of how those criteria are accommodated, then test and validate the effectiveness of these controls and issue a report.

A cybersecurity risk management examination report includes the following three key components:

Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of its cybersecurity risk management program. The description provides information on how the company identifies its information assets, how it manages the cybersecurity risks that threaten them, and the policies and processes implemented and operated to protect its information assets against those risks.

Management’s assertion. The second component is an assertion provided by management that the description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Practitioner’s report. The third component is a practitioner’s report, which contains an opinion on whether management’s description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Our attestation gives management evidence it can use to demonstrate to everyone from the board of directors to a potential customer that their cybersecurity program is in accordance with best practices. The AICPA logo of SOC for Cybersecurity certification is a key differentiator for a business, assuring stakeholders of the security of the information it handles.

All organizations should have a cybersecurity program in place. Having it assessed for readiness, that is, ensuring your controls are aligned with the AICPA-defined standard and criteria, will afford assurance that it is designed appropriately. Receiving official attestation demonstrates that the design is functioning as it should. It gives your stakeholders confidence that you are a business that has implemented a robust and comprehensive cybersecurity program, and that your organization is cyber secure.




New Ohio Cyber Security Law to Take Effect November 2nd

Date October 30, 2018

Ohio Senate Bill 220 goes into effect on Friday, November 2, 2018.

The new law incentivizes businesses for implementing cyber security programs. Companies and corporations with a written cyber security program may assert “affirmative defense” to a tort claim related to a data breach.

To be eligible, a business must create, comply with, and periodically maintain a cyber security program that contains safeguards protecting both personal and restricted information, and that satisfies at least one of the following three stipulations:

1) The business institutes a policy that reasonably complies with at least one of the six industry-recognized cyber security frameworks.
2) The business is regulated by the state or federal government, or both, and complies with HIPAA, GLBA, or FISMA guidelines.
3) The business falls under PCI-DSS, reasonably complies with PCI-DSS guidelines, and adopts one of the six industry-recognized frameworks.

If any of these frameworks is revised after implementation, the business in question has one year from the date of the latest revision to amend its cyber security policy in order to remain in line with that framework.

HBK can help with the creation and implementation or update of a cyber security program, as well as addressing other cyber security concerns or questions.

HBK can assist you with cyber security topics or questions. Please contact Matt Schiavone at mschiavone@hbkcpa.com, Bill Heaven at wheaven@hbkcpa.com, or Steve Franckhauser at sfranckhauser@hbkcpa.com for assistance.
